CVE-2023-31045: Release 1.24.2 · backdrop/backdrop
** DISPUTED ** A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. NOTE: the vendor disputes the security relevance of this finding because “any administrator that can configure a text format could easily allow Full HTML anywhere.”
Security release for Backdrop CMS. This release fixes 1 security vulnerability:
- Backdrop core - Moderately critical - Access bypass - BACKDROP-SA-CORE-2023-005
This release also includes a handful of bug fixes and other improvements.
Notes for updating
- This release does modify the settings.php file located outside the core directory. Updating your customized copy of this file is recommended, but not necessary. To update, copy the new section on file_not_normalized_schemes from the latest file to your site's settings.php file.
- It will be necessary to run the update script (located at /core/update.php) for this release.
Changes to site-owner-managed files
Following this release, Backdrop will block access to private files at certain specially crafted paths. Previous versions of Backdrop allowed access to these paths, and in most cases blocking access is the correct behavior.
There may be some sites that rely on allowing access to these paths. It is also possible that the changes in this release may cause other problems with file access. Sites that experience problems with private files after this change should add the following line to settings.php:
$config['system.core']['file_not_normalized_schemes'] = array('private');
This will preserve the old behavior for files saved in the private files directory, using the private stream wrapper from Backdrop core. Sites that need to preserve the old behavior for files using other stream wrappers, from contributed or custom modules, should list those stream wrappers instead of 'private'.
The comments in the default settings.php file have additional information.
Using this setting will bypass the access checks added in this release, which may allow public access to files that are meant to be private. This setting is a temporary backward-compatibility layer for misconfigured sites. It will be removed in a future release since it is insecure.
Changes since version 1.24.1 are listed below.
Bug Fixes
- Fixed: Adjust autocomplete dropdown positioning on iPad and iPhone #6050
- Fixed: “More” link on permissions page should toggle description. #6053
- Fixed: Sanitize text format names in hint below editor #6065
- Fixed: Message type not set properly for deprecated system message #6041
- Fixed: EntityReference invokes deprecated Drupal function instead of Backdrop alternative. #6036
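The fix for #6065 and the disputed CVE above come down to one rendering mistake: a text format's administrator-chosen name was placed into the editor hint as raw HTML. The following is an added illustration, not Backdrop's own code; the function names, the hint markup and the sample format name are all constructed here, and the use of htmlspecialchars() in place of the core check_plain() helper is an assumption made so the file runs stand-alone.

```php
<?php
// Added example (not from the Backdrop project): the hint shown below the
// editor, rendered from a text format's name, in vulnerable and hardened form.

// Constructed sample: a format whose *name* carries markup. The name is set by
// anyone allowed to configure text formats and is stored, so it reaches every
// editing screen that lists the format (the stored XSS the advisory describes).
$format_name = 'Plain text <script>alert(1)</script>';

// Vulnerable form: the name is concatenated straight into the markup, so the
// browser treats any tags it contains as part of the page.
function format_hint_unsafe($name) {
  return '<div class="filter-hint">Text format: ' . $name . '</div>';
}

// Hardened form: escape the name as text before it enters an HTML context.
// Backdrop core would use check_plain() here (assumed); htmlspecialchars()
// with ENT_QUOTES also neutralises quotes inside attribute values.
function format_hint_safe($name) {
  $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  return '<div class="filter-hint">Text format: ' . $escaped . '</div>';
}

// Regression check a site could run over every configured format: the text
// between the hint's wrapper tags must contain no unescaped angle brackets.
function hint_is_text_only($html) {
  $prefix = '<div class="filter-hint">Text format: ';
  $inner = substr($html, strlen($prefix), -strlen('</div>'));
  return strpos($inner, '<') === false && strpos($inner, '>') === false;
}

echo format_hint_unsafe($format_name), "\n";
echo format_hint_safe($format_name), "\n";
var_dump(hint_is_text_only(format_hint_unsafe($format_name)));
var_dump(hint_is_text_only(format_hint_safe($format_name)));
```

The same check applies to any other place a format name is rendered (select lists, filter tips), which is why escaping at the output point rather than validating the name on save is the durable fix.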
Documentation updates
- Docblocks updated with Proper @return statements. #6042
- Document $require_settings for find_conf_path(). #6002
User experience improvements
- Display container style on rows in flexible layout template builder. #5523
Miscellaneous changes
- Disable the Drupal compatibility layer when running tests. #6037
- Update l() to use the provided arguments instead of a new $variables array. #5996
- Add a GitHub Action to run cspell. #5811
- Remove the position key from hook_menu(). #5903