Merge pull request from GHSA-23r4-5mxp-c7g5

hulab · Aug 18, 2021 · 1306da7 · 1306da7
1 parent 3c00bcd
commit 1306da7
Show file tree

Hide file tree

Showing 5 changed files with 2,056 additions and 3,508 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,7 +1,16 @@
 ## Parse Server Changelog
 
 ### master
-[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.0...master)
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.2...master)
+
+### 4.5.2
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.1...4.5.2)
+
+### Security Fixes
+- SECURITY FIX: Fixes incorrect session property `authProvider: password` of anonymous users. When signing up an anonymous user, the session field `createdWith` indicates incorrectly that the session has been created using username and password with `authProvider: password`, instead of an anonymous sign-up with `authProvider: anonymous`. This fixes the issue by setting the correct `authProvider: anonymous` for future sign-ups of anonymous users. This fix does not fix incorrect `authProvider: password` for existing sessions of anonymous users. Consider this if your app logic depends on the `authProvider` field. (Corey Baker) [GHSA-23r4-5mxp-c7g5](https://github.com/parse-community/parse-server/security/advisories/GHSA-23r4-5mxp-c7g5)
+
+### 4.5.1
+*This version was published by mistake and was deprecated.*
 
 ### 4.5.0
 [Full Changelog](https://github.com/parse-community/parse-server/compare/4.4.0...4.5.0)