mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-04 15:18:39 +02:00
# 2.4.10

## Overview

* Security: Undefined `$allowed_actions` overrides parent definitions
* API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`

## Details

### Security: Undefined `$allowed_actions` overrides parent definitions

Severity: Important

Description: `Controller` (and subclasses) failed to enforce `$allowed_actions` restrictions
defined on parent classes if a child class didn't define `$allowed_actions` explicitly.

Impact: Depends on the controller code in use. For any method with public visibility,
the flaw can expose the return value of the method (unless it fails due to wrong arguments).
It can also lead to unauthorized or unintended execution of logic, e.g. modifying the
state of a database record.

Fix: Apply the 2.4.10 update. In addition, we strongly recommend defining `$allowed_actions`
on all controller classes to ensure the intentions are clearly communicated.

### API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`

Controllers which are extended with `$allowed_actions` (through an `Extension`)
now deny access to methods defined on the controller, unless the controller class also lists them in its own
`$allowed_actions` definition.
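The following is an added illustration, not code from the SilverStripe changelog or framework. It shows the inheritance pattern the security fix addresses and the explicit `$allowed_actions` declarations recommended above, including the `Extension` case; all class, method and `ReportCache` names are hypothetical.

```php
<?php
// Added example (not part of the SilverStripe changelog). Class names, methods and
// ReportCache are hypothetical; only $allowed_actions / $extensions are framework API.

class ReportController extends Controller {
    // Only 'index' is intended to be routable; rebuild() is a public helper.
    public static $allowed_actions = array('index');

    public function index() {
        return $this->renderWith('ReportController');
    }

    public function rebuild() {
        // Modifies database state; must never be reachable as a URL action.
        ReportCache::clear();   // hypothetical helper
    }
}

// Weak (pre-2.4.10 behaviour): this subclass declares no $allowed_actions, so the
// parent's restriction was not enforced and rebuild() became routable on it.
class MonthlyReportController extends ReportController {
}

// Hardened: every controller declares its own $allowed_actions, so the intent is
// explicit and does not depend on inheritance resolution in the framework.
class YearlyReportController extends ReportController {
    public static $allowed_actions = array('index');
}

// Extension case (2.4.10 change): an Extension that contributes $allowed_actions
// causes the controller's own methods to be denied unless the controller lists them.
class ExportExtension extends Extension {
    public static $allowed_actions = array('export');

    public function export() {
        return 'exported';
    }
}

class InvoiceController extends Controller {
    public static $extensions = array('ExportExtension');

    // Without this declaration, index() would be denied once ExportExtension's
    // $allowed_actions is merged in.
    public static $allowed_actions = array('index');

    public function index() {
        return $this->renderWith('InvoiceController');
    }
}
```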

## Upgrading