mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
Merge remote-tracking branch 'origin/3.0' into 3.1
This commit is contained in:
commit
53c84ee1fe
@ -359,7 +359,7 @@ class LeftAndMain extends Controller implements PermissionProvider {
|
||||
} catch(ValidationException $e) {
|
||||
// Nicer presentation of model-level validation errors
|
||||
$msgs = _t('LeftAndMain.ValidationError', 'Validation error') . ': '
|
||||
. $e->getResult()->message();
|
||||
. $e->getMessage();
|
||||
$e = new SS_HTTPResponse_Exception($msgs, 403);
|
||||
$e->getResponse()->addHeader('Content-Type', 'text/plain');
|
||||
$e->getResponse()->addHeader('X-Status', rawurlencode($msgs));
|
||||
|
@ -156,7 +156,7 @@ class CsvBulkLoader extends BulkLoader {
|
||||
//user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}'
|
||||
//in columns", E_USER_ERROR);
|
||||
}
|
||||
$SQL_fieldValue = $record[$fieldName];
|
||||
$SQL_fieldValue = Convert::raw2sql($record[$fieldName]);
|
||||
$existingRecord = DataObject::get_one($this->objectClass, "\"$SQL_fieldName\" = '{$SQL_fieldValue}'");
|
||||
if($existingRecord) return $existingRecord;
|
||||
} elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) {
|
||||
|
42
docs/en/changelogs/2.4.10.md
Normal file
42
docs/en/changelogs/2.4.10.md
Normal file
@ -0,0 +1,42 @@
|
||||
# 2.4.10 (2013-02-19)
|
||||
|
||||
## Overview
|
||||
|
||||
* Security: Undefined `$allowed_actions` overrides parent definitions
|
||||
* API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`
|
||||
|
||||
## Details
|
||||
|
||||
### Security: Undefined `$allowed_actions` overrides parent definitions
|
||||
|
||||
Severity: Important
|
||||
|
||||
Description: `Controller` (and subclasses) failed to enforce `$allowed_action` restrictions
|
||||
on parent classes if a child class didn't have it explicitly defined.
|
||||
|
||||
Impact: Depends on the used controller code. For any method with public visibility,
|
||||
the flaw can expose the return value of the method (unless it fails due to wrong arguments).
|
||||
It can also lead to unauthorized or unintended execution of logic, e.g. modifying the
|
||||
state of a database record.
|
||||
|
||||
Fix: Apply the 2.4.10 update. In addition, we strongly recommend to define `$allowed_actions`
|
||||
on all controller classes to ensure the intentions are clearly communicated.
|
||||
|
||||
### API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`
|
||||
|
||||
Controllers which are extended with `$allowed_actions` (through an `Extension`)
|
||||
now deny access to methods defined on the controller, unless this class also has them in its own
|
||||
`$allowed_actions` definition.
|
||||
|
||||
## Changelog
|
||||
|
||||
### API Changes
|
||||
|
||||
* 2013-02-15 [2352317](https://github.com/silverstripe/silverstripe-installer/commit/2352317) Filter composer files in IIS and Apache rules (fixes #8011) (Ingo Schommer)
|
||||
* 2013-02-12 [45c68d6] Require ADMIN for ?showtemplate=1 (Ingo Schommer)
|
||||
|
||||
### Bugfixes
|
||||
|
||||
* 2013-02-17 [c7b0666](https://github.com/silverstripe/silverstripe-cms/commit/c7b0666) Escape page titles in CommentAdmin table listing (Ingo Schommer)
|
||||
* 2013-01-15 [50995fb] Undefined `$allowed_actions` overrides parent definitions, stricter handling of $allowed_actions on Extension (Ingo Schommer)
|
||||
* 2013-01-06 [eecd348] Keep Member.PasswordEncryption setting on empty passwords (Ingo Schommer)
|
@ -21,6 +21,11 @@ For information on how to upgrade to newer versions consult the [upgrading](/ins
|
||||
|
||||
* [2.4.7](2.4.7) - 1 February 2012
|
||||
* [2.4.6](2.4.6) - 18 October 2011
|
||||
* [2.4.10](2.4.10) - 2013-02-19
|
||||
* [2.4.9](2.4.9) - 2012-12-04
|
||||
* [2.4.8](2.4.8) - 2012-10-30
|
||||
* [2.4.7](2.4.7) - 2012-02-01
|
||||
* [2.4.6](2.4.6) - 2011-10-17
|
||||
* [2.4.5](2.4.5) - 2 February 2011
|
||||
* [2.4.4](2.4.4) - 21 December 2010
|
||||
* [2.4.3](2.4.3) - 11 November 2010
|
||||
|
@ -98,7 +98,8 @@ This code provides a good template:
|
||||
|
||||
:::php
|
||||
class MyProcess extends Controller {
|
||||
public function index() {
|
||||
public static $allowed_actions = array('index');
|
||||
function index() {
|
||||
set_time_limit(0);
|
||||
while(memory_get_usage() < 32*1024*1024) {
|
||||
if($this->somethingToDo()) {
|
||||
@ -122,4 +123,4 @@ Step 3: Use sake to start and stop your process
|
||||
|
||||
|
||||
Note that sake processes are currently a little brittle, in that the pid and log files are placed in the site root
|
||||
directory, rather than somewhere sensible like /var/log or /var/run.
|
||||
directory, rather than somewhere sensible like /var/log or /var/run.
|
@ -15,7 +15,7 @@ your own routes since the cms module handles these routes.
|
||||
<?php
|
||||
|
||||
class FastFood_Controller extends Controller {
|
||||
public static $allowed_actions = array('order');
|
||||
public static $allowed_actions = array('order');
|
||||
public function order(SS_HTTPRequest $request) {
|
||||
print_r($arguments);
|
||||
}
|
||||
|
@ -79,7 +79,7 @@ Example:
|
||||
|
||||
:::php
|
||||
class MyController extends Controller {
|
||||
static $allowed_actions = array('myurlaction');
|
||||
static $allowed_actions = array('myurlaction');
|
||||
public function myurlaction($RAW_urlParams) {
|
||||
$SQL_urlParams = Convert::raw2sql($RAW_urlParams); // works recursively on an array
|
||||
$objs = Player::get()->where("Name = '{$SQL_data[OtherID]}'");
|
||||
|
Loading…
Reference in New Issue
Block a user