v2.6.3
New features
- EventManager: system commands are disabled by default and an allow list has been added to explicitly define which ones are allowed. CVE-2024-52309. Thanks to @hyperreality for reporting.
- EventManager: add `{{EscapedVirtualPath}}` placeholder.
- EventManager: add `{{DateTime}}` placeholder.
Bug Fixes
- WebAdmin: check CSRF header when deleting blocked hosts in the same way we already do for all other state-changing endpoints.
- WebAdmin: correctly display multiple active connections for the same session.
- WebClient: improve readability of upload progress.
- Plugins: fix passing additional environment variables.
Backward incompatible changes
If you rely on EventManager to execute system commands, you should add the commands to the allowed list like this: