Downloads

Download tar.gz 103.65 KB
MD5: 2d7711f337750672591786f6b869ee91
SHA-1: f73ac9c6b9000f3dbb3a99df2b4c94a4528ffbcd
SHA-256: 1bb96b1319d23ae89458fed9934b4b0f00eafe8257c071b892e5a1a32e707487
Download zip 115.12 KB
MD5: d8a62571ea82ae14a20456836bd7f438
SHA-1: c5cd5a32bf294be5a69fe8e93a9b5981d448c9d2
SHA-256: ce5fda0367ae8e821439fac0dd1d5deb156af2da92cdc2beaa726315941bd2d5

Release notes

  • Added feature in settings page: "respect node access" option, which requires the hotblocks admin to have view access to any node that they want to add to or remove from the hotblock. Previously, being able to administer a hotblock did not restrict the nodes available to use with it.
  • Non-admin users who did not have view access to a node could still view it within the context of a hotblock. Now they will either need node access to do so, or the "respect node access" option must be turned off.
  • On admin/settings/hotblocks the "Term for hotblocks item" setting did not sanitize the user input, so a malicious admin would be able to inject unintended markup or JavaScript.
  • The URLs to add or remove an item from a hotblock were vulnerable to use in a CSRF attack, so a person who had discovered the necessary URL (for example /hotblocks/remove/1/2) could embed this URL into an image src on a remote page and trick an administrator into inadvertently affecting the content in a hotblock.
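
The CSRF item above comes down to a state-changing URL that the server accepts on the strength of the administrator's session alone. The sketch below is an added example, not the module's code and not necessarily how this release fixed the issue: it models one common mitigation, a token bound to the session and the exact action path, in plain Python. The function names, the site key and the session ids are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed value: a per-site secret that never leaves the server.
SITE_KEY = secrets.token_bytes(32)


def action_token(session_id: str, path: str) -> str:
    """HMAC over session id and action path, so a token is valid only for
    one user session and one specific add/remove URL."""
    msg = f"{session_id}\n{path}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()


def signed_url(session_id: str, path: str) -> str:
    """URL the admin UI would render for its own add/remove links."""
    return f"{path}?{urlencode({'token': action_token(session_id, path)})}"


def is_authorized(session_id: str, url: str) -> bool:
    """Server-side check to run before changing hotblock content."""
    parts = urlsplit(url)
    supplied = parse_qs(parts.query).get("token", [""])[0]
    expected = action_token(session_id, parts.path)
    # Constant-time comparison; bytes so odd input cannot raise TypeError.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def demo() -> dict:
    admin = "sess-admin-constructed"   # constructed session ids
    other = "sess-other-constructed"
    good = signed_url(admin, "/hotblocks/remove/1/2")
    token = good.split("token=")[1]
    return {
        "ui_link": is_authorized(admin, good),
        # Bare URL as it would arrive from a remote image src: no token.
        "bare_url": is_authorized(admin, "/hotblocks/remove/1/2"),
        # A token minted for one item does not transfer to another.
        "other_item": is_authorized(admin, f"/hotblocks/remove/1/3?token={token}"),
        # A token minted for a different session does not transfer.
        "other_session": is_authorized(admin, signed_url(other, "/hotblocks/remove/1/2")),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14} -> {'accepted' if ok else 'rejected'}")
```

Only the link rendered for the administrator's own session is accepted; the bare URL, a token reused on a different item, and a token from another session are all rejected.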
Created by: justindodge
Created on: 2 Nov 2011 at 15:16 UTC
Last updated: 1 Aug 2018 at 23:20 UTC
Security update
New features
Insecure
Unsupported
