| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| sqlpage-aws-lambda.zip | 2026-06-11 | 17.0 MB | |
| sqlpage-linux.tgz | 2026-06-11 | 13.0 MB | |
| sqlpage-macos.tgz | 2026-06-11 | 12.6 MB | |
| sqlpage-windows.zip | 2026-06-11 | 11.0 MB | |
| README.md | 2026-06-11 | 1.9 kB | |
| v0.44.1 source code.tar.gz | 2026-06-11 | 34.4 MB | |
| v0.44.1 source code.zip | 2026-06-11 | 34.7 MB | |
| Totals: 7 Items | 122.7 MB | 1 | |
An AI-assisted security audit found three vulnerabilities: one authentication bypass that is high severity for affected OIDC deployments, and two lower-severity issues. It also led to three hardening changes. Upgrade now if you use custom OIDC protected paths.
Security fixes:
- High severity for affected OIDC deployments: protected path bypass.
- Affected: sites using OIDC with custom
oidc_protected_paths, such as["/admin"], to protect only part of the site. - Not affected: sites not using OIDC, or using the default
oidc_protected_paths = ["/"]to protect the whole site. - Impact: an unauthenticated attacker could use percent-encoded URLs to access pages that should require login. The fix checks decoded request paths against decoded
oidc_protected_pathsandoidc_public_paths. - Medium severity: private SQL files could be served after privileged
run_sqlincludes. - Affected: apps that call
sqlpage.run_sql(...)on private paths such assqlpage/, dotfiles, absolute paths, or../paths. - Impact: an attacker who knew the path could request the cached file directly and run it as a public page for a few milliseconds.
- Low severity: debug error messages displayed in production
- Affected:
environment = "production"and pages that can error while serving JSON, NDJSON, SSE, or CSV contents. - Impact: an attacker could gather private information about your database schema through error messages.
Additional hardening:
- Safely quote
csvanddownloadfilenamevalues inContent-Disposition, preventing download filename corruption. - Reject unsafe OIDC redirect targets containing backslashes or control characters, affecting user-controlled login return targets and
sqlpage.oidc_logout_url. - Bind
sqlpage.oidc_logout_urllinks to the current session, preventing forced logout of another browser.