silverstripe-framework/docs/en/04_Changelogs/4.3.5.md

# 4.3.5

Embedding files with shortcodes (`FileShortcodeProvider`) no longer provides a session grant
by default. This is because it has the potential to escalate file access
to users who otherwise should not have viewing permissions for the file.

There is a minor performance trade-off for disabling these grants. If you have a page with a lot of
images that are in a draft state or have custom viewing permissions, it adds an extra database
query for each embedded image. With session grants enabled, the first permission check persists
the grant into the session, meaning there is no need to query the database on every single file.

Unless you have a lot of shortcode images embedded with protected or draft status on a single page,
this setting is best left to its default value of `false`.

To revert to the old behaviour:

```
SilverStripe\Assets\Shortcodes\FileShortcodeProvider:
  allow_session_grant: true
```

## If you were using the versionedfiles on your 3.x site

This release includes a security fix for users who migrated from a 3.x site that used
the [versionedfiles](https://github.com/symbiote/silverstripe-versionedfiles) module.
The file migration would have left the `_versions` folders in your public filesystem
as artefacts, leaving all the unpublished versions of your old files publicly accessible
under a guessable URL.

To work around this, you can use the `VersionedFilesMigrationTask`:

`$ vendor/bin/sake dev/tasks/migrate-versionedfiles strategy=[delete|protect]`

If you choose the `delete` strategy (default), the task will delete all `_versions`
files for you. Be sure to take a snapshot of your `public/assets` folder before
doing so. If you choose the `protect` strategy, the task will drop an `.htaccess` file
in your old `_versions` directories. **This method only works if you are using Apache
to serve your static files**. If you are using another server such as Nginx, these files
will remain publicly exposed. It is recommended you use the `delete` strategy if you are
not using Apache.

<!--- Changes below this line will be automatically regenerated -->
DOCS: Add FileShortcodeProvider change to changelog 2019-08-19 00:41:50 +02:00			`# 4.3.5`

			Embedding files with shortcodes (`FileShortcodeProvider`) no longer provides a session grant
			`by default. This is because it has the potential to escalate file access`
			`to users who otherwise should not have viewing permissions for the file.`

			`There is a minor performance trade-off for disabling these grants. If you have a page with a lot of`
			`images that are in a draft state or have custom viewing permissions, it adds an extra database`
			`query for each embedded image. With session grants enabled, the first permission check persists`
			`the grant into the session, meaning there is no need to query the database on every single file.`

			`Unless you have a lot of shortcode images embedded with protected or draft status on a single page,`
			this setting is best left to its default value of `false`.

			`To revert to the old behaviour:`

			```
			`SilverStripe\Assets\Shortcodes\FileShortcodeProvider:`
			`allow_session_grant: true`
			```

DOCS: Add docs for versioned files migration 2019-09-18 07:10:07 +02:00			`## If you were using the versionedfiles on your 3.x site`

			`This release includes a security fix for users who migrated from a 3.x site that used`
			`the [versionedfiles](https://github.com/symbiote/silverstripe-versionedfiles) module.`
			The file migration would have left the `_versions` folders in your public filesystem
			`as artefacts, leaving all the unpublished versions of your old files publicly accessible`
			`under a guessable URL.`

			To work around this, you can use the `VersionedFilesMigrationTask`:

			`$ vendor/bin/sake dev/tasks/migrate-versionedfiles strategy=[delete\|protect]`

			If you choose the `delete` strategy (default), the task will delete all `_versions`
			files for you. Be sure to take a snapshot of your `public/assets` folder before
			doing so. If you choose the `protect` strategy, the task will drop an `.htaccess` file
			in your old `_versions` directories. **This method only works if you are using Apache
			`to serve your static files**. If you are using another server such as Nginx, these files`
			will remain publicly exposed. It is recommended you use the `delete` strategy if you are
			`not using Apache.`

DOCS: Add FileShortcodeProvider change to changelog 2019-08-19 00:41:50 +02:00			`<!--- Changes below this line will be automatically regenerated -->`