Update Feed

Contao 3.2.5

3 February 2014

Contao version 3.2.5 is now available (security release).

Upgrading to Contao 3.2.5

Contao 3.2.5 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Contao updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Contao install to test the 3.2.5 upgrade prior to applying it live. Get started managing your Contao installations with Installatron

What's New in Contao 3.2.5

This bugfix release fixes a potential PHP object injection vulnerability (thanks to Pedro Ribeiro). The vulnerability exists, because POST data is passed to the deserialize() function, which was the case in the core multiple times. However, we were not able to exploit the vulnerability if the POST data was accessed via the Contao Input class. This does not mean that it cannot be accomplished though.

Bugs Fixed:

Correctly load the parent pages in the navigation modules (see #6696).
Correctly encode URLs with GET parameters in the syndication links (see #6683).
Do not pass POST data to the deserialize() function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input (see #6695).
Allow any character in passwords, especially the less-than symbol (see #6447).
Purge the image cache if a file is being renamed (see #6641).
Preserve tags in custom CSS definitions (see #6667).
Make the swipe CSS selectors more specific (see #6666).
Correctly optimize floating-point numbers in style sheets (see #6674).