Merge remote-tracking branch 'origin/3.1.0-beta2' into 3.1

2024-10-22 12:05:37 +00:00 · 2013-03-12 10:45:44 +01:00 · 2013-03-12 10:45:44 +01:00 · 53e988bb09
commit 53e988bb09
parent 31bb60199e 58d0126538
2 changed files with 15 additions and 3 deletions
--- a/docs/en/changelogs/3.1.0.md
+++ b/docs/en/changelogs/3.1.0.md
@ -22,6 +22,7 @@
 * Deny URL access if `Controller::$allowed_actions` is undefined
 * Removed support for "*" rules in `Controller::$allowed_actions`
 * Removed support for overriding rules on parent classes through `Controller::$allowed_actions`
+ * `RestfulService` verifies SSL peers by default
 * Editing of relation table data (`$many_many_extraFields`) in `GridField`
 * Optional integration with ImageMagick as a new image manipulation backend
 * Support for PHP 5.4's built-in webserver
@ -174,6 +175,17 @@ in order to reduce the boilerplate code required to get a model editable in the
 Note: GridField is already relying on the permission checks performed
 through the CMS controllers, providing a simple level of security.

+### RestfulService verifies SSL peers by default
+
+This makes the implementation "secure by default", by removing
+the call to `curl_setopt(CURLOPT_SSL_VERIFYPEER, false)`.
+Failing to validate SSL peers makes HTTP requests vulnerable to man in the middle attacks.
+The underlying `curl` library relies on the operating system for the resulting CA certificate
+verification. On some systems (mainly Windows), these certificates are not available on
+a standard PHP installation, and need to be added manually through `CURLOPT_CAINFO`.
+Although it is not recommended, you can restore the old insecure behaviour with
+the following configuration: `RestfulService::set_default_curl_option(CURLOPT_SSL_VERIFYPEER, false)`.
+
 ### Other

 * `TableListField`, `ComplexTableField`, `TableField`, `HasOneComplexTableField`, `HasManyComplexTableField` and `ManyManyComplexTableField` have been removed from the core and placed into a module called "legacytablefields" located at https://github.com/silverstripe-labs/legacytablefields
--- a/filesystem/File.php
+++ b/filesystem/File.php
@ -411,7 +411,7 @@ class File extends DataObject {
 	 * @return String
 	 */
 	public function appCategory() {
-		return self::get_app_category($this->Extension);
+		return self::get_app_category($this->getExtension());
 	}

 	public function CMSThumbnail() {
@ -426,7 +426,7 @@ class File extends DataObject {
 	 * @return String 
 	 */
 	public function Icon() {
-		$ext = $this->Extension;
+		$ext = strtolower($this->getExtension());
 		if(!Director::fileExists(FRAMEWORK_DIR . "/images/app_icons/{$ext}_32.gif")) {
 			$ext = $this->appCategory();
 		}