RSS: Prevent RSS folder from being moved into itself (glassez)
WEBUI: Reject requests that contain backslash in path (glassez)
WEBUI: Allow to set read-only directory as torrent location (glassez)
WEBUI: Allow only TLS 1.2+ in the server (sledgehammer999)
WEBUI: Blacklist bad ciphers for TLS in the server (sledgehammer999)
WEBUI: Migrate away from unsafe function (Chocobo1)
BUGFIX: Be more likely to allow the system to use power saving modes (glassez)
BUGFIX: Update the cached torrent state once recheck is started (glassez)
BUGFIX: Don't unexpectedly activate queued torrents when prefetching metadata for added magnets (glassez)

v4.5.2 contains a security bugfix in the web server. The bug allowed any file on the user's filesystem to be served without any authentication. This affects users that have enabled the WebUI/WebAPI. It seems to affect only v4.5.0 and v4.5.1.
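
An added example, not qBittorrent's own code: one way a web server can apply the "reject backslash in path" rule from the list above together with a web-root confinement check before serving a file. All names, the `/srv/www` root and the sample requests are constructed, and the request path is assumed to be percent-decoded already.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical names throughout; this is not qBittorrent's implementation.
enum class PathVerdict { Ok, RejectNotAbsolute, RejectBackslash, RejectTraversal };

struct Resolved {
    PathVerdict verdict;
    std::string fsPath;  // set only when verdict == Ok
};

// requestPath is assumed to be percent-decoded already.
Resolved resolveRequestPath(const std::string &webRoot, const std::string &requestPath)
{
    if (requestPath.empty() || (requestPath[0] != '/'))
        return {PathVerdict::RejectNotAbsolute, ""};
    // '\' is a separator on Windows, so "..\" would slip past the '/'-only
    // segment check below. Refuse it outright instead of normalising it.
    if (requestPath.find('\\') != std::string::npos)
        return {PathVerdict::RejectBackslash, ""};
    std::vector<std::string> parts;
    std::istringstream in(requestPath);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || (seg == "."))
            continue;
        if (seg == "..") {
            if (parts.empty())  // would climb above the web root
                return {PathVerdict::RejectTraversal, ""};
            parts.pop_back();
            continue;
        }
        parts.push_back(seg);
    }
    std::string fsPath = webRoot;
    for (const std::string &p : parts)
        fsPath += "/" + p;
    return {PathVerdict::Ok, fsPath};
}

int main()
{
    // Constructed sample requests.
    for (const char *p : {"/css/style.css", "/a/../b.js", "/../etc/passwd", "/..\\..\\secret.txt"})
        std::cout << p << " -> " << static_cast<int>(resolveRequestPath("/srv/www", p).verdict) << "\n";
}
```

The check is lexical only; symbolic links inside the web root need a separate check on the resolved filesystem path.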