Download Latest Version v0.44.1 source code.tar.gz (34.4 MB)
Email in envelope

Get an email when there's a new version of SQLpage

Home / v0.44.1
Name Modified Size InfoDownloads / Week
Parent folder
sqlpage-aws-lambda.zip 2026-06-11 17.0 MB
sqlpage-linux.tgz 2026-06-11 13.0 MB
sqlpage-macos.tgz 2026-06-11 12.6 MB
sqlpage-windows.zip 2026-06-11 11.0 MB
README.md 2026-06-11 1.9 kB
v0.44.1 source code.tar.gz 2026-06-11 34.4 MB
v0.44.1 source code.zip 2026-06-11 34.7 MB
Totals: 7 Items   122.7 MB 1

An AI-assisted security audit found three vulnerabilities: one authentication bypass that is high severity for affected OIDC deployments, and two lower-severity issues. It also led to three hardening changes. Upgrade now if you use custom OIDC protected paths.

Security fixes:

  • High severity for affected OIDC deployments: protected path bypass.
  • Affected: sites using OIDC with custom oidc_protected_paths, such as ["/admin"], to protect only part of the site.
  • Not affected: sites not using OIDC, or using the default oidc_protected_paths = ["/"] to protect the whole site.
  • Impact: an unauthenticated attacker could use percent-encoded URLs to access pages that should require login. The fix checks decoded request paths against decoded oidc_protected_paths and oidc_public_paths.
  • Medium severity: private SQL files could be served after privileged run_sql includes.
  • Affected: apps that call sqlpage.run_sql(...) on private paths such as sqlpage/, dotfiles, absolute paths, or ../ paths.
  • Impact: an attacker who knew the path could request the cached file directly and run it as a public page for a few milliseconds.
  • Low severity: debug error messages displayed in production
  • Affected: environment = "production" and pages that can error while serving JSON, NDJSON, SSE, or CSV contents.
  • Impact: an attacker could gather private information about your database schema through error messages.

Additional hardening:

  • Safely quote csv and download filename values in Content-Disposition, preventing download filename corruption.
  • Reject unsafe OIDC redirect targets containing backslashes or control characters, affecting user-controlled login return targets and sqlpage.oidc_logout_url.
  • Bind sqlpage.oidc_logout_url links to the current session, preventing forced logout of another browser.
Source: README.md, updated 2026-06-11