Repository: TribalSystems/Zenario · Tag: 9.3.57754 · Commit: d0f5b56 · Released by: TribalSystems
This update sees some security-related changes to what is available to administrators in admin mode .
In this update, we've done a review of which functions administrators have access to when writing Twig Snippet plugins and frameworks. Twig Snippets can be written by administrators, and frameworks can be edited by developers. We have decided to remove some of these functions from Zenario's whitelist of callable Twig functions to tighten security.
The functions that let frameworks and Twig Snippet plugins look up values of specific columns from the database have been removed.
The functions that let frameworks and Twig Snippet plugins look up extranet user data and permissions have been removed. However, there is a new version of this function now available that checks the current extranet user's permissions.
The function that let Twig Snippet plugins look up the values of site settings has been removed, but there is a new version of this function now available when writing frameworks only.
Plugin developers writing frameworks can still call public functions from their own module, this has not changed.
Fixed a small security vulnerability in admin mode, where calling the refreshPluginSlot()
function for plugins in admin mode was able to bypass the plugin's init()
check.
If you have deleted/trashed a content item, you can now create a spare alias to another content item using its tag ID, e.g. html_12
.
—
This release has 2 assets:
Visit the download page to download them.