Grav Changelog

v1.7.52

3 weeks ago

    • GPM client now sends the running PHP version with index requests so the server can substitute PHP-aware compat fallbacks when a plugin's latest release requires a newer PHP than the client can run.
    • [security] Extended default uploads_dangerous_extensions to include md, yaml, yml, json, twig, ini — page-content extensions that can be weaponised via permissive form-upload accept policies (GHSA-w4rc-p66m-x6qq, defense-in-depth alongside the Form 9.1.0 plugin fix).

v1.7.51

4 weeks ago

    • Added foundation for migrating to Grav 2.0: cross-major auto-upgrades are blocked in GPM, and core now surfaces a next_major hint so admin can point users at the new migrate-grav plugin
    • Added compatibility: blueprint support so plugins/themes can declare which Grav versions they support
    • Added self-upgrade preflight that flags incompatible plugins/themes and psr/log / Monolog conflicts before proceeding
    • Added upgrade resilience with automatic maintenance mode and opcache reset during self-upgrade
    • Added new cache-cleanup CLI command to prune obsolete cache entries
    • Added new onFlexDirectoryConfigBeforeSave event for Flex
    • More readable time output in bin/grav logviewer #4009
    • Removed legacy standalone binary build
    • Updated vendor libraries to latest versions
    • Fixed selectize field losing values when keyed options were used
    • Fixed wrong date output in bin/grav logviewer #4007
    • Fixed undefined array key error triggered by URL-encoded characters in paths #4012
    • Fixed assorted issues in the revamped scheduler
    • Fixed schedule flag not being honored in backup profiles
    • Fixed default-language loading when using the session-based language store
    • Allow lang query parameter to switch back to the default language

v1.7.49.5

8 months ago

    • Backup not honoring ignored paths #3952

v1.7.49.4

9 months ago

    • Fixed cron force running jobs every minute! #3951

v1.7.49.3

9 months ago

    • Fixed an error in ZipArchive that was causing issues on some systems
    • Fixed namespace change for Cron\Expression
    • Removed broken cron install field... use 'instructions' instead
    • Fixed duplicate jobs listing in some CLI commands

v1.7.49.2

9 months ago

    • Fix translation of key for image adapter #3944

v1.7.49.1

9 months ago

    • Rerelease to include all updated plugins/theme etc.

v1.7.49

9 months ago

    • Revamped Grav Scheduler to support webhook to call scheduler + concurrent jobs + jobs queue + logging, and other improvements
    • Revamped Grav Cache purge capabilities to only clear obsolete old cache items
    • Added full imagick support in Grav Image library
    • Added support for Validate match and match_any in forms
    • Handle empty values on require with ignore fields in Forms
    • Use actions/cache@v4 in GitHub workflows
    • Use actions/checkout@v4 in GitHub workflows #3867
    • Update code block in README.md #3886
    • Updated vendor libs to latest
    • Bug in exif_read_data #3878
    • Fix parser error in URI: #3894

v1.7.48

2 years ago

    • New Trait for fetchPriority attribute on images #3850
    • Fix for #3164. Adds aliases as possible commands during lookup #3863
    • Fix style conflict with Clockwork and tooltips #3861

v1.7.47

2 years ago

    • New Utils::toAscii() method
    • Added support for Clockwork Debugger to allow web UI (requires new clockwork-web plugin)
    • Include modular sub-pages in last-modification date computation #3562
    • Updated vendor libs to latest versions
    • Updated JQuery to 3.7.1 #3787
    • Updated vendor libraries to latest versions
    • Support for Fediverse Creator meta tag #3844
    • Fixes deprecated for return type in Filesystem with PHP 8.3.6 #3831
    • Fix for exif_imagetype() throwing an exception when file doesn't exist
    • Fix JSON output comments check with content type #3859

v1.7.46

2 years ago

    • Better handling of external protocols in Utils::url() such as mailto:, tel:, etc.
    • Handle GRAV_ROOT or GRAV_WEBROOT when / #3667
    • Fixes for multi-lang taxonomy when reinitializing the languages (e.g. LangSwitcher plugin)
    • Ensure the full filepath is checked for invalid filename in MediaUploadTrait::checkFileMetadata()
    • Fixed a bug in the on_events REGEX pattern of Security::detectXss() as it was not matching correctly.
    • Fixed an issue where read_file() Twig function could be used nefariously in content #GHSA-f8v5-jmfh-pr69

v1.7.45

2 years ago

    • Added new Image trait for decoding attribute #3796
    • Updated composer packages
    • Updated bin/composer.phar to latest 2.7.2

v1.7.44

2 years ago

    • Added PHP 8.3 to tests #3782
    • Added debugger messages when Page routes conflict
    • Added ISO 8601 date format #3721
    • Added support for .vcf (vCard) in media configuration #3772
    • Update jQuery to v3.6.4 #3713
    • Updated vendor libraries including Dom-Sanitizer v1.0.7 that addresses an XSS issue
    • Updated bin/composer.phar to latest 2.6.6
    • Updated vendor libraries to latest
    • Updated language files
    • Updated copyright year
    • Fixed a math rounding issue with number validation when using floating point steps #3761
    • Fixed an issue with Inflector::ordinalize() not working as expected #3759
    • Fixed various issues with file extension checking with dangerous extensions #3756 (https://github.com/getgrav/grav/pull/3756)
    • Fix for invalid input to foreach in UserGroupObject #3724
    • Fixed exception: Property 'jsmodule_pipeline_include_externals' does not exist in object #3661
    • Fixed too few arguments exception in FlexObjects #3658

v1.7.43

3 years ago

    • Add the ability to programmatically set a page's modified timestamp via a modified: frontmatter entry
    • Update vendor libraries
    • Include phar in the list of security.uploads_dangerous_extensions
    • When enabled system.languages.debug now dumps Key -> Value to debugger #3752
    • Updated built-in composer to latest 2.6.4 #3748
    • Added support for @import to ensure paths are rewritten correctly in CSS pipeline #3750

v1.7.42.3

3 years ago

    • Fixed a typo in Utils::isDangerousFunction

v1.7.42.2

3 years ago

    • In Utils::isDangerousFunction, handle double \\ in |map twig filter to mitigate SSTI attack
    • Better handle empty email in Validation::typeEmail()

v1.7.42.1

3 years ago

    • Quick fix for isDangerousFunction when $name was a closure #3727

v1.7.42

3 years ago

    • Added a new system.languages.debug option that adds a <span class="translate-debug"></span> around strings translated with |t. This can be styled by the theme as needed.
    • More robust SSTI handling in filter, map, and reduce Twig filters and functions
    • Various SSTI improvements in Utils::isDangerousFunction()
    • Fixed Twig |map() allowing code execution
    • Fixed Twig |reduce() allowing code execution

v1.7.41.2

3 years ago

    • Added the ability to set a configurable 'key' for the Twig Cache Tag: {% cache 'my-key' 600 %}
    • Fixed an issue where special characters in slugs would cause redirect loops