This repository has been archived by the owner on Oct 6, 2021. It is now read-only.
Releases · paragonie/airship
Version 1.4.3
- Fixed a self-induced XSS via the user's display name, reported on HackerOne.
Version 1.4.2
- Update version constants to prevent endless update loops.
Version 1.4.1
- #161: Don't hard-code HTTP/1.1 in response headers.
- #164: Fixed dead code in Skyport landing.
- HackerOne #181210: Correctly detect .onion URLs. If this malfunctions, there is a nonzero risk of MITM attack (because HTTPS wasn't enforced on .onion URLs).
- HackerOne #181225: Prevent phishing attacks via pages opened with target="_blank".
- HackerOne #181315: Consistently use binary-safe string functions.
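The following is an added example, not code from CMS Airship, illustrating the two link-hardening fixes in this release from the defender's side: HTTPS is enforced on every outbound link except those whose parsed host really is a .onion address (a substring check would also match "onion.example.com" or a path containing ".onion", which is the malfunction that opens the MITM window), and every anchor opened with target="_blank" gets rel="noopener noreferrer" so the opened page cannot navigate the opener. Function names, the onion-address shape check and the sample URLs are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not CMS Airship's own code. Function names and the
// onion-address shape check are this example's assumptions.

/** True only when the URL's parsed host is a Tor hidden-service address. */
function isOnionHost(string $url): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    // Whole-host match: "foo.onion" or "sub.foo.onion" (base32 labels), not
    // "onion.example.com" and not a path or query that merely contains ".onion".
    return (bool) preg_match('/^(?:[a-z2-7]+\.)+onion\.?$/i', $host);
}

/** Return the URL with an https scheme unless it points at a .onion host. */
function enforceHttps(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('URL must have a scheme and a host');
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme === 'https' || ($scheme === 'http' && isOnionHost($url))) {
        return $url; // Tor authenticates and encrypts .onion traffic itself
    }
    if ($scheme === 'http') {
        return 'https://' . substr($url, strlen('http://'));
    }
    throw new InvalidArgumentException('Unsupported scheme: ' . $scheme);
}

/** Add rel="noopener noreferrer" to every <a target="_blank"> in an HTML fragment. */
function hardenBlankTargets(string $html): string
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy user-supplied markup
    $dom->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    foreach ($dom->getElementsByTagName('a') as $a) {
        if (strtolower($a->getAttribute('target')) !== '_blank') {
            continue;
        }
        // Keep whatever rel tokens were already there and add the two we need.
        $rel = preg_split('/\s+/', strtolower($a->getAttribute('rel')), -1, PREG_SPLIT_NO_EMPTY);
        foreach (['noopener', 'noreferrer'] as $token) {
            if (!in_array($token, $rel, true)) {
                $rel[] = $token;
            }
        }
        $a->setAttribute('rel', implode(' ', $rel));
    }
    return $dom->saveHTML();
}

// Constructed inputs for a command-line run (the .onion host is made up).
$samples = [
    'http://example.com/login',
    'http://examplehiddensvc.onion/',
    'http://onion.example.com/',
];
foreach ($samples as $u) {
    echo $u, ' -> ', enforceHttps($u), PHP_EOL;
}
echo hardenBlankTargets('<p>See <a href="https://example.com" target="_blank">this</a>.</p>'), PHP_EOL;
```

The HTTPS rewrite is deliberately strict about requiring a scheme and host: a relative or schemeless URL is rejected rather than guessed at, since the guess is exactly where a detection bug would creep back in.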
Version 1.4.0
- Cryptographically associate account recovery tokens with the row ID of the user who requested the reset. This means that updating the userid column of an existing recovery token will not allow you to log in as an arbitrary user.
- #52, #137, #140: Allow users, groups, blog post categories, author profiles, and series to be deleted.
- #72: You can now configure how emails are sent out. All of the options currently provided by Zend\Mail are supported.
- #128: All CMS Airship cookies are set with the SameSite attribute (strict mode). This adds another layer of resilience against CSRF attacks.
- #147: Implemented a framework for importing data (e.g. password hashes) into a CMS Airship project. This will allow users to log in with their old password when Airship only knows the old password hash.
- #138, #141: In addition to being able to change the name of a blog category or author, you can also update the slug (and optionally create a redirect from the old slug to the new one).
- #148: You can now override the footer text.
- #149: Implemented a View History feature for Blog Posts.
- #155: You can now create user accounts from the Bridge.
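An added example, not CMS Airship's recovery code, showing the idea behind the recovery-token change above: the secret in the reset URL is an HMAC over the requesting user's row ID, a random selector and the expiry time, so rewriting the userid column of a stored token changes the expected MAC and the original link stops verifying. The token is also single-use and time-limited. The secret key, the in-memory array standing in for the recovery table, and all function names are this example's assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not CMS Airship's code. $secret is assumed to be a server-side
// key loaded from configuration; $table is an in-memory stand-in for the
// recovery table (selector => row).

const RECOVERY_TTL = 3600; // seconds a reset link stays valid

function recoveryMac(string $secret, int $userId, string $selector, int $expires): string
{
    // Binding the user ID into the MAC is the point: a row whose userid was
    // edited yields a different expected MAC, so the unmodified token fails.
    return hash_hmac('sha256', $userId . '|' . $selector . '|' . $expires, $secret);
}

/** Store a recovery row and return the token to embed in the reset URL. */
function issueRecoveryToken(array &$table, string $secret, int $userId, int $now): string
{
    $selector = bin2hex(random_bytes(16));
    $expires  = $now + RECOVERY_TTL;
    $table[$selector] = ['userid' => $userId, 'expires' => $expires, 'used' => false];
    return $selector . '.' . recoveryMac($secret, $userId, $selector, $expires);
}

/** Return the user ID the token is valid for, or null if it must be rejected. */
function redeemRecoveryToken(array &$table, string $secret, string $token, int $now): ?int
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !isset($table[$parts[0]])) {
        return null; // malformed, or no such selector
    }
    [$selector, $mac] = $parts;
    $row = $table[$selector];
    if ($row['used'] || $row['expires'] < $now) {
        return null; // already redeemed, or expired
    }
    $expected = recoveryMac($secret, $row['userid'], $selector, $row['expires']);
    if (!hash_equals($expected, $mac)) {
        return null; // constant-time compare; the row was altered or the token forged
    }
    $table[$selector]['used'] = true; // single-use from here on
    return $row['userid'];
}

// Constructed demo: issue a token for user 42 and redeem it honestly, then
// issue another and simulate a write that points its userid at row 1 before
// the link is used. The second redemption must be refused.
$secret = 'constructed-demo-key-load-a-real-one-from-config';
$table  = [];
$token  = issueRecoveryToken($table, $secret, 42, time());
var_dump(redeemRecoveryToken($table, $secret, $token, time()));

$token2 = issueRecoveryToken($table, $secret, 42, time());
$table[explode('.', $token2)[0]]['userid'] = 1;
var_dump(redeemRecoveryToken($table, $secret, $token2, time()));
```

Including the expiry in the MAC means a stored expiry cannot be quietly extended either; only the selector is looked up, and everything else about the row is re-derived and checked.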
Version 1.3.2
- Update Gregwar/RST to v1.0.3 to prevent LFI attacks (HackerOne report).
Version 1.3.1
- #134: Fixed a few bugs that caused the installer to fail in weird ways during a fresh install (e.g. for Docker users).
- #136: If you don't specify a subheader in the blog config, nothing will be displayed.
- #139: If an author's biography is empty, the "About the Author" section will not be displayed. In a future version, we may change this behavior to depend on the status of a checkbox rather than the non-emptiness of the biography field.
- #142: Hide "Uncategorized" from the right menu if there are no blog posts without a category.
- #143: Fixed issues with date/time handling that broke post editing.
- #144: Fixed the regular expression in the required attribute that caused browsers to prevent form submission.
- #145: The "default format" is now respected by the forms that support different input formats.
- #146: Created a button to purge the caches.
- Hid the link to view blog post history, as that feature was overlooked. We'll implement it in version 1.4.0.
- Some image types can be viewed directly instead of always forcing a download. The enforcement logic is a whitelist (that gadgets can extend).
Also, this runs an autorun script that was overlooked in preparing the v1.3.0 update. If you had broken symlinks for the new Motifs, this will fix it automatically.
Version 1.3.0
- Significant UI/UX improvements.
- Redesigned the Bridge UI to be more suitable for a control panel.
- The left menu in the Bridge is now collapsible, but automatically opens the sections which indicate your current location in the cabin.
- Update Halite to 2.2.0.
- Added a WhiteList filter, which is a strictly typed alternative to switch-case whitelisting.
- #129: Extension developers can now make their motifs configurable by end users.
- #114: We no longer display the database password on the databases page. This has always only been accessible to administrators, but now it is write-only from the web interface.
- #131: If an exception is thrown by the part of code that loads the logger, and the database driver was selected, it will no longer silently produce a white screen.
- #132: You can now control the date/time a blog post is published.
- #133: Added the "slug" field to the "Create New Blog Post" form.
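An added example, not the WhiteList class that ships with CMS Airship, showing why a strictly typed whitelist is the safer replacement for switch-case whitelisting and how the same filter serves the 1.3.1 "view some image types inline" whitelist. PHP's switch compares with ==, and loose comparison between two numeric-looking strings is numeric, so "1e1", "010" and " 10" all satisfy case '10' and the caller's spelling is handed back unchanged. A strict in_array check accepts only the exact allowed strings. The class and function names, and the sample values, are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not CMS Airship's WhiteList implementation. Class and
// function names are this example's assumptions.

final class StrictWhiteList
{
    /** @var string[] */
    private array $allowed;

    public function __construct(string ...$allowed)
    {
        $this->allowed = $allowed;
    }

    /** Strict membership test: type and value must match exactly. */
    public function contains(string $candidate): bool
    {
        return in_array($candidate, $this->allowed, true);
    }

    /** Return the candidate if it is allowed, otherwise the safe default. */
    public function filter(string $candidate, string $default): string
    {
        return $this->contains($candidate) ? $candidate : $default;
    }
}

/** The "before": switch-case whitelisting, which compares with == under the hood. */
function looseLimit(string $limit): string
{
    switch ($limit) {
        case '10':
        case '25':
        case '50':
            return $limit; // hands back the caller's spelling, not the canonical value
        default:
            return '10';
    }
}

/** Decide whether an upload is shown inline or forced to download. */
function contentDisposition(StrictWhiteList $inlineTypes, string $mime, string $filename): string
{
    $kind = $inlineTypes->contains($mime) ? 'inline' : 'attachment';
    // RFC 5987 encoding keeps a user-chosen filename from breaking the header.
    return sprintf("Content-Disposition: %s; filename*=UTF-8''%s", $kind, rawurlencode($filename));
}

// Constructed inputs for a command-line run: compare how the two styles treat
// values that are loosely equal to '10' but not identical to it.
$limits = new StrictWhiteList('10', '25', '50');
foreach (['25', '1e1', '010', ' 10'] as $in) {
    printf("%-6s switch: %-4s strict: %s\n", json_encode($in), looseLimit($in), $limits->filter($in, '10'));
}

// Only raster image types are displayed inline; anything else (SVG can carry
// script, for instance) is served as an attachment.
$inline = new StrictWhiteList('image/png', 'image/jpeg', 'image/gif');
echo contentDisposition($inline, 'image/png', 'photo.png'), PHP_EOL;
echo contentDisposition($inline, 'image/svg+xml', 'logo.svg'), PHP_EOL;
```

The filter returns one of its own allowed strings or the default, never a transformed copy of the input, which is what makes it safe to splice the result into a query, a header or a file path.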
Version 1.2.8
- In addition to expiring after a set period of time, account recovery URLs can only be used once. This brings the feature in line with the expected behavior.
- Bootstrap (JS/CSS framework) was removed, as we don't use it.
- Dependency update (e.g. HTMLPurifier 4.8.0).
Version 1.2.7
- Added logic to the Airship updater to attempt to run composer install (if we can) if an update includes a composer.lock file.
Version 1.2.6
- Update Guzzle for upstream fix to CVE-2016-5385.