From 24bae3f922b8ca0cd9e5ce175ad205baeac96a7b Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Thu, 12 Sep 2013 16:48:20 +0200 Subject: [PATCH 01/10] Tagged 3.0.6-rc2 From f765696d269bddf6fea70e7590b89bb4315c738f Mon Sep 17 00:00:00 2001 From: Stephen Shkardoon Date: Fri, 13 Sep 2013 10:34:51 +1200 Subject: [PATCH 02/10] Update 3.0.6.md Add reference to information disclosure in Versioned.php (SS-2013-006) --- docs/en/changelogs/3.0.6.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/en/changelogs/3.0.6.md b/docs/en/changelogs/3.0.6.md index 6f75962a2..26992787d 100644 --- a/docs/en/changelogs/3.0.6.md +++ b/docs/en/changelogs/3.0.6.md @@ -23,6 +23,10 @@ See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation- See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/) +### Security: Information disclosure in Versioned.php (SS-2013-006) + +See [announcement](http://www.silverstripe.org/ss-2013-006-information-disclosure-in-versioned/) + ## Upgrading * If you have created your own composite database fields, then you should amend the setValue() to allow the passing of @@ -34,4 +38,4 @@ See [announcement](http://www.silverstripe.org/ss-2013-005-privilege-escalation- Before: `BackLink_Button.ss.Back`, after `BackLink_Button_ss.Back`. Please fix any custom language files or uses of those entities in custom code. * If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in `admin/myprofile` - to ensure correct operation (it has changed its locale identifier) \ No newline at end of file + to ensure correct operation (it has changed its locale identifier) From c453ea30948b1b7def1e03919f19caa1ffabda8e Mon Sep 17 00:00:00 2001 
From: Sean Harvey
Date: Fri, 20 Sep 2013 11:13:10 +1200
Subject: [PATCH 03/10] BUG Fixing tabindex added to CreditCardField when tabindex is NULL

The tabindex increment *should* only be done if there is a tabindex that has been set on a CreditCardField already, otherwise it breaks the tab ordering.
---
 forms/CreditCardField.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/forms/CreditCardField.php b/forms/CreditCardField.php
index 7e157cc2e..cdeb61c2c 100644
--- a/forms/CreditCardField.php
+++ b/forms/CreditCardField.php
@@ -35,6 +35,9 @@ class CreditCardField extends TextField {
 * @return string
 */
 protected function getTabIndexHTML($increment = 0) {
+ // we can't add a tabindex if there hasn't been one set yet.
+ if($this->getAttribute('tabindex') === null) return false;
+
 $tabIndex = (int)$this->getAttribute('tabindex') + (int)$increment;
 return (is_numeric($tabIndex)) ? ' tabindex = "' . $tabIndex . '"' : '';
 }

From b383a07f90090638deb00923ff07ec5c477365bb Mon Sep 17 00:00:00 2001
From: Sean Harvey
Date: Fri, 20 Sep 2013 11:13:10 +1200
Subject: [PATCH 04/10] BUG Fixing tabindex added to CreditCardField when tabindex is NULL

The tabindex increment *should* only be done if there is a tabindex that has been set on a CreditCardField already, otherwise it breaks the tab ordering.
---
 forms/CreditCardField.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/forms/CreditCardField.php b/forms/CreditCardField.php
index 7e157cc2e..cdeb61c2c 100644
--- a/forms/CreditCardField.php
+++ b/forms/CreditCardField.php
@@ -35,6 +35,9 @@ class CreditCardField extends TextField {
 * @return string
 */
 protected function getTabIndexHTML($increment = 0) {
+ // we can't add a tabindex if there hasn't been one set yet.
+ if($this->getAttribute('tabindex') === null) return false;
+
 $tabIndex = (int)$this->getAttribute('tabindex') + (int)$increment;
 return (is_numeric($tabIndex)) ? ' tabindex = "' . $tabIndex . '"' : '';
 }
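Review bot: The guard added at the top of getTabIndexHTML returns `false`, while the docblock line just above it still declares `@return string` and the method's own fallback on the last context line returns `''`; `if($this->getAttribute('tabindex') === null) return '';` keeps the contract consistent instead of relying on `false` being coerced to an empty string wherever the result is concatenated into markup. The `is_numeric($tabIndex)` test on the following context line can no longer be false after the `(int)` cast, so its `''` branch is unreachable — pre-existing, not introduced by this change, but worth tidying while the method is being touched. Patch 04/10 on this same page is a byte-identical repeat of this hunk with the same author, date and message, which looks like a duplicated cherry-pick; the same remark applies to it.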
From 114fb5910776ca7363ecae0c482aa9b654caa70b Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Tue, 24 Sep 2013 12:59:05 +0200 Subject: [PATCH 05/10] FIX Auto-escape titles in TreeDropdownField Related to SS-2013-009. While the default "TreeTitle" was escaped within the SiteTree->TreeTitle() getter, other properties like SiteTree->Title weren't escaped. The new logic uses the underlying casting helpers on the processed objects. --- forms/TreeDropdownField.php | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/forms/TreeDropdownField.php b/forms/TreeDropdownField.php index d3d77c83b..a2ca9be8d 100644 --- a/forms/TreeDropdownField.php +++ b/forms/TreeDropdownField.php @@ -263,14 +263,28 @@ class TreeDropdownField extends FormField { $obj->markToExpose($this->objectForKey($value)); } } - $eval = '"
  • getName() . '-{$child->' . $this->keyField . '}\" data-id=\"$child->' - . $this->keyField . '\" class=\"class-$child->class"' - . ' . $child->markingClasses() . "\">ID\">" . $child->' . $this->labelField . ' . ""'; + + $self = $this; + $escapeLabelField = ($obj->escapeTypeForField($this->labelField) != 'xml'); + $titleFn = function(&$child) use(&$self, $escapeLabelField) { + $keyField = $self->keyField; + $labelField = $self->labelField; + return sprintf( + '
  • %s', + Convert::raw2xml($self->getName()), + Convert::raw2xml($child->$keyField), + Convert::raw2xml($child->$keyField), + Convert::raw2xml($child->class), + Convert::raw2xml($child->markingClasses()), + (int)$child->ID, + $escapeLabelField ? Convert::raw2xml($child->$labelField) : $child->$labelField + ); + }; if($isSubTree) { - return substr(trim($obj->getChildrenAsUL('', $eval, null, true, $this->childrenMethod)), 4, -5); + return substr(trim($obj->getChildrenAsUL('', $titleFn, null, true, $this->childrenMethod)), 4, -5); } else { - return $obj->getChildrenAsUL('class="tree"', $eval, null, true, $this->childrenMethod); + return $obj->getChildrenAsUL('class="tree"', $titleFn, null, true, $this->childrenMethod); } } @@ -290,7 +304,7 @@ class TreeDropdownField extends FormField { return true; } - + /** * Populate $this->searchIds with the IDs of the pages matching the searched parameter and their parents. * Reverse-constructs the tree starting from the leaves. Initially taken from CMSSiteTreeFilter, but modified From c243418597c58da98d6a35f28140e553cc6bfe61 Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Tue, 24 Sep 2013 13:58:32 +0200 Subject: [PATCH 06/10] API Escape form validation messages (SS-2013-008) --- forms/Form.php | 20 ++++++++++++-------- forms/FormField.php | 4 ++++ 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/forms/Form.php b/forms/Form.php index f64e5622a..7e7398ef2 100644 --- a/forms/Form.php +++ b/forms/Form.php @@ -65,7 +65,7 @@ class Form extends RequestHandler { protected $validator; protected $formMethod = "post"; - + protected static $current_action; /** @@ -144,6 +144,10 @@ class Form extends RequestHandler { */ protected $attributes = array(); + public static $casting = array( + 'Message' => 'Text' + ); + /** * Create a new form, with the given fields an action buttons. * 
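Review bot: `$escapeLabelField` is decided once from `$obj->escapeTypeForField($this->labelField)` on the parent node, but the closure applies that single decision to every `$child` it renders; a child whose class casts `labelField` differently from the parent would be either double-escaped or, worse, emitted unescaped, which is exactly the SS-2013-009 class of problem this hunk is fixing. Moving the check inside the closure and making the comparison strict keeps the decision per object: `$escape = ($child->escapeTypeForField($labelField) !== 'xml');` followed by `$escape ? Convert::raw2xml($child->$labelField) : $child->$labelField`. The `use(&$self, ...)` reference capture is unnecessary since `$self` is an object handle; `use($self, ...)` reads more clearly and avoids the impression that the closure reassigns it. A short why-comment such as `// Fields already cast to an XML-safe type are emitted as-is; everything else is escaped before it reaches the node markup` would record the intent behind the `'xml'` comparison for the next reader. The enclosing method begins before this hunk, and the sprintf template has lost its markup on this page, so the placeholder count could not be checked against the seven arguments passed.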
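Review bot: The new `$casting` entry in Form.php (`'Message' => 'Text'`) carries no comment saying why it exists, and the identical unexplained entry is added to FormField.php in the later file section; a why-comment such as `// Validation messages can embed user-submitted values, so cast as Text to have templates escape $Message (SS-2013-008)` would tie both additions to the advisory they address. Casting only takes effect where the message is read through ViewableData's casting layer, i.e. templates rendering `$Message`; any code path that fetches the stored message directly and echoes it is not covered by this change — presumably there is none in core, but it is worth confirming. The `addErrorMessage` docblock later in this file is updated to say "plain text", while the `sessionMessage()` API named in the 3.0.7 changelog lies outside these hunks, so its docblock may want the same wording.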
@@ -203,7 +207,7 @@ class Form extends RequestHandler { 'GET ' => 'httpSubmission', 'HEAD ' => 'httpSubmission', ); - + /** * Set up current form errors in session to * the current form if appropriate. @@ -239,7 +243,7 @@ class Form extends RequestHandler { * if the form is valid. */ public function httpSubmission($request) { - $vars = $request->requestVars(); + $vars = $request->requestVars(); if(isset($funcName)) { Form::set_current_action($funcName); } @@ -281,7 +285,7 @@ class Form extends RequestHandler { if(isset($funcName)) { $this->setButtonClicked($funcName); } - + // Permission checks (first on controller, then falling back to form) if( // Ensure that the action is actually a button or method on the form, @@ -355,8 +359,8 @@ class Form extends RequestHandler { } return $this->controller->redirectBack(); } - } - + } + // First, try a handler method on the controller (has been checked for allowed_actions above already) if($this->controller->hasMethod($funcName)) { return $this->controller->$funcName($vars, $this, $request); @@ -439,7 +443,7 @@ class Form extends RequestHandler { } /** - * Add an error message to a field on this form. It will be saved into the session + * Add a plain text error message to a field on this form. It will be saved into the session * and used the next time this form is displayed. */ public function addErrorMessage($fieldName, $message, $messageType) { @@ -865,7 +869,7 @@ class Form extends RequestHandler { $this->formMethod = strtolower($method); return $this; } - + /** * Return the form's action attribute. * This is build by adding an executeForm get variable to the parent controller's Link() value diff --git a/forms/FormField.php b/forms/FormField.php index 1e1111e20..16abd410b 100644 --- a/forms/FormField.php +++ b/forms/FormField.php 
@@ -93,6 +93,10 @@ class FormField extends RequestHandler { */ protected $attributes = array(); + public static $casting = array( + 'Message' => 'Text' + ); + /** * Takes a fieldname and converts camelcase to spaced * words. Also resolves combined fieldnames with dot syntax From e1f9458db145ce8ffda195ab78e3ba2260ea1f8a Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Tue, 24 Sep 2013 14:18:45 +0200 Subject: [PATCH 07/10] Added 3.0.7 changelog --- docs/en/changelogs/3.0.7.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/en/changelogs/3.0.7.md diff --git a/docs/en/changelogs/3.0.7.md b/docs/en/changelogs/3.0.7.md new file mode 100644 index 000000000..700a1b42e --- /dev/null +++ b/docs/en/changelogs/3.0.7.md @@ -0,0 +1,17 @@ +# 3.0.7 + +## Overview + +### Security: XSS in form validation errors (SS-2013-008) + +See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/) + +### Security: XSS in CMS "Pages" section (SS-2013-009) + +See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/) + +### API: Form validation message no longer allow HTML + +Due to cross-site scripting concerns when user data is used for form messages, +it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently +in the `FormField->validate()` API. \ No newline at end of file From ffb316dbc98772fe6eab302df5897a50a4066cd8 Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Thu, 26 Sep 2013 01:32:41 +0200 Subject: [PATCH 08/10] Added 3.0.7-rc1 changelog --- docs/en/changelogs/rc/3.0.7-rc1.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/en/changelogs/rc/3.0.7-rc1.md diff --git a/docs/en/changelogs/rc/3.0.7-rc1.md b/docs/en/changelogs/rc/3.0.7-rc1.md new file mode 100644 index 000000000..a426af041 --- /dev/null +++ b/docs/en/changelogs/rc/3.0.7-rc1.md 
@@ -0,0 +1,17 @@ +# 3.0.7-rc1 + +## Overview + +### Security: XSS in form validation errors (SS-2013-008) + +See [announcement](http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/) + +### Security: XSS in CMS "Pages" section (SS-2013-009) + +See [announcement](http://www.silverstripe.org/ss-2013-009-xss-in-cms-pages-section/) + +### API: Form validation message no longer allow HTML + +Due to cross-site scripting concerns when user data is used for form messages, +it is no longer possible to use HTML in `Form->sessionMessage()`, and consequently +in the `FormField->validate()` API. \ No newline at end of file From dd0296413fbbe56ff8dec9cd927fe7fb0dbade6c Mon Sep 17 00:00:00 2001 From: moveforward Date: Thu, 26 Sep 2013 14:41:40 +1200 Subject: [PATCH 09/10] Fixed typo --- docs/en/topics/versioning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/topics/versioning.md b/docs/en/topics/versioning.md index c0ba66138..ebd98825c 100644 --- a/docs/en/topics/versioning.md +++ b/docs/en/topics/versioning.md @@ -80,7 +80,7 @@ but also include information about when and how a record was published. :::php $record = MyRecord::get()->byID(99); // stage doesn't matter here $versions = $record->allVersions(); - echo $versions->First()->Version; // instance of Versioned_Versoin + echo $versions->First()->Version; // instance of Versioned_Version ### Writing Versions and Changing Stages From 652682c04822685b4555ccac60b697f2e86ec4e0 Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Thu, 26 Sep 2013 11:33:27 +0200 Subject: [PATCH 10/10] 3.0.6 changelog --- docs/en/changelogs/3.0.6.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/changelogs/3.0.6.md b/docs/en/changelogs/3.0.6.md index 26992787d..c033bbd06 100644 --- a/docs/en/changelogs/3.0.6.md +++ b/docs/en/changelogs/3.0.6.md @@ -1,4 +1,4 @@ -# 3.0.6 (Not yet released) +# 3.0.6 ## Overview