Merge remote branch 'origin/master' into translation-staging

TeamCity 2012-10-16 22:37:05 +13:00
commit 1cfe1818ef
5 changed files with 103 additions and 21 deletions


@ -26,8 +26,12 @@ script:
branches: branches:
except: except:
- translation-staging - 2.1
- 2.2
- 2.3
- 2.4 - 2.4
- post-2.4
- translation-staging
notifications: notifications:
irc: irc:


@ -0,0 +1,42 @@
# 2.4.8-rc1 #
## Overview ##
* Security (Moderate Severity): More solid relative/site URL checks (related to "BackURL" redirection).
* Security (Moderate Severity): Ensure javascript content type is sent in form responses. If content type is html, and the javascript contains script tags within the content, this content will be executed.
* Security (Low Severity): Fixed remote code execution vuln in install.php due to inserting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway
## Details
### API Changes
* 2012-02-01 [bf4476a](https://github.com/silverstripe/sapphire/commit/bf4476a) silverstripe_version file now contains the plain version number, rather than an SVN path (Ingo Schommer)
* 2012-02-01 [4abe136](https://github.com/silverstripe/silverstripe-cms/commit/4abe136) silverstripe_version file now contains the plain version number, rather than an SVN path (Ingo Schommer)
### Features and Enhancements
* 2012-02-03 [921bf9a](https://github.com/silverstripe/sapphire/commit/921bf9a) Ensure that forceSSL and protocol detection respects the X-Forwarded-Protocol header. (Sam Minnee)
### Bugfixes
* 2012-09-14 [8ec6312](https://github.com/silverstripe/sapphire/commit/8ec6312) to prevent unintended results from getComponentsQuery(...) (stozze)
* 2012-07-09 [838ac97](https://github.com/silverstripe/silverstripe-cms/commit/838ac97) fixing an edge-case bug where a 404-page would get statically published and overwrite the homepage of the site (this would sometimes happen when a RedirectorPage was set to an external URL and still referenced an internal page ID) (Julian Seidenberg)
* 2012-05-04 [392543b](https://github.com/silverstripe/sapphire/commit/392543b) Don't' set 'Referer' header in FunctionalTest->get()/post() if its explicitly passed to the method (Ingo Schommer)
### Minor changes
* 2012-08-15 [7669871](https://github.com/silverstripe/sapphire/commit/7669871) fixed array to string conversion to avoid PHP 5.4 warnings (Adam Skrzypulec)
* 2012-05-29 [039a372](https://github.com/silverstripe/silverstripe-installer/commit/039a372) Fixed phpunit bootstrap relative path (Ingo Schommer)
* 2012-05-14 [b211c38](https://github.com/silverstripe/sapphire/commit/b211c38) Manually testing exceptions in SSViewerCacheBlockTest to avoid PHPUnit 3.6 warnings (Ingo Schommer)
* 2012-03-30 [c1d2cd1](https://github.com/silverstripe/sapphire/commit/c1d2cd1) Corrected Geoip entries for ex-Yugoslavia ... better late than never (Ingo Schommer)
* 2012-03-14 [44b9d05](https://github.com/silverstripe/sapphire/commit/44b9d05) Backported bootstrap.php changes from master and cstom TeamCity configuration (required to run tests through phpunit binary) (Ingo Schommer)
* 2011-12-17 [af22d07](https://github.com/silverstripe/sapphire/commit/af22d07) On PHPUnit 3.6, show the output of tests. (Sam Minnee)
* 2011-11-08 [5956ad8](https://github.com/silverstripe/sapphire/commit/5956ad8) Amended PHPUnit execution to work with PHPUnit 3.6 (Sam Minnee)
### Other
* 2012-10-05 [1c7b7d0](https://github.com/silverstripe/sapphire/commit/1c7b7d0) Fixed grammatical error for Form.FIELDISREQUIRED (Will Morgan)
* 2012-08-08 [f6c69d5](https://github.com/silverstripe/sapphire/commit/f6c69d5) Update widget documentation (fixes #706) (Will Rossiter)
* 2012-05-16 [b7c8737](https://github.com/silverstripe/silverstripe-installer/commit/b7c8737) SECURITY Fixed remote code execution vuln in install.php due to inserting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway (fixes #7205) (Ingo Schommer)
* 2012-05-04 [46064f8](https://github.com/silverstripe/sapphire/commit/46064f8) SECURITY More solid relative/site URL checks (related to "BackURL" redirection) (Ingo Schommer)
* 2012-05-03 [9bf3ae9](https://github.com/silverstripe/sapphire/commit/9bf3ae9) SECURITY: Ensure javascript content type is sent in form responses. If content type is html, and the javascript contains script tags within the content, this content will be executed. (Andrew O'Neil)


@ -65,14 +65,14 @@ class DB {
* Set it to null to revert to the main database. * Set it to null to revert to the main database.
*/ */
public static function set_alternative_database_name($dbname) { public static function set_alternative_database_name($dbname) {
$_SESSION["alternativeDatabaseName"] = $dbname; Session::set("alternativeDatabaseName", $dbname);
} }
/** /**
* Get the name of the database in use * Get the name of the database in use
*/ */
public static function get_alternative_database_name() { public static function get_alternative_database_name() {
return $_SESSION["alternativeDatabaseName"]; return Session::get("alternativeDatabaseName");
} }
/** /**
@ -84,8 +84,8 @@ class DB {
*/ */
public static function connect($databaseConfig) { public static function connect($databaseConfig) {
// This is used by TestRunner::startsession() to test up a test session using an alt // This is used by TestRunner::startsession() to test up a test session using an alt
if(isset($_SESSION) && !empty($_SESSION['alternativeDatabaseName'])) { if($name = Session::get('alternativeDatabaseName')) {
$databaseConfig['database'] = $_SESSION['alternativeDatabaseName']; $databaseConfig['database'] = $name;
} }
if(!isset($databaseConfig['type']) || empty($databaseConfig['type'])) { if(!isset($databaseConfig['type']) || empty($databaseConfig['type'])) {
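Review bot: The session-supplied value at `$databaseConfig['database'] = $name;` in connect() becomes the database the request connects to with only the truthiness test of the surrounding `if`, and the old `isset($_SESSION)` guard is gone, so whether Session::get() tolerates a request with no started session is not visible from this hunk. Because the value comes from session state rather than from configuration, a narrowing check before the assignment, such as `if($name && !preg_match('/^[A-Za-z0-9_]+$/', $name)) user_error('Invalid alternative database name', E_USER_ERROR);`, would keep the mechanism limited to the TestRunner use the comment above describes. The same truthiness test also silently ignores a database literally named "0", which is presumably acceptable but worth a word in the comment. connect() continues past the end of the hunk.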


@ -17,14 +17,30 @@ class SS_HTMLValue extends ViewableData {
* @param string $content * @param string $content
*/ */
public function __construct($content = null) { public function __construct($content = null) {
$this->document = new DOMDocument('1.0', 'UTF-8'); $this->setDocument(new DOMDocument('1.0', 'UTF-8'));
$this->document->scrictErrorChecking = false; $this->setScrictErrorChecking(false);
$this->setOutputFormatting(false);
$this->setContent($content); $this->setContent($content);
parent::__construct(); parent::__construct();
} }
/**
* Should strict error checking be used?
* @param boolean $bool
*/
public function setScrictErrorChecking($bool) {
$this->getDocument()->scrictErrorChecking = $bool;
}
/**
* Should the output be formatted?
* @param boolean $bool
*/
public function setOutputFormatting($bool) {
$this->getDocument()->formatOutput = $bool;
}
/** /**
* @return string * @return string
*/ */
@ -35,16 +51,15 @@ class SS_HTMLValue extends ViewableData {
return trim( return trim(
preg_replace( preg_replace(
array( array(
'/^<!DOCTYPE.+?>/i', '/(.*)<body>/is',
'/(.*)<body>/i', '/<\/body>(.*)/is',
'/<\/body>(.*)/i',
), ),
'', '',
urldecode($this->getDocument()->saveHTML()) urldecode($this->getDocument()->saveHTML())
) )
); );
} }
/** /**
* @param string $content * @param string $content
* @return bool * @return bool
@ -59,14 +74,21 @@ class SS_HTMLValue extends ViewableData {
"<body>$content</body></html>" "<body>$content</body></html>"
); );
} }
/** /**
* @return DOMDocument * @return DOMDocument
*/ */
public function getDocument() { public function getDocument() {
return $this->document; return $this->document;
} }
/**
* @param DOMDocument $document
*/
public function setDocument($document) {
$this->document = $document;
}
/** /**
* A simple convenience wrapper around DOMDocument::getElementsByTagName(). * A simple convenience wrapper around DOMDocument::getElementsByTagName().
* *
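Review bot: `scrictErrorChecking` in the new setter line `$this->getDocument()->scrictErrorChecking = $bool;` is not a DOMDocument property — the real one is `strictErrorChecking` — so the write only creates a dynamic property on the document object and strict error checking is never actually switched off. The typo was already present in the old constructor line, but the commit now bakes it into a public method name (setScrictErrorChecking) as well. The property write should read `$this->getDocument()->strictErrorChecking = $bool;`, and the method is worth renaming to setStrictErrorChecking before anything outside this class starts calling it. On PHP 8.2+ the dynamic-property write would also raise a deprecation notice, which is a useful way to surface this class of typo in the test suite.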


@ -6,9 +6,10 @@
class SS_HTMLValueTest extends SapphireTest { class SS_HTMLValueTest extends SapphireTest {
public function testInvalidHTMLSaving() { public function testInvalidHTMLSaving() {
$value = new SS_HTMLValue(); $value = new SS_HTMLValue();
$invalid = array ( $invalid = array (
'<p>Enclosed Value</p></p>' => '<p>Enclosed Value</p>', '<p>Enclosed Value</p></p>' => '<p>Enclosed Value</p>',
'<meta content="text/html"></meta>' => '<meta content="text/html">',
'<p><div class="example"></div></p>' => '<p></p><div class="example"></div>', '<p><div class="example"></div></p>' => '<p></p><div class="example"></div>',
'<html><html><body><falsetag "attribute=""attribute""">' => '<falsetag></falsetag>', '<html><html><body><falsetag "attribute=""attribute""">' => '<falsetag></falsetag>',
'<body<body<body>/bodu>/body>' => '/bodu&gt;/body&gt;' '<body<body<body>/bodu>/body>' => '/bodu&gt;/body&gt;'
@ -19,9 +20,22 @@ class SS_HTMLValueTest extends SapphireTest {
$this->assertEquals($expected, $value->getContent(), 'Invalid HTML can be saved'); $this->assertEquals($expected, $value->getContent(), 'Invalid HTML can be saved');
} }
} }
public function testUtf8Saving() {
$value = new SS_HTMLValue();
$value->setContent('<p>ö ß ā い 家</p>');
$this->assertEquals('<p>ö ß ā い 家</p>', $value->getContent());
}
public function testOutputFormatting() {
$value = new SS_HTMLValue();
$value->setOutputFormatting(true);
$value->setContent('<meta content="text/html">');
$this->assertEquals('<meta content="text/html">', $value->getContent(), 'Formatted output works');
}
public function testInvalidHTMLTagNames() { public function testInvalidHTMLTagNames() {
$value = new SS_HTMLValue(); $value = new SS_HTMLValue();
$invalid = array( $invalid = array(
'<p><div><a href="test-link"></p></div>', '<p><div><a href="test-link"></p></div>',
'<html><div><a href="test-link"></a></a></html_>', '<html><div><a href="test-link"></a></a></html_>',
@ -30,7 +44,7 @@ class SS_HTMLValueTest extends SapphireTest {
foreach($invalid as $input) { foreach($invalid as $input) {
$value->setContent($input); $value->setContent($input);
$this->assertEquals ( $this->assertEquals(
'test-link', 'test-link',
$value->getElementsByTagName('a')->item(0)->getAttribute('href'), $value->getElementsByTagName('a')->item(0)->getAttribute('href'),
'Link data can be extraced from malformed HTML' 'Link data can be extraced from malformed HTML'
@ -47,5 +61,5 @@ class SS_HTMLValueTest extends SapphireTest {
'Newlines get converted' 'Newlines get converted'
); );
} }
} }