Any release notes (not just commit log) available?


(Jeremy Howard) #1

I’m always a little nervous of upgrading something when it’s working well, so was looking to see if there are release notes for 1.8 that mention if there are any critical security fixes or major feature additions that might make the upgrade a priority. All I found were the git commit messages, which are a little long, are not prioritized, and frequently don’t provide enough info for regular folks to know what they’re about.

Could anyone summarize what the major changes in 1.8 were, and whether there are any important security fixes? Is this something that may be able to be included in future releases, since I assume that a lot of people would be interested… 🙂


(Vinoth Kannan) #2

You may get some ideas if you look at the topics in the #releases category.


(Joshua Rosenfeld) #3

The best summary would be the blog post:

Yes, there were security fixes. They’re listed in the releases topic that Vinoth mentioned. Here they are:

  • Do cookie auth rate limiting earlier
  • Escape image title in lightbox
  • Escape HTML in filename
  • Upgrade Rails
  • Don’t allow re-using the current password during password reset
  • Add filename validation for backup uploads
  • Escape advanced search term
  • Don’t grant same privileges to user_api and api access
  • Fix reflected XSS with safe_mode param
  • Protect upload params, only allow very strict filenames
  • Prevent reuse of password reset
  • Users can only bookmark posts which they can see

(Jeremy Howard) #4

Many thanks to you both.