silverstripe-framework/docs/en/04_Changelogs/3.1.9.md

# 3.1.9

## Upgrading

### File permissions

This release makes an important change to File DataObject permissions in order to close a vulnerability in
file modification privileges. In 3.1.8 and below, any part of a website where user interaction could
potentially modify a file (such as an UploadField being used on the frontend) permissions may not be
adequately checked, meaning in some cases non-authorised (or even non-authenticated) users could
make changes to assets. This is because the File DataObject reports that any user has canEdit
privileges on it.

By default the minimum necessary permission required by any user to modify files has been changed
to CMS_ACCESS_AssetAdmin. This permission value was historically required in 3.0 and has now been restored.

In order to update a site to 3.1.9 it may be necessary to make sure that this permission requirement still makes
sense to any business logic, and it may also be necessary to apply another permission. This can be
done by creating an extension to File which applies the custom permission.

E.g.

	:::php
	<?php
	class FileSecurityExtension extends DataExtension {
		public function canEdit($member) {
			return Permission::checkMember($member, 'MyCustomPermission');
		}
	}

## Security

This release includes an important security fix.

 * 2015-01-12 [c49f164](https://github.com/silverstripe/silverstripe-framework/commit/c49f164) Fix file and uploadfield permissions [SS-2014-018](http://www.silverstripe.org/software/download/security-releases/ss-2014-018-open-file-permissions).

### Features and Enhancements

 * 2014-11-21 [31b5a9d](https://github.com/silverstripe/sapphire/commit/31b5a9d) Allow CMS re-authentication to be completely disabled if necessary (Damian Mooyman)
 * 2014-12-10 [fba6880](https://github.com/silverstripe/sapphire/commit/fba6880) Additional extension points for Tiny MCE editing, for when images are regenerated and manipulating the HTML prior to a save (Gordon Anderson)
 * 2014-11-13 [d7eb275](https://github.com/silverstripe/sapphire/commit/d7eb275) Make the record count in GridFieldFooter optional (Jeremy Shipman)

### Bugfixes

 * 2015-01-08 [a02adf6](https://github.com/silverstripe/sapphire/commit/a02adf6) Uneccessary class replacement (Michael Strong)
 * 2014-12-18 [5637431](https://github.com/silverstripe/sapphire/commit/5637431) The method 'name' does not exist on 'Form' (Elvinas L)
 * 2014-12-15 [6582162](https://github.com/silverstripe/sapphire/commit/6582162) How to folder on forms (Cam Findlay)
 * 2014-12-11 [b5c361a](https://github.com/silverstripe/sapphire/commit/b5c361a) GD - check file exists before getimagesize (Will Morgan)
 * 2014-12-09 [6bdd30c](https://github.com/silverstripe/sapphire/commit/6bdd30c) Fix gridfield storing duplicate data in session (Damian Mooyman)
 * 2014-12-09 [3ac705f](https://github.com/silverstripe/sapphire/commit/3ac705f) Feedback to name the fields section to "field types" to make it clearer what the section is about. (Cam Findlay)
 * 2014-12-09 [e9fd03b](https://github.com/silverstripe/sapphire/commit/e9fd03b) use GFMD code blocks to fix code formatting consistency. (Cam Findlay)
 * 2014-11-25 [01989aa](https://github.com/silverstripe/sapphire/commit/01989aa) Manifest flushing (Jonathon Menz)
 * 2014-11-24 [7384d01](https://github.com/silverstripe/sapphire/commit/7384d01) DataDifferencer was trying to compare fields, even if the fields didn't exist causing an error. (micmania1)
 * 2014-11-18 [2bdfd65](https://github.com/silverstripe/sapphire/commit/2bdfd65) Security::findAnAdministrator doesn't always find an admin (Damian Mooyman)
 * 2014-11-10 [85b4ba1](https://github.com/silverstripe/sapphire/commit/85b4ba1) DataObject::db() doesn't respect overloaded db types (fixes #3620) (Loz Calver)
 * 2014-10-03 [9d888d5](https://github.com/silverstripe/silverstripe-cms/commit/9d888d5) Fixed SearchForm not calling getTemplate() in forTemplate() (Stephen McMahon)
 * 2014-09-02 [1f4f5e6](https://github.com/silverstripe/sapphire/commit/1f4f5e6) Fix versioned Versioned is not writing Version to _version tables for subclasses of Version dataobjects which have their own DB fields - Fix disjoint of ID / RecordID (which should be the same) - Fix calculation of new record version - Fix use of empty vs !isset to check for existing version (Damian Mooyman)

## Changelog

 * [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.1.9)
 * [cms](https://github.com/silverstripe/silverstripe-cms/releases/tag/3.1.9)
 * [installer](https://github.com/silverstripe/silverstripe-installer/releases/tag/3.1.9)
Add detection for PHP running in CGI mode and add HTTP_AUTHORIZATION rewrite rule Detect and parse HTTP_AUTHORIZATION for basic authentication running PHP in CGI mode Add comments about using CGI mode with Apache and Basic Auth in /docs/en/topics/environment-management.md Added notes to docs/en/changelogs/3.1.9.md 2014-11-27 20:34:55 +01:00			`# 3.1.9`

Updated changelog 2015-01-14 23:45:41 +01:00			`## Upgrading`
Add detection for PHP running in CGI mode and add HTTP_AUTHORIZATION rewrite rule Detect and parse HTTP_AUTHORIZATION for basic authentication running PHP in CGI mode Add comments about using CGI mode with Apache and Basic Auth in /docs/en/topics/environment-management.md Added notes to docs/en/changelogs/3.1.9.md 2014-11-27 20:34:55 +01:00
Updated changelog 2015-01-14 23:45:41 +01:00			`### File permissions`
Add detection for PHP running in CGI mode and add HTTP_AUTHORIZATION rewrite rule Detect and parse HTTP_AUTHORIZATION for basic authentication running PHP in CGI mode Add comments about using CGI mode with Apache and Basic Auth in /docs/en/topics/environment-management.md Added notes to docs/en/changelogs/3.1.9.md 2014-11-27 20:34:55 +01:00
Updated changelog 2015-01-14 23:45:41 +01:00			`This release makes an important change to File DataObject permissions in order to close a vulnerability in`
			`file modification privileges. In 3.1.8 and below, any part of a website where user interaction could`
			`potentially modify a file (such as an UploadField being used on the frontend) permissions may not be`
			`adequately checked, meaning in some cases non-authorised (or even non-authenticated) users could`
			`make changes to assets. This is because the File DataObject reports that any user has canEdit`
			`privileges on it.`

			`By default the minimum necessary permission required by any user to modify files has been changed`
			`to CMS_ACCESS_AssetAdmin. This permission value was historically required in 3.0 and has now been restored.`

			`In order to update a site to 3.1.9 it may be necessary to make sure that this permission requirement still makes`
			`sense to any business logic, and it may also be necessary to apply another permission. This can be`
			`done by creating an extension to File which applies the custom permission.`

			`E.g.`

			`:::php`
			`<?php`
			`class FileSecurityExtension extends DataExtension {`
			`public function canEdit($member) {`
			`return Permission::checkMember($member, 'MyCustomPermission');`
			`}`
			`}`

			`## Security`

			`This release includes an important security fix.`

			`* 2015-01-12 [c49f164](https://github.com/silverstripe/silverstripe-framework/commit/c49f164) Fix file and uploadfield permissions [SS-2014-018](http://www.silverstripe.org/software/download/security-releases/ss-2014-018-open-file-permissions).`

			`### Features and Enhancements`

			`* 2014-11-21 [31b5a9d](https://github.com/silverstripe/sapphire/commit/31b5a9d) Allow CMS re-authentication to be completely disabled if necessary (Damian Mooyman)`
			`* 2014-12-10 [fba6880](https://github.com/silverstripe/sapphire/commit/fba6880) Additional extension points for Tiny MCE editing, for when images are regenerated and manipulating the HTML prior to a save (Gordon Anderson)`
			`* 2014-11-13 [d7eb275](https://github.com/silverstripe/sapphire/commit/d7eb275) Make the record count in GridFieldFooter optional (Jeremy Shipman)`
Add detection for PHP running in CGI mode and add HTTP_AUTHORIZATION rewrite rule Detect and parse HTTP_AUTHORIZATION for basic authentication running PHP in CGI mode Add comments about using CGI mode with Apache and Basic Auth in /docs/en/topics/environment-management.md Added notes to docs/en/changelogs/3.1.9.md 2014-11-27 20:34:55 +01:00
			`### Bugfixes`

Updated changelog 2015-01-14 23:45:41 +01:00			`* 2015-01-08 [a02adf6](https://github.com/silverstripe/sapphire/commit/a02adf6) Uneccessary class replacement (Michael Strong)`
			`* 2014-12-18 [5637431](https://github.com/silverstripe/sapphire/commit/5637431) The method 'name' does not exist on 'Form' (Elvinas L)`
			`* 2014-12-15 [6582162](https://github.com/silverstripe/sapphire/commit/6582162) How to folder on forms (Cam Findlay)`
			`* 2014-12-11 [b5c361a](https://github.com/silverstripe/sapphire/commit/b5c361a) GD - check file exists before getimagesize (Will Morgan)`
			`* 2014-12-09 [6bdd30c](https://github.com/silverstripe/sapphire/commit/6bdd30c) Fix gridfield storing duplicate data in session (Damian Mooyman)`
			`* 2014-12-09 [3ac705f](https://github.com/silverstripe/sapphire/commit/3ac705f) Feedback to name the fields section to "field types" to make it clearer what the section is about. (Cam Findlay)`
			`* 2014-12-09 [e9fd03b](https://github.com/silverstripe/sapphire/commit/e9fd03b) use GFMD code blocks to fix code formatting consistency. (Cam Findlay)`
			`* 2014-11-25 [01989aa](https://github.com/silverstripe/sapphire/commit/01989aa) Manifest flushing (Jonathon Menz)`
			`* 2014-11-24 [7384d01](https://github.com/silverstripe/sapphire/commit/7384d01) DataDifferencer was trying to compare fields, even if the fields didn't exist causing an error. (micmania1)`
			`* 2014-11-18 [2bdfd65](https://github.com/silverstripe/sapphire/commit/2bdfd65) Security::findAnAdministrator doesn't always find an admin (Damian Mooyman)`
			`* 2014-11-10 [85b4ba1](https://github.com/silverstripe/sapphire/commit/85b4ba1) DataObject::db() doesn't respect overloaded db types (fixes #3620) (Loz Calver)`
			`* 2014-10-03 [9d888d5](https://github.com/silverstripe/silverstripe-cms/commit/9d888d5) Fixed SearchForm not calling getTemplate() in forTemplate() (Stephen McMahon)`
			`* 2014-09-02 [1f4f5e6](https://github.com/silverstripe/sapphire/commit/1f4f5e6) Fix versioned Versioned is not writing Version to _version tables for subclasses of Version dataobjects which have their own DB fields - Fix disjoint of ID / RecordID (which should be the same) - Fix calculation of new record version - Fix use of empty vs !isset to check for existing version (Damian Mooyman)`
Add detection for PHP running in CGI mode and add HTTP_AUTHORIZATION rewrite rule Detect and parse HTTP_AUTHORIZATION for basic authentication running PHP in CGI mode Add comments about using CGI mode with Apache and Basic Auth in /docs/en/topics/environment-management.md Added notes to docs/en/changelogs/3.1.9.md 2014-11-27 20:34:55 +01:00
			`## Changelog`

Updated changelog 2015-01-14 23:45:41 +01:00			`* [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.1.9)`
			`* [cms](https://github.com/silverstripe/silverstripe-cms/releases/tag/3.1.9)`
			`* [installer](https://github.com/silverstripe/silverstripe-installer/releases/tag/3.1.9)`