silverstripe-framework/docs/en/04_Changelogs/4.4.5.md

# 4.4.5

## Security patches

This release contains security patches

### CVE-2019-19325 (CVSS 7.5)

Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input. There is no known attack vector for extracting user-session information or credentials automatically, it required a user to fall for the phishing attempt. XSS can also be used to modify the presentation of content in malicious ways.

The vulnerability is known to apply in at least the following cases:

The login form provided by Silverstripe. When the login form is used with Multi Factor Authentication (MFA), the attack complexity for phishing increases, and is mitigated by using security keys such as Yubikey as an unphishable token.
Forms which are configured to populate field values based on request parameters. This usually happens via setting the $value on a FormField instance during construction of the form, or by loading request data via Form->loadDataFrom($myRequest->getVars()).
Forms which have form validation applied through RequiredFields, and opt-out of using CSRF tokens via disableSecurityToken(). In this case, the vulnerability is more impactful if the form is also configured to accept GET submissions, rather than the default of POST submissions.
The vulnerability has not identified on forms created through the silverstripe/userforms module.

<!--- Changes below this line will be automatically regenerated -->

## Change Log

### Security

 * 2020-02-03 [ad1b00e](https://github.com/silverstripe/silverstripe-framework/commit/ad1b00ec7dc1589a05bfc7f5f8207489797ef714) XSS through non-scalar FormField attributes - See [CVE-2019-19325](https://www.silverstripe.org/download/security-releases/cve-2019-19325)
 * 2020-02-13 [d515e5e](https://github.com/silverstripe/silverstripe-admin/commit/d515e5eced1787d99d4ca1520e01513c2031a627) XSS through non-scalar FormField attributes - See [CVE-2019-19325](https://www.silverstripe.org/download/security-releases/cve-2019-19325)

### Bugfixes

 * 2020-01-07 [089053b](https://github.com/silverstripe/silverstripe-admin/commit/089053b42d5561720bdb08203371db1c94cadcf9) Make discard confirmations show up when navigating away from editing files (bergice)
 * 2019-12-16 [8edf14d](https://github.com/silverstripe/silverstripe-assets/commit/8edf14dee8deacd2a0bd013344dd26089e8e8b36) VersionedFilesMigrator auto-generated .htaccess directives (Serge Latyntcev)
 * 2019-12-15 [fbc37fb](https://github.com/silverstripe/silverstripe-versioned/commit/fbc37fb6e74b90b72c7313fc428beec81b9ee4de) Default WasDraft to true when migrating versioned DataObject (#240) (Maxime Rainville)
 * 2019-12-09 [be5234d](https://github.com/silverstripe/silverstripe-graphql/commit/be5234d089e0835c5d18248dee4ba53f09d539dc) Reference the correct filters for endswith and startswith (Maxime Rainville)
 * 2019-11-27 [f85209e](https://github.com/silverstripe/silverstripe-graphql/commit/f85209ec5b8834e337c171072cb79b80b9d27a59) fix Injector class alias is now quoted to prevent symfony/yaml 4.0 deprecation warnings (wernerkrauss)
 * 2019-11-26 [04c377f](https://github.com/silverstripe/silverstripe-errorpage/commit/04c377f33371b1ec7c8b4e28da7bb766294d62cf) Fix phpcs install, phpunit name (Serge Latyntcev)
 * 2019-11-24 [f78b7a5](https://github.com/silverstripe/silverstripe-asset-admin/commit/f78b7a5e1eca2a13caf4b53085a4f8c9a9dd33fa) Update build script to copy images to dist folder (Maxime Rainville)
 * 2019-11-22 [af55826](https://github.com/silverstripe/silverstripe-asset-admin/commit/af558265416a1d98648d98341f2236ef05124d3b) Fix missing dist images (Damian Mooyman)
 * 2019-11-20 [453945da1](https://github.com/silverstripe/silverstripe-framework/commit/453945da14c6c7354535189d251c5eda193253ca) Session::restart() didn't correctly restart session (fixes #9259) (Loz Calver)
 * 2019-11-15 [64654ec](https://github.com/silverstripe/silverstripe-assets/commit/64654ec9f606a96ee02b50606c8f3a5656904efa) Retrieve file by filename (Maxime Rainville)
 * 2019-11-14 [4372544](https://github.com/silverstripe/silverstripe-assets/commit/43725448768422448fe96be842ed5c754a654693) Fix linting issue in VersionedFilesMigrationTask and VersionedFilesMigrator (Maxime Rainville)
 * 2019-11-12 [9648801](https://github.com/silverstripe/silverstripe-versioned-admin/commit/9648801aa0eb8ad5ef8b78c9f28c3617a7fe3a03) Gracefully handle lack of actions in HistoryViewer (Serge Latyntcev)
 * 2019-11-07 [3a00ecc](https://github.com/silverstripe/silverstripe-admin/commit/3a00ecc388c24d52ee7fa5830c5ed57f2dba1e84) Lowercase PHPUnit in composer.json to allow packagist to resolve 1.2.x-dev (Maxime Rainville)
 * 2019-11-04 [d32b280](https://github.com/silverstripe/silverstripe-errorpage/commit/d32b28011c85fe509919cac72a4b314466dc99ae) Resolve issue where dev/build does not refresh static content (Damian Mooyman)
 * 2019-10-29 [e76601e5c](https://github.com/silverstripe/silverstripe-framework/commit/e76601e5c8c9b67ca1105958b556b355375ae6bb) FormAction title property cannot be set if useButtonTag is false (Damian Mooyman)
 * 2019-10-28 [f03b3a0](https://github.com/silverstripe/silverstripe-admin/commit/f03b3a085e8e8b5675c5a1e3b100eaab619b6a31) fixed creating multiple duplicate data objects (#961) (Guy Marriott)
 * 2019-10-23 [15b21fc](https://github.com/silverstripe/silverstripe-admin/commit/15b21fcf502a6de90169c2f6a1940270c9176e4f) Remove deprecated uppercase characters from composer.json (#982) (Garion Herman)
 * 2019-10-09 [eb369ed](https://github.com/silverstripe/silverstripe-versioned-admin/commit/eb369edba887b43e78c63f96c80792e94079afe0) Gracefully handle lack of versions in HistoryViewer (Serge Latyntcev)
 * 2019-10-08 [3a3705d](https://github.com/silverstripe/silverstripe-versioned/commit/3a3705dc83ce866e253f82b1abc5c7287ec5f5b6) archive relationships, not related objects (Dylan Wagstaff)
 * 2019-10-03 [f1594fd99](https://github.com/silverstripe/silverstripe-framework/commit/f1594fd991b701d4b97b164919844242f45ae15e) Ensure that canCreate() context matches that respected by GridFieldAddNewButton (Damian Mooyman)
 * 2019-10-03 [b3ccd48](https://github.com/silverstripe/silverstripe-admin/commit/b3ccd48cb9bc0567f9ce53a74d5d465be4e77d90) Remove buggy code from LeftAndMain Breadcrumb (Maxime Rainville)
 * 2019-10-02 [7db524bd9](https://github.com/silverstripe/silverstripe-framework/commit/7db524bd9065dc1918fd812bf20e207740b57dd0) DebugViewFrendlyErrorFormatter handle of admin_email (Serge Latyntcev)
 * 2019-09-30 [be44178](https://github.com/silverstripe/silverstripe-admin/commit/be441785aeb79ea77bd56a5e74a668d809e92530) fixed creating multiple duplicate data object by locking out save button on submit (Makreig)
 * 2019-09-29 [2799265](https://github.com/silverstripe/silverstripe-asset-admin/commit/2799265675ac251c4590c80258f717a08d199273) Honour AssetAdminFile insert dimentions when inserting a new image (#1015) (Maxime Rainville)
 * 2019-09-29 [f475826](https://github.com/silverstripe/silverstripe-assets/commit/f4758265ad245e3b05f8e5fcf9c87fb490de5853) Fix inlinting issue (Maxime Rainville)
 * 2019-09-29 [30d816e](https://github.com/silverstripe/silverstripe-assets/commit/30d816ef386f13a774b4d037620d2435d65af42f) Flush cache before every test in Sha1FileHashingServiceTest (Maxime Rainville)
 * 2019-09-26 [959da81](https://github.com/silverstripe/silverstripe-assets/commit/959da8137684fcadd50701111355e3f71d4c9fe1) Store the timestamp in the cache (Maxime Rainville)
 * 2019-09-25 [255bf2f](https://github.com/silverstripe/silverstripe-admin/commit/255bf2f485963b403b627d887bb943412a73f83b) JSTree error if callback isn't passed (fixes #958) (Loz Calver)
 * 2019-09-24 [fb36e03](https://github.com/silverstripe/silverstripe-admin/commit/fb36e032db48446db074ed09b5d1720bf58370b3) Search for both Save and Apply change when running behat tests (Maxime Rainville)
 * 2019-09-23 [aa7c05742](https://github.com/silverstripe/silverstripe-framework/commit/aa7c05742242f8e2ec77f97b52839e0365ec7e1a) Don't force-add view button to readonly GridField (fixes #… (#9254) (Guy Marriott)
 * 2019-09-23 [190b2f284](https://github.com/silverstripe/silverstripe-framework/commit/190b2f28429cd870c791f689def055061665ee58) run member CMS validator when editing via groups (fixes #9… (#9255) (Guy Marriott)
 * 2019-09-23 [efdb9cc71](https://github.com/silverstripe/silverstripe-framework/commit/efdb9cc718517c09800a47bb53374bff787b54fa) run member CMS validator when editing via groups (fixes #9184) (Loz Calver)
 * 2019-09-23 [d85ff3bc4](https://github.com/silverstripe/silverstripe-framework/commit/d85ff3bc4463d47edd6b662b34569162e3861a88) Don't force-add view button to readonly GridField (fixes #9249) (Loz Calver)
 * 2019-09-23 [f177606](https://github.com/silverstripe/recipe-core/commit/f1776060fec34ba5ac83f1be9f88906e055b1c20) Update Apache .htaccess for new access directives (Dylan Wagstaff)
 * 2019-08-16 [9d44a3b](https://github.com/silverstripe/silverstripe-asset-admin/commit/9d44a3bb44b44b63c0807ddc853689105fb1f6fe) Optimise AssetAdminFile::nestedFolderIDs (Guy Marriott)

<!--- Changes above this line will be automatically regenerated -->
[CVE-2019-19325] XSS through non-scalar FormField attributes Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input. There is no known attack vector for extracting user-session information or credentials automatically, it required a user to fall for the phishing attempt. XSS can also be used to modify the presentation of content in malicious ways. 2020-02-03 03:56:10 +01:00			`# 4.4.5`

			`## Security patches`

			`This release contains security patches`

Update CVE number to CVE-2019-19325 2020-02-18 21:58:12 +01:00			`### CVE-2019-19325 (CVSS 7.5)`
[CVE-2019-19325] XSS through non-scalar FormField attributes Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input. There is no known attack vector for extracting user-session information or credentials automatically, it required a user to fall for the phishing attempt. XSS can also be used to modify the presentation of content in malicious ways. 2020-02-03 03:56:10 +01:00
			Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input. There is no known attack vector for extracting user-session information or credentials automatically, it required a user to fall for the phishing attempt. XSS can also be used to modify the presentation of content in malicious ways.

			`The vulnerability is known to apply in at least the following cases:`

			`The login form provided by Silverstripe. When the login form is used with Multi Factor Authentication (MFA), the attack complexity for phishing increases, and is mitigated by using security keys such as Yubikey as an unphishable token.`
			`Forms which are configured to populate field values based on request parameters. This usually happens via setting the $value on a FormField instance during construction of the form, or by loading request data via Form->loadDataFrom($myRequest->getVars()).`
			`Forms which have form validation applied through RequiredFields, and opt-out of using CSRF tokens via disableSecurityToken(). In this case, the vulnerability is more impactful if the form is also configured to accept GET submissions, rather than the default of POST submissions.`
			`The vulnerability has not identified on forms created through the silverstripe/userforms module.`

Added 4.4.5 changelog 2020-02-17 01:59:20 +01:00			`<!--- Changes below this line will be automatically regenerated -->`
[CVE-2019-19325] XSS through non-scalar FormField attributes Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input. There is no known attack vector for extracting user-session information or credentials automatically, it required a user to fall for the phishing attempt. XSS can also be used to modify the presentation of content in malicious ways. 2020-02-03 03:56:10 +01:00
Added 4.4.5 changelog 2020-02-17 01:59:20 +01:00			`## Change Log`

			`### Security`

			`* 2020-02-03 [ad1b00e](https://github.com/silverstripe/silverstripe-framework/commit/ad1b00ec7dc1589a05bfc7f5f8207489797ef714) XSS through non-scalar FormField attributes - See [CVE-2019-19325](https://www.silverstripe.org/download/security-releases/cve-2019-19325)`
			`* 2020-02-13 [d515e5e](https://github.com/silverstripe/silverstripe-admin/commit/d515e5eced1787d99d4ca1520e01513c2031a627) XSS through non-scalar FormField attributes - See [CVE-2019-19325](https://www.silverstripe.org/download/security-releases/cve-2019-19325)`

			`### Bugfixes`

			`* 2020-01-07 [089053b](https://github.com/silverstripe/silverstripe-admin/commit/089053b42d5561720bdb08203371db1c94cadcf9) Make discard confirmations show up when navigating away from editing files (bergice)`
			`* 2019-12-16 [8edf14d](https://github.com/silverstripe/silverstripe-assets/commit/8edf14dee8deacd2a0bd013344dd26089e8e8b36) VersionedFilesMigrator auto-generated .htaccess directives (Serge Latyntcev)`
			`* 2019-12-15 [fbc37fb](https://github.com/silverstripe/silverstripe-versioned/commit/fbc37fb6e74b90b72c7313fc428beec81b9ee4de) Default WasDraft to true when migrating versioned DataObject (#240) (Maxime Rainville)`
			`* 2019-12-09 [be5234d](https://github.com/silverstripe/silverstripe-graphql/commit/be5234d089e0835c5d18248dee4ba53f09d539dc) Reference the correct filters for endswith and startswith (Maxime Rainville)`
			`* 2019-11-27 [f85209e](https://github.com/silverstripe/silverstripe-graphql/commit/f85209ec5b8834e337c171072cb79b80b9d27a59) fix Injector class alias is now quoted to prevent symfony/yaml 4.0 deprecation warnings (wernerkrauss)`
			`* 2019-11-26 [04c377f](https://github.com/silverstripe/silverstripe-errorpage/commit/04c377f33371b1ec7c8b4e28da7bb766294d62cf) Fix phpcs install, phpunit name (Serge Latyntcev)`
			`* 2019-11-24 [f78b7a5](https://github.com/silverstripe/silverstripe-asset-admin/commit/f78b7a5e1eca2a13caf4b53085a4f8c9a9dd33fa) Update build script to copy images to dist folder (Maxime Rainville)`
			`* 2019-11-22 [af55826](https://github.com/silverstripe/silverstripe-asset-admin/commit/af558265416a1d98648d98341f2236ef05124d3b) Fix missing dist images (Damian Mooyman)`
			`* 2019-11-20 [453945da1](https://github.com/silverstripe/silverstripe-framework/commit/453945da14c6c7354535189d251c5eda193253ca) Session::restart() didn't correctly restart session (fixes #9259) (Loz Calver)`
			`* 2019-11-15 [64654ec](https://github.com/silverstripe/silverstripe-assets/commit/64654ec9f606a96ee02b50606c8f3a5656904efa) Retrieve file by filename (Maxime Rainville)`
			`* 2019-11-14 [4372544](https://github.com/silverstripe/silverstripe-assets/commit/43725448768422448fe96be842ed5c754a654693) Fix linting issue in VersionedFilesMigrationTask and VersionedFilesMigrator (Maxime Rainville)`
			`* 2019-11-12 [9648801](https://github.com/silverstripe/silverstripe-versioned-admin/commit/9648801aa0eb8ad5ef8b78c9f28c3617a7fe3a03) Gracefully handle lack of actions in HistoryViewer (Serge Latyntcev)`
			`* 2019-11-07 [3a00ecc](https://github.com/silverstripe/silverstripe-admin/commit/3a00ecc388c24d52ee7fa5830c5ed57f2dba1e84) Lowercase PHPUnit in composer.json to allow packagist to resolve 1.2.x-dev (Maxime Rainville)`
			`* 2019-11-04 [d32b280](https://github.com/silverstripe/silverstripe-errorpage/commit/d32b28011c85fe509919cac72a4b314466dc99ae) Resolve issue where dev/build does not refresh static content (Damian Mooyman)`
			`* 2019-10-29 [e76601e5c](https://github.com/silverstripe/silverstripe-framework/commit/e76601e5c8c9b67ca1105958b556b355375ae6bb) FormAction title property cannot be set if useButtonTag is false (Damian Mooyman)`
			`* 2019-10-28 [f03b3a0](https://github.com/silverstripe/silverstripe-admin/commit/f03b3a085e8e8b5675c5a1e3b100eaab619b6a31) fixed creating multiple duplicate data objects (#961) (Guy Marriott)`
			`* 2019-10-23 [15b21fc](https://github.com/silverstripe/silverstripe-admin/commit/15b21fcf502a6de90169c2f6a1940270c9176e4f) Remove deprecated uppercase characters from composer.json (#982) (Garion Herman)`
			`* 2019-10-09 [eb369ed](https://github.com/silverstripe/silverstripe-versioned-admin/commit/eb369edba887b43e78c63f96c80792e94079afe0) Gracefully handle lack of versions in HistoryViewer (Serge Latyntcev)`
			`* 2019-10-08 [3a3705d](https://github.com/silverstripe/silverstripe-versioned/commit/3a3705dc83ce866e253f82b1abc5c7287ec5f5b6) archive relationships, not related objects (Dylan Wagstaff)`
			`* 2019-10-03 [f1594fd99](https://github.com/silverstripe/silverstripe-framework/commit/f1594fd991b701d4b97b164919844242f45ae15e) Ensure that canCreate() context matches that respected by GridFieldAddNewButton (Damian Mooyman)`
			`* 2019-10-03 [b3ccd48](https://github.com/silverstripe/silverstripe-admin/commit/b3ccd48cb9bc0567f9ce53a74d5d465be4e77d90) Remove buggy code from LeftAndMain Breadcrumb (Maxime Rainville)`
			`* 2019-10-02 [7db524bd9](https://github.com/silverstripe/silverstripe-framework/commit/7db524bd9065dc1918fd812bf20e207740b57dd0) DebugViewFrendlyErrorFormatter handle of admin_email (Serge Latyntcev)`
			`* 2019-09-30 [be44178](https://github.com/silverstripe/silverstripe-admin/commit/be441785aeb79ea77bd56a5e74a668d809e92530) fixed creating multiple duplicate data object by locking out save button on submit (Makreig)`
			`* 2019-09-29 [2799265](https://github.com/silverstripe/silverstripe-asset-admin/commit/2799265675ac251c4590c80258f717a08d199273) Honour AssetAdminFile insert dimentions when inserting a new image (#1015) (Maxime Rainville)`
			`* 2019-09-29 [f475826](https://github.com/silverstripe/silverstripe-assets/commit/f4758265ad245e3b05f8e5fcf9c87fb490de5853) Fix inlinting issue (Maxime Rainville)`
			`* 2019-09-29 [30d816e](https://github.com/silverstripe/silverstripe-assets/commit/30d816ef386f13a774b4d037620d2435d65af42f) Flush cache before every test in Sha1FileHashingServiceTest (Maxime Rainville)`
			`* 2019-09-26 [959da81](https://github.com/silverstripe/silverstripe-assets/commit/959da8137684fcadd50701111355e3f71d4c9fe1) Store the timestamp in the cache (Maxime Rainville)`
			`* 2019-09-25 [255bf2f](https://github.com/silverstripe/silverstripe-admin/commit/255bf2f485963b403b627d887bb943412a73f83b) JSTree error if callback isn't passed (fixes #958) (Loz Calver)`
			`* 2019-09-24 [fb36e03](https://github.com/silverstripe/silverstripe-admin/commit/fb36e032db48446db074ed09b5d1720bf58370b3) Search for both Save and Apply change when running behat tests (Maxime Rainville)`
			`* 2019-09-23 [aa7c05742](https://github.com/silverstripe/silverstripe-framework/commit/aa7c05742242f8e2ec77f97b52839e0365ec7e1a) Don't force-add view button to readonly GridField (fixes #… (#9254) (Guy Marriott)`
			`* 2019-09-23 [190b2f284](https://github.com/silverstripe/silverstripe-framework/commit/190b2f28429cd870c791f689def055061665ee58) run member CMS validator when editing via groups (fixes #9… (#9255) (Guy Marriott)`
			`* 2019-09-23 [efdb9cc71](https://github.com/silverstripe/silverstripe-framework/commit/efdb9cc718517c09800a47bb53374bff787b54fa) run member CMS validator when editing via groups (fixes #9184) (Loz Calver)`
			`* 2019-09-23 [d85ff3bc4](https://github.com/silverstripe/silverstripe-framework/commit/d85ff3bc4463d47edd6b662b34569162e3861a88) Don't force-add view button to readonly GridField (fixes #9249) (Loz Calver)`
			`* 2019-09-23 [f177606](https://github.com/silverstripe/recipe-core/commit/f1776060fec34ba5ac83f1be9f88906e055b1c20) Update Apache .htaccess for new access directives (Dylan Wagstaff)`
			`* 2019-08-16 [9d44a3b](https://github.com/silverstripe/silverstripe-asset-admin/commit/9d44a3bb44b44b63c0807ddc853689105fb1f6fe) Optimise AssetAdminFile::nestedFolderIDs (Guy Marriott)`

			`<!--- Changes above this line will be automatically regenerated -->`