MINOR Added documentation about the new File.ShowInSearch property

This commit is contained in:
Ingo Schommer 2011-12-03 12:00:56 +01:00
parent 880a9acec4
commit 719bb18db8
3 changed files with 29 additions and 7 deletions

View File

@ -10,6 +10,29 @@
## Upgrading Notes ## ## Upgrading Notes ##
### Security: User-uploaded files searchable when using FulltextSearchable ###
The FulltextSearchable default configuration includes all file names in the `assets/` folder.
While this is desired in most cases, it can lead to unexpected public visibility of data,
e.g. when uploaded through users. For example, CVs uploaded to a recruiting site most likely shouldn't be searchable.
Option 1: Disable file search completely (through `mysite/_config.php`):
FulltextSearchable::enable(array('SiteTree'));
Option 2: Exclude file search from individual files by setting the `File.ShowInSearch` database property to `0`.
This property has been added in the 2.4.6 release. You can apply this retroactively to all files with this SQL statement:
UPDATE `File` SET `ShowInSearch` = 0;
Please note that all these files are still exposed through the webserver if the path is known,
regardless of the `ShowInSearch` setting. To fully secure uploaded files,
you can apply protection on a webserver level (e.g. `.htaccess`/`web.config` configuration).
Alternatively, you can proxy these files through your own permission control system
rather than exposing them directly through the webserver (e.g. with the ["securefiles" module](http://www.silverstripe.org/secure-files/)).
One common way to allow user-uploaded files is the ["userforms" module](http://www.silverstripe.org/user-forms-module/). This module has been altered to mark all uploaded files with `ShowInSearch`=0 by default.
### Security: Cross-site scripting (XSS) on anchor links ### Security: Cross-site scripting (XSS) on anchor links
Anchor links (`<a href="#">`) are automatically rewritten by the SilverStripe Anchor links (`<a href="#">`) are automatically rewritten by the SilverStripe

View File

@ -16,17 +16,13 @@ results page.
## Creating the search form ## Creating the search form
The Search Form functionality has been altered over time. Please use the section which applies to your SilverStripe To enable the search engine you need to include the following code in your `mysite/_config.php` file.
version. This will enable fulltext search on page content as well as names of all files in the `/assets` folder.
SilverStripe does not come bundled with the search engine enabled. To enable the search engine you need to include
the following code in your mysite/_config.php file
:::php :::php
FulltextSearchable::enable(); FulltextSearchable::enable();
After including that in your _config.php you will need to rebuild the database by visiting http://yoursite.com/dev/build After including that in your `_config.php` you will need to rebuild the database by visiting `http://yoursite.com/dev/build` in your web browser. This will add the fulltext search columns.
in your web browser. This will add the fulltext search columns.
The actual search form code is already provided in FulltextSearchable so when you add the enable line above to your The actual search form code is already provided in FulltextSearchable so when you add the enable line above to your
`_config.php` you can add your form as `$SearchForm`. `_config.php` you can add your form as `$SearchForm`.

View File

@ -6,6 +6,9 @@
* (if the 'cms' module is available as well). * (if the 'cms' module is available as well).
* (this means you can use $SearchForm in your template without changing your own implementation). * (this means you can use $SearchForm in your template without changing your own implementation).
* *
* CAUTION: Will make all files in your /assets folder searchable by file name
* unless "File" is excluded from FulltextSearchable::enable().
*
* @see http://doc.silverstripe.org/tutorial:4-site-search * @see http://doc.silverstripe.org/tutorial:4-site-search
* *
* @package sapphire * @package sapphire