We're pleased to announce 2.4.1, our first update to the 2.4 codebase. You can check a full list of changes in our changelog, but here are some highlights:
- Fixed a bug where logged-in CMS authors were allowed to rename files with harmful extensions in the "Files & Images" section.
- Improved installer security by disallowing re-installation when a configuration file is already present.
- The installer now defaults to "live mode" instead of "dev mode", and no longer sets certain domains to "dev mode" by default. This fixes an issue where attackers were able to force a site into "dev mode" by spoofing the domain name on certain server configurations.
- Fixed password encryption when saving members through the "Add Member" dialog in the "Security" admin. The saving process was disregarding password encryption and saving passwords as plaintext (the issue was introduced in 2.4.0).
- Fixed potential information disclosure on misconfigured servers by disallowing direct execution of *.php files in "sapphire", "cms" and "mysite" folders. If PHP was configured to show errors on screen (development setting), attackers could find out server paths and other environment information.
- Allow CMS authors to set their own localized date and time formats, independently from the defaults set through their interface language.
- More usable date picker (jQuery UI) for date form fields (both in the CMS and in website forms)
- Better URL "transliteration" of special characters like Umlauts or Macrons (Example URL in German: "Brötchen für alle!", URL in 2.4.0: "brtchen-fr-alle", URL in 2.4.1: "broetchen-fuer-alle")
- Better batch editing of comments in the admin interface (e.g. marking multiple comments as "spam")
- More sophisticated access control for decorators on page types (tri-state permissions checks: allow, deny, ignore).
- Added a Latvian translation of the CMS interface (thanks Kristaps and Andris!)
Mostly, however, 2.4.1 is a security release for vulnerabilities discovered recently and contains all enhancements and bugfixes since the 2.4.0 release.
We'd also like to thank those in our community who took the time to submit bug reports and test SilverStripe!
If you're still using the 2.3.x version of SilverStripe CMS, you can check out the 2.3.8 changelog here.