
Ghost Release: 5.87.1

Tag Name: v5.87.1

Release Date: 7/5/2024

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost v5.87.1: Enhanced Security, UI Improvements, and Bug Fixes

This release adds important security enhancements to webhooks, improves the member experience with better activity tracking, and fixes several critical bugs affecting the editor, analytics, and subscription management. The update includes UI refinements across settings pages and introduces better error handling for theme activation.

Highlights of the Release

  • Added timestamp to webhook signature hash for improved security
  • Fixed image editing not saving changes in the editor
  • Added new member activity events for email changes and payment failures
  • Fixed case sensitivity issues in analytics sources
  • Improved copy/paste experience from Google Docs
  • Unified UI patterns for settings modals

Migration Guide

Webhook Signature Changes

If you're consuming Ghost webhooks and verifying signatures, you'll need to update your verification logic to account for the new timestamp in the hash. The signature format has changed from a simple hash to include a timestamp component:

Old format:

sha256=hash

New format:

sha256=hash, t=timestamp

Example verification code:

const crypto = require('crypto');

// Webhook secret from Ghost Admin
const WEBHOOK_SECRET = 'YOUR_WEBHOOK_SECRET';

// Extract the hash and timestamp from the x-ghost-signature header,
// which has the form "sha256=<hash>, t=<timestamp>"
const {sha256: hash, t: timestamp} = req.headers['x-ghost-signature']
    .split(', ')
    .map((x) => x.split('='))
    .reduce((acc, [key, value]) => ({...acc, [key]: value}), {});

// Get the request body as a JSON string
const reqBodyJSON = JSON.stringify(req.body);

// Recreate the hash using the secret, request body, and timestamp
const expectedHash = crypto.createHmac('sha256', WEBHOOK_SECRET)
    .update(`${reqBodyJSON}${timestamp}`)
    .digest('hex');

// Compare in constant time so the comparison does not leak how many
// characters matched; timingSafeEqual requires equal-length inputs
const isValid = typeof hash === 'string' &&
    hash.length === expectedHash.length &&
    crypto.timingSafeEqual(Buffer.from(hash, 'utf8'), Buffer.from(expectedHash, 'utf8'));

if (isValid) {
    console.log('Valid signature!');
}

Upgrade Recommendations

This release contains important security enhancements and bug fixes, making it a recommended upgrade for all Ghost installations.

The webhook signature change is a breaking change for webhook consumers, so if you're using webhooks with signature verification, you should coordinate the upgrade with updates to your webhook consumers.

For most users, this is a straightforward upgrade with no additional steps required beyond the standard update process:

  1. Back up your Ghost installation
  2. Update Ghost using the Ghost CLI: ghost update
  3. If you're using webhooks with signature verification, update your verification logic as described in the migration guide

Bug Fixes

Editor Improvements

  • Fixed image editing not saving changes
  • Fixed unwanted extra blank paragraphs when copy/pasting from Google Docs
  • Fixed staff user modal not showing correct example URL for author slugs

Analytics and Member Management

  • Fixed analytics sources to not be case sensitive, ensuring more accurate reporting
  • Fixed incorrect member subscription details in Admin, particularly for canceled subscriptions
  • Fixed URL decoding issue where URLs sent in emails containing a % character couldn't be updated

Navigation and UI

  • Fixed infinite loop when changing value of new navigation item's field
  • Fixed scroll issues on settings page for editor users
  • Changed "commented" link in member feed to redirect to the actual post with comments instead of analytics page
  • Fixed browser tests to account for renamed buttons

New Features

Enhanced Member Activity Tracking

  • Added 'Changed email address' event to Member Activity for better audit trails
  • Added 'Payment failed' subscription cancellation reason to provide clearer context when subscriptions are canceled automatically

Improved UI Consistency

  • Unified "Save" and "Close" buttons across all settings modals for a more consistent experience
  • Updated integration modals to follow the same pattern as other settings

Enhanced Email Templates

  • Center-aligned feature images in email templates for better aesthetics
  • Updated feature image CSS in editor to better display image overlay and improve caption spacing
  • Improved typography and spacing for callout cards and blockquotes

Security Updates

Webhook Signature Enhancement

Added timestamp to webhook signature hash to prevent replay attacks. This is a breaking change for webhook consumers as signature verification logic will need to be updated to account for the timestamp in the hash.

Custom Redirects Protection

Added validation to prevent RegEx patterns susceptible to Regular Expression Denial of Service (ReDoS) from being used with custom redirects, protecting against potential server overload.

Performance Improvements

  • Optimized aggregation of member attribution statistics by reducing redundant moment.js operations
  • Removed unused dependencies and cleaned up code:
    • Switched from faker to @faker-js/faker
    • Removed duplicate email template and styles files
    • Cleaned up websockets experiment that was no longer in use
    • Removed GA feature flags for features that are now generally available
    • Bumped @tryghost/metrics package to remove unnecessary dependencies

Impact Summary

This release significantly enhances Ghost's security posture by adding timestamp-based protection against replay attacks for webhooks and implementing ReDoS protection for custom redirects. It improves the user experience with more consistent UI patterns across settings pages and fixes several critical bugs affecting the editor, member management, and analytics.

Content creators will benefit from improved editor functionality, particularly when pasting content from Google Docs and editing images. Site administrators gain better insights into member activity with new tracking events and more accurate analytics reporting. The unified UI patterns across settings modals create a more intuitive and consistent experience.

While the webhook signature change requires updates to webhook consumers, the security benefits justify this breaking change. Overall, this release represents an important step forward in Ghost's ongoing commitment to security, usability, and performance.

Full Release Notes

  • 🔒 Added timestamp to webhook signature hash (#20500) - Michael Barrett
  • 🎨 Updated Casper to v5.7.3 - Ghost CI
  • 🎨 Updated Source to v1.3.0 - Ghost CI
  • 🎨 Added 'Payment failed' subscription cancellation reason (#20527) - Sag
  • 🎨 Added 'Changed email address' event to Member Activity (#20493) - Sag
  • 🐛 Fixed image editing not saving changes (#20543) - Michael Barrett
  • 🐛 Fixed url decoding issue - URLs sent in emails containing a % can now be updated (#20518) - Princi Vershwal
  • 🐛 Fixed incorrect member subscription details in Admin (#20476) - Fabien 'egg' O'Carroll
  • 🐛 Fixed analytics sources to not be case sensitive (#20506) - Princi Vershwal
  • 🐛 Fixed unwanted extra blank paragraphs when copy/pasting from Google Docs (#20505) - Kevin Ansfield
  • 🐛 Fixed unexpected leave confirmation after Cmd+S on member profile - Daniel Lockyer
  • 🐛 Fixed staff user modal not showing correct example URL - Daniel Lockyer

View the changelog for full details: v5.87.0...v5.87.1

Statistics:

Files changed: 106
Line additions: 4,933
Line deletions: 4,816
Line changes: 9,749
Total commits: 55

Users affected:

  • Need to update webhook signature verification logic to account for the new timestamp in the hash
  • Benefit from improved error messages upon theme activation
  • Will see better validation for custom redirects to prevent ReDoS vulnerabilities

Contributors:

renovate[bot], daniellockyer, sanne-san, peterzimon, dvdwinden, mike182uk, sagzy, 9larsons, kevinansfield, vershwal, minimaluminium, allouis, aileen, JohnONolan, github-actions[bot]