From 114df8a3a5e4800ef7586c5d9c8d79798fd2a11d Mon Sep 17 00:00:00 2001
From: Stephen Shkardoon
Date: Wed, 19 Mar 2014 19:03:26 +1300
Subject: [PATCH 1/2] FIX Prevent SQLi when no URL filters are applied

---
 code/model/SiteTree.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/code/model/SiteTree.php b/code/model/SiteTree.php
index 5f27fd8a..02b51681 100644
--- a/code/model/SiteTree.php
+++ b/code/model/SiteTree.php
@@ -1584,9 +1584,10 @@ class SiteTree extends DataObject implements PermissionProvider,i18nEntityProvid
 }
 }
+ $segment = Convert::raw2sql($this->URLSegment);
 $existingPage = DataObject::get_one(
 'SiteTree',
- "\"URLSegment\" = '$this->URLSegment' $IDFilter $parentFilter"
+ "\"URLSegment\" = '$segment' $IDFilter $parentFilter"
 );
 if ($existingPage) {
 return false;

From bf9b22fd4331a6f78cec12a75262f570b025ec2d Mon Sep 17 00:00:00 2001
From: Stephen Shkardoon
Date: Wed, 19 Mar 2014 19:26:18 +1300
Subject: [PATCH 2/2] FIX Do now allow arbitary class creation in CMS

---
 code/controllers/CMSMain.php | 9 +++++++++
 tests/controller/CMSMainTest.php | 23 ++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/code/controllers/CMSMain.php b/code/controllers/CMSMain.php
index c1d9c9eb..28d19548 100644
--- a/code/controllers/CMSMain.php
+++ b/code/controllers/CMSMain.php
@@ -865,8 +865,17 @@ class CMSMain extends LeftAndMain implements CurrentPageIdentifier, PermissionPr
 * @uses LeftAndMainExtension->augmentNewSiteTreeItem()
 */
 public function getNewItem($id, $setID = true) {
+ $parentClass = $this->stat('tree_class');
 list($dummy, $className, $parentID, $suffix) = array_pad(explode('-',$id),4,null);
+ if(!is_subclass_of($className, $parentClass) && strcasecmp($className, $parentClass) != 0) {
+ $response = Security::permissionFailure($this);
+ if (!$response) {
+ $response = $this->response;
+ }
+ throw new SS_HTTPResponse_Exception($response);
+ }
+
 $newItem = new $className();
 if( !$suffix ) {
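Review bot: The escape covers only `URLSegment`; the `$IDFilter` and `$parentFilter` fragments spliced into the same WHERE clause are assembled before this hunk and are not visible here, so they need the same treatment — integer-cast IDs or values passed through `Convert::raw2sql()` — or the clause is still only partly protected. `Convert::raw2sql()` escapes but does not quote, so the literal single quotes around `$segment` in the string remain essential; a comment above the new line would make both points durable: `// URLSegment is user-controlled: escape it, and keep the surrounding quotes, before interpolating into the filter`. The enclosing method starts and ends outside the hunk.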
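Review bot: `is_subclass_of()` receives a request-derived string, which makes PHP autoload whatever class name the client supplied before the comparison runs; SilverStripe's manifest-based autoloader presumably resolves only known classes, but that assumption is what makes the guard safe and deserves to be stated: `// $className comes from the request; unknown classes and non-$parentClass types both fall through to the permission failure below`. The same comment should note that a non-existent class is deliberately treated like a forbidden one, since `is_subclass_of()` returns false for it. `strcasecmp($className, $parentClass) != 0` should be `!== 0` for strict comparison. getNewItem() continues past the end of the hunk, so any later `canCreate()` check on `$newItem` cannot be confirmed from here.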
diff --git a/tests/controller/CMSMainTest.php b/tests/controller/CMSMainTest.php
index a634e92f..a561761e 100644
--- a/tests/controller/CMSMainTest.php
+++ b/tests/controller/CMSMainTest.php
@@ -284,6 +284,27 @@ class CMSMainTest extends FunctionalTest {
 $this->session()->inst_set('loggedInAs', null);
 }
+
+ public function testGetNewItem() {
+ $controller = new CMSMain();
+ $id = 'new-Page-0';
+
+ // Test success
+ $page = $controller->getNewItem($id, false);
+
+ $this->assertEquals($page->Title, 'New Page');
+ $this->assertNotEquals($page->Sort, 0);
+ $this->assertInstanceOf('Page', $page);
+
+ // Test failure
+ try {
+ $id = 'new-Member-0';
+ $member = $controller->getNewItem($id, false);
+ $this->fail('Should not be able to create a Member object');
+ } catch (SS_HTTPResponse_Exception $e) {
+ $this->assertEquals($controller->getResponse()->getStatusCode(), 302);
+ }
+ }
 }
 class CMSMainTest_ClassA extends Page implements TestOnly {
@@ -292,4 +313,4 @@ class CMSMainTest_ClassA extends Page implements TestOnly {
 class CMSMainTest_ClassB extends Page implements TestOnly {
-}
\ No newline at end of file
+}
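Review bot: The three `assertEquals()`/`assertNotEquals()` calls pass the actual value first and the expected value second, so a failure message will report them swapped; PHPUnit's order is `(expected, actual)`: `$this->assertEquals('New Page', $page->Title);`, `$this->assertNotEquals(0, $page->Sort);`, `$this->assertEquals(302, $e->getResponse()->getStatusCode());`. The last of those also switches to the response carried by the exception, which is what the new guard actually throws; `$controller->getResponse()` only coincides with it when `Security::permissionFailure()` returned nothing and the controller fell back to its own response, so asserting on `$e` pins the behaviour the test is about. A one-line comment above the failure block, `// Member is not a tree_class subclass, so the guard must reject it`, would record why that class was chosen.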