
Drupal Official Site Security Update (2023-04-19)

Source: Drupal official site  Published: 2023-04-19  Views: 8679  Comments: 0

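Basic information

Release date: 2023-04-19 (vendor's local time)

Update type: Security update

Updated version: 9.4.14

Detected at: 2023-04-20 02:10:04

Risk level: Unknown

Intelligence contributor: TSRC

Update title

drupal 9.4.14

Update details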

This is a security release of the Drupal 9 series.
This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005

No other fixes are included.
Which release do I choose? Security coverage information

Drupal 9.4.x will receive security coverage until June 2023 when Drupal 10.1.0 is released. Update to Drupal 9.5 soon, and plan to update to Drupal 10 by November 2023, to continue receiving security coverage.
Versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage.
Drupal 8 is end-of-life and does not receive security coverage.

Important update information
Changes to site-owner-managed files


Following this release, Drupal will block access to private files at certain specially crafted paths. Previous versions of Drupal allowed access to these paths, and in most cases blocking access is the correct behavior.
There may be some sites that rely on allowing access to these paths, or the changes in this release may cause other problems with file access. These sites can add the following line to settings.php:
$settings['file_sa_core_2023_005_schemes'] = ['private'];

This will preserve the old behavior for files saved in the private files directory, using the private stream wrapper from Drupal core. Sites that need to preserve the old behavior for files using other stream wrappers, from contributed or custom modules, should list those stream wrappers instead of 'private'.
The comments in default.settings.php have additional information.
Using this setting will bypass the access checks added in this release, which may allow public access to files that are meant to be private. This setting is a temporary backward-compatibility layer for misconfigured sites. It will be removed in a future release since it is insecure.
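
An added example (not from the Drupal release notes or from TSRC): a Python check that reports which stream wrappers a settings.php exempts from the new access checks through file_sa_core_2023_005_schemes. The sample file content and the 's3' wrapper name are constructed for illustration, and commented-out assignments are ignored.

```python
import re
import sys

SETTING = "file_sa_core_2023_005_schemes"
# Active assignment of the setting, in short [...] or array(...) syntax.
ASSIGN_RE = re.compile(
    r"""\$settings\[\s*['"]%s['"]\s*\]\s*=\s*(?:\[|array\s*\()(.*?)(?:\]|\))\s*;"""
    % SETTING,
    re.S,
)
SCHEME_RE = re.compile(r"""['"]([^'"]+)['"]""")

# Constructed sample; 's3' is a hypothetical contributed stream wrapper.
SAMPLE_SETTINGS = """<?php
/**
 * $settings['file_sa_core_2023_005_schemes'] = ['private'];
 */
# $settings['file_sa_core_2023_005_schemes'] = ['private'];
$settings['hash_salt'] = 'constructed-value';
$settings['file_sa_core_2023_005_schemes'] = ['private', 's3'];
"""


def strip_php_comments(source):
    """Drop /* */ blocks and lines starting with # or // (simplified:
    comment markers inside string literals are not handled)."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return re.sub(r"^[ \t]*(?:#|//).*$", "", source, flags=re.M)


def bypassed_schemes(source):
    """Return the stream wrappers exempted from the SA-CORE-2023-005
    access checks; the last active assignment wins, as in PHP."""
    matches = ASSIGN_RE.findall(strip_php_comments(source))
    return SCHEME_RE.findall(matches[-1]) if matches else []


if __name__ == "__main__":
    # Pass settings.php paths as arguments, or run with none to use the sample.
    inputs = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    for name, text in (inputs or {"<sample>": SAMPLE_SETTINGS}).items():
        schemes = bypassed_schemes(text)
        status = "bypass enabled for " + ", ".join(schemes) if schemes else "ok"
        print(f"{name}: {status}")
```

An empty result means no stream wrapper is exempted; any listed wrapper is one whose files are still served without the checks added in 9.4.14.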

Release type: Security update

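Software description

Drupal is an open-source content management framework (CMF) written in PHP, made up of a content management system (CMS) and a PHP development framework.

CVE ID

TSRC analysis

None yet

Industry news

None yet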
