mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 12:05:37 +00:00
24 lines
1.0 KiB
Markdown
24 lines
1.0 KiB
Markdown
|
# 2.4.11 (Not yet released)
|
||
|
|
|
||
|
|
## Overview
|
||
|
|
|
||
|
|
* Security: Require ADMIN for `?flush=1` (stop denial of service attacks)
|
||
|
|
([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692))
|
||
|
|
|
||
|
|
## Details
|
||
|
|
|
||
|
|
### Security: Require ADMIN for ?flush=1 and ?flush=all
|
||
|
|
|
||
|
|
Flushing the various manifests (class, template, config) is performed through a GET
|
||
|
|
parameter (`flush=1`). Since this action requires more server resources than normal requests,
|
||
|
|
it can facilitate [denial-of-service attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack).
|
||
|
|
|
||
|
|
To prevent this, main.php now checks and only allows the flush parameter in the following cases:
|
||
|
|
|
||
|
|
* The [environment](/topics/environment-management) is in "dev mode"
|
||
|
|
* A user is logged in with ADMIN permissions
|
||
|
|
* An error occurs during startup
|
||
|
|
|
||
|
|
This applies to both `flush=1` and `flush=all`but only through web requests made through main.php - CLI requests,
|
||
|
|
or any other request that goes through a custom start up script will still process all flush requests as normal.
|