Releases: getkirby/kirby
5.0.0-rc.6
Pre-release notes
https://getkirby.com/releases/5
✨ Enhancements
- Add root for plugin licenses (`$kirby->root('licenses')`) (Thanks @nilshoerrmann) #6767
- New protected `IsFile::assetFactory()` method to create a new asset instance based on the file type, but without adding it to the property cache. This enhancement is related to the bug fix for #7289
🐛 Bug fixes
- `F::type()` no longer interprets `.tmp` as a valid file extension, but uses MIME detection to get the correct type.
🐛 Fixed regressions
- `File::create()` no longer throws a missing extension error #7289
- `File::create()` no longer removes the content file of an existing file if a duplicate error is thrown.
- Use `WeakMap` for `VersionCache` to avoid cache collisions due to a behavior in `spl_object_hash` that will sometimes reuse cache ids for new instances. #7302
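The collision described above is a general PHP property, not something specific to Kirby. As an added example (not Kirby's own `VersionCache` code), the following stand-alone script shows a cache keyed by `spl_object_hash()` beside one keyed by a `WeakMap`: the hash is only unique among objects that are alive at the same time, so after the first instance is destroyed a new, unrelated instance can receive the same hash and read the stale entry, while the `WeakMap` entry disappears together with its key object. The `Version` class and both cache classes are assumptions constructed for this demo; it needs PHP 8.0 or newer for `WeakMap`.

```php
<?php
// Added example, not Kirby's code: a cache keyed by spl_object_hash() beside
// a cache keyed by WeakMap. The Version class and the caches are constructed
// stand-ins for this demo.

final class Version
{
    public function __construct(public string $id) {}
}

// Keyed by spl_object_hash(): the hash is unique only among objects that are
// alive at the same time. After an object is destroyed, PHP may hand the same
// hash to a new object, so a stale cache entry can be returned for it.
final class HashKeyedCache
{
    /** @var array<string, string> */
    private array $store = [];

    public function set(object $key, string $value): void
    {
        $this->store[spl_object_hash($key)] = $value;
    }

    public function get(object $key): ?string
    {
        return $this->store[spl_object_hash($key)] ?? null;
    }
}

// Keyed by the object itself: WeakMap removes the entry as soon as the key
// object is garbage collected, so a new instance can never see an old value.
final class WeakMapCache
{
    private WeakMap $store;

    public function __construct()
    {
        $this->store = new WeakMap();
    }

    public function set(object $key, string $value): void
    {
        $this->store[$key] = $value;
    }

    public function get(object $key): ?string
    {
        // "??" goes through offsetExists() first, so a missing key is safe here.
        return $this->store[$key] ?? null;
    }
}

/** Returns what each cache hands back for a fresh, never-cached instance. */
function demo(): array
{
    $results = [];

    foreach (['spl_object_hash' => new HashKeyedCache(), 'WeakMap' => new WeakMapCache()] as $name => $cache) {
        // Cache a value for one instance, then destroy that instance.
        $old = new Version('latest');
        $cache->set($old, 'content cached for the old instance');
        unset($old);

        // A new, unrelated instance. It typically reuses the freed object
        // handle and therefore the same spl_object_hash() value.
        $new = new Version('changes');
        $results[$name] = $cache->get($new);
    }

    return $results;
}

// Typical output: the spl_object_hash cache returns the stale string for the
// new instance, the WeakMap cache returns null.
var_dump(demo());
```

Whether the hash is actually reused depends on the engine's allocation order, which is exactly why the collision showed up only sometimes; keying on the object itself removes the dependency on that order.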
5.0.0-rc.5
Pre-release notes
https://getkirby.com/releases/5
✨ Enhancements
- New `$force` argument for `Kirby\Form\Fields::submit()` and `Kirby\Form\Form::submit()` to submit any value, even if the field is disabled, inactive or not translatable. #7283 This enhancement is related to the regression fix for disabled fields (see below)
- Lab: overview is filterable via a search input #7293
- Lab: internal components are hidden from docs; unstable components are marked as such #7295
🐛 Bug Fixes
- Dialogs: `Cmd+S` doesn't re-submit the dialog when it's already submitting #7258
🐛 Fixed regressions from previous pre-releases
- Passing `false` as label value to `<k-field>` will no longer throw a console error. We use this in the new `<k-entries-field>` to disable labels for nested fields.
- The new `<k-entries-field>` checks for a valid array as given value and will no longer throw a console error if `null` is passed. #7265
- Fixed illegible text after using autofill in the login view in dark mode #7287
- Fixed referencing view buttons from config file in blueprint. #7278
- Properly resolve plugin's `extends` #7253
- `Kirby\Cms\ModelWithContent::update()` will accept disabled fields again, unless `$validate` is switched on. #7268
- Remove colored borders on buttons in collapsed button group #7279 (thanks to @adamkiss)
🩹 Unbreaking change
You can use `Kirby\Content\Content::update()` again to update a content object in memory. As before, this will not write anything to disk, but will only assign temporary content values that might be useful in a template, controller or other parts of your code. With this change, updating content in structures, blocks or entry fields will work as expected. With our new v5 content architecture, you have to adapt your code slightly though if you update content objects of models (pages, users, files, site). The content objects in models are no longer cached, so you can only keep working with the updated object if you assign it to a variable and work with that. #7285 #7250
Before

```php
$page->title();
// Foo

$page->content()->update([
    'title' => 'Bar'
]);

$page->title();
// Bar
```

After

```php
$page->title();
// Foo

$content = $page->content()->update([
    'title' => 'Bar'
]);

$page->title();
// Foo

$content->title();
// Bar
```
5.0.0-rc.4
Pre-release notes
https://getkirby.com/releases/5
Changelog since 5.0.0-rc.3
✨ Enhancements
The following enhancements have been made to fix file upload regressions:
- New async `TextareaInput.restoreSelection()` method
- New `panel.upload.announce()` method, which sends the success notification and `model.update` event after uploads have successfully completed.
- The upload module now sends a `file.upload.error` event for every file that could not be uploaded.
- Various TextareaInput methods have been turned into async methods for more stable async/await control throughout all TextareaInput methods: `insert`, `insertFile`, `insertUpload`, `prepend`, `toggle`, `wrap`
🐛 Fixed regressions from previous pre-releases
- `panel.content.save()` now calls `panel.content.cancelSaving()` to make sure that any old scheduled save requests are properly cancelled. This could have led to race conditions before.
- The `FilesField` no longer sends unnecessary `file.upload` and `model.update` emitters after upload. Those led to duplicate section reload requests. After uploads, `panel.upload.done()` already takes care of reloading the current view and all its sections.
- The `TextareaInput.insertUpload()` method now uses `await panel.content.update()` to push text value changes directly to the changes API and to reload the view correctly. This fixes #7249
- The upload module sends the `file.upload` event directly when a file has been uploaded and passes the file object correctly. Before this change, the `file.upload` event was only called in the FilesField and FilesSection components when all uploads finished.
- Both the `upload.done()` and `upload.cancel()` handlers now properly emit the `complete` event if there are any completed uploads.
- Make `HasMethods::hasMethod()` public again #7266
- Select & radio field previews: Show option text instead of value #7273
- Adjust the background color of the mobile back button in the file browser in dark mode. #7280
☠️ Deprecated
- `TextareaInput.restoreSelectionCallback()`: Use `TextareaInput.restoreSelection()` instead.
♻️ Refactored
- Move trait template annotations to class doc #7272
- `TextareaInput.selectionRange` and `TextareaInput.restoreSelection()` are used to replace the old `restoreSelectionCallback` method in dialog events for better async control.
- Removed unnecessary complete handler in `FilesSection`. The upload module already takes care of the notifications and events.
5.0.0-rc.3
Pre-release notes
https://getkirby.com/releases/5
Changelog since 5.0.0-rc.2
✨ Enhancements
- Add Taiwanese translation (thanks to Ralph)
🐛 Bug fixes
- The `Uri` class now properly serializes URIs of the form `/subfolder/`. #7255
🐛 Fixed regressions from previous pre-releases
- Fixed empty state in the Writer field when a value gets changed #7246
- It is now possible again to use external preview URLs #7240
- Enter works again as shortcut in the date field #7257
🚨 Breaking changes from previous pre-releases
- Change the underlying logic for preview tokens (breaking preview URLs created in previous v5 pre-releases). #7256
Note
This breaking change is not added to the list of breaking changes in the final release notes. The change was necessary to fix the new preview URLs before the final release. You are only affected if you used a v5 pre-release in production.
🧹 Housekeeping
- Normalize timezone during unit tests #7248
- Updated PHP dependencies
- Updated JS dependencies
- Merged the latest state from 4.8.0
4.8.0
🚨 Security Enhancement
We've added a new option to disable clean file redirects to original files in your content folder. Currently, you can access the original file (rather than a generated thumbnail) via the URL https://yourdomain.com/some-page/some-file.jpg, which redirects you to the full file URL in the media folder. This is useful when you need clean URLs for your files. However, depending on your files and filenames, such URLs could be guessable. If you want to add an extra layer of protection for your original files, you can now disable this feature.
```php
return [
    'content' => [
        'fileRedirects' => false
    ]
];
```
If you only want to switch it off for individual files, you can also pass a function.
```php
return [
    'content' => [
        'fileRedirects' => function ($file) {
            if ($file->filename() === 'supersecret.jpg') {
                return false;
            }

            return true;
        }
    ]
];
```
✨ Enhancements
- Added numeric support for image `ratio` option #7083
- Validate boolean options for `KIRBY_RENDER` env #7146
🐛 Bug fixes
- Panel: larger save button on mobile #7157
- Number input: `step: any` is now supported, allowing for any amount of decimals (e.g. great for lat/lng coordinates) #7158
- Select field: `placeholder` option is translatable now
- Tags in multiselect fields no longer overflow #7221
🧹 Housekeeping
- Updated PHP dependencies
- Updated JS dependencies
- Normalized timezone during unit tests
5.0.0-rc.2
Pre-release notes
https://getkirby.com/releases/5
Changelog since 5.0.0-rc.1
✨ Enhancements
- `page.changeTitle` and `page.changeSlug` hooks receive a new optional `$language` parameter, which passes a full `Language` object. #7227
- New `$filename` arguments for `Asset::mediaPath()`, `Asset::mediaUrl()` and `Asset::mediaRoot()` to keep the Asset class consistent with the v5 changes in the `File` class #7241
- New `_preview` param for preview iframe URLs. This new parameter can now be used in the frontend to adjust the UI when the site is shown inside the Panel's preview view. #7225
🐛 Fixed regressions from RC-1
- When changing the title for a `Page` or the `Site`, or the slug for a `Page` (in a secondary language), the `::changeTitle()` and `::changeSlug()` methods will check for an existing `changes` version and store them there as well. Otherwise, the changed title or slug would get reverted as soon as the `changes` version is published. #7227
- When changing the sort value for a `File`, the `File::changeSort()` method will check for an existing `changes` version and store it there as well. Otherwise, the changed sorting number would get lost as soon as the changes are published. #7230
- Added missing `Asset::mediaDir()` method. Thumbnails for assets can now be generated properly again. #7238
- Fixed empty writer toolbar when marks are disabled and inline mode is activated #7231
- When a structure field has disabled fields with a default value, the default value is now properly submitted and saved again. #7233
- Title fields in forms are no longer removed by accident #7232
- `Kirby\Form\Field` and `Kirby\Form\FieldClass` normalize type and name attributes and set the name to lowercase. This will now bring back the default column setup in structure fields if you use camelCase or anything other than lowercase for field names. #7236
🧹 Housekeeping
- Updated outdated JS dependencies
5.0.0-rc.1
Pre-release notes
https://getkirby.com/releases/5
Changelog since 5.0.0-beta.6
We are only listing the differences here from previous betas. For the full changelog for v5, please check out: https://getkirby.com/releases/5/changelog
🎉 Features since previous betas
- Language variables with multiple translation strings (for different counts) can now be edited in the Panel using the new entries field #7173
✨ Enhancements from previous betas
- New `Model::versions()` method, which returns an array with the two versions `latest` and `changes`. If there's no changes version, the `latest` will be used. #7153
- New `Version::sibling()` method to fetch a different version for the same model #7161
- The Fields class constructor now accepts a string value for the language parameter #7164
- The Fields class will fall back to the site if no model is given. #7164
- `Fields::passthrough()` will resolve closure values (just like fill and submit) #7164
- Add missing since tags to Fields class methods. #7164
- Added missing since tags to Form class methods. #7165
- Support for named parameters in Form constructor. Passing the `$props` array is still supported but deprecated. #7166
- Support for named parameters in `Form::for()`. Passing the `$props` array is still supported here as well, but also deprecated. #7166
- `panel.content.changes()` has been renamed to `panel.content.diff()`
- New `panel.content.hasDiff()` method.
- New `panel.content.version(versionId)` method
- New `panel.content.versions()` method
- The `content` and `original` props have been removed from all model views.
- A new `versions` prop has been added instead with `latest` and `changes` as child objects.
- The `changes` property in the `<k-model-tabs>` component has been renamed to `diff`.
- hasChanges has been renamed to hasDiff in all components.
- The PreviewView component and backend code have been radically simplified and the UX has been improved. You can now switch between versions and languages easily. #7220
[Video: changes.mp4]
- The old open button is back in each model view and a new preview button has been added. #7220
🐛 Fixed regressions and issues from previous betas
- Support `false` to disable view buttons [#7139](#7139)
- Fixed file template change [#7145](#7145)
- Fields with null values will be removed again when saving changes. This will also fix the removal of the focus point for images. [#7022](#7022)
- The content.js module no longer merges changes with the originals.
- The content.js module now also recognizes removed fields when finding changes to show the form controls.
- The `Fields::passthrough()` method no longer supports passing an empty array to reset all passthrough values. [#7164](#7164)
- Tags field preview: is selectable again [#7176](#7176)
- Fix UUID access in after hook [#7180](#7180)
- Creating a file content translation no longer throws an exception [#7184](#7184)
- Latest content file for translations is no longer created too early [#7185](#7185)
- Custom slug in secondary language is no longer overwritten on publish [#7183](#7183)
- Deleting pages and files no longer results in a PHP warning when PHP is compiled with localized warning messages [#7209](#7209)
- Grouping collections by closure works again [#7215](#7215)
- Fix `LC_MESSAGES` constant check [#7224](#7224)
🚨 Breaking changes from/since previous betas
- Removed the new ExceptionField class again [#7167](#7167)
- The `content` prop has been removed from all model views.
- Removed `Kirby\Content\Version::prepareForContent()` again [#7192](#7192)
- The PreviewButton class now uses `preview` as icon and `Preview` as text. [#7220](#7220)
- All model views now use the new `OpenButton` instead of the `PreviewButton`, and the refactored `PreviewButton` in addition to that. [#7220](#7220)
- The `PreviewDropdownButton` has been removed [#7220](#7220)
☠️ Deprecated since previous betas
- `Kirby\Panel\Model::content()` is deprecated. Use `Model::versions()['changes']` instead. [#7153](#7153)
- `Form::content()` is deprecated. Use `Form::toStoredValues()` instead. [#7166](#7166)
- `Form::data()` is deprecated. Use `Form::toStoredValues()` instead. [#7166](#7166)
- `Form::strings()` is deprecated. Use `Form::toStoredValues()` instead. [#7166](#7166)
- `Form::values()` is deprecated. Use `Form::toFormValues()` instead. [#7166](#7166)
♻️ Refactored since previous betas
- Remove `$defaults` argument from form and field methods wherever possible, to clean up default value handling [#7134](#7134)
  - Removed from `Field::toFormValue`
  - Removed from `Field::toStoredValue`
  - Removed from `FieldClass::toFormValue`
  - Removed from `FieldClass::toStoredValue`
  - Removed from `Fields::toFormValues`
  - Removed from `Fields::toStoredValues`
  - Removed from `Form::toFormValues`
  - Removed from `Form::toStoredValues`
  - Removed from
- Use `Fields::for` method to simplify the `ModelWithContent::createDefaultContent` method and get rid of the Form class usage. [#7149](#7149)
- Use the Fields class to improve Version comparison. This will especially help to improve the performance of comparing two versions, as the field instances can be reused. [#7150](#7150)
- New `Version::errors()` method [#7155](#7155)
- New `Version::isValid()` method, which is now used in `ModelWithContent::isValid()` instead of the Form class. [#7155](#7155)
- The Fields class is now used instead of Form in the Changes controller to save changes. [#7156](#7156)
- Refactor form and toStoredValue code in the EntriesField class [#7175](#7175)
- Consistent VersionId code style [#7181](#7181)
🧹 Housekeeping since previous betas
- Updated JS and PHP dependencies
4.8.0-rc.1
4.7.2
4.7.1
Update:
Unfortunately, this security release contains a regression in thumbnail generation for public folder setups. If you are working with a public folder setup, please use version 4.7.2.
🚨 Security
This release fixes three path traversal vulnerabilities in the Kirby core:
| Description | Severity | CVE ID |
|---|---|---|
| Path traversal of snippet names during file system lookup | Medium (6.3) | CVE-2025-30159 |
| Path traversal of collection names during file system lookup | Medium (6.3) | CVE-2025-31493 |
| Path traversal in the router for PHP's built-in server | Low (2.3) | CVE-2025-30207 |
TL;DR
The first two vulnerabilities only affect Kirby sites that call the `snippet()` or `collection()` helpers with dynamic name values that could be controlled by an attacker. Sites that only use fixed calls to the `snippet()` or `collection()` helpers (i.e. calls with a simple string for the snippet/collection name) are not affected.
The last vulnerability only affects Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development.
Impact
All three vulnerabilities have in common that they can be exploited via path traversal. By using special elements such as `..` and `/` separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the `../` sequence, which in most modern operating systems is interpreted as the parent directory of the current location.
The missing path traversal checks allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the relevant system roots or even outside of the Kirby installation. Depending on the vulnerability, the existence of the traversed file could be revealed or contained PHP code could be executed.
You can read more about the vulnerabilities and their impact in the security advisories linked above.
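The TL;DR and Impact sections above describe the general shape of the problem: a helper that turns a caller-supplied name into a file path below a fixed root. As an added example (not Kirby's own code and not the fix shipped in this release), the stand-alone PHP function below shows the two checks such a lookup can apply so that a dynamic snippet or collection name cannot leave its root: a syntactic allowlist on the name, which rejects `..`, dots and separators other than a single `/` between segments, followed by a canonical-path check with `realpath()` on the resolved file. The function name `resolveInRoot()`, the temporary snippet root and the sample names are constructed for this demo; it needs PHP 8.0 or newer for `str_starts_with()`.

```php
<?php
// Added example, not Kirby's code: a lookup-by-name helper with a syntactic
// allowlist and a canonical-path check. Names and the root are constructed.

/**
 * Resolve "$root/$name$extension", or return null if the name is not
 * well-formed, the file does not exist, or the resolved path leaves $root.
 */
function resolveInRoot(string $root, string $name, string $extension = '.php'): ?string
{
    // 1. Syntactic check: segments of [a-z0-9_-] joined by single slashes.
    //    Nested names such as "blocks/heading" stay possible; "..", ".",
    //    leading/trailing slashes, backslashes and null bytes are rejected.
    //    \A and \z are used so a trailing newline cannot sneak past "$".
    if (preg_match('~\A[a-z0-9_-]+(/[a-z0-9_-]+)*\z~i', $name) !== 1) {
        return null;
    }

    $root = rtrim((string) realpath($root), DIRECTORY_SEPARATOR);
    if ($root === '') {
        return null; // root itself does not exist
    }

    $candidate = realpath($root . DIRECTORY_SEPARATOR . $name . $extension);
    if ($candidate === false) {
        return null; // no such file; nothing to reveal or include
    }

    // 2. Canonical-path check: realpath() has resolved symlinks and any
    //    remaining "..", so the result must still sit below $root. The
    //    separator suffix stops "/srv/snippets-evil" matching "/srv/snippets".
    if (str_starts_with($candidate, $root . DIRECTORY_SEPARATOR) === false) {
        return null;
    }

    return $candidate;
}

// Constructed demo: a temporary snippet root with one nested snippet.
$root = sys_get_temp_dir() . '/snippets-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/blocks', 0700, true);
file_put_contents($root . '/header.php', '<header></header>');
file_put_contents($root . '/blocks/heading.php', '<h1></h1>');

// Constructed sample names: two legitimate ones and a few malformed ones.
$cases = [
    'header'              => 'valid top-level snippet',
    'blocks/heading'      => 'valid nested snippet',
    '../header'           => 'parent-directory segment',
    'blocks/../../header' => 'parent-directory segments after a valid prefix',
    'header.php'          => 'dot in the name',
    "header\0"            => 'null byte',
    "header\n"            => 'trailing newline',
];

foreach ($cases as $name => $label) {
    $result = resolveInRoot($root, $name);
    printf("%-26s %-48s %s\n", json_encode($name), $label, $result === null ? 'rejected' : 'ok');
}

// Clean up the temporary root again.
unlink($root . '/blocks/heading.php');
unlink($root . '/header.php');
rmdir($root . '/blocks');
rmdir($root);
```

The two checks are deliberately redundant: the allowlist gives a clear error early and keeps the accepted grammar small, while the `realpath()` comparison holds even if the allowlist is later loosened, because it tests the path the file system will actually open.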
Credits
Thanks to Bruno Meilick (@bnomei) and Tobias Möritz (@tobimori) for their responsible disclosure and for bringing this type of attack vector to our attention.
Note
If you deliberately use path traversal with the `snippet()` helper in your projects, these uses will break after updating to this patched version. You can read more about this and possible alternatives in the security advisory.
✨ Enhancements
- Improve `$page->dirname()` / `diruri()` docblocks #7102
🐛 Bug fixes
- Fix block selector not closing after pasting block #7087 (thanks to @fnwbr)
- `Media::thumb()`: Fix passing `File $model` and test logic #7142
- Fix duplicated slash in the `router.php` for the built-in PHP server #7188