This bugfix and security release Serendipity 2.3.4 fixes a potential remote code execution exploit for users with upload rights (on Windows systems only), some bugs in the Media Library renaming code and adds some other small fixes and enhancements backported from our master branch:
- Add plugin source (Spartacus, bundled or local) to the list of installable plugins and show plugin author(s) on the plugin management page.
- Fix: Add "more info" link to Spartacus for all plugins there (was missing for already installed plugins).
- Fix: [SECURITY]: Media Library: The file name of renamed files may not end with one or more dot(s). This is not problematic on Linux, but on Windows file names ending with a dot lose this dot on disk, making it possible to rename a file without extension ("file") to "file.php.", which becomes "file.php" on Windows, creating an executable PHP file in a remotely accessible directory and a possible remote code execution vulnerability. Thanks to Junyu Zhang for spotting this!
- Fix: Media Library: Renaming files without extension caused a discrepancy between the file name on disk and in the media library database, so the database entry was deleted, making the file disappear from the Media Library (while it was still on disk).
- Fix: Media Library: Add some more checking and proper error messages.
- Fix: Wrap comments with very long words on the backend dashboard.
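As an added illustration of the two Media Library rename fixes above (this is example code, not Serendipity's own), the following check models how Windows normalises a requested file name and rejects any rename whose name would not be stored byte-for-byte on disk. The extension deny-list is an assumption standing in for whatever accepted-extension rules the application already enforces.

```python
import re

# Windows silently drops trailing dots and spaces when a file is created, so a
# request to rename "file" to "file.php." is stored as "file.php" on disk.
# Linux keeps the name verbatim.  Both fixes above are cases of the name in the
# media-library database and the name on disk diverging, so the check below
# refuses any name that would not survive unchanged on every platform.

# Assumption: extensions the web server would hand to the PHP interpreter.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}


def on_disk_name(name: str, windows: bool) -> str:
    """Name the filesystem would actually store for a create/rename request."""
    return name.rstrip(". ") if windows else name


def check_rename(name: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed media-library file name."""
    if not name or name in {".", ".."}:
        return False, "empty or reserved name"
    if re.search(r"[/\\\x00]", name):
        return False, "path separator or NUL byte not allowed"
    # The name must be identical to what Windows would store, otherwise the
    # database entry and the file on disk will disagree (and the trailing dot
    # can hide a dangerous extension).
    if name != on_disk_name(name, windows=True):
        return False, "name must not end with a dot or space"
    # Judge the extension on the name as it will exist on disk, case-insensitively.
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return False, f"extension .{ext} would be executed by the web server"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names covering the cases described in the release notes.
    for candidate in ("file.php.", "file.php", "file", "image.jpg", "..", "a/b.jpg"):
        print(f"{candidate!r:12} -> {check_rename(candidate)}")
```

Names without an extension ("file") are accepted because they are stored unchanged everywhere; what is refused is any name whose on-disk form would differ from the requested one.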
You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).
(MD5: 0b203494571997a3ac5093a21c3d855e)