Headline
CVE-2021-46363: Release notes for Magnolia CMS 6.2.4 :: Magnolia CMS Docs
An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim’s computer when opening the exported files with Microsoft Excel.
Support for OPTIONS method for CORS preflight requests
In this release, Magnolia brings two new filter implementations that handle CORS preflight requests:
info.magnolia.module.site.filters.SiteAwareCorsFilter
info.magnolia.cors.SelfConfiguredCorsFilter
When an OPTIONS HTTP request is received, Magnolia responds with headers that describe delivery capabilities based on the URI of the request and on active security and site configurations.
Developers can now configure CORS headers to be returned for such requests via either a site configuration or a configuration on the CORS filter.
Example configuration for a site called foo:
/modules/multisite/config/sites/foo/cors.yaml
rest:
allowedHeaders:
- '*'
allowedMethods:
- GET
- POST
- OPTIONS
allowedOrigins:
- https://magnolia-cms.com
- https://example.com
uris:
rest:
patternString: /.rest/*
Same configuration on the CORS filter:
Resolver of asset links in rich text fields
When configuring a Magnolia v2 delivery endpoint, you can use a reference resolver for asset links in rich text fields. The resolver converts UUID-based asset links to links with an absolute or relative URL. For the resolver properties, see Resolving asset links in rich text fields.
Example fragment of a REST response with the word Kyoto functioning as a link to an asset called kyoto.jpg and with the UUID 0a3bb34f-b49f-4e02-a9e9-e46cf860b612:
<p>Experience the still beauty that permeates and surrounds <a href=\"${link:{uuid:{0a3bb34f-b49f-4e02-a9e9-e46cf860b612},repository:{dam},path:{/untitled}}}\">Kyoto</a>.</p>
A fragment showing the converted link:
<p>Experience the still beauty that permeates and surrounds <a href=\"http://localhost:8080/magnoliaAuthor/fallback/dam/jcr:0a3bb34f-b49f-4e02-a9e9-e46cf860b612/kyoto.jpg\">Kyoto</a>.</p>
Asset names numbered on duplication
If you duplicate an asset, a number will be appended to its name (left). Previously, with no such number, it was difficult to tell the original and the duplicate apart (right).
Timeout for locking mechanism
There is now a five-minute timeout for the locking mechanism to mitigate an issue where nodes are locked even after publishing. For more details about this issue, see EEPUBLISH-28.
In addition, logging of publishing operations on the Receiver has been moved from the TRACE level to the DEBUG level.
Improved observation mechanism
When a new version of a content node is created in one workspace, the improved Magnolia observation mechanism (info.magnolia.observation.*) makes sure that Magnolia does not react unnecessarily to any event that creates a node in /jcr:system.
Better user experience in tree view
To improve column filtering in the tree view, the following has been implemented:
When at least one column filter is active, the tree view uses a flat structure. This is similar to the Magnolia 5 UI search view, but now the views are not switched.
When all column filters are empty, the tree view reverts to the default structure.
New API to configure default values in form fields
Default values must be applied to form fields explicitly. To facilitate this, the EditorView#applyDefaults() API has been introduced.
A select field that uses an option list can now specify an option (string) as a default value, while a JCR select field can specify a UUID or path.
Deprecated upload field
Do not use UploadFieldDefinition to upload assets directly to an app workspace. It is best to store your assets in the DAM workspace and link to them using a link field.
DamUploadFieldDefinition makes only sense in the context of the Magnolia Assets subapp. Do not use it generically in any other context.
New password field for Magnolia 6 UI
PasswordFieldDefinition renders a text field that masks input values when used only with custom actions. Note that passwords can be revealed in plain text when the field is used in dialogs with a standard commit action.
jcrChildNodeProvider used by default with JCR multi field
New availability rule to check depth of JCR item
The jcrDepthRule action availability type returns true if the item is within the specified depth range.
Clear node name behavior in content type apps
To avoid any confusion between the name and jcrName properties:
Apps generated from content types use name instead of jcrName.
The JCR Browser app shows only real node names regardless of whether jcrName is configured.
Support for Java 7 locale IDs
From this release, you can use Java 8 or Java 7 locale IDs in configuration. To refer to the Dutch spoken in Belgium, for example, you may use either nl-BE or nl_BE.