4.3.14 (2019-02-10)

Overview of merged pull requests

TASK: Avoid code migration error if source file does not exist

This avoids errors like fatal: bad source, source=Packages/Sites/Acme.AcmeCom/Resources/Private/Fusion/Root.ts2, destination=Packages/Sites/Acme.AcmeCom/Resources/Private/Fusion/Root.fusion during core:migrate.

  • Packages: Flow

TASK: Use proper dummy hash in PersistedUsernamePasswordProvider

This replaces the dummy hash used to prevent timing based attacks by a valid hash for a random password that was never actually stored somewhere.

This avoids problems with PHP’s encryption methods. With the previous hash, the hashing was sometimes not applied properly and the method returns early so that the time-based information disclosure vulnerability still exists.

  • Packages: Flow

BUGFIX: Support “/” in file upload fields

Adds support for file uploads with “/”s in their names. Adds a Request::calculateFieldPathsAsArray method returning the paths as arrays instead of “/”-separated strings (later “/”-split again). Keeps the calculateFieldPaths method returning the paths as strings for backwards-compatibility.

Fixes #1467

  • Packages: Flow