diff --git a/docs/en/changelogs/2.4.6.md b/docs/en/changelogs/2.4.6.md index 9d67f3ee6..32995e0ac 100644 --- a/docs/en/changelogs/2.4.6.md +++ b/docs/en/changelogs/2.4.6.md @@ -10,6 +10,29 @@ ## Upgrading Notes ## +### Security: User-uploaded files searchable when using FulltextSearchable ### + +The FulltextSearchable default configuration includes all file names in the `assets/` folder. +While this is desired in most cases, it can lead to unexpected public visibility of data, +e.g. when uploaded through users. For example, CVs uploaded to a recruiting site most likely shouldn't be searchable. + +Option 1: Disable file search completely (through `mysite/_config.php`): + + FulltextSearchable::enable(array('SiteTree')); + +Option 2: Exclude file search from individual files by setting the `File.ShowInSearch` database property to `0`. +This property has been added in the 2.4.6 release. You can apply this retroactively to all files with this SQL statement: + + UPDATE `File` SET `ShowInSearch` = 0; + +Please note that all these files are still exposed through the webserver if the path is known, +regardless of the `ShowInSearch` setting. To fully secure uploaded files, +you can apply protection on a webserver level (e.g. `.htaccess`/`web.config` configuration). +Alternatively, you can proxy these files through your own permission control system +rather than exposing them directly through the webserver (e.g. with the ["securefiles" module](http://www.silverstripe.org/secure-files/)). + +One common way to allow user-uploaded files is the ["userforms" module](http://www.silverstripe.org/user-forms-module/). This module has been altered to mark all uploaded files with `ShowInSearch`=0 by default. + ### Security: Cross-site scripting (XSS) on anchor links Anchor links (``) are automatically rewritten by the SilverStripe diff --git a/docs/en/tutorials/4-site-search.md b/docs/en/tutorials/4-site-search.md index 44b351a40..91cc05eea 100644 
--- a/docs/en/tutorials/4-site-search.md +++ b/docs/en/tutorials/4-site-search.md @@ -16,17 +16,13 @@ results page. ## Creating the search form -The Search Form functionality has been altered over time. Please use the section which applies to your SilverStripe -version. - -SilverStripe does not come bundled with the search engine enabled. To enable the search engine you need to include -the following code in your mysite/_config.php file +To enable the search engine you need to include the following code in your `mysite/_config.php` file. +This will enable fulltext search on page content as well as names of all files in the `/assets` folder. :::php FulltextSearchable::enable(); -After including that in your _config.php you will need to rebuild the database by visiting http://yoursite.com/dev/build -in your web browser. This will add the fulltext search columns. +After including that in your `_config.php` you will need to rebuild the database by visiting `http://yoursite.com/dev/build` in your web browser. This will add the fulltext search columns. The actual search form code is already provided in FulltextSearchable so when you add the enable line above to your `_config.php` you can add your form as `$SearchForm`. diff --git a/search/FulltextSearchable.php b/search/FulltextSearchable.php index 8ea2a8ed1..8718837ac 100644 --- a/search/FulltextSearchable.php +++ b/search/FulltextSearchable.php @@ -6,6 +6,9 @@ * (if the 'cms' module is available as well). * (this means you can use $SearchForm in your template without changing your own implementation). * + * CAUTION: Will make all files in your /assets folder searchable by file name + * unless "File" is excluded from FulltextSearchable::enable(). + * * @see http://doc.silverstripe.org/tutorial:4-site-search * * @package sapphire
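Review bot: In the docs/en/changelogs/2.4.6.md hunk, "Option 2" is introduced as excluding "individual files" but the only statement given, `UPDATE `File` SET `ShowInSearch` = 0;`, flips the flag for every file in the table, and it is a one-off: files uploaded afterwards through anything other than the patched userforms module still get the default of `1`. Suggest either adding a `WHERE` clause example so the statement matches the "individual files" wording, or stating plainly that the bulk statement disables file search retroactively and that other upload paths must set `ShowInSearch` to `0` themselves. The backtick quoting also makes the statement MySQL-only; since the surrounding text does not say so, a short note that it needs adjusting for other database backends (or an equivalent via the `File` DataObject) would avoid a copy-and-paste failure. The paragraph on webserver exposure is the right caveat to keep, since `ShowInSearch` only hides a file from search results and changes nothing about direct access.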
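Review bot: In the docs/en/tutorials/4-site-search.md hunk, the rewritten paragraph now warns that `FulltextSearchable::enable();` indexes the names of all files in `/assets`, but it stops there; a reader following the tutorial has no pointer to the two mitigations the changelog hunk documents. Suggest adding one sentence after the `:::php` block along the lines of "To index pages only, call `FulltextSearchable::enable(array('SiteTree'));`, or set `File.ShowInSearch` to `0` on files that should stay out of results", so the tutorial and the 2.4.6 changelog give consistent guidance.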
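Review bot: In the search/FulltextSearchable.php hunk, the new CAUTION in the class docblock names only one of the two opt-outs ("unless "File" is excluded from FulltextSearchable::enable()") and omits the per-record `ShowInSearch` property that this same release adds; suggest extending it to "or the file's ShowInSearch property is set to 0" so the code comment matches the changelog. The hunk also writes the folder as "/assets" while the changelog hunk uses `assets/`; picking one form across the three files would keep the documentation consistent. Since the behaviour is tied to the argument list of `enable()`, the same warning belongs in that method's own docblock, where a developer reading the signature will actually see it.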