Update Security.MD
Update Security.MD to reflect fixes in 0.9.7.2
RussH authored Apr 17, 2023
1 parent 132cb89 commit fde38e7
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions Security.MD
Expand Up @@ -12,15 +12,16 @@ OpenCATS uses MD5 hashing to store passwords. This will be replaced in future ve

### XSS

The main vector for [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks is via the career portal (which is disabled by default). htmlspecialchars is used to protect career portal form submissions. Back-end (non-public) web-pages remain vulnerable to XSS. This will be deployed in future releases.
The main vector for [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks is via the career portal (which is disabled by default). htmlspecialchars is used to protect career portal form submissions. Back-end (non-public) web-pages remain vulnerable to XSS. This internal page protection was deployed in v0.9.7.2

### Malicious uploads

The OpenCATS career portal permits resume uploads. Please review and configure .htaccess as per the [security guidance](https://documentation.opencats.org/technical-configuration-options/vital-security-restrict-access-to-upload-folders-.htaccess) to restrict malicious uploads.
Since version 0.9.7 this is no longer required, as a whitelist of 'good' filetypes is used during upload. However, htaccess restrictions and file permissions should be reviewed and deployed.

### Composer

Composer vulnerabilities are released often and will require a review of the Composer.lock file to move to known good versions of dependencies. Other dependencies within the Composer requiements are needed only for testing and can be removed from produciton systems. These remain to be documented.
Composer vulnerabilities are released often and will require a review of the Composer.lock file to move to known good versions of dependencies. Other dependencies within the Composer requiements are needed only for testing and can be removed from produciton systems. These development packages are removed from the releases since version 0.9.7.2, however if you pull in dependencies by using composer (rather than use the releases - ensure you use the --no-dev option as documented here https://documentation.opencats.org/#which-package-to-install)

### Deployment concerns

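Review bot: the new XSS sentence contradicts the one kept directly before it: the hunk still states "Back-end (non-public) web-pages remain vulnerable to XSS." and then adds "This internal page protection was deployed in v0.9.7.2", so a reader cannot tell whether back-end pages are currently protected. Rewrite the pair as one statement, e.g. "Back-end (non-public) web pages were vulnerable to XSS before v0.9.7.2; output escaping for these internal pages was deployed in v0.9.7.2." and end it with a period. In the Composer paragraph the new line carries over the typos "requiements" and "produciton" and its final parenthesis never closes before the URL; suggest: "...can be removed from production systems. These development packages are removed from the releases since version 0.9.7.2. If you install dependencies with composer instead of using a release, run it with the --no-dev option as documented at https://documentation.opencats.org/#which-package-to-install." In the uploads paragraph, the added line says the .htaccess guidance is "no longer required" and then says it "should be reviewed and deployed"; state plainly that the upload whitelist is the primary control and the .htaccess restrictions and file permissions remain recommended as defence in depth, so operators do not read the first sentence as permission to drop them.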
