Release v1.7.9 - Fix arbitrary PHP file inclusion, HTML injection/XSS vulnerability in filenames of attached files & self-XSS vulnerabilities

[elrido]

• CHANGED: Upgrading libraries to: base-x 5.0.1, bootstrap 5.3.8, DOMpurify 3.2.7, ip-lib 1.21.0 & kjua 0.10.0
• CHANGED: Refactored jQuery DOM element creation into plain JavaScript
• FIXED: Prevent arbitrary PHP file inclusion when enabling template switching
• FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users
• FIXED: Sanitize file name in attachment size hint
• FIXED: Unable to create a new paste from the cloned one when a JSON file attached (Unable to create a new paste from the cloned one when a JSON file attached #1585)
• FIXED: traffic limiter not working when using Filesystem storage and PHP opcache
• FIXED: Configuration combinations test errors

This release addresses issues with arbitrary PHP file inclusion when enabling template switching and lacking sanitation of file names when drag-&-dropping files into PrivateBin with malicious filenames. More details on this issue can be found in the security advisories:

• Template-switching feature allowing arbitrary local file inclusion through path traversal (CVE-2025-64714)
• Malicious filename can be used for self-XSS / HTML injection locally for users (CVE-2025-64711)
• Missing HTML sanitisation of attached filename in file size hint enabling persistent XSS, defacement, open redirect attacks etc. (CVE-2025-62796)

Note that as per our security policy, we only consider the latest release to be supported, so do consider upgrading your 1.7 install to 2.x as soon as possible. This backport was provided due to the major changes that come with the 2.x release and for use in installations that don't yet have PHP 7.4 or later support available.

---

This discussion was created from the release Release v1.7.9 - Fix arbitrary PHP file inclusion, HTML injection/XSS vulnerability in filenames of attached files & self-XSS vulnerabilities.

[elrido]

If anyone uses the 1.7 container images, which all should already be using PHP 8.x and has some other reason not to upgrade to 2.x, please speak up here.

If you provide me a sensible reason, I'll see about creating backport container images as well, though that will be a bit messier, as the latest tag will then briefly point to an older release, before I re-tag the 2.0.3 ones (manually or via re-tagging it in git).

[rugk]

Uhm yeah tagging the latest to an old release should be avoided if possible. Because I think we have learned people have automation on that automatically pulling it. 🙂

Maybe the GitHub action could be adjusted to have a mode not to tag latest for exactly such backport releases.

(note git has nothing to do with it, the got tags are completely unrelated to docker tags technically)

[elrido]

Ok, then we'll better not do that - that is a lot of (untested) changes just to accommodate this exceptional backport. AFAIK the only other time we bothered doing those were on 1.2.