Merge branch 'release/1.7.52'

rhukster · rhukster · commit f17d90370c1c · 2026-04-29T18:47:42.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,11 @@
+# v1.7.52
+## 04/29/2026
+
+1. [](#new)
+    * GPM client now sends the running PHP version with index requests so the server can substitute PHP-aware compat fallbacks when a plugin's latest release requires a newer PHP than the client can run.
+1. [](#bugfix)
+    * [security] Extended default `uploads_dangerous_extensions` to include `md`, `yaml`, `yml`, `json`, `twig`, `ini` — page-content extensions that can be weaponised via permissive form-upload `accept` policies (GHSA-w4rc-p66m-x6qq, defense-in-depth alongside the Form 9.1.0 plugin fix).
+
 # v1.7.51
 ## 04/28/2026
 
diff --git a/system/config/security.yaml b/system/config/security.yaml
@@ -44,4 +44,12 @@ uploads_dangerous_extensions:
     - shtm
     - js
     - exe
+    # Page-content extensions: writing these into a page directory turns
+    # an upload into arbitrary page-content takeover (GHSA-w4rc-p66m-x6qq).
+    - md
+    - yaml
+    - yml
+    - json
+    - twig
+    - ini
 sanitize_svg: true
diff --git a/system/defines.php b/system/defines.php
@@ -9,7 +9,7 @@
 
 // Some standard defines
 define('GRAV', true);
-define('GRAV_VERSION', '1.7.51');
+define('GRAV_VERSION', '1.7.52');
 define('GRAV_SCHEMA', '1.7.0_2020-11-20_1');
 define('GRAV_TESTING', false);
 
diff --git a/system/src/Grav/Common/GPM/Remote/AbstractPackageCollection.php b/system/src/Grav/Common/GPM/Remote/AbstractPackageCollection.php
@@ -49,7 +49,7 @@ public function __construct($repository = null, $refresh = false, $callback = nu
         $cache_dir = Grav::instance()['locator']->findResource('cache://gpm', true, true);
         $this->cache = new FilesystemCache($cache_dir);
 
-        $this->repository = $repository . '?v=' . GRAV_VERSION . '&' . $channel . '=1';
+        $this->repository = $repository . '?v=' . GRAV_VERSION . '&php=' . PHP_VERSION . '&' . $channel . '=1';
         $this->raw        = $this->cache->fetch(md5($this->repository));
 
         $this->fetch($refresh, $callback);
diff --git a/system/src/Grav/Common/GPM/Remote/GravCore.php b/system/src/Grav/Common/GPM/Remote/GravCore.php
@@ -43,7 +43,7 @@ public function __construct($refresh = false, $callback = null)
         $channel = Grav::instance()['config']->get('system.gpm.releases', 'stable');
         $cache_dir   = Grav::instance()['locator']->findResource('cache://gpm', true, true);
         $this->cache = new FilesystemCache($cache_dir);
-        $this->repository .= '?v=' . GRAV_VERSION . '&' . $channel . '=1';
+        $this->repository .= '?v=' . GRAV_VERSION . '&php=' . PHP_VERSION . '&' . $channel . '=1';
         $this->raw = $this->cache->fetch(md5($this->repository));
 
         $this->fetch($refresh, $callback);
