Kirby os windows 10

🚨 Security

This release fixes three path traversal vulnerabilities in the Kirby core:

TL;DR

The first two vulnerabilities only affect Kirby sites that call the snippet() or collection() helpers with dynamic name values that could be controlled by an attacker. Sites that only use fixed calls to the snippet() or collection() helpers (i.e. calls with a simple string for the snippet/collection name) are not affected.

The last vulnerability only affects Kirby setups that use PHP’s built-in server. Such setups are commonly only used during local development.

Impact

All three vulnerabilities have in common that they can be exploited via path traversal. By using special elements such as .. and / separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the ../ sequence, which in most modern operating systems is interpreted as the parent directory of the current location.

The missing path traversal checks allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the relevant system roots or even outside of the Kirby installation. Depending on the vulnerability, the existence of the traversed file could be revealed or contained PHP code could be executed.

You can read more about the vulnerabilities and their impact in the security advisories linked above.

Credits

Thanks to Bruno Meilick (@bnomei) and Tobias Möritz (@tobimori) for their responsible disclosure and for bringing this type of attack vector to our attention.

✨ Enhancements

• Improve $page->dirname()/diruri() docblocks #7102

🐛 Bug fixes

• Fix block selector not closing after pasting block #7087 (thanks to @fnwbr)
• Media::thumb(): Fix passing File $model and test logic #7142
• Fix duplicated slash in the router.php for the built-in PHP server #7188

🧹 Housekeeping

• Fix local unit tests when run in a Herd setup #7141
• Reset Vite dev mode after PHPUnit tests #7143

🚨 Security

This release fixes three path traversal vulnerabilities in the Kirby core:

TL;DR

The first two vulnerabilities only affect Kirby sites that call the snippet() or collection() helpers with dynamic name values that could be controlled by an attacker. Sites that only use fixed calls to the snippet() or collection() helpers (i.e. calls with a simple string for the snippet/collection name) are not affected.

The last vulnerability only affects Kirby setups that use PHP’s built-in server. Such setups are commonly only used during local development.

Impact

All three vulnerabilities have in common that they can be exploited via path traversal. By using special elements such as .. and / separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the ../ sequence, which in most modern operating systems is interpreted as the parent directory of the current location.

The missing path traversal checks allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the relevant system roots or even outside of the Kirby installation. Depending on the vulnerability, the existence of the traversed file could be revealed or contained PHP code could be executed.

You can read more about the vulnerabilities and their impact in the security advisories linked above.

Credits

Thanks to Bruno Meilick (@bnomei) and Tobias Möritz (@tobimori) for their responsible disclosure and for bringing this type of attack vector to our attention.

🚨 Security

This release fixes three path traversal vulnerabilities in the Kirby core:

TL;DR

The first two vulnerabilities only affect Kirby sites that call the snippet() or collection() helpers with dynamic name values that could be controlled by an attacker. Sites that only use fixed calls to the snippet() or collection() helpers (i.e. calls with a simple string for the snippet/collection name) are not affected.

The last vulnerability only affects Kirby setups that use PHP’s built-in server. Such setups are commonly only used during local development.

Impact

All three vulnerabilities have in common that they can be exploited via path traversal. By using special elements such as .. and / separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the ../ sequence, which in most modern operating systems is interpreted as the parent directory of the current location.

The missing path traversal checks allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the relevant system roots or even outside of the Kirby installation. Depending on the vulnerability, the existence of the traversed file could be revealed or contained PHP code could be executed.

You can read more about the vulnerabilities and their impact in the security advisories linked above.

Credits

Thanks to Bruno Meilick (@bnomei) and Tobias Möritz (@tobimori) for their responsible disclosure and for bringing this type of attack vector to our attention.

Pre-release notes: https://getkirby.com/releases/5

Changelog since 5.0.0-beta.5

✨ Enhancements

• Form improvements #7114 #7115 #7125 #7126
  • New Fields::validate() method
  • New Form::validate() method, which is a proxy for Fields::validate()
  • Use Form::validate() in ModelWithContent::update()
  • New ::isTranslatable($language) method for Field and FieldClass
  • New ::extendModels() method in HasModels trait.
  • New ::isSubmittable method for Field and FieldClass

✨Enhancements from previous betas

• Form and Field improvements #7117 #7123
  • FieldClass::fill() now returns static instead of void. This no longer introduces a difference to the Field class and also makes ::fill() chainable, which can be handy.
  • Value-related methods and properties are now all moved to the Value mixin
  • Required methods and properties are now moved to the Validation mixin
  • ::fill() is no longer setting a null default value, which makes no sense.

🐛 Fixed regressions from previous betas

• Fixed notice issue in the Field::fill() method when no computed properties exist. #7113
• Avoid broken field component state after :fill() method call #7113
• Fixed named exports on global Vue constructor for plugins (thx @johannschopplich)
• Fix App::$events initialization #7121
• User and page models can be registered without lowercase keys again #7124

🚨 Breaking changes

• All Kirby\Blueprint classes have been removed. Those classes never were involved in rendering Blueprints. We used a small part of it for the field options, but had them mostly in there in preparation for a Blueprint code refactoring that never happend as planned. The removal should not cause any damage, because the code was internal and never useful for plugins. But we still want to mention it here. #7119
• The Field class no longer exposes public properties value and default. Public access to properties has not been documented or encouraged anywhere, so it technically should not have been used anyway. #7123
• ::isSaveable has been renamed to ::hasValue in the FieldClass class. #7125

♻️ Refactored

• k-panel-menu: simplify gap #7108

♻️ Refactored from previous betas

• ::isSaveable has been renamed to ::hasValue in all form classes. #7125

🧹 Housekeeping

• Update JS dependencies

Pre-release notes: https://getkirby.com/releases/5

Changelog since 5.0.0-beta.4

✨ Enhancements

• Make Vue bundle accessible as JS Import map #7107
• Use type hinting in A::get() instead of the is_array check. Results in a 2% improvement of total execution time according to tests by @bnomei #7096

🐛 Bug fixes

• Users field preview: displays HTML correctly #7065
• The site preview button is now hidden when the home page preview is disabled #7070
• Fixed cases where after resorting a page, the parent’s children collection was incomplete #7044
• Ensure same listing style (breaking or not) in list view #6904

🐛 Bug fixes from previous betas

• Image preview: fix coords input squeezing image #7048
• Fixed return type issue when a page has a custom model #7084
• Pages with drafts can now be deleted properly again #7097

🚨 Breaking changes

• A::get() no longer accepts a first argument that is not an array

🧹 Housekeeping

• Removed deprecated icons #7046
  • Removed circle-outline. Use circle instead
  • Removed circle-funnel. Use filter instead
  • Removed heart-outline. Use heart instead
  • Removed image-outline. Use image instead
• Small Vue fixes in preparation for Vue 3. We plan to add Vue 3 support in Kirby 6, but already add step by step preparations with every release #7106

✨ Enhancements

• New session::store core component: return your custom SessionStore handler #6961
• Show info text when variable is an array #6930
• The Vue template compiler can be switched off in the config. This will load the vue runtime version. Plugins and the lab views that rely on the template compiler will no longer work.

  // `/site/config/config.php`
  return [
    'panel' => [
      'vue' => [
        'compiler' => false
      ]
    ]
  ];

• Panel: user needs to confirm current password when changing their own password or the password of another user (e.g. as admins) #6971
• Panel system view: Some security checks will be skipped on local setups #6932
• The security check for an accessible kirby folder now uses the LICENSE.mdfile instead of composer.json to avoid false-positive blocks by web application firewalls #6932

🐛 Bug fixes

• Custom sections: fixed issue where Vue mixin would overwrite load method #6809
• Requests for a page’s html representation get redirected to the normal page URL without extension #6509
• Panel menu: fixed backdrop on narrow viewports #6983
• Link dialog: fixed permalinks for default language #6982
• Fixed file template wrongfully being written to secondary language content file #6739
• Add missing title for toolbar buttons #6998

Pre-release notes: https://getkirby.com/releases/5

Changelog since 5.0.0-beta.3

🎉 Features

• New ::toEntries() field method #6993 for the new Entries field.

<ul>
    <?php foreach ($page->myEntries()->toEntries() as $entry): ?>
        <li><?= $entry->upper() ?></li>
    <?php endforeach ?>
</ul>

✨ Enhancements

• New ExceptionField class #7002
• Multiple storage reads are avoided with a new VersionCache class. #6989
• New icons: #7055
  • accessibility
  • ai
  • cloud
  • info-card
  • kirby
  • rocket
  • rss
  • shield
  • shut-down
  • terminal
  • wallet
• New $model->versions() method returning a versions collection (currently changes and latest) #7059
• New Language::is() method to compare Language objects
• Pick up new model objects when a model is updated within a hook, even if the new model object is not returned by the hook

✨ Enhancements from previous betas

• New wildcard option for Version::delete('*')
• New PlainTextStorage::isSameStorageLocation() implementation, which compares text file locations for more accurate results.
• ModelWithContent::changeStorage() has a new second, boolean $copy argument, which is false by default. Storage is thus moved by default, but can be copied on demand.
• ModelWithContent::save() and ModelWithContent::convertTo() use that new $copy flag to create a fully in-memory copy for the old instance.

🐛 Bug fixes

• Fix writer update issue #6959
• Fixed password reset dialog in dark mode #7003
• Fix tree branch color in move dialog #6952
• k-item: fix non-selectable state #7024
• Hide label and counter for fields in the entries field #7039
• User::delete() will now properly call file.delete hooks for deleted user files.

🐛 Fixed regressions and issues from previous betas

• Page blueprint: changeTemplate doesn’t produce multiple content files anymore #7008
• Fix generating redundant image data in content files #6992
• Virtual content is no longer ignored when actual content file exists #7010
• Cancel running requests when discarding or publishing content #6869
• Fixed nested ::update calls in hooks #6869
• Versions will be properly deleted for all storage handlers when Model delete actions are executed
• Enforce pages.preview permission again

🚨 Breaking changes

• Removed Kirby\Form\Form::exceptionField() #7002
• When working with old model instances in hooks, the models can no longer overwrite their content. This will now throw an exception if you try. Use the new model instances instead.
• $page::translation() returns a single translation in single language mode. This is also included in the $page::toArray() method
• $page::translation() returns a new Kirby\Content\Translation object instead of the old Kirby\Content\ContentTranslation object.
• The Kirby\Content\ContentTranslation class has been removed and repalced with Kirby\Content\Translation
• $page::translations() returns a new Kirby\Content\Translations collection instead of a generic Kirby\Content\Collection It will always include at least one language — even in single language mode.
• Kirby\Content\Content::update() is actively deprecated and must no longer be used. It will throw an exception to find usage early on.
• The ModelWithContent::$content and ModelWithContent::$translations cache props have been removed.
• User::create() does no longer accept null as argument.
• Setting a name field in User::update does no longer have any effect. Use User::changeName() instead.
• HasMethods::hasMethod() and HasMethods::callMethod() are now protected methods #7058
• ModelWithContent::versions() is no longer available as direct field accessor. You need to use $model->content()->versions() instead if you are using a field with the name versions. #7059
• The internal $originalEvent parameters for App::apply() and App::trigger() have been removed as they are no longer used in the core.

☠️ Deprecated

• ModelWithContent::readContent: Use $model->version()->read() instead #7013
• ModelWithContent::writeContent Use $model->version()->write() instead #7013

♻️ Refactored

• Model improvements #7020 #7021 #7023 #7029
  • Make sure that the template in the Page::factory() method is always lowercase
  • Make sure that the model name in Page::model() is always lowercase
  • Make sure that the template name is always lowercase in the Page::setTemplate method
  • Call ::setBlueprint in Model constructors before setting content
  • Use Page::updateParentCollections in the ::commit method and remove redundant calls.
  • Add ::updateParentCollection methods to FileActions and UserActions and use them in their commit methods
  • Replace User:: with static:: in user actions.
  • Add a unit test for creating a user with a password
  • Move pagesMethods tests into Pages/PagesMethodsTest.php
  • Use PHPUnit attributes for Model Blueprint tests
  • Improve the cache id in the MemoryStorage class
  • Undeprecate useful methods in the Translation class
  • Replace Page:: with static:: in PageActions
  • Simplify Page::createNum
  • Improve indentation in the Site class
  • Remove ::hardcopy from ::commit in model actions
  • New HasModels trait
  • App::setSite() is now public and can be used to overwrite the current site instance
  • New Page::normalizeProps()
  • New File::noramlizeProps()
  • New User::normalizeProps()
  • New ModelWithContent::changeStorage() method.
  • New virtual page tests
  • Unit tests for Models have been reorganized and cleaned up
  • New Kirby\Cms\ModelCommit class
  • New Kirby\Cms\ModelState class
  • Uses the new ModelCommit class in all action classes
• New Kirby\Cms\Collection::update($object) method
• New Kirby\Cms\Events class that handles low-level hook execution

♻️ Refactored from previous betas

• The MemoryStorage class uses the object id for guaranteed uniqueness
• A couple methods in Kirby\Content\Translation have been undeprecated because they turn out to be useful
  • ::code()
  • ::content()
  • ::exists()
• Moved the folder clean up logic into the Kirby\Content\PlainTextStorage handler
• RefactorUser::delete(), Page::delete() and File::delete() to delete the Versions properly

🧹 Housekeeping

• Clean up @see tag consistency in the core code

Pre-release notes: https://getkirby.com/releases/5

Changelog since 5.0.0-beta.2

🎉 Features

New entries field

Картинка с сайта: github.com

Read more …

Batch delete mode

New option for pages and files sections, to delete multiple files or pages at once https://kirby.nolt.io/38

Картинка с сайта: github.com

Read more …

PDF file preview

In addition to audio and video files, we’ve now also added a PDF preview to the core:

Картинка с сайта: github.com

Read more …

✨ Enhancements

• Support for content representation specific site controllers, e.g. site.rss.php #6950
• New Kirby\Cms\Pages::delete(array $ids) and Kirby\Cms\Files::delete(array $ids) methods to handle batch delete for multiple files in a collection.
• New batch mixin for model sections (pages & files), which introduces the batch option and a computed property to check for supported layouts.
• New selectable property for the <k-item> and <k-items> components. When set to true, the items show checkboxes and emit an select event, when the checkbox is clicked.
• The files and pages sections introduce new delete API endpoints. Those endpoints can take a set of page or file ids and will delete each one. Errors will be caught and sent back in the details array of the final thrown exception.

✨ Enhancements for earlier beta features

• View buttons: support name: true notation #6928
• UI component class: support non-pre-defined props #6929

🐛 Bug fixes

• Select, radio and toggles field: values that include a comma will not be split into two tags in the structure field preview anymore #5800
• Blocks field: fix empty display #6951
• Fix Drag & Drop between block fields #5290
• Drawers + Fields block: collapse tabs in header correctly into dropdown for narrow columns #6914

🐛 Fixed regressions from earlier betas

• Languages dropdown: fix changing language #6945
• Sticky column offset from sticky header
• Always use date handler for changes timestamp #6937

🚨 Breaking changes

• File drag texts in the Panel always use the file UUID, if UUIDs are not disabled #6948
• api.methodOverwrite option has been renamed to api.methodOverride

☠️ Deprecated

• Color field: the text => value notation for options has been deprecated and will be removed in Kirby 6. Please rewrite your options as value => text. #6913

🧹 Housekeeping

• Updated dependencies
• Updated todo comments #6987

✨ Enhancements

• Add a single space after colon in headers in Response class for better server support (FrankenPHP) #6976 Thanks to @rasteiner

🐛 Bug fixes

• Fix disappearing writer content when a page is moved or the slug is changed #6507

✨ Enhancements

• PHP 8.4 support
• New bluesky icon

🐛 Bug fixes

• Fixed CSS rules messing up grid styling inside the gallery block drawer #6838
• Fix alt attribute for FileVersion instances #6852
• Using single quotes in sqlite table discovery query fixes #6769
• Fix console error when no buttons available #6863
• Structure field: fix label of remove dropdown item #6899
• Block options: fix tabbing from sort handle #6893
• Structure field: fix preview input when paginated #6894
• Set require: true on image block location field #6905
• Blueprint image option: fixed support for query string #6916
• System view: fixed too long server software names #6917
• Pages and files sections: fixed page option #6735
• Role blueprints get properly extended #6918
• Link field: fixed handling of invalid options #6919
• Fixed js()/css() helpers parameters

🧹 Housekeeping

• Update the list of export ignores to keep unneeded files out of the Kirby ZIP downloads #6931
• Update JS dependencies #6933
• Removed remaining meta account from the readme and added Bluesky instead.