Releases: owen2345/camaleon-cms
Releases · owen2345/camaleon-cms
2.8.3
- Remove unused underscore.js
- Bump IntroJS to 7.2.0
- Upgrade jquery-validate to 1.21.0
- Add messages for Arabic language
- Add
methods_ln.jsfiles with regexps for DE, NL, and PT languages - Modify admin layout view to load the
methods_ln.jsfile with ajavascript_include_tagif the file exists
- Fix uploads to AWS S3 folders
- Also, introduced the path traversal validation to the add_folder method, which was found unsafe
Full Changelog: 2.8.2...2.8.3
2.8.2
- Bump AdminLTE to 2.3.11
- Has several CSS fixes and doesn't yet require jQuery 3.x
- Fix
TermTaxonomyattributes sanitizing to not remove translation tags in [#1091] (#1091) - Add bootstrap.min.css.map
- Works OK in the development environment if the
config.assets.debug = trueis set.
- Works OK in the development environment if the
Full Changelog: 2.8.1...2.8.2
2.8.1
This release is fixing several security vulnerabilities! Please, upgrade ASAP!
What's Changed
- Replace sass-rails with dartsass-sprockets
- Remove
sassandsass-railsgems from the main app's Gemfile when upgradingcamaleon_cmsto this version
- Remove
- Fix colorpicker missing admin asset, adding it to
admin-manifest.css - Security fix: Mitigate arbitrary path write in uploader (GHSL-2024-182)
- Thanks Peter Stöckli for reporting and providing clear reproduction steps
- Add Rails 7.2 to stable testing on CI, point rails_edge to main branch
- Security fix: Mitigate arbitrary path traversal in download_private_file (GHSL-2024-183)
- Thanks Peter Stöckli for reporting and providing clear reproduction steps
- Security fix: Mitigate stored XSS through user file upload (GHSL-2024-184)
- Thanks Peter Stöckli for reporting and providing clear reproduction steps
- Security fix: Mitigate remote code execution through code injection (GHSL-2024-185)
- Thanks Peter Stöckli for reporting and providing clear reproduction steps
- Security fix: Mitigate arbitrary file delete vulnerability (GHSL-2024-186)
- Thanks Peter Stöckli for reporting and providing clear reproduction steps
- Use actions/checkout@v4 on CI to remove warning about deprecated Node JS version
Full Changelog: 2.8.0...2.8.1
2.8.0
What's Changed
- Use jQuery 2.x - 2.2.4
- If there are
//= require jqueryclauses in the main application, replace them with//= require jquery2
- If there are
- Add Ruby 3.3 and Rails 7.2 to CI
- Replace Tuzitio links with
camaleon.websiteandhttpwithhttps - On cama_site_check_existence, if site is unknown, use
allow_other_host: truefor redirection to main site- Starting from Rails 7.0 a redirection to other host will raise an exception unless the
redirect_tomethod is
called with theallow_other_host: trueoption
- Starting from Rails 7.0 a redirection to other host will raise an exception unless the
- Set sprocket-rails version to be at least 3.5.1
- Use MiniMime for mime types, because the MiniMagick 5.0 has no Image#mime_type
- Reimplement the temporary uploaded file removing, wrapping it in a bl…ock to make possible overriding the block in the app initializer to use an async job
- Sanitize name and description attrs of TermTaxonomy classes to prevent XSS attacks
- Potentially breaking change: Fix ActiveRecord deprecations from Rails 6.1
fields,field_values, andfield_groupsassociations have been removed from the CustomFieldsRead mixin modulecustom_fields,custom_field_values, andcustom_field_groupsassociations should be used instead- Beware that the CustomFieldsRead mixin is included into the TermTaxonomy base model, PostDefault model, and UserMethods mixin
Full Changelog: 2.7.5...2.8.0
2.7.5
What's Changed
- Fix the test email for non-main sites by @brian-kephart in #1050
- Bump semver from 7.3.8 to 7.5.3 by @dependabot in #1057
- UserUrlValidator for SSRF mitigation by @texpert in #1048
- Bump word-wrap from 1.2.3 to 1.2.4 by @dependabot in #1059
- Remove webdrivers gem, which has no support for Chrome v115 by @texpert in #1060
- Fix JS after conversion from CoffeeScript by @texpert in #1062
Full Changelog: 2.7.4...2.7.5
Contributors
texpert, brian-kephart, and dependabot
Assets 2
2.7.4
b83efee
This commit was signed with the committer’s verified signature.
brian-kephart
Brian Kephart
Full Changelog: 2.7.3...2.7.4
This release contains security fixes.
2.7.3
8e5a0d2
This commit was signed with the committer’s verified signature.
brian-kephart
Brian Kephart
What's Changed
- Fix error rendering category pages by @brian-kephart in #1045
- Inclusion of CommonRelationships into subclasses is now performed in an inherited hook by @texpert in #1046
Full Changelog: 2.7.2...2.7.3
Contributors
texpert and brian-kephart
Assets 2
2.7.2
7ea956d
This commit was signed with the committer’s verified signature.
brian-kephart
Brian Kephart
Fixes an issue rendering category pages.
Full Changelog: 2.7.1...2.7.2
2.7.1
8f0ef38
This commit was signed with the committer’s verified signature.
brian-kephart
Brian Kephart
This release fixes a bug introduced in 2.7.0.
Full Changelog: 2.7.0...2.7.1
2.7.0
f39a357
This commit was signed with the committer’s verified signature.
brian-kephart
Brian Kephart
What's Changed
- Remove Database Cleaner and share FactoryBot factories by @texpert in #1028
- Feature/improve app settings for rails7 by @owen2345 in #1026
- Migrate existing CoffeeScript files to JavaScript by @texpert in #1029
- Start using RuboCop by @brian-kephart in #1041
- Fix seo_canonical option to be translated for the frontend, and some optimizations by @texpert in #1042
- Refactor AR models to inherit from ApplicationRecord and extract the CommonRelationships concern by @texpert in #1043
Full Changelog: 2.6.4...2.7.0
Contributors
owen2345, texpert, and brian-kephart