Version 4 supported


This security release removes the following file extensions from the default whitelist of accepted types for uploaded files: dotm, potm, jar, css, js and xltm.

If you require the ability to upload these file types in your projects, you will need to add them back in again. For more information, see "Configuring: File types".

Change Log


  • 2018-04-26 299131ed2 File security documentation (Damian Mooyman) - See ss-2018-012
  • 2018-04-25 be96858 Remove jar, dotm, potm, xltm from file extension whitelist, hard-code CSS and JS for TinyMCE support (Robbie Averill) - See ss-2018-014
  • 2018-04-24 f847f186b Remove password text from session data on failed submission (Aaron Carlino) - See ss-2018-013
  • 2018-04-23 aa365e0 Remove dotm, potm, jar, css, js, xltm from default File.allowed_extensions (Robbie Averill) - See ss-2018-014
  • 2018-04-23 f9c03fa Prevent php code execution in assets folder (Damian Mooyman) - See ss-2018-012
  • 2018-04-23 1e27835 Prevent php code execution in assets folder (Damian Mooyman) - See ss-2018-012
  • 2018-04-22 beec0c0d4 regression of SS-2017-002 (Robbie Averill) - See ss-2018-010
  • 2018-04-11 e409d6f67 Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See ss-2018-001
  • 2018-04-10 9053014a7 Validate against malformed urls (Damian Mooyman) - See ss-2018-008
  • 2018-04-10 2e13ae746 Prevent code execution in template value resolution (Damian Mooyman) - See ss-2018-006
  • 2018-04-09 db04ed9 Remove on* events as allowed properties (Damian Mooyman) - See ss-2018-004
  • 2018-04-08 d935140a9 Prevent unauthenticated isDev / isTest being allowed (Damian Mooyman) - See ss-2018-005


  • 2018-05-23 e7e32d13a Add namespace and encryptor to tests that expect blowfish to be available (Robbie Averill)
  • 2018-02-13 c6095cf word boundary issue with pathname matching (Christopher Joe)
  • 2018-02-06 5bff64b47 Fix Director::test() not persisting removed session keys on teardown (Damian Mooyman)