3.6.3
UPDATE: Patch available
Unfortunately, we introduced a regression in this release that broke parameters in URLs (e.g. https://example.com/blog/page:2) and thus also pagination and all kinds of URL filters based on such parameters. A patch is now available: https://github.com/getkirby/kirby/releases/tag/3.6.3.1
🎉 Features
Allow list of secure URLs
Kirby auto-detects the base URL for your site unless you hard-code it in your config with the `url` option. By default, this auto-detection is based on your `SERVER_NAME` setting. This is safe as long as your server is correctly configured. To protect you from security issues caused by an insecure server configuration (a host name taken from a request header ends up in every absolute URL Kirby generates), you now get more options to restrict which base URLs are accepted. By default, the auto-detection works just as before. Here are the new and existing options you have.
Auto-detected URL based on the SERVER_NAME
Just like before, you can simply omit the `url` option or use the `Server::HOST_FROM_SERVER` constant to let Kirby find the correct base URL based on the `SERVER_NAME`.

```php
<?php
// site/config/config.php
return [
];
```

```php
<?php
// site/config/config.php
use Kirby\Http\Server;

return [
    'url' => Server::HOST_FROM_SERVER
];
```
This can be combined with the new `Server::HOST_ALLOW_EMPTY` option to accept empty hostnames. This leads to relative URLs (e.g. `/some-url`) for your installation:

```php
<?php
// site/config/config.php
use Kirby\Http\Server;

return [
    'url' => Server::HOST_FROM_SERVER | Server::HOST_ALLOW_EMPTY
];
```
Hard-coded URL
You can also still set the base URL for your site explicitly. This disables any form of URL auto-detection, but it also means that you might have to keep different config versions for your local installation, your staging and your production server.

```php
<?php
// site/config/config.php
return [
    'url' => 'https://example.com'
];
```

This also still works for relative URLs without a host:

```php
<?php
// site/config/config.php
return [
    'url' => '/'
];
```
URL allow list
With the new option to define a set of allowed base URLs, your Kirby installation automatically picks the right one based on `HTTP_HOST`, `HTTP_X_FORWARDED_HOST` or `SERVER_NAME` (whichever is provided) and responds with an error for any host that is not on the list. This is the option to use when you cannot fully trust the server configuration of all your environments.

```php
<?php
// site/config/config.php
return [
    'url' => [
        'https://example.com',
        'https://staging.example.com',
        'http://example.test'
    ]
];
```
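As an added illustration (not Kirby's own code), here is a standalone model of how such an allow list turns a client-supplied host header into either a trusted base URL or a rejected request; the header precedence and the `requestedHost`/`resolveBaseUrl` helpers are assumptions made for this example.

```php
<?php
// Added illustration, not Kirby's own code: a minimal model of the allow-list
// behaviour described above. The host comes from request headers that the client
// controls, so a resolved base URL is only trusted if it is on the list.
// Assumed precedence when several values are present: X-Forwarded-Host, then
// Host, then SERVER_NAME; the page does not state Kirby's exact order.
function requestedHost(array $server): ?string
{
    foreach (['HTTP_X_FORWARDED_HOST', 'HTTP_HOST', 'SERVER_NAME'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            // a forwarded header may be a comma-separated chain; take the first entry
            return strtolower(trim(explode(',', $server[$key])[0]));
        }
    }
    return null;
}

// Returns the allowed base URL whose host (and port, if any) matches the request,
// '/' for an empty host when $allowEmpty is set (cf. Server::HOST_ALLOW_EMPTY),
// and throws otherwise so the untrusted host never reaches generated links.
function resolveBaseUrl(array $allowed, array $server, bool $allowEmpty = false): string
{
    $host = requestedHost($server);
    if ($host === null) {
        if ($allowEmpty) {
            return '/';
        }
        throw new RuntimeException('No host provided');
    }
    foreach ($allowed as $url) {
        $parts     = parse_url($url);
        $candidate = strtolower($parts['host'] ?? '');
        if (isset($parts['port'])) {
            $candidate .= ':' . $parts['port'];
        }
        if ($candidate === $host) {
            return $url;
        }
    }
    throw new RuntimeException('Host "' . $host . '" is not in the URL allow list');
}

// Constructed sample requests against the allow list from the section above
$allowed = ['https://example.com', 'https://staging.example.com', 'http://example.test'];
echo resolveBaseUrl($allowed, ['HTTP_HOST' => 'staging.example.com']), PHP_EOL;
try {
    // a forged Host header that would otherwise end up in absolute URLs
    resolveBaseUrl($allowed, ['HTTP_HOST' => 'evil.invalid', 'SERVER_NAME' => 'example.com']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```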
Wildcard option
If you fully trust your server setup, you can allow any host name coming from `HTTP_HOST` or `HTTP_X_FORWARDED_HOST`. This can be necessary in some situations, but it is insecure if you don't know what you are doing with your server configuration, because the host is then taken from a header that any client can set.

```php
<?php
// site/config/config.php
use Kirby\Http\Server;

return [
    'url' => Server::HOST_FROM_HEADER
];
```

Again, this can be combined with the `Server::HOST_ALLOW_EMPTY` option to allow the host name to be left empty. It leads to relative URLs for your installation:

```php
<?php
// site/config/config.php
use Kirby\Http\Server;

return [
    'url' => Server::HOST_FROM_HEADER | Server::HOST_ALLOW_EMPTY
];
```
✨ Enhancements
- Upgraded JS dependencies
- Switched to PSR-12 code style for PHP
- Improved table block preview #4096
- Supports `$locale` parameter in `t()` and `tc()` helpers #4160
- Updated PR template & contributing guidelines #4153
- More accessible style for the selected date in the calendar #4202
- Updated `contributing.md` #4197
- New `license.md` which replicates the license terms on our site
- `contributing.md` & `readme.md` are now back in the main directory of the repo instead of the `.github` subdirectory
- Improved ImageMagick performance thanks to @silllli #4106
- Updated translations
🐛 Fixes
- Continues passing the `$inline` parameter to Markdown component plugins #4127
- Fixed today's date no longer being highlighted in the date picker #4124
- Fixed vertical alignment of the "today" text in the calendar #4205
- Fixed `npm run dev` #4134
- Fixed path ending with params separator #4138
- Focussing a `k-button-link` element in a dropdown now works #4148
- Fixed copying of multiple blocks #4129
- Fixed removing multiple blocks #4131
- Fixed copying blocks with Writer preview in Chrome #3941
- Fixed table block throwing an error when the value is empty #4164
- Fixed Kirby and PHPMailer differing in their `$text` initialisation, which failed in PHP 8.1 #4155
- Fixed JavaScript MIME type detection in the `Mime` class #4174
- Fixed layout/reading direction for Korean and Esperanto #4159
- Overwriting the URL in the config now works correctly in the Panel as well #4185
- The new Environment class now checks for correct subfolder installations #4191
- Fixed inactive Whoops debugger when throwing an exception in the Environment class #4180
- Fixed Vimeo ID extraction thanks to @Basics09 #4187
- Fixed PHPMailer empty message body exception #4183
📈 Stats
- 128 commits
- 49 closed issues and PRs
👨💻 Contributors
(in alphabetical order)