[security] block page-content extensions in uploads (GHSA-w4rc-p66m-x6qq)

rhukster · rhukster · commit 07751dc84746 · 2026-04-29T17:41:17.000+01:00
Adds md, yaml, yml, json, twig, ini to the default
security.uploads_dangerous_extensions so any code path calling
Utils::checkFilename() rejects them by default. Pairs with the
Form 9.1.0 plugin fix as defense-in-depth — this protects sites
running older Form releases that haven't yet been upgraded.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# v2.0.0-beta.4
+## 04/29/2026
+
+1. [](#bugfix)
+    * [security] Extended default `uploads_dangerous_extensions` to include `md`, `yaml`, `yml`, `json`, `twig`, `ini` — page-content extensions that can be weaponised via permissive form-upload `accept` policies (GHSA-w4rc-p66m-x6qq, defense-in-depth alongside the Form 9.1.0 plugin fix).
+
 # v2.0.0-beta.3
 ## 04/28/2026
 
diff --git a/system/config/security.yaml b/system/config/security.yaml
@@ -56,6 +56,15 @@ uploads_dangerous_extensions:
   - shtm
   - js
   - exe
+  # GHSA-w4rc-p66m-x6qq: writing these into a page directory (e.g. via a
+  # form upload with destination: self@) turns an upload into arbitrary
+  # page-content takeover. Block by default alongside the Form 9.1.0 fix.
+  - md
+  - yaml
+  - yml
+  - json
+  - twig
+  - ini
 sanitize_svg: true
 # Twig sandbox for editor-authored page content. Applies to Twig::processPage()
 # and Twig::processString() — theme templates on disk are unaffected. When
diff --git a/system/defines.php b/system/defines.php
@@ -9,7 +9,7 @@
 
 // Some standard defines
 define('GRAV', true);
-define('GRAV_VERSION', '2.0.0-beta.3');
+define('GRAV_VERSION', '2.0.0-beta.4');
 define('GRAV_SCHEMA', '1.8.0_2026-04-15_0');
 define('GRAV_TESTING', true);
 
