Releases: ci4-cms-erp/ci4ms

Security Hotfix: Critical RCE Patch & File Manager Hardening

02 Feb 18:18

⚠️ Security Critical Update

This release addresses critical security vulnerabilities. All users are strongly advised to upgrade immediately.

🔒 Security Patches

  • Critical (RCE): Patched a Remote Code Execution vulnerability in the File Manager rename endpoint that allowed bypassing extension whitelists (Reported by Lars van Mil).
  • High: Fixed a Directory Displacement vulnerability by disabling arbitrary folder move operations.
  • Medium: Enforced stricter blacklist rules for system directories. Sensitive paths like .env, .git, .github, and vendor are now explicitly blocked from listing and access.
  • Medium: Implemented missing CSRF token validation for File Manager AJAX operations (Delete, Save, Rename).
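The following PHP is an added example, not code from the ci4ms project, that models the server-side checks behind the first three patches above: one extension whitelist shared by create, upload and rename; a blacklist of system paths (.env, .git, .github, vendor) enforced before any filesystem call; and a rename that may only change a file's name, never its directory, so the endpoint cannot be used as a move operation. The class name, the allowed-extension list and the demo paths are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not ci4ms project code. Class name, ALLOWED_EXTENSIONS and the
// demo sandbox are assumptions; BLOCKED_PATHS mirrors the release notes.
final class FileManagerGuard
{
    /** Extensions a user may create, upload or rename to (assumed list). */
    private const ALLOWED_EXTENSIONS = ['txt', 'md', 'json', 'css', 'js', 'html'];

    /** Top-level entries that are never listed, read or renamed. */
    private const BLOCKED_PATHS = ['.env', '.git', '.github', 'vendor'];

    private string $root;

    public function __construct(string $root)
    {
        $real = realpath($root);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("Root directory not found: {$root}");
        }
        $this->root = rtrim($real, '/\\');
    }

    /**
     * Turn a user-supplied relative path into an absolute path under the root.
     * Rejects absolute paths, any ".." segment and blacklisted top-level entries.
     * Works on the string only, so it also validates a not-yet-existing target.
     */
    public function resolve(string $userPath): string
    {
        $normalized = str_replace('\\', '/', $userPath);
        if ($normalized === '' || $normalized[0] === '/' || preg_match('#^[A-Za-z]:#', $normalized)) {
            throw new RuntimeException('Absolute paths are not allowed');
        }
        $segments = [];
        foreach (explode('/', $normalized) as $segment) {
            if ($segment === '' || $segment === '.') {
                continue;
            }
            if ($segment === '..') {
                throw new RuntimeException('Path traversal is not allowed');
            }
            $segments[] = $segment;
        }
        if ($segments === [] || in_array($segments[0], self::BLOCKED_PATHS, true)) {
            throw new RuntimeException('Access to this path is blocked');
        }
        return $this->root . '/' . implode('/', $segments);
    }

    /**
     * One whitelist for every endpoint. Only the final extension counts, so
     * "notes.txt.php" is "php" (rejected) while "notes.md" is "md" (allowed).
     */
    public function hasAllowedExtension(string $fileName): bool
    {
        $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
        return $ext !== '' && in_array($ext, self::ALLOWED_EXTENSIONS, true);
    }

    /**
     * Rename keeps the file in its current directory: $newName must be a bare
     * file name, so this endpoint cannot double as a "move" operation.
     */
    public function rename(string $fromPath, string $newName): string
    {
        if ($newName === '' || $newName !== basename($newName) || $newName === '.' || $newName === '..') {
            throw new RuntimeException('New name must be a plain file name');
        }
        if (!$this->hasAllowedExtension($newName)) {
            throw new RuntimeException('Extension not allowed');
        }
        $source = $this->resolve($fromPath);
        if (!is_file($source)) {
            throw new RuntimeException('Source is not a file');
        }
        $target = dirname($source) . '/' . $newName;
        if (file_exists($target)) {
            throw new RuntimeException('Target already exists');
        }
        if (!rename($source, $target)) {
            throw new RuntimeException('Rename failed');
        }
        return $target;
    }
}

// Demo on a constructed sandbox under the system temp directory.
$root = sys_get_temp_dir() . '/fm-guard-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/notes.txt', "hello\n");
$guard = new FileManagerGuard($root);

$attempts = [
    ['uploads/notes.txt', 'notes.md'],       // allowed
    ['uploads/notes.txt', 'notes.php'],      // rejected: extension whitelist
    ['uploads/notes.txt', '../notes.txt'],   // rejected: would move the file
    ['../.env', 'config.txt'],               // rejected: traversal
    ['vendor/autoload.php', 'autoload.txt'], // rejected: blacklisted path
];
foreach ($attempts as [$from, $to]) {
    try {
        $guard->rename($from, $to);
        echo "OK       rename {$from} -> {$to}\n";
        $guard->rename('uploads/' . $to, 'notes.txt'); // restore for the next round
    } catch (RuntimeException $e) {
        echo "REJECTED rename {$from} -> {$to}: {$e->getMessage()}\n";
    }
}
```

Run it with `php guard.php`; the first attempt succeeds and the other four are rejected before any filesystem change. The CSRF fix in the fourth bullet is a separate layer: in CodeIgniter 4 it is the framework's own `csrf` filter (enabled in app/Config/Filters.php), with AJAX callers sending the current csrf_hash() in the X-CSRF-TOKEN header whose name is set in Config\Security; that mechanism is not reproduced here.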

🛠 Improvements & Changes

  • File Manager: Disabled "Drag & Drop" functionality to prevent accidental directory structure changes and improve stability.
  • UI/UX: Updated Monaco Editor file tree configuration; folders now default to a collapsed state for better navigation.
  • Refactor: Centralized file extension validation logic for better consistency across endpoints.

🏆 Credits

Special thanks to security researcher Lars van Mil for responsibly disclosing the vulnerabilities and assisting in the validation of these fixes.

0.26.3.1

19 Sep 01:39

0.26.3.1 Pre-release

Highlights

  • The backend now includes a bundled Log Viewer module on fresh installs; you can review writable/logs/ straight from /backend/logs.
  • README and architecture docs now reflect the expanded Composer dependency set and clarify that module scaffolding uses php spark make:module.

Documentation

  • The Developer Handbook and Architecture Guide were refreshed to cover the log viewer module, the composer-driven module generator, and related workflows.
  • docs/index.html gained a changelog quick link, and the new CHANGELOG.md is maintained starting with this release.

Technical Notes

  • InstallService seeds the log viewer menu/permission entry so new environments expose it immediately.
  • Composer dependencies now explicitly list ci4commonmodel, sql2migration, ci4-cms-erp/ext_module_generator, claviska/simpleimage, seunmatt/codeigniter-log-viewer, and the existing utilities.

0.26.3.0

18 Sep 23:11

0.26.3.0 Pre-release

  • Highlight: Added backend log viewer module using CI Log Viewer, accessible under backend navigation once SweetAlert assets are available globally.
  • Highlight: Method management UI now captures CRUD permissions as JSON flags, offers module-aware dropdowns, and improves action buttons/navigation.
  • Highlight: Composer gains ci4commonmodel, sql2migration, ext_module_generator, claviska/simpleimage, and seunmatt/codeigniter-log-viewer; legacy module:create CLI is removed in favor of these packages.
  • Docs: Internal documentation links now point at their GitHub equivalents; changelog introduced for version tracking.
  • Tech notes: After pulling, run composer install to sync dependencies and clear caches if necessary.

0.21.3.7

15 Oct 13:26

0.21.3.7 Pre-release

Full Changelog: 0.21.3.6...0.21.3.7

0.21.3.4

01 Jan 19:30

0.21.3.4 Pre-release

Full Changelog: 0.21.3.3...0.21.3.4

0.21.3.3

23 Nov 02:01

0.21.3.3 Pre-release

Bugs fixed.