Download context-7.x-3.0.tar.gztar.gz 69.86 KB
MD5: 4522891bcd393c93f0c00e396fc57d2d
SHA-1: 9c7c6dafee82d77ac7f7ff9d755ca91e2ea03092
SHA-256: fb6fd3eaba5fbd4dcf551738d66b88e744fbba45892fb48064709517d7c99ed0
Download context-7.x-3.0.zipzip 92.8 KB
MD5: 4c79f5aa0ae27f2de3b008322354e667
SHA-1: 63b825b6ab8bf51f7f96190243d279b5ce129731
SHA-256: d4d9e6958295a9962c02a6e85fce48e8fc074944bb9860787304c59d394748fa

Release info

Created by: tekante
Created on: 16 Oct 2013 at 02:40 UTC
Last updated: 7 Jan 2015 at 20:47 UTC
Core compatibility: 7.x
Release type: Security update, Bug fixes

Release notes

This release of Context addresses two security vulnerabilities and a bug introduced in rc1.

* Vulnerability one - remote code execution possibility through json_decode implementation in the block reaction. In practical use this vulnerability should not be executable as the native PHP json_decode function should be getting used instead. This update removes the implementation in the block reaction.
* Vulnerability two - insufficient access control for ajax rendering of a block. The token based system has been removed. Users which have administer contexts permissions will have access to all blocks, a new permission has been added should the need arise to give users access to the ajax rendering of blocks without administering contexts and a hook has been added to allow for fine grained access control should it be desired. See the context.api.php file for hook details.
* Issue #2099717: Trying to get property of non-object in context_entity_prepare_view() by Peacog, derekw: Trying to get property of non-object in context_entity_prepare_view()


The selected release is the release that will be used for automated testing. Optional projects are only used for testing.



No optional projects