As part of our ongoing maintenance for Bolt 2.1, we've resolved some issues, quirks and bugs that have been discovered. This release has a small list of changes, but we've fixes two issues regarding Cookies and Timezone settings. If you bumped in to these quirks, updating to 2.1.7 will resolve them.

Update: Today we've been made aware of a security-related issue, regarding information disclosure. Thank you, JeromeBreizhtorm! We've fixed this issue, and bumped the version to 2.1.8. As always with security issues: updating to the latest version is strongly recommended, regardless of the perceived severity.

Changes in this release, since 2.1.6:

  • Check if folder exists first, when using it for uploads (See #3450)
  • Allow 'duplicate' and 'delete' from contextual menu, when a Record has relationships. Fixes #3431
  • Don't trigger DBCheck for changed indexes. Fixes #3426
  • Make Application::unsetSessionCookie() optional and Backwards-compatibility friendly (see #3427)
  • Make the removal / stripping of   characters in CKEditor fields optional. (see #3373)
  • Fixed: Allow editing of empty files. (Thanks, @SahAssar, see #3391)
  • Added: Always have a fallback for a timezone when it isn't set in either php.ini or config.yml (See #3394)
  • Only show the "delete" button if the page has been saved already. Fixes #3444
  • Fixed: prevent error message in _sub_menu.twig if strict_variables is set. (See #3462)
  • Security: Make sure we set the status correctly for 'async' requests. (See #3463)

To install this version from scratch, follow the instructions on the updated installation page in the documentation, as can be found here: Installing Bolt. To upgrade an existing site, see Updating. Be sure to get the correct versions, though: bolt-latest.tar.gz or

For the lazy:

curl -O
tar -xzf bolt-latest.tar.gz --strip-components=1
chmod -R 777 files/ app/database/ app/cache/ app/config/ theme/ extensions/
comments powered by Disqus