Contao 3.5.28
20 September 2017
Contao version 3.5.28 is now available (security release).
Upgrading to Contao 3.5.28
Contao 3.5.28 can be installed, or an existing installation upgraded to it, using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply Contao updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing Contao install and test the 3.5.28 upgrade before applying it live.
What's New in Contao 3.5.28
3.5.28
This bugfix release fixes an arbitrary PHP file inclusion vulnerability in the back end.
Highlights
- Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
- Improve the accessibility of the CAPTCHA widget (see #8709).
- Fix the iOS scrolling bug in the simple modal script (see #8708).
- Correctly cache the unique keys in the SQL cache (see #8712).
3.5.27
This bugfix release fixes a problem with using IDN domains.
Highlights
- Revert the Punycode library changes (see #8693).
3.5.26
This bugfix release fixes several minor issues and improves the e-mail address extraction in text elements.
Highlights
- Prevent endless loops in the book navigation module (see #8665).
- Limit the maximum size of dimensionless SVGs in the back end (see #8684).
- Correctly handle custom namespaces when combining DCA files (see #8682).
- Also check the X-Forwarded-Proto header when determining HTTPS (see #8691).
- Correctly support 64 character template names everywhere (see #6819).
- Updated the Punycode library to version 2 (see #8693).
- Correctly use the en dash in the calendar modules (see #8690).
- Remove the UTF-8 BOM when combining files (see #8689).
- Do not add the CORS headers in the install tool (see #8681).
- Correctly move folders with an "@" in their name (see #8674).
- Correctly redirect to the last page visited upon login (see #8632).
- Back port the e-mail extraction improvements (see #8679).
3.5.25
This bugfix release fixes several issues, including a problem with the page indexer and with rebuilding the search index in a multi-domain installation.
Highlights
- Only show error messages to authenticated users in the install tool (see #8666).
- Always show the modal windows in full height (see #8631).
- Support cross domain requests when rebuilding the search index (see #8597).
- Correctly store numbers with a leading zero in the Config class (see #4035).
- Delete an old search entry if the new URL is more canonical (see #8647).
- Also make Folder::$dirname an absolute path again (see #8325).
- Support using namespaces and use statements in DCA/config files (see #8635).