silverstripe-framework/docs/en/04_Changelogs/3.1.13.md

# 3.1.13

# Overview

This release includes several security fixes to prevent HTTP Hostname injection, 
as well as a fix for flush or isDev querystring parameters
to be set via unauthenticated requests.

Users upgrading from 3.1.12 or below should read the [security documentation](/developer_guides/security/secure_coding)
on securing their site.

### Security

 * 2015-05-22 [a978b89](https://github.com/silverstripe/sapphire/commit/a978b89) Fix handling of empty parameter token (Damian Mooyman) - See [ss-2015-014](http://www.silverstripe.org/software/download/security-releases/ss-2015-014)
 * 2015-05-25 [75137db](https://github.com/silverstripe/sapphire/commit/75137db) Ensure only trusted proxy servers have control over certain HTTP headers (Damian Mooyman) - See [ss-2015-013](http://www.silverstripe.org/software/download/security-releases/ss-2015-013)
 * 2015-05-25 [22a35e4](https://github.com/silverstripe/sapphire/commit/22a35e4) Fix malformed urls redirecting to external sites (Damian Mooyman) - See [ss-2015-012](http://www.silverstripe.org/software/download/security-releases/ss-2015-012)
 * 2015-05-22 [79cfa2b](https://github.com/silverstripe/sapphire/commit/79cfa2b) Bug fix sqlquery select (Damian Mooyman) - See [ss-2015-011](http://www.silverstripe.org/software/download/security-releases/ss-2015-011)

### Bugfixes

 * 2015-04-24 [242de4e](https://github.com/silverstripe/sapphire/commit/242de4e) Added Youtube's short URL. (Michael Strong)
 * 2015-05-28 [9c8fa51](https://github.com/silverstripe/sapphire/commit/9c8fa51) Allow users to specify allowed hosts (Marcus Nyeholt)
 * 2015-05-07 [828ad6e](https://github.com/silverstripe/sapphire/commit/828ad6e) Modifications to GridFieldExportButton to allow ArrayList use in SS_Report (Will Rossiter)
 * 2015-04-30 [be10d90](https://github.com/silverstripe/sapphire/commit/be10d90) count breaks when having clause defined (Aram Balakjian)
 * 2015-04-27 [120b983](https://github.com/silverstripe/sapphire/commit/120b983) X-Reload & X-ControllerURL didn't support absolute URLs (fixes #4119) (Loz Calver)
 * 2015-04-25 [bfd8b66](https://github.com/silverstripe/sapphire/commit/bfd8b66) for #4104, minor revision of error messages in ListboxField (more intuitive). (Patrick Nelson)
 * 2015-04-23 [5ae0ca1](https://github.com/silverstripe/sapphire/commit/5ae0ca1) #4100 Setup the ability to overload the ShortcodeParser class and ensuring its methods/properties are extensible via the "static" keyword. (Patrick Nelson)
 * 2015-04-23 [c2fd18e](https://github.com/silverstripe/sapphire/commit/c2fd18e) use config for Security::$login_url (Daniel Hensby)
 * 2015-04-23 [19423e9](https://github.com/silverstripe/sapphire/commit/19423e9) Fix tinymce errors crashing CMS When removing a tinymce field, internal third party errors should be caught and ignored gracefully rather than breaking the whole CMS. (Damian Mooyman)
 * 2015-04-20 [8e24511](https://github.com/silverstripe/sapphire/commit/8e24511) Fix users with all cms section access not able to edit files Fixes #4078 (Damian Mooyman)
 * 2015-04-14 [8caaae6](https://github.com/silverstripe/sapphire/commit/8caaae6) Fix accordion sometimes displaying scrollbars (Damian Mooyman)
 * 2015-03-31 [a71f5f9](https://github.com/silverstripe/silverstripe-cms/commit/a71f5f9) Use SearchForm::create to instantiate SearchForm (Daniel Hensby)
 * 2015-03-26 [636cddb](https://github.com/silverstripe/sapphire/commit/636cddb) export and print buttons outside button row (Naomi Guyer)
 * 2015-03-26 [a7d3f89](https://github.com/silverstripe/sapphire/commit/a7d3f89) Check for existence of HTTP_USER_AGENT to avoid E_NOTICE error. (Sean Harvey)
 * 2015-03-25 [8d6cd15](https://github.com/silverstripe/sapphire/commit/8d6cd15) Fix some database errors during dev/build where an auth token exists for the current user Fixes #3660 (Damian Mooyman)
 * 2015-03-23 [aba0b70](https://github.com/silverstripe/sapphire/commit/aba0b70) GridFieldDetailForm::setItemEditFormCalback broke chaining (Daniel Hensby)
 * 2015-03-23 [72bb9a2](https://github.com/silverstripe/sapphire/commit/72bb9a2) Debug::text no longer incorrecty returns "ViewableData_debugger" (Daniel Hensby)
 * 2015-03-16 [f2b1fa9](https://github.com/silverstripe/sapphire/commit/f2b1fa9) broken link in docs to how_tos/extend_cms_interface (Jeremy Shipman)
 * 2015-02-24 [6c92a86](https://github.com/silverstripe/silverstripe-cms/commit/6c92a86) Fix CMSMainTest attempting to render page on Security permission error (Damian Mooyman)
Added 3.1.13 changelog 2015-05-28 08:59:11 +02:00			`# 3.1.13`

			`# Overview`

			`This release includes several security fixes to prevent HTTP Hostname injection,`
			`as well as a fix for flush or isDev querystring parameters`
			`to be set via unauthenticated requests.`

DOCS 3.1 - fixes broken internal links 2016-01-14 11:59:53 +01:00			`Users upgrading from 3.1.12 or below should read the [security documentation](/developer_guides/security/secure_coding)`
Added 3.1.13 changelog 2015-05-28 08:59:11 +02:00			`on securing their site.`

			`### Security`

			`* 2015-05-22 [a978b89](https://github.com/silverstripe/sapphire/commit/a978b89) Fix handling of empty parameter token (Damian Mooyman) - See [ss-2015-014](http://www.silverstripe.org/software/download/security-releases/ss-2015-014)`
			`* 2015-05-25 [75137db](https://github.com/silverstripe/sapphire/commit/75137db) Ensure only trusted proxy servers have control over certain HTTP headers (Damian Mooyman) - See [ss-2015-013](http://www.silverstripe.org/software/download/security-releases/ss-2015-013)`
			`* 2015-05-25 [22a35e4](https://github.com/silverstripe/sapphire/commit/22a35e4) Fix malformed urls redirecting to external sites (Damian Mooyman) - See [ss-2015-012](http://www.silverstripe.org/software/download/security-releases/ss-2015-012)`
			`* 2015-05-22 [79cfa2b](https://github.com/silverstripe/sapphire/commit/79cfa2b) Bug fix sqlquery select (Damian Mooyman) - See [ss-2015-011](http://www.silverstripe.org/software/download/security-releases/ss-2015-011)`

			`### Bugfixes`

			`* 2015-04-24 [242de4e](https://github.com/silverstripe/sapphire/commit/242de4e) Added Youtube's short URL. (Michael Strong)`
			`* 2015-05-28 [9c8fa51](https://github.com/silverstripe/sapphire/commit/9c8fa51) Allow users to specify allowed hosts (Marcus Nyeholt)`
			`* 2015-05-07 [828ad6e](https://github.com/silverstripe/sapphire/commit/828ad6e) Modifications to GridFieldExportButton to allow ArrayList use in SS_Report (Will Rossiter)`
			`* 2015-04-30 [be10d90](https://github.com/silverstripe/sapphire/commit/be10d90) count breaks when having clause defined (Aram Balakjian)`
			`* 2015-04-27 [120b983](https://github.com/silverstripe/sapphire/commit/120b983) X-Reload & X-ControllerURL didn't support absolute URLs (fixes #4119) (Loz Calver)`
			`* 2015-04-25 [bfd8b66](https://github.com/silverstripe/sapphire/commit/bfd8b66) for #4104, minor revision of error messages in ListboxField (more intuitive). (Patrick Nelson)`
			`* 2015-04-23 [5ae0ca1](https://github.com/silverstripe/sapphire/commit/5ae0ca1) #4100 Setup the ability to overload the ShortcodeParser class and ensuring its methods/properties are extensible via the "static" keyword. (Patrick Nelson)`
			`* 2015-04-23 [c2fd18e](https://github.com/silverstripe/sapphire/commit/c2fd18e) use config for Security::$login_url (Daniel Hensby)`
			`* 2015-04-23 [19423e9](https://github.com/silverstripe/sapphire/commit/19423e9) Fix tinymce errors crashing CMS When removing a tinymce field, internal third party errors should be caught and ignored gracefully rather than breaking the whole CMS. (Damian Mooyman)`
			`* 2015-04-20 [8e24511](https://github.com/silverstripe/sapphire/commit/8e24511) Fix users with all cms section access not able to edit files Fixes #4078 (Damian Mooyman)`
			`* 2015-04-14 [8caaae6](https://github.com/silverstripe/sapphire/commit/8caaae6) Fix accordion sometimes displaying scrollbars (Damian Mooyman)`
			`* 2015-03-31 [a71f5f9](https://github.com/silverstripe/silverstripe-cms/commit/a71f5f9) Use SearchForm::create to instantiate SearchForm (Daniel Hensby)`
			`* 2015-03-26 [636cddb](https://github.com/silverstripe/sapphire/commit/636cddb) export and print buttons outside button row (Naomi Guyer)`
			`* 2015-03-26 [a7d3f89](https://github.com/silverstripe/sapphire/commit/a7d3f89) Check for existence of HTTP_USER_AGENT to avoid E_NOTICE error. (Sean Harvey)`
			`* 2015-03-25 [8d6cd15](https://github.com/silverstripe/sapphire/commit/8d6cd15) Fix some database errors during dev/build where an auth token exists for the current user Fixes #3660 (Damian Mooyman)`
			`* 2015-03-23 [aba0b70](https://github.com/silverstripe/sapphire/commit/aba0b70) GridFieldDetailForm::setItemEditFormCalback broke chaining (Daniel Hensby)`
			`* 2015-03-23 [72bb9a2](https://github.com/silverstripe/sapphire/commit/72bb9a2) Debug::text no longer incorrecty returns "ViewableData_debugger" (Daniel Hensby)`
			`* 2015-03-16 [f2b1fa9](https://github.com/silverstripe/sapphire/commit/f2b1fa9) broken link in docs to how_tos/extend_cms_interface (Jeremy Shipman)`
			`* 2015-02-24 [6c92a86](https://github.com/silverstripe/silverstripe-cms/commit/6c92a86) Fix CMSMainTest attempting to render page on Security permission error (Damian Mooyman)`