Release notes - Scalelite - Version 1.5.2
Security Fixes:
Important: We removed support for POST requests on join endpoint and also Content-Type headers are now required
In Scalelite v1.5.2 POST requests are no longer allowed for the join endpoint. To ensure they are validated properly, a Content-Type header must also be provided for POST requests that contain data in the request body. Endpoints now support a limited set of content types that includes text/xml
, application/xml
, application/x-www-form-url-encoded
, and multipart/form-data
. By default each endpoint only supports application/x-www-form-urlencoded
and multipart/form-data
, but individual endpoints can override this and define their own set of supported content types. The create
endpoint supports all of the four previously listed content types while insertDocument
supports only text/xml
and application/xml
. Any requests with a content type that differs from the set supported by the target endpoint will be rejected with a new unsupportedContentType
error.
Notes:
Security advisory will be published not earlier than May 31, 2024: https://github.com/blindsidenetworks/scalelite/security/advisories/GHSA-p3q9-qff5-97p7
Release tested by contributors [ @farhatahmad ] composer deployment