Hi everyone,
A release candidate for phpList 3.5.5 is now available for testing.
This release includes additional security enhancements to avoid abuse from an authenticated user.
Changes have been made to address the following issues:
- Cross-Site Scripting vulnerability on the "Send a campaign" page: the "Send a web page" URL value is now encoded, and the email addresses set to receive the notifications are verified. You can check the following GitHub issues for details: 1, 2
- Cross-Site Scripting vulnerability on "Manage administrators": the email address of an admin is now sanitized
- Cross-Site Scripting vulnerability on "Bounce rules": an unnecessary JS action has been removed
- Cross-Site Scripting vulnerability in the "Name of the organisation" option of the "Settings" page: the use of tags is now restricted and JS is disallowed
- Cross-Site Scripting vulnerability on "Import subscribers" via SVG upload: tags in CSV import headers are now ignored
Thanks to @Songohan22 for reporting the issues.
Other changes to look for
- Avoided warnings about $pageroot when phpList is installed in the web root, and improved the warning message to include the values that don't match. Thanks to @duncanc, see the pull request
- Removed redundant code following the changes included in phpList 3.5.4. Thanks to @duncanc, see the pull request
- Added SameSite to the browsetrail cookie to handle warnings in Firefox. The SameSite attribute of the Set-Cookie HTTP response header lets you declare whether your cookie should be restricted to a first-party or same-site context. More information in the mantis issue; thanks to @duncanc for raising this
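As an added illustration of the SameSite change above (example code, not phpList's own), here is a helper that sets a cookie with an explicit SameSite attribute. Only the cookie name "browsetrail" comes from the release notes; the function name, option names and the fallback for PHP versions older than 7.3 are assumptions.

```php
<?php
// Added example, not phpList code: set a cookie with an explicit SameSite attribute,
// using the options array on PHP >= 7.3 and a hand-built header on older PHP.
function set_cookie_with_samesite(string $name, string $value, array $opts = []): bool
{
    $samesite = $opts['samesite'] ?? 'Lax';
    if (!in_array($samesite, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException("Invalid SameSite value: $samesite");
    }
    $secure = (bool)($opts['secure'] ?? false);
    // Browsers reject SameSite=None unless the cookie is also marked Secure.
    if ($samesite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires the Secure flag');
    }
    $params = [
        'expires'  => $opts['expires'] ?? 0,
        'path'     => $opts['path'] ?? '/',
        'domain'   => $opts['domain'] ?? '',
        'secure'   => $secure,
        'httponly' => (bool)($opts['httponly'] ?? true),
    ];
    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+ understands the 'samesite' key in the options array natively.
        $params['samesite'] = $samesite;
        return setcookie($name, $value, $params);
    }
    // Older PHP: setcookie() has no SameSite support, so emit the header by hand.
    $header = sprintf('Set-Cookie: %s=%s', rawurlencode($name), rawurlencode($value));
    if ($params['expires'] > 0) {
        $header .= '; Expires=' . gmdate('D, d M Y H:i:s', $params['expires']) . ' GMT';
    }
    $header .= '; Path=' . $params['path'];
    if ($params['domain'] !== '') {
        $header .= '; Domain=' . $params['domain'];
    }
    if ($params['secure'])   { $header .= '; Secure'; }
    if ($params['httponly']) { $header .= '; HttpOnly'; }
    $header .= '; SameSite=' . $samesite;
    header($header, false); // false: keep any other Set-Cookie headers already queued
    return true;
}
// Usage: a first-party browsing-trail cookie that browsers should not send cross-site.
set_cookie_with_samesite('browsetrail', 'page-a|page-b', [
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),
]);
```

With SameSite set explicitly, Firefox and Chrome no longer warn about the cookie relying on the browser's default policy.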
If you have experienced issues with previous installations please install this update and see if those issues are resolved.
Download the Release Candidate here (see also "Upgrading").
Guidelines
Upgrading
Upgrade from releases older than phpList 3.3.7-RC1 by following the usual upgrade process.
Use the Automatic Updater if you are running phpList 3.3.7 or later.
Use your phpList as normal, and report any new problems that you find.
Activating the REST API
If you haven't checked the REST API yet, you can see the dedicated chapter in the manual to help you get started with it: API and Integrations
Reporting issues
Report any issues you find with phpList3 to the phpList Bugtracker, selecting "3.5.5-RC1" as the Product Version.
Use the usual bug fixing process if you know how to fix it.
Report any issues you find with phpList 4 core or REST API to the corresponding repo on GitHub.
Please read the contribution guide on how to contribute and how to run the unit tests and style checks locally.
Happy testing!