mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
Merge branch '3.0' into 3.1
Conflicts: control/Director.php dev/Backtrace.php docs/en/installation/nginx.md model/HTMLValue.php tests/model/SQLQueryTest.php
This commit is contained in:
commit
0e0597f8cd
@ -2,34 +2,11 @@
|
||||
|
||||
## Overview
|
||||
|
||||
### Default current Versioned "stage" to "Live" rather than "Stage"
|
||||
* Security: Require ADMIN for ?flush=1&isDev=1 ([SS-2014-001](http://www.silverstripe.org/ss-2014-001-require-admin-for-flush1-and-isdev1))
|
||||
* Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/))
|
||||
|
||||
Previously only the controllers responsible for page and CMS display
|
||||
(`LeftAndMain` and `ContentController`) explicitly set a stage through
|
||||
`Versioned::choose_site_stage()`. Unless this method is called,
|
||||
the default stage will be "Stage", showing draft content.
|
||||
Any direct subclasses of `Controller` interacting with "versioned" objects
|
||||
are vulnerable to exposing unpublished content, unless `choose_site_stage()`
|
||||
is called explicitly in their own logic.
|
||||
## Changelog
|
||||
|
||||
In order to provide more secure default behaviour, we have changed
|
||||
`choose_site_stage()` to be called on all requests, defaulting to the "Live" stage.
|
||||
If your logic relies on querying draft content, use `Versioned::reading_stage('Stage')`.
|
||||
|
||||
Important: The `choose_site_stage()` call only deals with setting the default stage,
|
||||
and doesn't check if the user is authenticated to view it. As with any other controller logic,
|
||||
please use `DataObject->canView()` to determine permissions.
|
||||
|
||||
:::php
|
||||
class MyController extends Controller {
|
||||
private static $allowed_actions = array('showpage');
|
||||
public function showpage($request) {
|
||||
$page = Page::get()->byID($request->param('ID'));
|
||||
if(!$page->canView()) return $this->httpError(401);
|
||||
// continue with authenticated logic...
|
||||
}
|
||||
}
|
||||
|
||||
### API Changes
|
||||
|
||||
* 2013-08-03 [0e7231f](https://github.com/silverstripe/sapphire/commit/0e7231f) Disable discontinued Google Spellcheck in TinyMCE (Ingo Schommer)
|
||||
* [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9)
|
||||
* [cms](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9)
|
||||
* [installer](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9)
|
12
docs/en/changelogs/rc/3.0.9-rc1.md
Normal file
12
docs/en/changelogs/rc/3.0.9-rc1.md
Normal file
@ -0,0 +1,12 @@
|
||||
# 3.0.9-rc1 (2014-02-19)
|
||||
|
||||
## Overview
|
||||
|
||||
* Security: Require ADMIN for ?flush=1&isDev=1 ([SS-2014-001](http://www.silverstripe.org/ss-2014-001-require-admin-for-flush1-and-isdev1))
|
||||
* Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/))
|
||||
|
||||
## Changelog
|
||||
|
||||
* [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9-rc1)
|
||||
* [cms](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9-rc1)
|
||||
* [installer](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9-rc1)
|
@ -115,7 +115,7 @@ So you want to contribute to SilverStripe? Fantastic! You can do this with compo
|
||||
You have to tell composer three things in order to be able to do this:
|
||||
|
||||
- Keep the full git repository information
|
||||
- Include dependancies marked as "developer" requirements
|
||||
- Include dependencies marked as "developer" requirements
|
||||
- Use the development version, not the latest stable version
|
||||
|
||||
The first two steps are done as part of the initial create project using additional arguments.
|
||||
@ -232,7 +232,7 @@ For more information, read the ["Repositories" chapter of the Composer documenta
|
||||
|
||||
### Forks and branch names
|
||||
|
||||
Generally, you should keep using the same pattern of branch names as the main repositories does. If your version is a fork of 3.0, then call the branch `3.0`, not `3.0-myproj` or `myproj`. Otherwise, the depenency resolution gets confused.
|
||||
Generally, you should keep using the same pattern of branch names as the main repositories does. If your version is a fork of 3.0, then call the branch `3.0`, not `3.0-myproj` or `myproj`. Otherwise, the dependency resolution gets confused.
|
||||
|
||||
Sometimes, however, this isn't feasible. For example, you might have a number of project forks stored in a single repository, such as your personal github fork of a project. Or you might be testing/developing a feature branch. Or it might just be confusing to other team members to call the branch of your modified version `3.0`.
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
# Nginx
|
||||
|
||||
These instructions are also covered in less detail on the
|
||||
These instructions are also covered on the
|
||||
[Nginx Wiki](http://wiki.nginx.org/SilverStripe).
|
||||
|
||||
The prerequisite is that you have already installed Nginx and you are
|
||||
@ -18,150 +18,79 @@ But enough of the disclaimer, on to the actual configuration — typically in `n
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name example.com;
|
||||
|
||||
root /var/www/example.com;
|
||||
|
||||
# SSL configuration (optional, but recommended for security)
|
||||
# (remember to actually force logins to use ssl)
|
||||
include ssl
|
||||
|
||||
include silverstripe3.conf;
|
||||
include htaccess.conf;
|
||||
|
||||
# rest of the server section is optional, but helpful
|
||||
# maintenance page if it exists
|
||||
error_page 503 @maintenance;
|
||||
if (-f $document_root/maintenance.html ) {
|
||||
return 503;
|
||||
root /path/to/ss/folder;
|
||||
|
||||
server_name site.com www.site.com;
|
||||
|
||||
location / {
|
||||
try_files $uri /framework/main.php?url=$uri&$query_string;
|
||||
}
|
||||
location @maintenance {
|
||||
try_files /maintenance.html =503;
|
||||
}
|
||||
|
||||
# always show SilverStripe's version of 500 error page
|
||||
|
||||
error_page 404 /assets/error-404.html;
|
||||
error_page 500 /assets/error-500.html;
|
||||
|
||||
# let the user's browser cache static files (e.g. 2 weeks)
|
||||
expires 2w;
|
||||
|
||||
# in case your machine is slow, increase the timeout
|
||||
# (also remembers php's own timeout settings)
|
||||
#fastcgi_read_timeout 300s;
|
||||
}
|
||||
|
||||
Here is the include file `silverstripe3.conf`:
|
||||
|
||||
location / {
|
||||
try_files $uri @silverstripe;
|
||||
}
|
||||
|
||||
# only needed for installation - disable this location (and remove the
|
||||
# index.php and install.php files) after you installed SilverStripe
|
||||
# (you did read the blogentry linked above, didn't you)
|
||||
location ~ ^/(index|install).php {
|
||||
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
|
||||
include fastcgi.conf;
|
||||
fastcgi_pass unix:/run/php-fpm/php-fpm-silverstripe.sock;
|
||||
}
|
||||
location ^~ /assets/ {
|
||||
sendfile on;
|
||||
try_files $uri =404;
|
||||
}
|
||||
|
||||
# whitelist php files that are called directly and need to be interpreted
|
||||
location = /framework/thirdparty/tinymce/tiny_mce_gzip.php {
|
||||
include fastcgi.conf;
|
||||
fastcgi_pass unix:/run/php-fpm/php-fpm-silverstripe.sock;
|
||||
}
|
||||
location = /framework/thirdparty/tinymce-spellchecker/rpc.php {
|
||||
include fastcgi.conf;
|
||||
fastcgi_pass unix:/run/php-fpm/php-fpm-silverstripe.sock;
|
||||
}
|
||||
location ~ /framework/.*(main|rpc|tiny_mce_gzip)\.php$ {
|
||||
fastcgi_keep_conn on;
|
||||
fastcgi_pass 127.0.0.1:9000;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
include fastcgi_params;
|
||||
}
|
||||
|
||||
location @silverstripe {
|
||||
expires off;
|
||||
include fastcgi.conf;
|
||||
fastcgi_pass unix:/run/php-fpm/php-fpm-silverstripe.sock;
|
||||
# note that specifying a fixed script already protects against execution
|
||||
# of arbitrary files, but remember the advice above for any other rules
|
||||
# you add yourself (monitoring, etc,....)
|
||||
fastcgi_param SCRIPT_FILENAME $document_root/framework/main.php;
|
||||
fastcgi_param SCRIPT_NAME /framework/main.php;
|
||||
fastcgi_param QUERY_STRING url=$uri&$args;
|
||||
|
||||
# tuning is up to your expertise, but buffer_size needs to be >= 8k,
|
||||
# otherwise you'll get "upstream sent too big header while reading
|
||||
# response header from upstream" errors.
|
||||
fastcgi_buffer_size 8k;
|
||||
#fastcgi_buffers 4 32k;
|
||||
#fastcgi_busy_buffers_size 64k;
|
||||
location ~ /(mysite|framework|cms)/.*\.(php|php3|php4|php5|phtml|inc)$ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~ /\.. {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~ \.ss$ {
|
||||
satisfy any;
|
||||
allow 127.0.0.1;
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~ web\.config$ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~ \.ya?ml$ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ^~ /vendor/ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~* /silverstripe-cache/ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~* composer\.(json|lock)$ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~* /(cms|framework)/silverstripe_version$ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_keep_conn on;
|
||||
fastcgi_pass 127.0.0.1:9000;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
include fastcgi_params;
|
||||
}
|
||||
}
|
||||
|
||||
<div class="warning" markdown='1'>
|
||||
With only the above configuration, nginx would hand out any existing file
|
||||
uninterpreted, so it would happily serve your precious configuration files,
|
||||
including all your private api-keys and whatnot to any random visitor. So you
|
||||
**must** restrict access further.
|
||||
</div>
|
||||
You don't need to use separate files, but it is easier to have the permissive
|
||||
rules distinct from the restricting ones.
|
||||
|
||||
Here is the include file `htaccess.conf`:
|
||||
|
||||
# Don't try to find nonexisting stuff in assets (esp. don't pass through php)
|
||||
location ^~ /assets/ {
|
||||
try_files $uri =404;
|
||||
}
|
||||
|
||||
# Deny access to silverstripe-cache, vendor or composer.json/.lock
|
||||
location ^~ /silverstripe-cache/ {
|
||||
deny all;
|
||||
}
|
||||
location ^~ /vendor/ {
|
||||
deny all;
|
||||
}
|
||||
location ~ /composer\.(json|lock) {
|
||||
deny all;
|
||||
}
|
||||
|
||||
# Don't serve up any "hidden" files or directories
|
||||
# (starting with dot, like .htaccess or .git)
|
||||
# also don't serve web.config files
|
||||
location ~ /(\.|web\.config) {
|
||||
deny all;
|
||||
}
|
||||
|
||||
# Block access to yaml files (and don't forget about backup
|
||||
# files that editors tend to leave behind)
|
||||
location ~ \.(yml|bak|swp)$ {
|
||||
deny all;
|
||||
}
|
||||
location ~ ~$ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
# generally don't serve any php-like files
|
||||
# (as they exist, they would be served as regular files, and not interpreted.
|
||||
# But as those can contain configuration data, this is bad nevertheless)
|
||||
# If needed, you can always whitelist entries.
|
||||
location ~ \.(php|php[345]|phtml|inc)$ {
|
||||
deny all;
|
||||
}
|
||||
location ~ ^/(cms|framework)/silverstripe_version$ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
Here is the optional include file `ssl`:
|
||||
|
||||
listen 443 ssl;
|
||||
ssl_certificate server.crt;
|
||||
ssl_certificate_key server.key;
|
||||
ssl_session_timeout 5m;
|
||||
ssl_protocols SSLv3 TLSv1;
|
||||
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
|
||||
|
||||
The above configuration sets up a virtual host `example.com` with
|
||||
rewrite rules suited for SilverStripe. The location block named
|
||||
`@silverstripe` passes all requests that aren't matched by one of the other
|
||||
location rules (and cannot be satisfied by serving an existing file) to
|
||||
SilverStripe framework's main.php script, that is run by the FastCGI-wrapper,
|
||||
that in turn is accessed via a Unix socket.
|
||||
The above configuration sets up a virtual host `site.com` with
|
||||
rewrite rules suited for SilverStripe. The location block for php files
|
||||
passes all php scripts to the FastCGI-wrapper via a TCP socket.
|
||||
|
||||
Now you can proceed with the SilverStripe installation normally.
|
||||
|
@ -100,6 +100,7 @@ CMS users still need to remember the specific syntax, but these shortcodes can f
|
||||
for more advanced editing interfaces (with visual placeholders). See the built-in `embed` shortcode as an example
|
||||
for coupling shortcodes with a form to create and edit placeholders.
|
||||
|
||||
|
||||
## Built-in Shortcodes
|
||||
|
||||
SilverStripe comes with several shortcode parsers already.
|
||||
|
@ -342,7 +342,6 @@ class SQLQueryTest extends SapphireTest {
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
public function testSetWhereAny() {
|
||||
$query = new SQLQuery();
|
||||
$query->setFrom('MyTable');
|
||||
@ -352,7 +351,6 @@ class SQLQueryTest extends SapphireTest {
|
||||
}
|
||||
|
||||
public function testSelectFirst() {
|
||||
|
||||
// Test first from sequence
|
||||
$query = new SQLQuery();
|
||||
$query->setFrom('"SQLQueryTest_DO"');
|
||||
@ -398,7 +396,6 @@ class SQLQueryTest extends SapphireTest {
|
||||
}
|
||||
|
||||
public function testSelectLast() {
|
||||
|
||||
// Test last in sequence
|
||||
$query = new SQLQuery();
|
||||
$query->setFrom('"SQLQueryTest_DO"');
|
||||
|
Loading…
Reference in New Issue
Block a user