Alvaro Folgado identified several security issues in Publify that are fixed in this release:
- Rails’ protection from CSRF was not active for all actions. This was fixed.
- Devise’ password recovery feature was configured to behave differently for existing and non-existing email addresses. This has been changed to use Devise’ ‘paranoid’ mode.
- Publify was vulnerable to CVE-2016–3714, a vulnerability in ImageMagick, on servers that have affected versions of ImageMagick installed. It now checks the mime type of uploaded files based on their content before processing with ImageMagick.
- Publify used Rails’ cookie session store, making it possible to effectively log back in by using an older value of the session cookie. Publify now stores the session data in the database.
- The blog name was not properly escaped in the views used for Devise.
Additionally, the following small bugs were fixed:
- There was an error on the sign-in due to the use of a deprecated method in Devise.
- Failed resource uploads were reported as succesful.
It is recommended you update to this release as soon as possible.
Trackbacks are disabled