Software Update: Bolt 2.2.5

Bolt is an open source content management system and is in some ways comparable to programs such as WordPress and Drupal. Bolt is easy to use, for both installation and management, has several good-looking templates that work with Twig and are customizable, and is optimized for both desktop and mobile environments. Version 2.2.5 fixes a display issue in Google Chrome 44, brings performance improvements to the Dashboard, and fixes a security issue. The release notes read as follows:

A Chrome Quirk
A recent update in Chrome came with a weird quirk that shows up in the Bolt backend. This quirk causes the dashboard listings to become too wide, which looks slightly broken. Since this only appears in Chrome 44, and not in older versions of Chrome or other browsers, we’re pretty sure that it’s a bug in Chrome itself. However, that doesn’t help you much right now, so we’ve implemented a workaround for it.

A security fix
A minor security issue was brought to our attention by Tim Coen of Securesec GMBH. An authenticated user can upload files in Bolt, as specified by a whitelist of allowed extensions. However, the user could then rename this file to another extension, bypassing the whitelist. While this issue is not exploitable “from the outside”, we still recommend you upgrade to the latest version.

Faster Dashboard
We’ve implemented a few optimizations that affect how users are retrieved and how permissions are specified. This optimization means that a lot fewer database queries are required to do these things, leading to shorter response times. While this means an overall boost in efficiency, this is most notable on the dashboard, where a lot of permissions are determined for a lot of different records.

Detailed changes since Bolt 2.2.0:

  • Performance: Don’t request users if we don’t have to, and streamline isAllowed() functionality. (#3847)
  • Fixed / security: If a user is not root, do not allow them to change the file extension on rename in UI. (Thanks to Tim Coen of Curesec GmbH for bringing this issue to our attention. See #3815)
  • Fixed: Layout issue in Chrome 44. Pretty sure it’s a weird bug in Chrome. (#3856)
  • Changed: Update JS Markdown Options to match Parsedown for consistency. (#3820)
  • Added: A Nut command to rebuild the extension autoloaders. (#3786)
  • Changed: Send “New Bolt site” email upon first user creation only. (Thanks Fabschurt, see #3792)
  • Fixed: Issue in Geolocation field, where it would ‘forget’ the retrieved address. (#3813)
  • Fixed / Added: Have the Async file/directory routes return useful JSON responses. Display a UI alert on file/directory request failures. (#3815)
  • Fixed: Trigger database update notifications for changed field names (#3816)
  • Added: Add caching for the translation provider (#3753)
  • Fixed: If vendor/autoload.php is missing, include LowlevelException.php manually.
  • Fixed: Logic preventing building of local extension autoloader (Thanks timcooper, see #3699)
  • Fixed: Clipboard paste issue with fileuploader (Thanks timcooper, see #3702)
  • Added: Now possible to use the search feature for specific contenttype(s) (Thanks sbani, see #3713)
  • Fixed: Wrong interpretation of max_upload_filesize / post_max_size (Thanks tvlooy, see #3732)
  • Fixed: Password reset “Error: Divide by zero” (see #3730)
  • Fixed: Yaml config read and write fixed for other indentations than ‘2 spaces’. (See #3682)
  • Fixed: In menus: Don’t assume root URL is ‘/’
  • Fixed: Generate search pager link
  • Fixed: Set link of item in Menu properly, and fixes bug in populateItemFromRecord. (See #3655)
  • Update: Silex is now version 1.3.0
  • Added: Implement title_format:, to control the behavior of what’s seen as the ‘title’ in overviews and listings. See #3635
  • Changed: Create the extension’s composer.json if only a local extension exists. See #3627
  • Fixed: Use the Silex HttpFragmentServiceProvider as TwigCoreExtension has been removed in Silex 1.3. See #3632
  • Fixed: Extend SSL/TLS Handling. Fixes bug/warnings in Packagemanager. See #3633
  • Fixed: Generated tags always stay in the section, now. See #3637
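
The rename bypass from the security fix above, next to the changelog rule that a non-root user may not change the extension on rename, as an added PHP example. This is not Bolt's code: the function names, the allow-list and the sample requests are assumptions constructed for illustration, and the "before" function is a simplified model of the behaviour the release notes describe.

```php
<?php
// Added illustration, not Bolt's code. Function names and the allow-list are assumptions.
const ALLOWED_EXTENSIONS = ['jpg', 'png', 'gif', 'pdf', 'txt']; // constructed sample list

/** Lower-cased final extension of a file name, '' when there is none. */
function extensionOf(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

/** Upload check: in this model, the only place the allow-list is consulted before the fix. */
function uploadAllowed(string $name): bool
{
    return in_array(extensionOf($name), ALLOWED_EXTENSIONS, true);
}

/** Simplified model of rename before the fix: the new name is not checked. */
function renameAllowedBefore(string $old, string $new, bool $isRoot): bool
{
    return $new !== '';
}

/** Rename with the changelog rule: a non-root user may not change the extension. */
function renameAllowedAfter(string $old, string $new, bool $isRoot): bool
{
    // Keep the rename inside the directory: no empty name, path separators or NUL bytes.
    if ($new === '' || strpbrk($new, "/\\\0") !== false) {
        return false;
    }
    if ($isRoot) {
        return true; // the changelog entry restricts non-root users only
    }
    // Same extension as before (case-insensitive), and still on the allow-list.
    return extensionOf($new) === extensionOf($old) && uploadAllowed($new);
}

// Constructed rename requests: [old name, new name, is root]
$requests = [
    ['photo.jpg', 'holiday.jpg', false],
    ['photo.jpg', 'photo.JPG',   false],
    ['photo.jpg', 'photo.php',   false],
    ['photo.jpg', 'photo',       false],
    ['photo.jpg', 'photo.php',   true],
];
foreach ($requests as [$old, $new, $isRoot]) {
    printf("%-9s -> %-11s root=%-5s before=%-5s after=%s\n", $old, $new, var_export($isRoot, true),
        var_export(renameAllowedBefore($old, $new, $isRoot), true),
        var_export(renameAllowedAfter($old, $new, $isRoot), true));
}
```

Comparing the `before` and `after` columns for the non-root rows shows which renames the allow-list check on upload alone would have let through.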

Version number: 2.2.5
Release status: Final
Operating systems: Script language
Website: Bolt
License type: GPL