Merge remote-tracking branch 'origin/3.0' into 3.1

This commit is contained in:
Ingo Schommer 2013-03-19 14:04:29 +01:00
commit 53c84ee1fe
7 changed files with 54 additions and 6 deletions

View File

@ -359,7 +359,7 @@ class LeftAndMain extends Controller implements PermissionProvider {
} catch(ValidationException $e) {
// Nicer presentation of model-level validation errors
$msgs = _t('LeftAndMain.ValidationError', 'Validation error') . ': '
. $e->getResult()->message();
. $e->getMessage();
$e = new SS_HTTPResponse_Exception($msgs, 403);
$e->getResponse()->addHeader('Content-Type', 'text/plain');
$e->getResponse()->addHeader('X-Status', rawurlencode($msgs));

View File

@ -156,7 +156,7 @@ class CsvBulkLoader extends BulkLoader {
//user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}'
//in columns", E_USER_ERROR);
}
$SQL_fieldValue = $record[$fieldName];
$SQL_fieldValue = Convert::raw2sql($record[$fieldName]);
$existingRecord = DataObject::get_one($this->objectClass, "\"$SQL_fieldName\" = '{$SQL_fieldValue}'");
if($existingRecord) return $existingRecord;
} elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) {

View File

@ -0,0 +1,42 @@
# 2.4.10 (2013-02-19)
## Overview
* Security: Undefined `$allowed_actions` overrides parent definitions
* API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`
## Details
### Security: Undefined `$allowed_actions` overrides parent definitions
Severity: Important
Description: `Controller` (and subclasses) failed to enforce `$allowed_action` restrictions
on parent classes if a child class didn't have it explicitly defined.
Impact: Depends on the used controller code. For any method with public visibility,
the flaw can expose the return value of the method (unless it fails due to wrong arguments).
It can also lead to unauthorized or unintended execution of logic, e.g. modifying the
state of a database record.
Fix: Apply the 2.4.10 update. In addition, we strongly recommend to define `$allowed_actions`
on all controller classes to ensure the intentions are clearly communicated.
### API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`
Controllers which are extended with `$allowed_actions` (through an `Extension`)
now deny access to methods defined on the controller, unless this class also has them in its own
`$allowed_actions` definition.
## Changelog
### API Changes
* 2013-02-15 [2352317](https://github.com/silverstripe/silverstripe-installer/commit/2352317) Filter composer files in IIS and Apache rules (fixes #8011) (Ingo Schommer)
* 2013-02-12 [45c68d6] Require ADMIN for ?showtemplate=1 (Ingo Schommer)
### Bugfixes
* 2013-02-17 [c7b0666](https://github.com/silverstripe/silverstripe-cms/commit/c7b0666) Escape page titles in CommentAdmin table listing (Ingo Schommer)
* 2013-01-15 [50995fb] Undefined `$allowed_actions` overrides parent definitions, stricter handling of $allowed_actions on Extension (Ingo Schommer)
* 2013-01-06 [eecd348] Keep Member.PasswordEncryption setting on empty passwords (Ingo Schommer)

View File

@ -21,6 +21,11 @@ For information on how to upgrade to newer versions consult the [upgrading](/ins
* [2.4.7](2.4.7) - 1 February 2012
* [2.4.6](2.4.6) - 18 October 2011
* [2.4.10](2.4.10) - 2013-02-19
* [2.4.9](2.4.9) - 2012-12-04
* [2.4.8](2.4.8) - 2012-10-30
* [2.4.7](2.4.7) - 2012-02-01
* [2.4.6](2.4.6) - 2011-10-17
* [2.4.5](2.4.5) - 2 February 2011
* [2.4.4](2.4.4) - 21 December 2010
* [2.4.3](2.4.3) - 11 November 2010

View File

@ -98,7 +98,8 @@ This code provides a good template:
:::php
class MyProcess extends Controller {
public function index() {
public static $allowed_actions = array('index');
function index() {
set_time_limit(0);
while(memory_get_usage() < 32*1024*1024) {
if($this->somethingToDo()) {
@ -122,4 +123,4 @@ Step 3: Use sake to start and stop your process
Note that sake processes are currently a little brittle, in that the pid and log files are placed in the site root
directory, rather than somewhere sensible like /var/log or /var/run.
directory, rather than somewhere sensible like /var/log or /var/run.

View File

@ -15,7 +15,7 @@ your own routes since the cms module handles these routes.
<?php
class FastFood_Controller extends Controller {
public static $allowed_actions = array('order');
public static $allowed_actions = array('order');
public function order(SS_HTTPRequest $request) {
print_r($arguments);
}

View File

@ -79,7 +79,7 @@ Example:
:::php
class MyController extends Controller {
static $allowed_actions = array('myurlaction');
static $allowed_actions = array('myurlaction');
public function myurlaction($RAW_urlParams) {
$SQL_urlParams = Convert::raw2sql($RAW_urlParams); // works recursively on an array
$objs = Player::get()->where("Name = '{$SQL_data[OtherID]}'");