From d85ff3bc4463d47edd6b662b34569162e3861a88 Mon Sep 17 00:00:00 2001 From: Loz Calver Date: Mon, 23 Sep 2019 16:52:47 +0100 Subject: [PATCH 1/7] FIX: Don't force-add view button to readonly GridField (fixes #9249) --- src/Forms/GridField/GridField.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/Forms/GridField/GridField.php b/src/Forms/GridField/GridField.php index 934b15d60..60eb1edec 100644 --- a/src/Forms/GridField/GridField.php +++ b/src/Forms/GridField/GridField.php @@ -247,6 +247,7 @@ class GridField extends FormField $copy = clone $this; $copy->setReadonly(true); $copyConfig = $copy->getConfig(); + $hadEditButton = $copyConfig->getComponentByType(GridFieldEditButton::class) !== null; // get the whitelist for allowable readonly components $allowedComponents = $this->getReadonlyComponents(); @@ -257,8 +258,8 @@ class GridField extends FormField } } - // As the edit button may have been removed, add a view button if it doesn't have one - if (!$copyConfig->getComponentByType(GridFieldViewButton::class)) { + // If the edit button has been removed, replace it with a view button + if ($hadEditButton && !$copyConfig->getComponentByType(GridFieldViewButton::class)) { $copyConfig->addComponent(new GridFieldViewButton); } From efdb9cc718517c09800a47bb53374bff787b54fa Mon Sep 17 00:00:00 2001 From: Loz Calver Date: Mon, 23 Sep 2019 16:59:58 +0100 Subject: [PATCH 2/7] FIX: run member CMS validator when editing via groups (fixes #9184) --- src/Security/Group.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Security/Group.php b/src/Security/Group.php index eb72fbfe3..fb507833c 100755 --- a/src/Security/Group.php +++ b/src/Security/Group.php @@ -96,7 +96,7 @@ class Group extends DataObject return $doSet; } - + private function getDecodedBreadcrumbs() { $list = Group::get()->exclude('ID', $this->ID); 
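Review bot: The rewritten condition only tests that an edit button existed before the whitelist filter, not that it was actually removed, so a readonly whitelist that keeps `GridFieldEditButton` (whatever `getReadonlyComponents()` returns is outside this hunk) would end up with both an edit button and a force-added view button, contradicting the comment "replace it with a view button". Re-check the post-filter config as well: `if ($hadEditButton && !$copyConfig->getComponentByType(GridFieldEditButton::class) && !$copyConfig->getComponentByType(GridFieldViewButton::class)) {`. The enclosing method begins before the hunk and its return is not visible here.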
@@ -166,10 +166,10 @@ class Group extends DataObject /** @var GridFieldDetailForm $detailForm */ $detailForm = $config->getComponentByType(GridFieldDetailForm::class); $detailForm - ->setValidator(Member_Validator::create()) ->setItemEditFormCallback(function ($form) use ($group) { /** @var Form $form */ $record = $form->getRecord(); + $form->setValidator($record->getValidator()); $groupsField = $form->Fields()->dataFieldByName('DirectGroups'); if ($groupsField) { // If new records are created in a group context, @@ -332,7 +332,7 @@ class Group extends DataObject // Now set all children groups as a new foreign key $familyIDs = $this->collateFamilyIDs(); $result = $result->forForeignID($familyIDs); - + return $result->where($filter); } From 99ab3c642135a8fd5e9ee8f342afc681b15f010c Mon Sep 17 00:00:00 2001 From: Aaron Carlino Date: Mon, 19 Aug 2019 10:41:50 +1200 Subject: [PATCH 3/7] DOCS: Add FileShortcodeProvider change to changelog --- docs/en/04_Changelogs/4.3.5.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 docs/en/04_Changelogs/4.3.5.md diff --git a/docs/en/04_Changelogs/4.3.5.md b/docs/en/04_Changelogs/4.3.5.md new file mode 100644 index 000000000..a5b18d451 --- /dev/null +++ b/docs/en/04_Changelogs/4.3.5.md 
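Review bot: `$form->setValidator($record->getValidator())` inside the item edit form callback assumes `getRecord()` returns a `Member` whose `getValidator()` yields a non-null validator; the removed component-level `setValidator(Member_Validator::create())` applied unconditionally, so any path where `$record` is null or `getValidator()` returns null would now run the form with no CMS validation (or fatal if `setValidator` is type-hinted), which cannot be confirmed from the hunk. A fallback preserves the old guarantee: `$validator = $record ? $record->getValidator() : null;` followed by `$form->setValidator($validator ?: Member_Validator::create());`. A one-line comment would also help the next reader: `// Resolve the validator per record so Member subclasses with custom rules are validated in the group context (#9184)`. The enclosing method starts and ends outside the hunk.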
@@ -0,0 +1,22 @@ +# 4.3.5 + +Embedding files with shortcodes (`FileShortcodeProvider`) no longer provides a session grant +by default. This is because it has the potential to escalate file access +to users who otherwise should not have viewing permissions for the file. + +There is a minor performance trade-off for disabling these grants. If you have a page with a lot of +images that are in a draft state or have custom viewing permissions, it adds an extra database +query for each embedded image. With session grants enabled, the first permission check persists +the grant into the session, meaning there is no need to query the database on every single file. + +Unless you have a lot of shortcode images embedded with protected or draft status on a single page, +this setting is best left to its default value of `false`. + +To revert to the old behaviour: + +``` +SilverStripe\Assets\Shortcodes\FileShortcodeProvider: + allow_session_grant: true +``` + + From 569237c0f4d16ac6f927aeb0ed8c9b8787490080 Mon Sep 17 00:00:00 2001 From: Serge Latyntcev Date: Mon, 16 Sep 2019 16:29:42 +1200 Subject: [PATCH 4/7] [CVE-2019-12203] Session fixation in "change password" form A potential account hijacking may happen if an attacker has physical access to victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability. Requires the victim to click the password reset link sent to their email. If all the above happens, attackers may reset the password before the actual user does that. --- src/Control/Session.php | 13 ++++++++++++- .../MemberAuthenticator/ChangePasswordHandler.php | 1 + .../SessionAuthenticationHandler.php | 1 + 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/Control/Session.php b/src/Control/Session.php index f0ad80545..638cd7fe7 100644 --- a/src/Control/Session.php +++ b/src/Control/Session.php 
@@ -218,7 +218,6 @@ class Session */ public function init(HTTPRequest $request) { - if (!$this->isStarted() && $this->requestContainsSessionId($request)) { $this->start($request); } @@ -635,4 +634,16 @@ class Session } } } + + /** + * Regenerate session id + * + * @internal This is for internal use only. Isn't a part of public API. + */ + public function regenerateSessionId() + { + if (!headers_sent()) { + session_regenerate_id(true); + } + } } diff --git a/src/Security/MemberAuthenticator/ChangePasswordHandler.php b/src/Security/MemberAuthenticator/ChangePasswordHandler.php index 483286162..fdd704e0a 100644 --- a/src/Security/MemberAuthenticator/ChangePasswordHandler.php +++ b/src/Security/MemberAuthenticator/ChangePasswordHandler.php @@ -158,6 +158,7 @@ class ChangePasswordHandler extends RequestHandler Injector::inst()->get(IdentityStore::class)->logOut(); } + $this->getRequest()->getSession()->regenerateSessionId(); // Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm. $this->getRequest()->getSession()->set('AutoLoginHash', $member->encryptWithUserSettings($token)); } diff --git a/src/Security/MemberAuthenticator/SessionAuthenticationHandler.php b/src/Security/MemberAuthenticator/SessionAuthenticationHandler.php index 1aafc020c..25f5b47f4 100644 --- a/src/Security/MemberAuthenticator/SessionAuthenticationHandler.php +++ b/src/Security/MemberAuthenticator/SessionAuthenticationHandler.php @@ -98,6 +98,7 @@ class SessionAuthenticationHandler implements AuthenticationHandler $file = ''; $line = ''; + // TODO: deprecate and use Session::regenerateSessionId // @ is to supress win32 warnings/notices when session wasn't cleaned up properly // There's nothing we can do about this, because it's an operating system function! if (!headers_sent($file, $line)) { From 5af205993d24b4bafc00dea94efc2c31305bca83 Mon Sep 17 00:00:00 2001 
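Review bot: `regenerateSessionId()` calls `session_regenerate_id(true)` guarded only by `headers_sent()`, not by whether a session is active, so on a request where no session has been started PHP emits a warning and returns false, and the fixation defence silently does nothing — as it also does on the `headers_sent()` branch, with no signal to the caller. Check the PHP-level session state and return the outcome: `if (headers_sent() || session_status() !== PHP_SESSION_ACTIVE) { return false; }` then `return session_regenerate_id(true);`, with `@return bool Whether the ID was actually rotated` added to the docblock. Whether `$this->isStarted()` mirrors `session_status()` exactly is not visible in this hunk, so the native check avoids depending on it.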
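Review bot: The new `regenerateSessionId()` call in `ChangePasswordHandler` runs immediately before `set('AutoLoginHash', ...)`, but nothing in the hunk shows the session is already started at that point; if it is not, the regeneration is a no-op and the subsequent `set()` would start a session under whatever ID the request cookie carried, which is exactly the fixated ID this fix is meant to discard. Make the ordering explicit, e.g. `$session = $this->getRequest()->getSession();` / `if (!$session->isStarted()) { $session->start($this->getRequest()); }` / `$session->regenerateSessionId();`, and record the intent with `// Rotate the session ID before persisting the token so a pre-set (fixated) session cannot be used to consume it (CVE-2019-12203)`. Whether `Session::start()` is public and whether `set()` lazily starts a session is outside this hunk; the surrounding method begins before it.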
From: Serge Latyntcev Date: Tue, 24 Sep 2019 11:14:14 +1200 Subject: [PATCH 5/7] [CVE-2019-12617] Fix access escalation for CMS users with limited access through permission cache pollution --- src/Security/InheritedPermissions.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/Security/InheritedPermissions.php b/src/Security/InheritedPermissions.php index d8ae2f7bd..adf752429 100644 --- a/src/Security/InheritedPermissions.php +++ b/src/Security/InheritedPermissions.php @@ -737,6 +737,7 @@ class InheritedPermissions implements PermissionChecker, MemberCacheFlusher */ protected function generateCacheKey($type, $memberID) { - return "{$type}-{$memberID}"; + $classKey = str_replace('\\', '-', $this->baseClass); + return "{$type}-{$classKey}-{$memberID}"; } } From 8ee5e621fd8558ffa38a3f73cbb7c98977299ea8 Mon Sep 17 00:00:00 2001 From: Aaron Carlino Date: Wed, 18 Sep 2019 17:10:07 +1200 Subject: [PATCH 6/7] DOCS: Add docs for versioned files migration --- docs/en/03_Upgrading/index.md | 20 ++++++++++++++++++++ docs/en/04_Changelogs/4.3.5.md | 20 ++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/docs/en/03_Upgrading/index.md b/docs/en/03_Upgrading/index.md index 92562fc20..78754d904 100644 --- a/docs/en/03_Upgrading/index.md +++ b/docs/en/03_Upgrading/index.md 
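Review bot: The cache key now incorporates `$this->baseClass`, but the docblock of `generateCacheKey` (which begins above the hunk) does not say why, and a later refactor could "simplify" the key back to `{$type}-{$memberID}` and reintroduce the cross-class cache pollution this commit fixes; suggest adding `* The base class is part of the key: InheritedPermissions instances for different classes share the cache backend, and a key built only from type and member ID lets one class's cached result answer another class's check (CVE-2019-12617).` The `str_replace('\\', '-', ...)` only normalises the namespace separator; if the backing cache is PSR-16 the reserved characters are `{}()/\@:`, so a forward slash in the type or a non-class `baseClass` would still be rejected — which backend is in use is not visible here. Any other per-instance state that changes the answer (a stage, if the class is stage-aware) would also need to be in the key, but none is visible in this hunk.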
@@ -1148,6 +1148,26 @@ has been added to assist in migration of legacy files (see [file migration docum ./vendor/bin/sake dev/tasks/MigrateFileTask ``` +##### If you were using the versionedfiles on your 3.x site + +SilverStripe 4 supersedes the `versionedfiles` module with its new support for +properly versioned files. However, your file migration will leave all your old +`_versions` folders as artefacts in the public filesystem, which means all the +unpublished versions of your old files are publicly accessible under a guessable URL. + +To work around this, you can use the `VersionedFilesMigrationTask`: + +`$ vendor/bin/sake dev/tasks/migrate-versionedfiles strategy=[delete|protect]` + +If you choose the `delete` strategy (default), the task will delete all `_versions` +files for you. Be sure to take a snapshot of your `public/assets` folder before +doing so. If you choose the `protect` strategy, the task will drop an `.htaccess` file +in your old `_versions` directories. **This method only works if you are using Apache +to serve your static files**. If you are using another server such as Nginx, these files +will remain publicly exposed. It is recommended you use the `delete` strategy if you are +not using Apache. + + ### Any other script that needs running. Some third party modules may include their own migration tasks. Take a minute to consult the release notes of your third party dependencies to make sure you haven't missed anything. diff --git a/docs/en/04_Changelogs/4.3.5.md b/docs/en/04_Changelogs/4.3.5.md index a5b18d451..e5ad33966 100644 --- a/docs/en/04_Changelogs/4.3.5.md +++ b/docs/en/04_Changelogs/4.3.5.md 
@@ -19,4 +19,24 @@ SilverStripe\Assets\Shortcodes\FileShortcodeProvider: allow_session_grant: true ``` +## If you were using the versionedfiles on your 3.x site + +This release includes a security fix for users who migrated from a 3.x site that used +the [versionedfiles](https://github.com/symbiote/silverstripe-versionedfiles) module. +The file migration would have left the `_versions` folders in your public filesystem +as artefacts, leaving all the unpublished versions of your old files publicly accessible +under a guessable URL. + +To work around this, you can use the `VersionedFilesMigrationTask`: + +`$ vendor/bin/sake dev/tasks/migrate-versionedfiles strategy=[delete|protect]` + +If you choose the `delete` strategy (default), the task will delete all `_versions` +files for you. Be sure to take a snapshot of your `public/assets` folder before +doing so. If you choose the `protect` strategy, the task will drop an `.htaccess` file +in your old `_versions` directories. **This method only works if you are using Apache +to serve your static files**. If you are using another server such as Nginx, these files +will remain publicly exposed. It is recommended you use the `delete` strategy if you are +not using Apache. + From 26a4fb38baed3280684533be155cd834ce6c42c6 Mon Sep 17 00:00:00 2001 From: Serge Latyntcev Date: Tue, 24 Sep 2019 05:01:19 +0000 Subject: [PATCH 7/7] Added 4.3.6 changelog --- docs/en/04_Changelogs/4.3.6.md | 51 ++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 docs/en/04_Changelogs/4.3.6.md diff --git a/docs/en/04_Changelogs/4.3.6.md b/docs/en/04_Changelogs/4.3.6.md new file mode 100644 index 000000000..2d2212432 --- /dev/null +++ b/docs/en/04_Changelogs/4.3.6.md 
@@ -0,0 +1,51 @@ +# 4.3.6 + + +## Change Log + +### Security + + * 2019-09-23 [5af205993](https://github.com/silverstripe/silverstripe-framework/commit/5af205993d24b4bafc00dea94efc2c31305bca83) Fix access escalation for CMS users with limited access through permission cache pollution (Serge Latyntcev) - See [cve-2019-12617](https://www.silverstripe.org/download/security-releases/cve-2019-12617) + * 2019-09-16 [569237c0f](https://github.com/silverstripe/silverstripe-framework/commit/569237c0f4d16ac6f927aeb0ed8c9b8787490080) Session fixation in "change password" form (Serge Latyntcev) - See [cve-2019-12203](https://www.silverstripe.org/download/security-releases/cve-2019-12203) + * 2019-08-20 [f98a59de](https://github.com/silverstripe/silverstripe-cms/commit/f98a59deb58d3c9c739f5b32de16472f6ef4a69c) install.php warning does not account for public dir (Aaron Carlino) - See [cve-2019-12204](https://www.silverstripe.org/download/security-releases/cve-2019-12204) + * 2019-08-17 [fddf889](https://github.com/silverstripe/silverstripe-assets/commit/fddf889917c4e58d32a3e6f476bddaf3fa595e41) Broken access control on files due to session grant (Aaron Carlino) - See [cve-2019-14273](https://www.silverstripe.org/download/security-releases/cve-2019-14273) + * 2019-05-21 [73e0cc6](https://github.com/silverstripe/silverstripe-assets/commit/73e0cc69dc499c24aa706af9eddd8a2db2ac93e0) Fix incorrect access control vulnerability with unwritten files in protected folders (Robbie Averill) - See [cve-2019-12245](https://www.silverstripe.org/download/security-releases/cve-2019-12245) + +### Features and Enhancements + + * 2019-09-18 [1308911](https://github.com/silverstripe/silverstripe-assets/commit/13089110e7b3feea2196198fd3beda21244ceb20) Add task to remove/protect _versions folders (Aaron Carlino) + * 2019-06-16 [06beff7](https://github.com/silverstripe/silverstripe-admin/commit/06beff71a45bca0f42c88ea931f142d8bc10d008) Allow export of injected GraphQL AST alongside HOC (#889) (Aaron 
Carlino) + +### Bugfixes + + * 2019-09-23 [aa7c05742](https://github.com/silverstripe/silverstripe-framework/commit/aa7c05742242f8e2ec77f97b52839e0365ec7e1a) Don't force-add view button to readonly GridField (fixes #… (#9254) (Guy Marriott) + * 2019-09-23 [190b2f284](https://github.com/silverstripe/silverstripe-framework/commit/190b2f28429cd870c791f689def055061665ee58) run member CMS validator when editing via groups (fixes #9… (#9255) (Guy Marriott) + * 2019-09-23 [efdb9cc71](https://github.com/silverstripe/silverstripe-framework/commit/efdb9cc718517c09800a47bb53374bff787b54fa) run member CMS validator when editing via groups (fixes #9184) (Loz Calver) + * 2019-09-23 [d85ff3bc4](https://github.com/silverstripe/silverstripe-framework/commit/d85ff3bc4463d47edd6b662b34569162e3861a88) Don't force-add view button to readonly GridField (fixes #9249) (Loz Calver) + * 2019-09-23 [fc536fa](https://github.com/silverstripe/silverstripe-assets/commit/fc536faf2413683549d6b8e77400dc85e37b3a30) Update Apache .htaccess for new access directives (Dylan Wagstaff) + * 2019-09-20 [ea363fc](https://github.com/silverstripe/silverstripe-asset-admin/commit/ea363fcabd9af8d7607bac9b431171b6b94583f1) Correctly process all non-insert form actions normally in the media dialog (#1005) (Damian Mooyman) + * 2019-09-10 [591b88a9b](https://github.com/silverstripe/silverstripe-framework/commit/591b88a9bc05b40a7ce3604283b9b7cb684f88cc) Allow infinite loop when calling DataObject::writeComponent() recursively (Maxime Rainville) + * 2019-09-03 [b0a6973](https://github.com/silverstripe/silverstripe-asset-admin/commit/b0a6973052e73652a9092e7ed9d5dd5d89e5dd42) Remove Default DropzoneJS Timeout of 30s (#985) (Joe Harvey) + * 2019-08-29 [77ba8391c](https://github.com/silverstripe/silverstripe-framework/commit/77ba8391c40278930873301d50ee3c1168da4cef) Byte Order Marks (BOM) are now stripped when importing CSV files (Robbie Averill) + * 2019-08-28 
[73f43c6f4](https://github.com/silverstripe/silverstripe-framework/commit/73f43c6f428dc92ee2c9a5f932c63ed8a04c8230) Remove placeholder text on new group form (Maxime Rainville) + * 2019-08-26 [314a906](https://github.com/silverstripe/silverstripe-admin/commit/314a9068e5a3a1a71dfc99021d6acec9b0ab5b77) Fix the jstree styles so that the selected states are more visible (bergice) + * 2019-08-23 [5845ac6](https://github.com/silverstripe/silverstripe-admin/commit/5845ac685851f8841af8d96ef6313a2cff153ba4) Prevent breadcrumb item styles from bleeding into non-react (Maxime Rainville) + * 2019-08-23 [94d6c80](https://github.com/silverstripe/silverstripe-admin/commit/94d6c80780430acb4e9d8786a5080a800f777792) enter to submit form not working on `Add new page` (bergice) + * 2019-08-14 [9889015](https://github.com/silverstripe/silverstripe-admin/commit/9889015eccd05c099e3d8b3d3ce52f179b5b9933) Display breadcrumb element from left to right (#925) (Guy Marriott) + * 2019-08-13 [1c548cb](https://github.com/silverstripe/silverstripe-admin/commit/1c548cb599563997687cd1062ff2a0985c43197e) jstree state when saving a page by retaining the open/closed state and selected node state. 
(bergice) + * 2019-08-09 [a2e98dc](https://github.com/silverstripe/silverstripe-admin/commit/a2e98dcf71353951055cb0f2da286a0455a66ebe) Display breadcrumb element from left to right (Maxime Rainville) + * 2019-08-09 [3d989a6ea](https://github.com/silverstripe/silverstripe-framework/commit/3d989a6eae979f2671889376179dfdc7085658ac) Use content generated by DataColumns component for print and csv export (Guy Marriott) + * 2019-07-29 [5c794dfcd](https://github.com/silverstripe/silverstripe-framework/commit/5c794dfcdd42b319325c867f4a807429ad93a553) Prevent setting session value when no session exists yet (Robbie Averill) + * 2019-07-25 [40cd66852](https://github.com/silverstripe/silverstripe-framework/commit/40cd66852e8d3a5d56c56b9d279cb89a98e3c16d) Fixed issue where multiple relationship sort order columns would be lost in favor of only the last relationship column in the sort order (UndefinedOffset) + * 2019-07-17 [ef25468](https://github.com/silverstripe/silverstripe-admin/commit/ef2546889ff35c2a6cf74aa956d818cae72898e0) Inline toolbar placement now works in HTMLEditorFields with less than 6 rows (Robbie Averill) + * 2019-07-12 [fcd7a1e63](https://github.com/silverstripe/silverstripe-framework/commit/fcd7a1e63e7013a9f36100a05bf723ed68382d8a) core memory limit test (Serge Latyntcev) + * 2019-06-27 [183371b](https://github.com/silverstripe/silverstripe-admin/commit/183371b28a9a1496f2a39284eb0d7d667d4b49bb) Update CSS for sitetree new page columns to use new classna… (#899) (Guy Marriott) + * 2019-06-27 [b9dcf070](https://github.com/silverstripe/silverstripe-cms/commit/b9dcf070406644f14ab9ae0eb9c22d0f3d1d10cd) Change sitetree new page column class naming to avoid conf… (#2449) (Guy Marriott) + * 2019-06-26 [b01dc580e](https://github.com/silverstripe/silverstripe-framework/commit/b01dc580e1f9b62c7b8a3a62157ad10930a80342) Protect against undefined index when using nullifyEmpty opt… (#9090) (Guy Marriott) + * 2019-06-25 
[c76d3a5db](https://github.com/silverstripe/silverstripe-framework/commit/c76d3a5db10f9a56a31684354fcd89c1a88de8d4) Protect against undefined index when using nullifyEmpty option (Robbie Averill) + * 2019-06-19 [260c89fd5](https://github.com/silverstripe/silverstripe-framework/commit/260c89fd54e1c1ed68e5597ccc4592473a53e983) Fix of delimiter not used bug (Mario Sommereder) + * 2019-06-19 [4df7c21](https://github.com/silverstripe/silverstripe-admin/commit/4df7c21f3fa0ee96cc62876abe9be20720bbc0dc) Update CSS for sitetree new page columns to use new classname, fix item placement within (Mikaela Young) + * 2019-06-19 [73f4e8c8](https://github.com/silverstripe/silverstripe-cms/commit/73f4e8c8605ea28a2283a1ef96723188c0266706) Change sitetree new page column class naming to avoid conflicts with bootstrap (Mikaela Young) + * 2019-06-13 [562a8a5](https://github.com/silverstripe/silverstripe-assets/commit/562a8a523b9a50a5a7d4e40c4b4c799a66869ec8) Add FolderNameFilter class: folder names no longer allow dots, and are replaced with dashes (Robbie Averill) + * 2019-06-05 [bcc55e2](https://github.com/silverstripe/silverstripe-admin/commit/bcc55e212384cdc36728224730dbf6db320acb10) Update modal designs to match design pattern library (Guy Marriott) + * 2019-04-12 [7592db91](https://github.com/silverstripe/silverstripe-cms/commit/7592db918f269db2fd5c33d9c1259df86f15e12b) VirtualPage missing methods from target page (fixes #2408) (Loz Calver)