silverstripe-framework/docs/en/04_Changelogs/2.3.10.md

36 lines
2.6 KiB
Markdown
Raw Normal View History

# 2.3.10 (2010-12-21)
## Overview
* Security: XSS in controller handling for missing actions
* Security: SQL injection with Translatable extension enabled
* Security: Version number information disclosure
* Security: Weak entropy in tokens for CSRF protection, autologin, "forgot password" emails and password salts
* Security: HTTP referer leakage on Security/changepassword
* Security: CSRF protection bypassed when handling form action requests through controller
* Improved security of PHPSESSID and byPassStaticCache cookies (setting them to 'httpOnly')
## Upgrading Notes
See [2.4.4](2.4.4)
## Changelogs
### Features and Enhancements
* [rev:114501] Added !RandomGenerator for more secure CSRF tokens etc. (from r114497) (from r114499)
### Bugfixes
* [rev:115200] Removing form actions from in !AssetAdmin, CMSMain, !LeftAndMain - handled through Form->httpSubmission() (merged from r115185)
* [rev:115191] Checking for existence of !FormAction in Form->httpSubmission() to avoid bypassing $allowed_actions definitions in controllers containing this form
* [rev:115191] Checking for $allowed_actions in Form class, through Form->httpSubmission() (from r115182)
* [rev:114776] Disallow web access to sapphire/silverstripe_version to avoid information leakage (from r114773)
* [rev:114772] Disallow web access to cms/silverstripe_version to avoid information leakage (from r114770)
* [rev:114763] Avoid potential referer leaking in Security->changepassword() form by storing Member->!AutoLoginHash in session instead of 'h' GET parameter (from r114758)
* [rev:114741] Fixed CSRF warning in image form after selecting a folder. (from r80237)
* [rev:114517] Escaping $locale values in Translatable->augmentSQL() in addition to the i18n::validate_locale() input validation (from r114515) (from r114516)
* [rev:114513] Limiting usage of mcrypt_create_iv() in !RandomGenerator->generateEntropy() to *nix platforms to avoid fatal errors (specically in IIS) (from r114510) (from r114512)
* [rev:114509] Using !RandomGenerator class in Member->logIn(), Member->autoLogin() and Member->generateAutologinHash() for better randomization of tokens. Increased VARCHAR length of '!RememberLoginToken' and '!AutoLoginHash' fields to 1024 characters to support longer token strings. (from r114504) (from r114507)
* [rev:114502] Using !RandomGenerator class in !SecurityToken->generate() for more random tokens (from r114500)
* [rev:114266] Removing quotes from test data in !RestfulServiceTest, it gives different results depending on magic_quotes_gpc setting on PHP configuration (merged from r80132).