We've just released Bolt 2.2.5 as an ongoing maintenance release for Bolt. This release comes with a bunch of new features, bugfixes and one minor security fix.

New Features

A Chrome quirk

A recent update in Chrome came with a weird quirk that shows up in the Bolt backend. This quirk causes the dashboard listings to become too wide, which looks slightly broken. Since this only appears in Chrome 44, and not in older versions of Chrome or other browsers, we're pretty sure that it's a bug in Chrome itself. However, that doesn't help you much right now, so we've implemented a workaround for it.


A security fix

A minor security issue was brought to our attention by Tim Coen of Curesec GMBH. An authenticated user can upload files in Bolt, that are checked against a whitelist of allowed extensions. However, the user could then rename this file to another extension, bypassing the whitelist. While this issue is not exploitable "from the outside", we still recommend you upgrade to the latest version.

Faster Dashboard

We've implemented a few optimizations, that affect how users are retrieved, and how permissions are specified. This optimization means that a lot less database queries are required to do these things, leading to shorter response times. While this means an overall boost in efficiency, this is most notable on the dashboard, where a lot of permissions are determined for a lot of different records. See the screenshot for a comparison.


Detailed changes since Bolt 2.2.0:

  • Performance: Don't request users if we don't have to, and streamline isAllowed() functionality. (#3847)
  • Fixed / security: If a user is not root, do not allow them to change the file extension on rename in UI. (Thanks to Tim Coen of Curesec GmbH for bringing this issue to our attention. See #3815)
  • Fixed: Layout issue in Chrome 44. Pretty sure it's a weird bug in Chrome. (#3856)
  • Changed: Update JS Markdown Options to match Parsedown for consistency. (#3820)
  • Added: A Nut command to rebuild the extension autoloaders. (#3786)
  • Changed: Send "New Bolt site" e-mail upon first user creation only. (Thanks Fabschurt, see #3792)
  • Fixed: Issue in Geolocation field, where it would 'forget' the retrieved address. (#3813)
  • Fixed / Added: Have the Async file/directory routes return useful JSON responses. Display an UI alert on file/directory request failures. (#3815)
  • Fixed: Trigger database update notifications for changed field names (#3816)
  • Added: Add caching for the translation provider (#3753)
  • Fixed: If vendor/autoload.php is missing, include LowlevelException.php manually.
  • Fixed: Logic preventing building of local extension autoloader (Thanks timcooper, see #3699)
  • Fixed: Clipboard paste issue with fileuploader (Thanks timcooper, see #3702)
  • Added: Now possibile to use the search feature for specific contenttype(s) (Thanks sbani, see #3713)
  • Fixed: Wrong interpretation of max_upload_filesize / post_max_size (Thanks tvlooy, see #3732)
  • Fixed: Password reset "Error: Divide by zero" (see #3730)
  • Fixed: Yaml config read and write fixed for other indentations than '2 spaces'. (See #3682)
  • Fixed: In menus: Don't assume root URL is '/'
  • Fixed: Generate search pager link
  • Fixed: Set link of item in Menu properly, and fixes bug in populateItemFromRecord. (See #3655)
  • Update: Silex is now version 1.3.0
  • Added: Implement title_format:, to control the behaviour of what's seen as the 'title' in overviews and listings. See #3635
  • Changed: Create the extension's composer.json if only a local extension exists. See #3627
  • Fixed: Use the Silex HttpFragmentServiceProvider as TwigCoreExtension has been removed in Silex 1.3. See #3632
  • Fixed: Extend SSL/TLS Handling. Fixes bug/warnings in Packagemanager. See #3633
  • Fixed: Generated <meta>-tags always stay in the <head> section, now. See #3637

Install & Upgrade

To install this version from scratch, follow the instructions on the updated installation page in the documentation, as can be found here: Installing Bolt. To upgrade an existing site, see Updating. Be sure to get the correct versions, though: bolt-latest.tar.gz or bolt-latest.zip.

For the lazy:

curl -O http://bolt.cm/distribution/bolt-latest.tar.gz
tar -xzf bolt-latest.tar.gz --strip-components=1
chmod -R 777 files/ app/database/ app/cache/ app/config/ theme/ extensions/
comments powered by Disqus