github timber/timber 1.24.1

one month ago

Security fix

  • Fix a security vulnerability where a file processed through Timber image operations could possibly execute arbitrary code in certain circumstances.

Details
The vulnerability could be exploited if your website passes user file inputs (like a form upload) or sideloaded images directly to one of the Timber image operations like Resize, Letterbox, Retina, ToJpg or ToWebp without first checking that the uploaded files really are images. We couldn’t replicate the vulnerability in a default WordPress installation, where a user uploads files through the media library. But there could be cases where your website might be vulnerable if a user can upload files in another way.

Important

This vulnerability only exists for websites running on PHP 7.4 or lower.
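
A content check of the kind the details above call for, run before a file reaches any Timber image operation; this is an added example, not Timber's own code, and it complements updating rather than replacing it. The function name `timber_safe_image()`, the allowlist and the sample files are assumptions, and `$path` is assumed to be a server-side path such as the upload's temporary file.

```php
<?php
// Added example (not part of Timber). timber_safe_image() and
// ALLOWED_IMAGE_MIMES are hypothetical names. Runs on PHP 7.4 and later.

const ALLOWED_IMAGE_MIMES = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

/**
 * Returns the detected MIME type when $path is a regular local file whose
 * content (not its name or the client-sent type) is an allowed image,
 * otherwise null.
 */
function timber_safe_image(string $path): ?string
{
    // Only regular, readable files; file name and extension are never trusted.
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }

    // 1. Sniff the type from the file's bytes and compare with the allowlist.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false || !in_array($mime, ALLOWED_IMAGE_MIMES, true)) {
        return null;
    }

    // 2. The image header must parse, agree with the sniffed type,
    //    and report real dimensions.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime || $info[0] < 1 || $info[1] < 1) {
        return null;
    }

    return $mime;
}

// Constructed samples: a 1x1 PNG, and a text file carrying an image extension.
$png  = sys_get_temp_dir() . '/constructed-real.png';
$fake = sys_get_temp_dir() . '/constructed-fake.jpg';
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
file_put_contents($fake, "plain text, not an image\n");

var_dump(timber_safe_image($png));   // accepted: detected MIME type
var_dump(timber_safe_image($fake));  // rejected: extension alone is not enough

// Only a file that passed the check would be handed on to an image
// operation such as Timber\ImageHelper::resize().
unlink($png);
unlink($fake);
```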

What’s changed

  • Allow the Timber\PostPreview::read_more to accept a boolean value by @gerardo-rodriguez in #2578
  • Fix tests failing with WordPress 6.4 by @gchtr in #2964
  • Remove functionality that disabled updates via the dashboard for major and minor releases by @Levdbas in #2963

Full Changelog: 1.24.0...1.24.1
