silverstripe-framework/docs/en/04_Changelogs/4.3.6.md

90 lines
10 KiB
Markdown
Raw Normal View History

2019-09-24 07:01:19 +02:00
# 4.3.6
2019-09-25 01:23:57 +02:00
Embedding files with shortcodes (`FileShortcodeProvider`) no longer provides a session grant
by default. This is because it has the potential to escalate file access
to users who otherwise should not have viewing permissions for the file.
There is a minor performance trade-off for disabling these grants. If you have a page with a lot of
images that are in a draft state or have custom viewing permissions, it adds an extra database
query for each embedded image. With session grants enabled, the first permission check persists
the grant into the session, meaning there is no need to query the database on every single file.
Unless you have a lot of shortcode images embedded with protected or draft status on a single page,
this setting is best left to its default value of `false`.
To revert to the old behaviour:
```
SilverStripe\Assets\Shortcodes\FileShortcodeProvider:
allow_session_grant: true
```
## If you were using the versionedfiles on your 3.x site
This release includes a security fix for users who migrated from a 3.x site that used
the [versionedfiles](https://github.com/symbiote/silverstripe-versionedfiles) module.
The file migration would have left the `_versions` folders in your public filesystem
as artefacts, leaving all the unpublished versions of your old files publicly accessible
under a guessable URL.
To work around this, you can use the `VersionedFilesMigrationTask`:
`$ vendor/bin/sake dev/tasks/migrate-versionedfiles strategy=[delete|protect]`
If you choose the `delete` strategy (default), the task will delete all `_versions`
files for you. Be sure to take a snapshot of your `public/assets` folder before
doing so. If you choose the `protect` strategy, the task will drop an `.htaccess` file
in your old `_versions` directories. **This method only works if you are using Apache
to serve your static files**. If you are using another server such as Nginx, these files
will remain publicly exposed. It is recommended you use the `delete` strategy if you are
not using Apache.
2019-09-24 07:01:19 +02:00
## Change Log
### Security
* 2019-09-23 [5af205993](https://github.com/silverstripe/silverstripe-framework/commit/5af205993d24b4bafc00dea94efc2c31305bca83) Fix access escalation for CMS users with limited access through permission cache pollution (Serge Latyntcev) - See [cve-2019-12617](https://www.silverstripe.org/download/security-releases/cve-2019-12617)
* 2019-09-16 [569237c0f](https://github.com/silverstripe/silverstripe-framework/commit/569237c0f4d16ac6f927aeb0ed8c9b8787490080) Session fixation in "change password" form (Serge Latyntcev) - See [cve-2019-12203](https://www.silverstripe.org/download/security-releases/cve-2019-12203)
* 2019-08-20 [f98a59de](https://github.com/silverstripe/silverstripe-cms/commit/f98a59deb58d3c9c739f5b32de16472f6ef4a69c) install.php warning does not account for public dir (Aaron Carlino) - See [cve-2019-12204](https://www.silverstripe.org/download/security-releases/cve-2019-12204)
* 2019-08-17 [fddf889](https://github.com/silverstripe/silverstripe-assets/commit/fddf889917c4e58d32a3e6f476bddaf3fa595e41) Broken access control on files due to session grant (Aaron Carlino) - See [cve-2019-14273](https://www.silverstripe.org/download/security-releases/cve-2019-14273)
* 2019-05-21 [73e0cc6](https://github.com/silverstripe/silverstripe-assets/commit/73e0cc69dc499c24aa706af9eddd8a2db2ac93e0) Fix incorrect access control vulnerability with unwritten files in protected folders (Robbie Averill) - See [cve-2019-12245](https://www.silverstripe.org/download/security-releases/cve-2019-12245)
### Features and Enhancements
* 2019-09-18 [1308911](https://github.com/silverstripe/silverstripe-assets/commit/13089110e7b3feea2196198fd3beda21244ceb20) Add task to remove/protect _versions folders (Aaron Carlino)
* 2019-06-16 [06beff7](https://github.com/silverstripe/silverstripe-admin/commit/06beff71a45bca0f42c88ea931f142d8bc10d008) Allow export of injected GraphQL AST alongside HOC (#889) (Aaron Carlino)
### Bugfixes
* 2019-09-23 [aa7c05742](https://github.com/silverstripe/silverstripe-framework/commit/aa7c05742242f8e2ec77f97b52839e0365ec7e1a) Don't force-add view button to readonly GridField (fixes #… (#9254) (Guy Marriott)
* 2019-09-23 [190b2f284](https://github.com/silverstripe/silverstripe-framework/commit/190b2f28429cd870c791f689def055061665ee58) run member CMS validator when editing via groups (fixes #9… (#9255) (Guy Marriott)
* 2019-09-23 [efdb9cc71](https://github.com/silverstripe/silverstripe-framework/commit/efdb9cc718517c09800a47bb53374bff787b54fa) run member CMS validator when editing via groups (fixes #9184) (Loz Calver)
* 2019-09-23 [d85ff3bc4](https://github.com/silverstripe/silverstripe-framework/commit/d85ff3bc4463d47edd6b662b34569162e3861a88) Don't force-add view button to readonly GridField (fixes #9249) (Loz Calver)
* 2019-09-23 [fc536fa](https://github.com/silverstripe/silverstripe-assets/commit/fc536faf2413683549d6b8e77400dc85e37b3a30) Update Apache .htaccess for new access directives (Dylan Wagstaff)
* 2019-09-20 [ea363fc](https://github.com/silverstripe/silverstripe-asset-admin/commit/ea363fcabd9af8d7607bac9b431171b6b94583f1) Correctly process all non-insert form actions normally in the media dialog (#1005) (Damian Mooyman)
* 2019-09-10 [591b88a9b](https://github.com/silverstripe/silverstripe-framework/commit/591b88a9bc05b40a7ce3604283b9b7cb684f88cc) Allow infinite loop when calling DataObject::writeComponent() recursively (Maxime Rainville)
* 2019-09-03 [b0a6973](https://github.com/silverstripe/silverstripe-asset-admin/commit/b0a6973052e73652a9092e7ed9d5dd5d89e5dd42) Remove Default DropzoneJS Timeout of 30s (#985) (Joe Harvey)
* 2019-08-29 [77ba8391c](https://github.com/silverstripe/silverstripe-framework/commit/77ba8391c40278930873301d50ee3c1168da4cef) Byte Order Marks (BOM) are now stripped when importing CSV files (Robbie Averill)
* 2019-08-28 [73f43c6f4](https://github.com/silverstripe/silverstripe-framework/commit/73f43c6f428dc92ee2c9a5f932c63ed8a04c8230) Remove placeholder text on new group form (Maxime Rainville)
* 2019-08-26 [314a906](https://github.com/silverstripe/silverstripe-admin/commit/314a9068e5a3a1a71dfc99021d6acec9b0ab5b77) Fix the jstree styles so that the selected states are more visible (bergice)
* 2019-08-23 [5845ac6](https://github.com/silverstripe/silverstripe-admin/commit/5845ac685851f8841af8d96ef6313a2cff153ba4) Prevent breadcrumb item styles from bleeding into non-react (Maxime Rainville)
* 2019-08-23 [94d6c80](https://github.com/silverstripe/silverstripe-admin/commit/94d6c80780430acb4e9d8786a5080a800f777792) enter to submit form not working on `Add new page` (bergice)
* 2019-08-14 [9889015](https://github.com/silverstripe/silverstripe-admin/commit/9889015eccd05c099e3d8b3d3ce52f179b5b9933) Display breadcrumb element from left to right (#925) (Guy Marriott)
* 2019-08-13 [1c548cb](https://github.com/silverstripe/silverstripe-admin/commit/1c548cb599563997687cd1062ff2a0985c43197e) jstree state when saving a page by retaining the open/closed state and selected node state. (bergice)
* 2019-08-09 [a2e98dc](https://github.com/silverstripe/silverstripe-admin/commit/a2e98dcf71353951055cb0f2da286a0455a66ebe) Display breadcrumb element from left to right (Maxime Rainville)
* 2019-08-09 [3d989a6ea](https://github.com/silverstripe/silverstripe-framework/commit/3d989a6eae979f2671889376179dfdc7085658ac) Use content generated by DataColumns component for print and csv export (Guy Marriott)
* 2019-07-29 [5c794dfcd](https://github.com/silverstripe/silverstripe-framework/commit/5c794dfcdd42b319325c867f4a807429ad93a553) Prevent setting session value when no session exists yet (Robbie Averill)
* 2019-07-25 [40cd66852](https://github.com/silverstripe/silverstripe-framework/commit/40cd66852e8d3a5d56c56b9d279cb89a98e3c16d) Fixed issue where multiple relationship sort order columns would be lost in favor of only the last relationship column in the sort order (UndefinedOffset)
* 2019-07-17 [ef25468](https://github.com/silverstripe/silverstripe-admin/commit/ef2546889ff35c2a6cf74aa956d818cae72898e0) Inline toolbar placement now works in HTMLEditorFields with less than 6 rows (Robbie Averill)
* 2019-07-12 [fcd7a1e63](https://github.com/silverstripe/silverstripe-framework/commit/fcd7a1e63e7013a9f36100a05bf723ed68382d8a) core memory limit test (Serge Latyntcev)
* 2019-06-27 [183371b](https://github.com/silverstripe/silverstripe-admin/commit/183371b28a9a1496f2a39284eb0d7d667d4b49bb) Update CSS for sitetree new page columns to use new classna… (#899) (Guy Marriott)
* 2019-06-27 [b9dcf070](https://github.com/silverstripe/silverstripe-cms/commit/b9dcf070406644f14ab9ae0eb9c22d0f3d1d10cd) Change sitetree new page column class naming to avoid conf… (#2449) (Guy Marriott)
* 2019-06-26 [b01dc580e](https://github.com/silverstripe/silverstripe-framework/commit/b01dc580e1f9b62c7b8a3a62157ad10930a80342) Protect against undefined index when using nullifyEmpty opt… (#9090) (Guy Marriott)
* 2019-06-25 [c76d3a5db](https://github.com/silverstripe/silverstripe-framework/commit/c76d3a5db10f9a56a31684354fcd89c1a88de8d4) Protect against undefined index when using nullifyEmpty option (Robbie Averill)
* 2019-06-19 [260c89fd5](https://github.com/silverstripe/silverstripe-framework/commit/260c89fd54e1c1ed68e5597ccc4592473a53e983) Fix of delimiter not used bug (Mario Sommereder)
* 2019-06-19 [4df7c21](https://github.com/silverstripe/silverstripe-admin/commit/4df7c21f3fa0ee96cc62876abe9be20720bbc0dc) Update CSS for sitetree new page columns to use new classname, fix item placement within (Mikaela Young)
* 2019-06-19 [73f4e8c8](https://github.com/silverstripe/silverstripe-cms/commit/73f4e8c8605ea28a2283a1ef96723188c0266706) Change sitetree new page column class naming to avoid conflicts with bootstrap (Mikaela Young)
* 2019-06-13 [562a8a5](https://github.com/silverstripe/silverstripe-assets/commit/562a8a523b9a50a5a7d4e40c4b4c799a66869ec8) Add FolderNameFilter class: folder names no longer allow dots, and are replaced with dashes (Robbie Averill)
* 2019-06-05 [bcc55e2](https://github.com/silverstripe/silverstripe-admin/commit/bcc55e212384cdc36728224730dbf6db320acb10) Update modal designs to match design pattern library (Guy Marriott)
* 2019-04-12 [7592db91](https://github.com/silverstripe/silverstripe-cms/commit/7592db918f269db2fd5c33d9c1259df86f15e12b) VirtualPage missing methods from target page (fixes #2408) (Loz Calver)