### CVE-2020-9309 Script execution on protected files {#CVE-2020-9309}
Silverstripe can be susceptible to script execution from malicious upload
contents under allowed file extensions (for example HTML code in a TXT file).
When these files are stored as protected or draft files, the MIME detection can
cause browsers to execute the file contents.
#### Risk factors
If your project already includes the `silverstripe/mimevalidator` module, it's
already protected. CWP projects are already protected.
If your project includes the `silverstripe/userforms` module or allows anonymous
users to upload files, it's at a higher risk because malicious users can create
files without requiring a CMS access.
#### Actions you need to take
Upgrading to `silverstripe/recipe-core` 4.6.0 will automatically install the
`silverstripe/mimevalidator` module.
Read [MIME validator is now part of recipe-core](#MimeValidator) to understand
how this will impact your project.
### CVE-2019-19326 Web Cache Poisoning {#CVE-2019-19326}
Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the:
*`X-Original-Url` HTTP header
*`X-HTTP-Method-Override` HTTP header
*`_method` POST variable.
In order to remedy this vulnerability, Silverstripe Framework 4.6.0 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution.
### Re-enabling the support for removed features
These features are best implemented by defining a `Middleware`.
The following example illustrates how to implement an `HTTPMiddleware` that restores support for the `X-Original-Url` header and the `_method` POST parameter for requests originating from a trusted proxy.
```php
<?php
use SilverStripe\Control\Middleware\HTTPMiddleware;
use SilverStripe\Control\HTTPRequest;
/**
* This is meant to illustrate how to implement an HTTPMiddleware. If you blindly
* copy-paste this in in your code base, you'll simply replicate the vulnerability.
*/
class InsecureHeaderMiddleware implements HTTPMiddleware
{
public function process(HTTPRequest $request, callable $delegate)
{
// Normally, you would validate that the request is coming from a trusted source at this point.
// View SilverStripe\Control\Middleware\TrustedProxyMiddleware for an example.
if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) {
$request->setHttpMethod($methodOverride);
}
}
return $delegate($request);
}
}
```
To learn more about re-implementing support for the disabled features:
* read [how to configure trusted proxies](/developer_guides/security/secure_coding/#request-hostname-forgery) on the Silverstripe documentation.
* read the [documentation about HTTP Middlewares](/developer_guides/controllers/middlewares/).
### CVE-2020-6164 Information disclosure on /interactive URL path
A specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).
The automatic permission checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g. through pagination), resulting in records that should fail the permission check being added to the final result set.
If your project implements custom GraphQL queries using the `CanViewPermissionChecker`, you should validate that they still work as expected after the upgrade.
Read [Controlling who can view results in a GraphQL result set](/Developer_Guides/GraphQL/Verifying_CanView_Permission)
for more information on updating your GraphQL queries.
## Solr no longer indexes draft/restricted content {#solr-updates}
At the time of this release a new version of the popular [silverstripe/fulltextsearch module](https://github.com/silverstripe/silverstripe-fulltextsearch) is also available, introducing more secure defaults. Most notably, draft and restricted content will no longer be indexed by default, due to a `canView()` check being performed against an anonymous user prior to (re)indexing. Restricted content means that it has a permission level of either 'Logged-in users' or 'Only these groups'.
If your project uses this module, after upgrading your website, ensure that you run the `Solr_Reindex` task on your production environment to remove previously indexed content that should no longer be there.
If your website requires draft or restricted content to be indexed, you can opt-out of the new secure defaults on a per-model basis.
This is a great opportunity to make sure that any custom indexes/search controllers in your project are correctly filtering results based on permissions and search visibility, which you can now achieve via a unified method (see `SilverStripe\FullTextSearch\Search\Services\SearchableService::isSearchable()`.)
The [silverstripe/fulltextsearch module readme provides additional information](https://github.com/silverstripe/silverstripe-fulltextsearch).
## Simplify customisation of ModelAdmin {#modeladmin-customisation}
`ModelAdmin::getEditForm()` has been split into smaller more discrete protected methods:
*`getGridField()`
*`getGridFieldConfig()`.
Two matching extension hooks have been added as well:
*`updateGridField()`
*`updateGridFieldConfig()`.
This will make it easier for developers to customise GridFields in their ModelAdmins.
Learn how to [alter the ModelAdmin GridField or Form](/developer_guides/customising_the_admin_interface/modeladmin/#altering-the-modeladmin-gridfield-or-form)
This release supports PHP 7.4, as does version 4.5.3 which was released at the same time. At the time of this release, all [commercially supported modules](https://www.silverstripe.org/software/addons/silverstripe-commercially-supported-module-list/) also support PHP 7.4.
* 2020-05-13 [996c1b571](https://github.com/silverstripe/silverstripe-framework/commit/996c1b57195029ef2d385123e22a3222cd7e5f18) Remove/deprecate unused controllers that can potentially give away some information about the underlying project. (Maxime Rainville) - See [cve-2020-6164](https://www.silverstripe.org/download/security-releases/cve-2020-6164)
* 2020-05-11 [71db45b18](https://github.com/silverstripe/silverstripe-framework/commit/71db45b18b4a3bce6a4630ff3a6c116c15f35874) Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod() (Maxime Rainville) - See [cve-2019-19326](https://www.silverstripe.org/download/security-releases/cve-2019-19326)
* 2020-02-17 [6c3a619](https://github.com/silverstripe/silverstripe-asset-admin/commit/6c3a6197e5bd5bb8f45e007338b4c2c3b4f3a6c6) Move the query resolution after the DataListQuery has been altered (Maxime Rainville) - See [cve-2020-6165](https://www.silverstripe.org/download/security-releases/cve-2020-6165)
* 2020-02-11 [044eb43](https://github.com/silverstripe/silverstripe-graphql/commit/044eb43ad02428b17a881e47a0ff8aa8d159eb9c) Ensure canView() check is run on items (Steve Boyd) - See [cve-2020-6165](https://www.silverstripe.org/download/security-releases/cve-2020-6165)
### API Changes
* 2020-05-28 [422a9a2](https://github.com/silverstripe/recipe-core/commit/422a9a23dc7b16f635fbc3a7fe5e6ec0d2fba77a) Bump to require 4.6.x-dev branches (Steve Boyd)
* 2020-04-28 [df8004b](https://github.com/silverstripe/silverstripe-versioned-admin/commit/df8004bebd0ac8008f4ae23889bcfc110271085e) Bump @silverstripe/webpack-config to 1.5.0 (Maxime Rainville)
* 2020-04-24 [d513932](https://github.com/silverstripe/silverstripe-admin/commit/d51393203a65ae2f102de6940be1660a89e75c89) Bump @silverstripe/webpack-config to 1.5.0 (Maxime Rainville)
* 2020-04-17 [99eeb59](https://github.com/silverstripe/silverstripe-assets/commit/99eeb5920b500b7dbda04367c617c76da8083a6f) Add new updateResponse hook to allow extension to update the response (Maxime Rainville)
* 2020-02-14 [29943f904](https://github.com/silverstripe/silverstripe-framework/commit/29943f9049e7e9ec8b99f7def34a7fc9656d4fe3) TestSession request methods now use the correct HTTP method (#8987) (Garion Herman)
* 2019-11-20 [0c9be1b](https://github.com/silverstripe/silverstripe-admin/commit/0c9be1b522644e835aea39732c2d2c426a79569e) Add updateGridFieldConfig and updateGridField hooks to ModelAdmin (Maxime Rainville)
* 2019-11-19 [ba831dc](https://github.com/silverstripe/silverstripe-admin/commit/ba831dc41efbd13f4cb065f201681976c36aea5f) Break up ModelAdmin::getEditForm into getGridField and getGridFieldConfig (Maxime Rainville)
* 2019-10-16 [67398ed](https://github.com/silverstripe/silverstripe-admin/commit/67398edb9050b75638a40b042cc0eaa5d12e99be) Add Silverstripe specific button UI (Maxime Rainville)
### Features and Enhancements
* 2020-06-12 [ae97a20](https://github.com/silverstripe/silverstripe-admin/commit/ae97a2000e44c5cc1a67b7dcbc523d062aff5785) Update gridfield sort to use text default on focus (#1055) (Sacha Judd)
* 2020-06-12 [05e0e5c](https://github.com/silverstripe/silverstripe-asset-admin/commit/05e0e5c522f8bf46d3f3c44e060c2df9cf41fea2) Update draft state indicator on thumbnails to use correct background colour (#1104) (Sacha Judd)
* 2020-05-25 [5a1b634](https://github.com/silverstripe/silverstripe-admin/commit/5a1b63447d32725dcf455cc473c6303265d7b40a) Add new variations of block icons and update existing (Sacha Judd)
* 2020-05-25 [da241a2](https://github.com/silverstripe/silverstripe-asset-admin/commit/da241a28edfd8561bccdd993688e8d1cabd199d5) Add file status icons to file manager (#1087) (Steve Boyd)
* 2020-05-21 [5220dc1](https://github.com/silverstripe/silverstripe-admin/commit/5220dc1c6d8ae4999d3bed07346a8e2c68b174b6) Separate storybook icons into different sections for people to easily see where different icons belong (Scott Hutchinson)
* 2020-05-21 [239c559](https://github.com/silverstripe/silverstripe-assets/commit/239c559fda6c89b9ed50d3269258480ea3930dfd) Methods to support file status icons (Steve Boyd)
* 2020-05-11 [39f3032](https://github.com/silverstripe/silverstripe-admin/commit/39f303209ed2f35920825ed555b37e78d337bafb) Add Bootstrap Tooltip support outside of React contexts (Garion Herman)
* 2020-05-08 [0874950](https://github.com/silverstripe/recipe-core/commit/0874950373c380c49836b517e1c71fe8e09d7b37) Add MIME type validation out of the box (Maxime Rainville)
* 2020-05-01 [77b896f](https://github.com/silverstripe/silverstripe-admin/commit/77b896fe4cfb75dd9195ff8b9d12dc278c954b7a) Add mid-blue colour, update info elements to match designs (Garion Herman)
* 2020-04-06 [c6b698cb0](https://github.com/silverstripe/silverstripe-framework/commit/c6b698cb027a14e9b0a2ce3e403ce12d1bc132d3) Allow InnoDB for FULLTEXT indexes (Ingo Schommer)
* 2020-04-04 [2bbc280c](https://github.com/silverstripe/silverstripe-cms/commit/2bbc280ce6b7d8a9dd44bc09598f6d37dfd010c6) Remove unused $controller from lambda function (mattclegg)
* 2020-03-13 [159a42a](https://github.com/silverstripe/silverstripe-graphql/commit/159a42af05507c7bd56e5d03bc80539f87839c2c) Allow instance override of CORS config (Aaron Carlino)
* 2020-02-14 [30c3b127c](https://github.com/silverstripe/silverstripe-framework/commit/30c3b127c1fdef2de66ec13cdb423ba7e4f76c43) Add ClassInfo method to get all classes with a given extension applied (Michal Kleiner)
* 2019-12-17 [5449014](https://github.com/silverstripe/silverstripe-asset-admin/commit/544901433e5688dc094f7ee03d8753ab547bcd5d) Update language and conditions in BulkDeleteConfirmation (Garion Herman)
* 2019-11-18 [688890146](https://github.com/silverstripe/silverstripe-framework/commit/688890146863704d0942f76d830624bad0395ffa) Update docs to be compliant with Gatsby site (#9314) (Aaron Carlino)
* 2020-05-26 [09d2061](https://github.com/silverstripe/silverstripe-asset-admin/commit/09d20617620571650509b2b250117c295d58d5bb) Asset revision timestamps are no longer underlined in asset admin history tabs (Robbie Averill)
* 2020-05-25 [32e7b46](https://github.com/silverstripe/recipe-core/commit/32e7b464bd96d567160f4b0b8ea3fc7ca032d19e) Make sure the new mime validator config does not clash with the cwp config (#54) (Maxime Rainville)
* 2020-05-19 [b9de9e6](https://github.com/silverstripe/silverstripe-asset-admin/commit/b9de9e6d608aa2b7f6d01e9c609369998d3ab0d8) Remove direct descendant selector to apply correct margins (Sacha Judd)
* 2020-05-13 [b1b61f866](https://github.com/silverstripe/silverstripe-framework/commit/b1b61f866eb1ae0d9ef86255458277d6ba2cfd57) Set nonce style on unit tests (Steve Boyd)
* 2020-05-01 [e344b66db](https://github.com/silverstripe/silverstripe-framework/commit/e344b66dbe64436815236350387159b52322fd4e) Fixed broken link to the module creation docs (Dustin Quam)
* 2020-05-01 [b1f6e52](https://github.com/silverstripe/silverstripe-asset-admin/commit/b1f6e521aac9bc17ee400593724e4a9290678938) Remove grid view sorting hack to correct initial state (Garion Herman)
* 2020-05-01 [891f0682](https://github.com/silverstripe/silverstripe-cms/commit/891f068202a3c7926a813c994b2802eacb7847f0) Correct placement of 'Page location' field title (Garion Herman)
* 2020-04-30 [fff806ca](https://github.com/silverstripe/silverstripe-cms/commit/fff806ca33cf6cdfd17c073f736e0faba42964a3) Prevent Treeview from always reloading (Maxime Rainville)
* 2020-04-29 [ed4c436](https://github.com/silverstripe/silverstripe-admin/commit/ed4c436dd1e2171820c97a8bc996bbfbf90f080d) built dist files (Niklas Forsdahl)
* 2020-04-27 [5bcc574](https://github.com/silverstripe/silverstripe-admin/commit/5bcc574060cba305523d237462a92650119914cc) GET parameter handling in GridField reload (Niklas Forsdahl)
* 2020-04-27 [eac547a](https://github.com/silverstripe/silverstripe-admin/commit/eac547a2411c406841cb648d763f6c090f39cf11) Grid field reload always triggers change event if request has GET parameters (Niklas Forsdahl)
* 2020-04-21 [bb0fc12](https://github.com/silverstripe/silverstripe-asset-admin/commit/bb0fc12522107dc6bd890a7a475027c203e1cb53) Stops an image's "Title text (tooltip)" being set to the filename by default (#1058) (James Cocker)
* 2020-04-20 [080ce157c](https://github.com/silverstripe/silverstripe-framework/commit/080ce157ce2c97f0d3a2347d4fe6c58b28358aaa) Fix various typos in comments (Daniel Hensby)
* 2020-04-18 [216989165](https://github.com/silverstripe/silverstripe-framework/commit/2169891651aded4defe33a1d08e1b07f79b9f086) Ensure realpath returns a string for stripos (mattclegg)
* 2020-04-10 [ab87bdc04](https://github.com/silverstripe/silverstripe-framework/commit/ab87bdc04466cf9da95da3670a5db9e30cfce64d) Fix SS_BASE_URL logic when undefined and docroot without public folder (Michal Kleiner)
* 2020-04-09 [a50e15e5e](https://github.com/silverstripe/silverstripe-framework/commit/a50e15e5eec7406e6034875ec9c3d8da6788daee) Avoid VACUUM on test dbs in Postgres (Ingo Schommer)
* 2020-04-08 [2c5deceeb](https://github.com/silverstripe/silverstripe-framework/commit/2c5deceeb475a6842c30dd42ff3a9990dda50707) Filter out all FULLTEXT BOOLEAN chars (Ingo Schommer)
* 2020-04-08 [e51bd421](https://github.com/silverstripe/silverstripe-cms/commit/e51bd421a6996e0a2794799c9475ef115bcf7673) InnoDB FULLTEXT compat in tests (Ingo Schommer)
* 2020-04-08 [dd839ca2](https://github.com/silverstripe/silverstripe-cms/commit/dd839ca2d9b8cc56501e466da9421b11d76fa967) Remove searchEngine() test that's using API wrong (Ingo Schommer)
* 2020-04-05 [d6fc7fe80](https://github.com/silverstripe/silverstripe-framework/commit/d6fc7fe8040a9701a380bfa9c25497a9dc63fbe9) Fix issue with the GridField documenation - many_many_extraFields code example (tdenev)
* 2020-04-02 [9e0ed0a50](https://github.com/silverstripe/silverstripe-framework/commit/9e0ed0a50a383bd83f405d3cb8fb091708bd251d) Fix spaces around concatenation operator (Dan Hensby)
* 2020-03-23 [5002f514b](https://github.com/silverstripe/silverstripe-framework/commit/5002f514b3fde8e4ef75a72c964d649f46ab31f0) Capitalisation fixes in welcome back message (#9439) (Robbie Averill)
* 2020-03-23 [e5aa94c](https://github.com/silverstripe/silverstripe-admin/commit/e5aa94cfdd4fadcc87db3eee127f2f4f751ef6a7) "My profile" title in CMS is now vertical centered as other LeftAndMain screens are (Robbie Averill)
* 2020-03-20 [14fd29a](https://github.com/silverstripe/silverstripe-admin/commit/14fd29ad2c607951eff1bab65921748916a6c72e) Switch incorrect modified and draft state indicator colours (Sacha Judd)
* 2020-03-18 [fe5f965](https://github.com/silverstripe/silverstripe-assets/commit/fe5f9651942c7a1bcbb1f69d1da1ccf9565d7aee) Update FileIDHelpers to replace backslashes with forward slashes (Maxime Rainville)
* 2020-03-17 [7ad5f1bb1](https://github.com/silverstripe/silverstripe-framework/commit/7ad5f1bb14814bd05c6fe97e11b94c9f34936b15) Ensure diff arrays are one-dimensional (Aaron Carlino)
* 2020-03-08 [b269d8749](https://github.com/silverstripe/silverstripe-framework/commit/b269d874909cd70bb60c1a2974ea5446b43b0436) Register new sub tasks to fix files affected by CVE-2020-9280 and CVE-2019-12245 (Serge Latyntcev)
* 2020-03-05 [6c25480](https://github.com/silverstripe/silverstripe-admin/commit/6c254803e6dac4fe58aa59166c35a8dc506f5027) Rename exposed url module to node-url to avoid API clash (Garion Herman)
* 2020-03-04 [12ea7cd](https://github.com/silverstripe/silverstripe-assets/commit/12ea7cd2037bebcb3196dd5e3aaa72e6dbc7c7b2) Create NormaliseAccessMigrationHelper to fix files affected by CVE-2019-12245 (Maxime Rainville)
* 2020-02-27 [fe14d39](https://github.com/silverstripe/silverstripe-graphql/commit/fe14d39dd39015f4dafc1028035e573563e4b4df) Increment targeted version of recipe-cms on travis build (Maxime Rainville)
* 2020-02-24 [bba0f2f72](https://github.com/silverstripe/silverstripe-framework/commit/bba0f2f72fa2e631dbf60357a908d5d57d4467ee) Fixed issue where TimeField_Readonly would only show "(not set)" instead of the value (UndefinedOffset)
* 2020-02-21 [9733060d1](https://github.com/silverstripe/silverstripe-framework/commit/9733060d1ca74c22416fba4134eb82e7266a8331) Fix Related section at bottom of document (Zubair)
* 2020-02-20 [ff417ca](https://github.com/silverstripe/silverstripe-asset-admin/commit/ff417ca53405a4022c4fece82d50638e72940d4f) Fix last file upload showing as errored when uploading multiple files. (bergice)
* 2020-02-19 [7455d14](https://github.com/silverstripe/silverstripe-asset-admin/commit/7455d141aa6340e33674f72516e0e6b97d6d6232) Handle case where provided $context is null (Garion Herman)
* 2020-02-18 [e0de15f](https://github.com/silverstripe/silverstripe-errorpage/commit/e0de15f85a09ac848cb110f49cef58624d1e892f) Fix broken test when FulltextSearchable is enabled (Maxime Rainville)
* 2020-02-14 [939cb93](https://github.com/silverstripe/silverstripe-assets/commit/939cb932873936fa33d874738f23211f6360c2b8) Fix wording in comment in assets htaccess (aNickzz)
* 2020-02-12 [202d061](https://github.com/silverstripe/silverstripe-asset-admin/commit/202d061e6019aab381901e99257c571b7f71ded0) Display bulk publish button on modified files as well as draft file (Maxime Rainville)
* 2020-02-05 [c92e3b9d](https://github.com/silverstripe/silverstripe-cms/commit/c92e3b9d7967142ce59c918916441fce796c9fd8) Prioritise same-level pages in OldPageRedirector (Klemen Dolinšek)
* 2020-01-14 [64bf56a](https://github.com/silverstripe/silverstripe-asset-admin/commit/64bf56a79776632c1eb5177132d5f8d5a859a8fb) Improve grammar in BulkDeleteMessage strings (Garion Herman)
* 2020-01-13 [e294214](https://github.com/silverstripe/silverstripe-asset-admin/commit/e29421499be38318ee2b56a95f5a2db653917ffb) Behat test should now verify that folder in use CAN be deleted (Garion Herman)
* 2019-12-23 [c8c1c86d7](https://github.com/silverstripe/silverstripe-framework/commit/c8c1c86d701f58ee779d36f19649fb08342306f6) module link "recaptcha" not found (Valentino Pesce)
* 2019-12-20 [1d7a0b7](https://github.com/silverstripe/silverstripe-versioned-admin/commit/1d7a0b71edcbea9b4380a8808785f340c40ac1cd) Use more resilient method to manipulate URL of preview (#137) (Maxime Rainville)
* 2019-12-19 [944cf5a](https://github.com/silverstripe/silverstripe-admin/commit/944cf5a16e693edbbeda0bc2b0ce79aa205ed76d) Upgrade webpack config to 1.4 (Maxime Rainville)
* 2019-12-18 [8d69cf9f7](https://github.com/silverstripe/silverstripe-framework/commit/8d69cf9f758abe7e495ba300a8bd81cc624a29c3) Remove bad default when scaffolding form field for DBHTMLVarchar (Maxime Rainville)
* 2019-12-04 [de96188c](https://github.com/silverstripe/silverstripe-cms/commit/de96188c8a724ff33a31e1bbe8618f52836bd00c) If no parent in RelativeLink() return null (Amol Wankhede)
* 2019-11-18 [6ff0f3f46](https://github.com/silverstripe/silverstripe-framework/commit/6ff0f3f4664b9af0ebf8a55a7f84fa4031e235a2) The "Link existing" should be disabled rather than readonly. (Maxime Rainville)
* 2019-11-18 [48f9ec3](https://github.com/silverstripe/silverstripe-admin/commit/48f9ec3590b5060c8a847faae03d9c9bb16b4566) Set min-width on loading button to avoid having the loading indicator break over 2 lines (Maxime Rainville)
* 2019-11-18 [5e611341](https://github.com/silverstripe/silverstripe-cms/commit/5e6113414fc50498e78728a15ddb5494ab250852) Fixed 404s in Contributing doc (Rob Mac Neil)
* 2019-09-02 [6d8a4bc](https://github.com/silverstripe/silverstripe-assets/commit/6d8a4bc4f4178c0b56ede1b01f87b162066d550a) Make AbsoluteLink work with manipulated images (fixes #322) (Loz Calver)
* 2019-03-20 [1d406c64b](https://github.com/silverstripe/silverstripe-framework/commit/1d406c64b99065461f4fdd47e8731e36b1fa7944) Fix: Allow editing of relation if item is created. (Kong Jin Jie)