silverstripe-framework/docs/en/changelogs/3.0.6.md

# 3.0.6 (Not yet released)

## Overview

 * Security: Require ADMIN for `?flush=1` (stop denial of service attacks)
 ([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692))

## Details

### Security: Require ADMIN for ?flush=1 (SS-2013-001)

Flushing the various manifests (class, template, config) is performed through a GET
parameter (`flush=1`). Since this action requires more server resources than normal requests,
it can facilitate [denial-of-service attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack).

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

 * The [environment](/topics/environment-management) is in "dev mode"
 * A user is logged in with ADMIN permissions
 * An error occurs during startup

This applies to both `flush=1` and `flush=all` (technically we only check for the existence of any parameter value)
but only through web requests made through main.php - CLI requests, or any other request that goes through
a custom start up script will still process all flush requests as normal.

### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)

See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)

### Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)

See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/)

### Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)

See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/)

## Upgrading

 * If you have created your own composite database fields, then you should amend the setValue() to allow the passing of
   an object (usually DataObject) as well as an array.
 * If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web
   request, you should ensure that you limit use of the flush parameter
 * Translation entity namespaces can no longer contain dots, since it conflicts with the YAML format. 
 * Translation entities defined in templates now use their fully qualified entity name without dots.
   Before: `BackLink_Button.ss.Back`, after `BackLink_Button_ss.Back`. Please fix any custom language
   files or uses of those entities in custom code.
 * If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in `admin/myprofile`
   to ensure correct operation (it has changed its locale identifier)
NEW: Added DataObject::getQueriedDatabaseFields() as faster alternative to toMap() API: CompositeDBField::setValue() may be passed an object as its second argument, in addition to array. These changes provide a 15% - 20% performance improvement, and as such justify an small API change in the 3.0 branch. It will likely affect anyone who has created their own composite fields, which is fortunately not all that common. 2013-04-21 03:18:18 +02:00			`# 3.0.6 (Not yet released)`

FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-18 07:09:21 +02:00			`## Overview`

			* Security: Require ADMIN for `?flush=1` (stop denial of service attacks)
			`([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692))`

			`## Details`

FIX Privilege escalation through Group hierarchy setting (SS-2013-003) See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/ 2013-08-30 13:58:37 +02:00			`### Security: Require ADMIN for ?flush=1 (SS-2013-001)`
FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-18 07:09:21 +02:00
			`Flushing the various manifests (class, template, config) is performed through a GET`
			parameter (`flush=1`). Since this action requires more server resources than normal requests,
			`it can facilitate [denial-of-service attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack).`

			`To prevent this, main.php now checks and only allows the flush parameter in the following cases:`

			`* The [environment](/topics/environment-management) is in "dev mode"`
			`* A user is logged in with ADMIN permissions`
			`* An error occurs during startup`

			This applies to both `flush=1` and `flush=all` (technically we only check for the existence of any parameter value)
			`but only through web requests made through main.php - CLI requests, or any other request that goes through`
			`a custom start up script will still process all flush requests as normal.`

FIX Privilege escalation through Group hierarchy setting (SS-2013-003) See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/ 2013-08-30 13:58:37 +02:00			`### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)`

			`See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)`
FIX Privilege escalation through Group and Member CSV upload (SS-2013-004) See http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/ 2013-08-30 13:59:05 +02:00
			`### Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)`

			`See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/)`
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/ 2013-08-30 13:59:38 +02:00
			`### Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)`

			`See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/)`

NEW: Added DataObject::getQueriedDatabaseFields() as faster alternative to toMap() API: CompositeDBField::setValue() may be passed an object as its second argument, in addition to array. These changes provide a 15% - 20% performance improvement, and as such justify an small API change in the 3.0 branch. It will likely affect anyone who has created their own composite fields, which is fortunately not all that common. 2013-04-21 03:18:18 +02:00			`## Upgrading`

FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-18 07:09:21 +02:00			`* If you have created your own composite database fields, then you should amend the setValue() to allow the passing of`
			`an object (usually DataObject) as well as an array.`
			`* If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web`
			`request, you should ensure that you limit use of the flush parameter`
Translations: Switch to Transifex format - Based on new (last) translation download from getlocalization.com - Removed untranslated strings. Getlocalization started including those at some point which is highly annoying, unnecessary and breaks the new transfix system, since it'll mark all of the english strings as actual translations - Avoid dots in entities. It confuses the Transifex YML parser - Removed some locales unknown to Transifex which didn't have any translations anyway - Removed "lolcat" locale, uses custom notation (en@lolcal) which SilverStripe's i18n system can't handle (needs mapping from SS naming to Zend naming) - Renamed "Te Reo/Maori" locale from "mi_NZ" to "mi" (Transifex/CLDR notation) - Namespaced all entities used in templates (deprecated usage) - Converted dots to underscores where template filenames are used for namespaces, since Transifex YML parsing handles them as separate YML keys otherwise - Removed whitespace in entity names, SilverStripe i18n can't handle it - Only allow selection of locales registered through i18n::$all_locales to avoid issues with unknown locales in Zend's CLDR database 2013-08-03 20:18:06 +02:00			`* Translation entity namespaces can no longer contain dots, since it conflicts with the YAML format.`
			`* Translation entities defined in templates now use their fully qualified entity name without dots.`
			Before: `BackLink_Button.ss.Back`, after `BackLink_Button_ss.Back`. Please fix any custom language
			`files or uses of those entities in custom code.`
			* If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in `admin/myprofile`
			`to ensure correct operation (it has changed its locale identifier)`