10.4.16

Cerb (10.4.16) is a maintenance update released on June 06, 2024. It includes 9 minor fixes and security improvements from community feedback covering the 10.4 update. You can follow these instructions to upgrade.

Changelog

Deprecated

  • [Portals/Templates] Custom templates in portals are deprecated and will be removed in a future version. A new APP_OPT_DEPRECATED_PORTAL_CUSTOM_TEMPLATES setting in framework.config.php temporarily enables the feature. It will default to disabled in the 10.5 update.

Fixed

  • [Portals/Templates] Fixed an issue that prevented reverting custom templates in the Support Center portal configuration.

  • [Automations/Editor/UX] In the automation editor, added output for HTTP error status codes (401, 403, 504). This also ensures the simulator spinner stops on error.

Security

  • [Security] A potential security issue was discovered by Cure53 in a review initiated by Kindness.

  • [Platform/Developers/Security] In the Devblocks http service, added a ->setHeader($name,$value) method to safely wrap PHP’s header() for setting response HTTP headers.

  • [Security/Portals/Support Center] In the Support Center portal, attachment downloads now use an approved list of MIME types (e.g. image/png).

  • [Security/Files] Attachment filenames are sanitized by removing disallowed characters on Windows/Linux/macOS.

  • [Security/Files] HTML file attachments are always downloaded in text/plain format.

  • [Security/Platform] Added the X-Content-Type-Options: nosniff header to all HTTP responses. This prevents the browser from attempting to auto-detect MIME types based on file extensions or content.
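The attachment-related items above (approved MIME types, filename sanitization, HTML served as text/plain, and nosniff) fit together as one download response. The following is an added illustration in plain PHP, not Cerb's own code: the function names, the contents of the allowlist, and the application/octet-stream fallback for unapproved types are assumptions.

```php
<?php
// Added illustration, not Cerb's code. Names, allowlist contents and the
// octet-stream fallback are assumptions made for this example.
const ALLOWED_MIME_TYPES = [
    'image/png', 'image/jpeg', 'image/gif', 'application/pdf', 'text/plain',
];

// Remove control characters and characters that are disallowed or carry
// path meaning on Windows/Linux/macOS, then trim dots and spaces.
function sanitize_attachment_filename(string $name): string
{
    $name = preg_replace('/[\x00-\x1F\x7F<>:"\/\\\\|?*]/', '', $name) ?? '';
    $name = trim($name, ' .');
    return $name === '' ? 'attachment' : $name;
}

// Decide the Content-Type to send, ignoring parameters such as charset.
function resolve_download_type(string $declaredMime): string
{
    $mime = strtolower(trim(explode(';', $declaredMime)[0]));
    if ($mime === 'text/html') {
        return 'text/plain'; // HTML is never served as renderable markup
    }
    return in_array($mime, ALLOWED_MIME_TYPES, true)
        ? $mime
        : 'application/octet-stream'; // assumption: unapproved types become opaque
}

// Build the response headers for one attachment download.
function build_download_headers(string $filename, string $declaredMime): array
{
    $safe = sanitize_attachment_filename($filename);
    return [
        'Content-Type'           => resolve_download_type($declaredMime),
        'Content-Disposition'    => "attachment; filename*=UTF-8''" . rawurlencode($safe),
        'X-Content-Type-Options' => 'nosniff', // browser must trust Content-Type
    ];
}

// Constructed sample inputs: a traversal-style name, an HTML upload, an
// executable with a type that is not on the allowlist.
$samples = [
    ['../../etc/pass|wd.png', 'image/png'],
    ['report<1>.html', 'text/html; charset=utf-8'],
    ['tool.exe', 'application/x-msdownload'],
];
foreach ($samples as [$name, $mime]) {
    foreach (build_download_headers($name, $mime) as $header => $value) {
        echo "$header: $value\n";
    }
    echo "\n";
}
```

Without nosniff, the text/plain downgrade for HTML could be undone by a browser that sniffs the body, which is why the header is set on every response rather than only on downloads.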