Releases: emoncms/emoncms

11.13.0

12 May 20:04

  • update version
  • Merge pull request #1989 from emoncms/service-runner-whitelist
  • support post process and sync module
  • Hardening: whitelist for service runner

11.12.4

12 May 19:33

  • fix github actions failure
  • exclude AntiXSS from scanning, exclude abstract naming
  • phpcbf changes

11.12.3

12 May 08:20

  • fix incorrect mysql db view path
  • test fix for github workflow

11.12.2

11 May 16:56

  • update version
  • php 7 compatibility
  • update version

11.12.1

11 May 12:57

  • Merge pull request #1987 from emoncms/fix/trusted-proxy-host-header-injection
  • fix log escapeshell issue
  • remove escapeshell from logfile
  • fix redis error
  • update version (modular admin)
  • minor fixes
  • include local changes tag
  • fix core info
  • fix access to directories
  • use components directly for core as well
  • clean up camel case
  • consistent model names
  • re-organise
  • log model, clean up
  • fix routes
  • clean up
  • separate services class
  • extended sysinfo to match original
  • second system info class test
  • latest sys info
  • refactor system info method
  • refinements
  • fix translations
  • refactored admin info view
  • json systeminfo end point
  • remove serial monitor, serial config ui is sufficient
  • move view calls to relevant sections
  • modularise serial
  • modularise update and components
  • component model
  • remove post body http method over-ride option and add comment cors preflight for reference
  • avoid filepath variable override in view()
  • harden db_check with prepared statement
  • fix: only trust X-Forwarded-* headers from local/LAN proxies
  • remember me module tests
  • update version
  • readme for tests
  • remove old tests, replace with php user model tests as a POC
  • option to disable rate limiting for local testing
  • require_once on remember me

11.11.2

08 May 19:54

  • update version
  • handle migration from sha1 to sha256
  • fix timezone login error

11.11.1

08 May 17:42

  • update version

11.11.0

08 May 17:08

Emoncms 11.11 Release — Security Hardening & Refactoring

Note from @TrystanLea:

This release addresses a range of security issues identified using LLM assisted security auditing together with careful checking of every proposed change by a fallible.. human. Additional review is welcome! Most of the following is hardening, defense in depth and following better practice.

Please also update modules: dashboard, device, graph, postprocess, sync, app & account for related fixes.


LLM Generated summary:

  • Shell/Command Injection (Admin module) — Multiple exec(), passthru(), and shell redirect calls in the admin module have been hardened. Arguments are now wrapped with escapeshellarg(), cat calls for log output have been replaced with file_get_contents(), awk parsing of diskstats has been replaced with native PHP, and the vcgencmd path is now validated against an allowlist before use.
  • File Upload — Firmware upload now uses move_uploaded_file() instead of fopen()/fwrite(), ensuring files must have originated from a legitimate HTTP upload.
  • Redis Version Check — Replaced a shell_exec("php -i | grep ...") call with phpversion('redis') to retrieve the Redis extension version without spawning a shell.
  • Service Execution — Removed a silent exec() fallback in runService() when Redis is unavailable; an error is now returned instead of running commands directly as the web process user.
  • XSS — Colour field — Fixed a broken sanitise-then-store pattern where a colour value was sanitised on read but stored unsanitised, allowing a stored XSS payload.
  • XSS / Open Redirect — Referrer parameter — Fixed htmlspecialchars() being misapplied to a URL in the logout flow, and fixed an open redirect / potential XSS via the referrer parameter. Referrer validation is now centralised.
  • Session Corruption — setUser() now validates that the user exists in the database before writing to $_SESSION, preventing fatal errors and corrupt session state.
  • Username/User Enumeration — Timing-safe responses are now used on login and password reset to prevent user enumeration attacks.
  • Rate Limiting — Rate limiting has been added and centralised across login, authentication, registration, password reset, and change password flows. Timezone validation and IP checks have also been tightened in the rate-limit path.
  • Remember Me Token — Upgraded the remember-me cookie token to SHA-256, switched to hash_equals() for timing-safe comparison, removed logging of the raw cookie value, and ensured prepared statement handles are closed properly.
  • API Key Validation — Tightened API key validation and removed SQL error output from responses.
  • Missing Auth Check — Added a missing authentication check on the multigraph getlist endpoint (previously it would just return an empty array, but the check is now explicit).
  • UUID Hardening — Hardened get_uuid() and fixed an edge case in UUID setting.
  • Email Verification Link — Removed the email address from the email verification link; the security key alone provides sufficient security.
  • DB Schema Update Page — A warning is now logged when the DB schema update page is accessed via the updatelogin bypass rather than a proper admin session.
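The remember-me token handling described in the list above (SHA-256 token at rest, hash_equals() for the comparison, no logging of the raw cookie), shown as an added PHP illustration. This is not emoncms' own code: the in-memory `$store` array stands in for the database table and the helper names are assumptions.

```php
<?php
// Added illustration, not emoncms code. $store maps userid => sha256 hex of
// the token; $log collects what would go to the application log.

// Issue a token: the raw value is what the browser gets in the cookie,
// only its SHA-256 digest is persisted server-side.
function remember_me_issue(array &$store, int $userid): string {
    $raw = bin2hex(random_bytes(32));        // 256-bit random cookie value
    $store[$userid] = hash('sha256', $raw);  // hashed at rest
    return $raw;
}

// Verify a presented cookie value. The pre-fix pattern compared with '=='
// (timing-dependent) and logged the raw cookie; here the comparison is
// constant-time and the log carries only the user id and the outcome.
function remember_me_check(array $store, int $userid, string $cookie, array &$log): bool {
    // Shape check first: 64 hex chars, otherwise reject without touching the store.
    if (!isset($store[$userid]) || strlen($cookie) !== 64 || !ctype_xdigit($cookie)) {
        $log[] = "remember-me rejected for user $userid (malformed or unknown token)";
        return false;
    }
    // Both sides are fixed-length sha256 hex digests, so hash_equals() is safe to use.
    $ok = hash_equals($store[$userid], hash('sha256', $cookie));
    $log[] = 'remember-me ' . ($ok ? 'accepted' : 'rejected') . " for user $userid";
    return $ok;
}

// Worked run with constructed data: a genuine token, a well-formed but wrong
// token, and a malformed one.
$store = [];
$log = [];
$cookie = remember_me_issue($store, 7);
var_dump(remember_me_check($store, 7, $cookie, $log));
var_dump(remember_me_check($store, 7, str_repeat('a', 64), $log));
var_dump(remember_me_check($store, 7, 'not-a-token', $log));
print_r($log);
```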

Defence-in-Depth (SQL)

Several additional layers of protection have been applied to database interactions even where inputs were already validated upstream:

  • Prepared statements added to schedule create.
  • Prepared statements and explicit casting added to process list MySQL timeseries engine methods.
  • Additional prepared statements and defensive casts added across other query sites.

Refactoring

  • exec() and passthru() calls across the admin module have been centralised to make future auditing easier.
  • get_rpi_info() has been refactored for clarity.
  • Admin user functionality has been broken out into a dedicated AdminUserModel class.
  • Validation logic has been centralised across the user module.

Other

  • Minor consistency changes for compatibility with emoncms.org.
  • Small miscellaneous fixes and readability improvements.

11.10.5

29 Apr 14:11

  • update version
  • fix vactive hide inactive

11.10.4

23 Apr 16:31

  • update version
  • remove setting of session variable
  • support changing feed/data route