Merge remote-tracking branch 'origin/3.0' into 3.1

admin/code/LeftAndMain.php

@@ -359,7 +359,7 @@ class LeftAndMain extends Controller implements PermissionProvider {
 		} catch(ValidationException $e) {
 			// Nicer presentation of model-level validation errors
 			$msgs = _t('LeftAndMain.ValidationError', 'Validation error') . ': ' 
-				. $e->getResult()->message();
+				. $e->getMessage();
 			$e = new SS_HTTPResponse_Exception($msgs, 403);
 			$e->getResponse()->addHeader('Content-Type', 'text/plain');
 			$e->getResponse()->addHeader('X-Status', rawurlencode($msgs));

dev/CsvBulkLoader.php

@@ -156,7 +156,7 @@ class CsvBulkLoader extends BulkLoader {
 					//user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}'
 					//in columns", E_USER_ERROR);
 				}
-				$SQL_fieldValue = $record[$fieldName];
+				$SQL_fieldValue = Convert::raw2sql($record[$fieldName]);
 				$existingRecord = DataObject::get_one($this->objectClass, "\"$SQL_fieldName\" = '{$SQL_fieldValue}'");
 				if($existingRecord) return $existingRecord;
 			} elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) {

docs/en/changelogs/2.4.10.md

@@ -0,0 +1,42 @@
+# 2.4.10 (2013-02-19)
+
+## Overview
+
+ * Security: Undefined `$allowed_actions` overrides parent definitions
+ * API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`
+
+## Details
+
+### Security: Undefined `$allowed_actions` overrides parent definitions
+
+Severity: Important
+
+Description: `Controller` (and subclasses) failed to enforce `$allowed_action` restrictions
+on parent classes if a child class didn't have it explicitly defined.
+
+Impact: Depends on the used controller code. For any method with public visibility,
+the flaw can expose the return value of the method (unless it fails due to wrong arguments).
+It can also lead to unauthorized or unintended execution of logic, e.g. modifying the
+state of a database record.
+
+Fix: Apply the 2.4.10 update. In addition, we strongly recommend to define `$allowed_actions`
+on all controller classes to ensure the intentions are clearly communicated.
+
+### API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`
+
+Controllers which are extended with `$allowed_actions` (through an `Extension`)
+now deny access to methods defined on the controller, unless this class also has them in its own
+`$allowed_actions` definition.
+
+## Changelog
+
+### API Changes
+
+ * 2013-02-15 [2352317](https://github.com/silverstripe/silverstripe-installer/commit/2352317) Filter composer files in IIS and Apache rules (fixes #8011) (Ingo Schommer)
+ * 2013-02-12 [45c68d6] Require ADMIN for ?showtemplate=1 (Ingo Schommer)
+
+### Bugfixes
+
+ * 2013-02-17 [c7b0666](https://github.com/silverstripe/silverstripe-cms/commit/c7b0666) Escape page titles in CommentAdmin table listing (Ingo Schommer)
+ * 2013-01-15 [50995fb] Undefined `$allowed_actions` overrides parent definitions, stricter handling of $allowed_actions on Extension (Ingo Schommer)
+ * 2013-01-06 [eecd348] Keep Member.PasswordEncryption setting on empty passwords (Ingo Schommer)

docs/en/changelogs/index.md

@@ -21,6 +21,11 @@ For information on how to upgrade to newer versions consult the [upgrading](/ins
 
  * [2.4.7](2.4.7) - 1 February 2012
  * [2.4.6](2.4.6) - 18 October 2011
+ * [2.4.10](2.4.10) - 2013-02-19
+ * [2.4.9](2.4.9) - 2012-12-04
+ * [2.4.8](2.4.8) - 2012-10-30
+ * [2.4.7](2.4.7) - 2012-02-01
+ * [2.4.6](2.4.6) - 2011-10-17
  * [2.4.5](2.4.5) - 2 February 2011
  * [2.4.4](2.4.4) - 21 December 2010
  * [2.4.3](2.4.3) - 11 November 2010

docs/en/topics/commandline.md

@@ -98,7 +98,8 @@ This code provides a good template:
 
 	:::php
 	class MyProcess extends Controller {
-	  public function index() {
+		public static $allowed_actions = array('index');
+	  function index() {
 	    set_time_limit(0);
 	    while(memory_get_usage() < 32*1024*1024) {
 	      if($this->somethingToDo()) {