Shopware 5.5.2
22 October 2018
Shopware version 5.5.2 is now available (security release).
What's New in Shopware 5.5.2
Security
- SW-22065: Allows XSS attack when CSRF protection is disabled. Many thanks to mschop and uehler for this report.
- SW-22386: Authenticated backend or API user can execute malicious code via image upload. Many thanks to Simon Scannell from RIPS Technologies for this report.
Changelog
- SW-22575 - Improved support for custom order and payment statuses
- SW-20804 - Meta description length is now configurable
- SW-19767 - Fixes problems with incremented failed login counts on guest accounts
- SW-19914 - Added pagination to order country select
- SW-21967 - Replace file-protocol of file-URL with empty string
- SW-21236 - The shop url is no longer added multiple times in shopping worlds media elements
- SW-22462 - Privacy checkbox is now displayed correctly in Edge
- SW-22138 - Added voteAverage.average mapping for elastic search indexing
- SW-22326 - Added index.max_result_window for ES to config.php so that the maximum number of articles shown per category can be changed
- SW-22320 - Fixed the "Immediate delivery"-filter condition for ElasticSearch use
- SW-22481 - Added new smarty block to emotion index tpl
- SW-18792 - Variants of a product can now be sorted by stock (pascalheidman-bedarf)
- SW-20226 - Added column "active" for product feed-list in the backend (shyim)
- SW-20233 - Plugin Manager reloads now on plugin update failures (niklasbuechner)
- SW-20325 - Alert window added when overwriting or deleting documents (windaishi)
- SW-20552 - Voucher Extjs Model definition fixed (windaishi)
- SW-20765 - Company and department will be shown in pdf documents if corresponding variables are filled (buddhaCode)
- SW-20766 - Added some newsletter events for un-/subscribe and sendMail (shyim)
- SW-20801 - Remove overlay-class from body-tag in any case while closing the overlay (removed the if-condition) (fzuellich)
- SW-20870 - Removed article link and delete button for rebate articles from offcanvas (tinect)
- SW-20968 - Added instance check for ES category facet (barbieswimcrew)
- SW-21019 - Removed unused code that was used for checking the vat-id during registration (nlubisch)
- SW-21228 - Fixed default value of required in config.xsd (oktupol)
- SW-21304 - Plugin configurations are sorted by their order in config.xml (shyim)
- SW-21305 - Added `Theme` typehint to class `LessDefinition` (shyim)
- SW-21306 - Add possibility to remove a supplier image via REST API (Guenzn)
- SW-21359 - Retry-After header added to maintenance page (tinect)
- SW-21447 - Added method 'getListQueryBuilder' to 'Shopware/Models/Order/Repository.php' (marcop73)
- SW-21586 - Filling the href-attribute of the wrapping a-tag of the thumbnails on detail page with the correct image url (shyim)
- SW-21605 - Use `getRawBody()` instead of `php://input` in `JsonRequest` (shyim)
- SW-21813 - Take the current configuration values for thumbnail quality, high-res thumbnail quality and generation of high-res thumbnails into account when creating a new sub-album. (EtienneBruines)
- SW-21925 - In the article module preview now the standard shop is preselected (Crease29)
- SW-21949 - Article Slider can now be sorted by random products (stephan4p)
- SW-22016 - Added event to the variant generation (larsbo)
- SW-22081 - Removed unused function in Emotion widget (jinnoflife)
- SW-22234 - Added new block `frontend_listing_box_article_image_attributes` in `listing/product-box/product-image.tpl` (JoshuaBehrens)
- SW-22311 - Added new entries for `curl_exec` and `curl_multi_exec` to the system requirements list. (larsbo)
- SW-22341 - Added paging compatibility for the custom "sPage" short parameter (buddhaCode)
- SW-22357 - Fixes generation of DOI link in non-frontend contexts (fixpunkt)
- SW-22359 - Added numeric amounts for basket items (kleinmann)
- SW-22361 - `\Shopware\Models\Form\Repository::getListQueryBuilder` can now be called without parameters (Gugiman)
- SW-22373 - Added amountNumeric and priceNumeric to order items in template (kleinmann)
- SW-22409 - Time difference of MySQL and PHP is now displayed in system info (shopwarrior)
- SW-22471 - Added scrollbar to shopping world attributes (kekster)
- SW-22487 - Added event in the notification plugin to be able to modify the QueryBuilder (larsbo)
- SW-22522 - Outsourced variant link change to own method (sebastianlenz)
- SW-22525 - Improves migration from Shopware 4 to 5 (jkrzefski)
- SW-22555 - Parameters in data-attributes are now applied automatically in the `swRegister` plugin (aragon999)
- SW-22570 - Product streams in categories are now translatable (tinect)