Releases: Alanaktion/phproject
v1.7.8
This security release fixes an issue allowing users with file upload permissions to upload and execute malicious files. It introduces a new configuration option, security.file_blacklist, which is a regular expression used to filter uploaded files by name. It also restricts access to uploaded files at the web server level, where supported.
Users on nginx should add a new location block to their configuration:
location ~ ^/uploads/ {
    deny all;
}
Big thanks to @niebardzo for reporting this issue, with an example of the exploit on our demo environment, and for responsible disclosure.
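One way a name-based regular-expression blacklist such as security.file_blacklist can be applied before an upload is stored, shown as an added example that is not Phproject's own code. The pattern, the constant name and the function filter_upload_name() are hypothetical, and the file names are constructed samples.

```php
<?php
// Added illustration, not Phproject's code. The pattern is a constructed
// sample value for a name-based blacklist, not the project's shipped default.
const SAMPLE_FILE_BLACKLIST =
    '/\.(php\d?|phtml|phar|pht|cgi|pl|py|sh|htaccess)(\.|$)/i';

/**
 * Decide whether an uploaded file name may be stored.
 * Returns the cleaned base name, or null when the name must be rejected.
 */
function filter_upload_name(string $clientName, string $blacklist): ?string
{
    // Drop any directory components supplied by the client ("/" or "\").
    $name = basename(str_replace('\\', '/', $clientName));

    // Remove control bytes (including NUL), then trailing dots and spaces,
    // so "shell.php." is judged as "shell.php".
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name) ?? '';
    $name = rtrim($name, '. ');

    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // preg_match() returns 1 on match, 0 on no match, false on error.
    // Anything other than a clean "no match" is rejected (fail closed),
    // so a broken pattern in the configuration cannot disable the filter.
    if (preg_match($blacklist, $name) !== 0) {
        return null;
    }
    return $name;
}

// Constructed sample names covering case, double extensions and path tricks.
$samples = [
    'report.pdf', 'photo.JPG', 'shell.php', 'shell.PHP', 'shell.php.jpg',
    'shell.php.', '../../x.phtml', '.htaccess', 'notes.php5', 'archive.tar.gz',
];
foreach ($samples as $sample) {
    $stored = filter_upload_name($sample, SAMPLE_FILE_BLACKLIST);
    printf("%-16s => %s\n", $sample, $stored ?? 'REJECTED');
}
```

A name filter only judges what the client claims the file is called, which is why the release also denies direct web access to the uploads directory.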
v1.7.7
Phproject 1.7.7 adds a number of fixes and improvements, and updates some of the core code to make better use of modern PHP standards and features.
Also included are a number of updated translations:
- Spanish additions by Alan Hardman
- Polish additions from Piotrek Icikowski
- Chinese additions from CuanPo Lee
v1.7.6
Phproject 1.7.6 adds support for PHP 7.3 and includes a variety of bug fixes.
Also, this may be the last release for some time, as I am not currently able to dedicate significant time to this project. If anyone is interested in contributor access to keep Phproject maintained, let me know via email ([email protected]).
v1.7.5
v1.7.5a
Includes most bug fixes and changes up to v1.7.5
v1.7.4
Version 1.7.4 includes a bug fix for session management on PHP 7 in v1.7.3 and earlier, as well as the latest version of the Fat-free framework, which includes several bug fixes and feature enhancements. Upgrading directly to this release instead of v1.7.3 is recommended to avoid session errors.
v1.7.3
Release 1.7.3 fixes an issue with updating older versions to 1.7.2.
v1.7.2
Phproject 1.7.2 includes several bug fixes primarily focused on PHP 7.2 compatibility.
v1.7.1
Phproject 1.7.1 fixes a critical bug in Phproject 1.7. All 1.7 users should upgrade immediately.
v1.7.0
Phproject 1.7 includes several bug fixes, security enhancements, and feature updates.
- Keyboard focus and Esc key handling are improved for quick edits to issues
- Potential XSS vulnerability on dashboard widgets fixed
- Better text to Emoji conversion
- Project overview optimized to load much faster on large projects
- Third-party libraries updated to their latest compatible versions