# 3.0.6
## Overview
* Security: Require ADMIN for `?flush=1` (stop denial of service attacks) ([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692))
* API: Disable discontinued Google Spellcheck in TinyMCE. Replaced by browser-based spellchecking if available (Chrome, Firefox)
## Details
### Security: Require ADMIN for ?flush=1 (SS-2013-001)
See [announcement](http://www.silverstripe.org/ss-2013-001-require-admin-for-flush1/)
### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)
See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)
### Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)
See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/)
### Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/)
### Security: Information disclosure in Versioned.php (SS-2013-006)
See [announcement](http://www.silverstripe.org/ss-2013-006-information-disclosure-in-versioned/)
## Upgrading
* If you have created your own composite database fields, then you should amend their `setValue()` method to allow the passing of an object (usually a `DataObject`) as well as an array.
* If you have provided your own startup scripts (ones that include `core/Core.php`) that can be accessed via a web request, you should ensure that you limit use of the `flush` parameter.
* Translation entity namespaces can no longer contain dots, since this conflicts with the YAML format.
* Translation entities defined in templates now use their fully qualified entity name without dots.
  Before: `BackLink_Button.ss.Back`, after: `BackLink_Button_ss.Back`. Please fix any custom language
  files or uses of those entities in custom code.
* If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in `admin/myprofile`
  to ensure correct operation (it has changed its locale identifier).