From 074b28cf937821a0d5627d3f19836ede1d662395 Mon Sep 17 00:00:00 2001 From: Maxime Rainville Date: Mon, 4 May 2020 21:11:34 +1200 Subject: [PATCH] [CVE-2019-19326] Add changelog for CVE-2019-19326 --- docs/en/04_Changelogs/3.7.4.md | 4 +- docs/en/04_Changelogs/3.7.5.md | 68 ++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 docs/en/04_Changelogs/3.7.5.md diff --git a/docs/en/04_Changelogs/3.7.4.md b/docs/en/04_Changelogs/3.7.4.md index 11d60454b..3d7954cce 100644 --- a/docs/en/04_Changelogs/3.7.4.md +++ b/docs/en/04_Changelogs/3.7.4.md @@ -1,4 +1,4 @@ -# 3.7.4 (unreleased) +# 3.7.4 * [Minor update to support PHP 7.4](https://github.com/silverstripe/silverstripe-framework/pull/9110) @@ -38,4 +38,4 @@ This fork is not a supported module and SilverStripe does not commit to maintain * 2019-02-25 [adbc560bd](https://github.com/silverstripe/silverstripe-framework/commit/adbc560bd70ba2e071f94a41a084768819196ee7) Address PR feedback. (Maxime Rainville) * 2019-02-21 [4ec1a682c](https://github.com/silverstripe/silverstripe-framework/commit/4ec1a682cf354e2425ef4fd6598c7de8e807bcc7) Renable the ability to do dynamic assignment with DBField (Maxime Rainville) * 2019-02-19 [ab5f09a9f](https://github.com/silverstripe/silverstripe-framework/commit/ab5f09a9f3ec12333c748dd68bfc504b5e509bfc) Updated unit test were targeting Float/Int which don't exist on PHP7 (#8810) (Maxime Rainville) - \ No newline at end of file + diff --git a/docs/en/04_Changelogs/3.7.5.md b/docs/en/04_Changelogs/3.7.5.md new file mode 100644 index 000000000..e2f601c85 --- /dev/null +++ b/docs/en/04_Changelogs/3.7.5.md 
@@ -0,0 +1,68 @@ +# 3.7.5 + +* [CVE-2019-19326 Web Cache Poisoning](#CVE-2019-19326) + +## CVE-2019-19326 Web Cache Poisoning {#CVE-2019-19326} + +Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the: +* `X-Original-Url` HTTP header +* `X-HTTP-Method-Override` HTTP header +* `_method` POST variable. + +In order to remedy this vulnerability, Silverstripe Framework 3.7.5 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution. + +### Re-enabling the support for removed features + +These features are best implemented by defining a `RequestFilter`. Request Filters are similar to the more modern concept of "middleware" as defined by the PSR-15 standard and supported by Silverstripe 4. + +The following example illustrate how to implement a `RequestFilter` that restore support for the `X-Original-Url` header and the `_method` POST parameter for request originating from a trusted proxy. 
+ +```php +getHeader('X-Original-Url'); + if ($originalUrl) { + $request->setUrl($originalUrl); + $_SERVER['REQUEST_URI'] = $originalUrl; + } + + $methodOverride = $request->postVar('_method'); + $validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD']; + if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) { + $request->setMethod($methodOverride); + } + } + + return true; + } + + public function postRequest(SS_HTTPRequest $request, SS_HTTPResponse $response, DataModel $model) + { + return true; + } +} +``` + +To learn more about re-implementing support for the disabled features: +* read [How to implement a Request Filter](/developer_guides/controllers/requestfilters) on the Silverstripe documentation +* read [how to configure trusted proxies](/developer_guides/security/secure_coding/#request-hostname-forgery) on the Silverstripe documentation +* review [api:RequestFilter] interface + +To learn more about middleware: +* read the [PSR-15: HTTP Server Request Handlers](https://www.php-fig.org/psr/psr-15/) standard +* read the [Silverstripe 4 documentation about HTTP Middlewares](https://docs.silverstripe.org/en/4/developer_guides/controllers/middlewares/) standard. + + + +
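Review bot: dropping "(unreleased)" from the 3.7.4 heading in the first 3.7.4.md hunk is fine, but the new 3.7.5.md added by the same patch is titled plainly "# 3.7.5" with no "(unreleased)" marker, so the two files are now handled inconsistently; either give 3.7.5 the same "(unreleased)" marker until it ships, or state in the commit message that 3.7.4 and 3.7.5 are being cut together.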
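Review bot: the PHP listing in the 3.7.5.md hunk is truncated: it opens with `getHeader('X-Original-Url');` and has no `<?php` tag, no class declaration, no `preRequest()` signature and no trusted-proxy condition, although the prose just above promises one and the remaining braces before `return true;` close a block whose opening is not shown; please restore the full listing so it matches the complete `postRequest()` below it and can be copied as-is. In the part that is visible, `$request->setMethod($methodOverride);` passes the raw value although the allow-list check was done on `strtoupper($methodOverride)`, so the stored method can differ in case from what was validated; use the uppercased value in both places. The `X-Original-Url` value is also written straight into `$_SERVER['REQUEST_URI']`; since this is the header the advisory names as the cache-poisoning vector, the example should at least restrict it to a path (no scheme or host) even when the proxy is trusted. Wording: "The following example illustrate how to implement a `RequestFilter` that restore support ... for request originating" should read "illustrates", "restores" and "requests"; "Sites who" should be "Sites that"; and the last bullet ends with a stray "standard." after the Silverstripe 4 middleware link, which is documentation rather than a standard. The new file also ends with three blank `+` lines that can be dropped.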