This security release removes the following file extensions from the default whitelist of accepted types for uploaded files: dotm, potm, jar, css, js and xltm.

If your projects need to accept uploads of these file types, you will need to add them back to the allowed extensions yourself. For more information, see "Configuring: File types".

Change Log

Security

  • 2018-05-24 3bddea7 Prevent php code execution in assets folder, and remove file extensions (Robbie Averill) - See ss-2018-012
  • 2018-04-26 02db1cc Update jQuery version, remove entwine from frontend use (Dylan Wagstaff) - See ss-2018-015
  • 2018-04-26 c461dcb Update jQuery version used in templates (Dylan Wagstaff) - See ss-2018-015
  • 2018-04-26 238ae51 Update jQuery version used in templates (Dylan Wagstaff) - See ss-2018-015
  • 2018-04-26 299131ed2 File security documentation (Damian Mooyman) - See ss-2018-012
  • 2018-04-25 be96858 Remove jar, dotm, potm, xltm from file extension whitelist, hard-code CSS and JS for TinyMCE support (Robbie Averill) - See ss-2018-014
  • 2018-04-24 f847f186b Remove password text from session data on failed submission (Aaron Carlino) - See ss-2018-013
  • 2018-04-23 aa365e0 Remove dotm, potm, jar, css, js, xltm from default File.allowed_extensions (Robbie Averill) - See ss-2018-014
  • 2018-04-23 cf330de Enforce HTTPS for all URLs when in test mode (Robbie Averill) - See ss-2018-009
  • 2018-04-23 f9c03fa Prevent php code execution in assets folder (Damian Mooyman) - See ss-2018-012
  • 2018-04-23 1e27835 Prevent php code execution in assets folder (Damian Mooyman) - See ss-2018-012
  • 2018-04-22 beec0c0d4 regression of SS-2017-002 (Robbie Averill) - See ss-2018-010
  • 2018-04-19 b2c5576 Fix search term escaping to prevent possible SQL injection attack (Robbie Averill) - See ss-2018-11
  • 2018-04-11 e409d6f67 Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See ss-2018-001
  • 2018-04-10 9053014a7 Validate against malformed urls (Damian Mooyman) - See ss-2018-008
  • 2018-04-10 2e13ae746 Prevent code execution in template value resolution (Damian Mooyman) - See ss-2018-006
  • 2018-04-09 db04ed9 Remove on* events as allowed properties (Damian Mooyman) - See ss-2018-004
  • 2018-04-08 d935140a9 Prevent unauthenticated isDev / isTest being allowed (Damian Mooyman) - See ss-2018-005

Features and Enhancements

  • 2018-04-13 24ff267 Ability to inject a different process manager class. (Frank Mullenger)
  • 2018-04-08 fa2bb55 Replace HeaderField with LiteralField (Raissa North)
  • 2018-04-04 ee6b9c8 Allow ProcessManager log path to be configurable via environment variable (Robbie Averill)
  • 2017-12-21 4d60f01 add test for a --no-dev build (Christopher Joe)

Bugfixes

  • 2018-05-23 e7e32d13a Add namespace and encryptor to tests that expect blowfish to be available (Robbie Averill)
  • 2018-05-22 a0230a3 Manually replace Maori with Māori (intl bug) (Robbie Averill)
  • 2018-05-18 c7ab8df broken links (Raissa North)
  • 2018-05-18 4913290 Add extension to remap polymorphic relationship classes for Parent and Form fields (Robbie Averill)
  • 2018-05-09 8f363d6 Remove unnecessary translation of parameterised field value (Raissa North)
  • 2018-05-03 a40daef Set default_locale to en_NZ, and allow errors to be returned as 200 OK (Robbie Averill)
  • 2018-05-03 a3b586a Allow configurable default locale, or use the first defined locale (Robbie Averill)
  • 2018-05-03 c0bd59c Allow errors to be returned with 200 header codes (Robbie Averill)
  • 2018-04-23 838ce23 regex in performance guide htaccess rules (Tomas Cantwell)
  • 2018-04-22 dca8ae5 regex issue in performance docs (Tomas Cantwell)
  • 2018-04-20 b4943fb Automatically create default SiteTree records for new subsites (Robbie Averill)
  • 2018-04-20 f47a222 Unentice direct BasePage creation in the CMS (Dylan Wagstaff)
  • 2018-04-15 4d333b2 Move directory controller template into correct location (Robbie Averill)
  • 2018-04-11 caab511 the each loop to properly get the field passed in (Simon Erkelens)
  • 2018-04-05 39044de Use correct CacheInterface API methods and remove doubled up logic (Robbie Averill)
  • 2018-04-04 a886f68 reintroduce extension hook for comment form rendering (Raissa North)
  • 2018-04-03 b450b5c Only add File_ShowInSearch if File class is in query (Raissa North)
  • 2018-04-03 2b3b0c8 Cast IFrameURL right title as HTMLText to avoid double escaping (Robbie Averill)
  • 2018-03-29 0ca0b2c let CompositeField subclasses render themselves (Dylan Wagstaff)
  • 2018-03-23 7e9f6ce Handle nullable $original object argument in onAfterPublish (Robbie Averill)
  • 2018-03-23 f7ffb70 Use userforms template for member list field, fixes display rule issue (Robbie Averill)
  • 2018-03-20 bb3e9d6 Missing use statement for ProcessManager (Gordon Anderson)
  • 2018-02-06 5bff64b47 Fix Director::test() not persisting removed session keys on teardown (Damian Mooyman)
