Improved brute-force protection
This release improves the brute-force protection of the Panel. Unfortunately the protection didn't trigger when a valid email address, but an invalid password was passed. This bug is now fixed.
We have also made further improvements to the brute-force protection. It now also applies to requests with HTTP Basic Auth. Additionally, it protects better from brute-force attacks carried out by botnets. You can read more about this feature and its limitations in the docs.
It is recommended to upgrade your Kirby 3 installation to Kirby 3.2.3 to benefit from the improved protection.
Thanks to Clemens Prill for reporting the issue.
Changes
- Fixed user models (#1892)
- Fixed dimension detection for webp files
- Fixed
Str::splitwith multi-char separator (#1753) - Fixed blueprint option for site title (#1899)
- Fixed cache prefix with a port in the host address
- Fixed issue with session cache (#1932)
- Fixed access of dotted keys in queries (#1939)
- Email addresses with umlauts are now correctly validated by
V::email()and thus also in the panel (#1895) - Fixed width and height attributes in video tags (#1875)
- The manual locale setup warning is now translatable (#1897)
- Updated translations
- Support for sorting constants in the
sortByoption in sections (#1913) - New
Collection::sortArgs()method to create sortBy arguments from a string - Fixed API error handling on errors without route
- Optional content lock for virtual pages (#1539
- Media files are now correctly generated again in multi-site setups
- Brute-force protection improvements (see above)