10.4.16
Cerb (10.4.16) is a maintenance update released on June 06, 2024. It includes 9 minor fixes and security improvements from community feedback covering the 10.4 update. You can follow these instructions to upgrade.
Changelog
Deprecated
- [Portals/Templates] Custom templates in portals are deprecated and will be removed in a future version. A new APP_OPT_DEPRECATED_PORTAL_CUSTOM_TEMPLATES setting in framework.config.php temporarily enables the feature. It will default to disabled in the 10.5 update.
Fixed
- [Portals/Templates] Fixed an issue that prevented reverting custom templates in the Support Center portal configuration.
- [Automations/Editor/UX] In the automation editor, added output for HTTP error status codes (401, 403, 504). This also ensures the simulator spinner stops on error.
Security
- [Security] A potential security issue was discovered by Cure53 in a review initiated by Kindness.
- [Platform/Developers/Security] In the Devblocks http service, added a ->setHeader($name,$value) method to safely wrap PHP’s header() for setting response HTTP headers.
- [Security/Portals/Support Center] In the Support Center portal, attachment downloads now use an approved list of MIME types (e.g. image/png).
- [Security/Files] Attachment filenames are sanitized by removing disallowed characters on Windows/Linux/macOS.
- [Security/Files] HTML file attachments are always downloaded in text/plain format.
- [Security/Platform] Added the X-Content-Type-Options: nosniff header to all HTTP responses. This prevents the browser from attempting to auto-detect MIME types based on file extensions or content.
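
One way a download handler could combine the four attachment hardening changes above, as an added PHP example that is not Cerb's own code. The function names, the allowlist entries other than image/png, the application/octet-stream fallback and the stripped character set are assumptions; the headers are returned as an array rather than sent through the Devblocks ->setHeader() wrapper, whose implementation is not shown on this page.

```php
<?php
// Added illustration, not Cerb source code. Function names, the allowlist
// entries (beyond image/png), the octet-stream fallback and the exact set of
// stripped characters are assumptions.
const APPROVED_MIME_TYPES = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf', 'text/plain'];

// Remove path components, control characters (including CR/LF) and the
// characters that are reserved in filenames on Windows, Linux or macOS.
function sanitize_filename(string $name): string {
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[\x00-\x1F\x7F<>:"\/\\\\|?*]/', '', $name);
    $name = trim($name, '. ');
    return $name === '' ? 'attachment' : $name;
}

// Map the stored MIME type to the Content-Type that is actually sent.
function download_content_type(string $declared): string {
    $type = strtolower(trim(explode(';', $declared, 2)[0]));
    // HTML is served as plain text so it is shown as source, never rendered
    // (treating XHTML the same way is an assumption of this example).
    if (in_array($type, ['text/html', 'application/xhtml+xml'], true)) {
        return 'text/plain';
    }
    return in_array($type, APPROVED_MIME_TYPES, true) ? $type : 'application/octet-stream';
}

function attachment_headers(string $filename, string $declaredType): array {
    return [
        'Content-Type' => download_content_type($declaredType),
        'Content-Disposition' => "attachment; filename*=UTF-8''" . rawurlencode(sanitize_filename($filename)),
        'X-Content-Type-Options' => 'nosniff',
    ];
}

// Constructed sample attachments: [stored filename, stored MIME type]
$samples = [
    ['screenshot.png', 'image/png'],
    ["..\\..\\notes\r\nX-Injected: 1.html", 'text/html; charset=utf-8'],
    ['diagram.svg', 'image/svg+xml'],
];
foreach ($samples as [$name, $type]) {
    foreach (attachment_headers($name, $type) as $header => $value) {
        echo "$header: $value\n";
    }
    echo "\n";
}
```

Run from the PHP CLI, the second sample comes out as text/plain with the path prefix, CR/LF and colon stripped from its filename, and the SVG falls back to application/octet-stream because it is not on the list.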