MINOR Added documentation about the new File.ShowInSearch property

2024-10-22 14:05:37 +02:00 · 2011-12-03 12:00:56 +01:00 · 2011-12-03 12:00:56 +01:00 · 719bb18db8
commit 719bb18db8
parent 880a9acec4
3 changed files with 29 additions and 7 deletions
--- a/docs/en/changelogs/2.4.6.md
+++ b/docs/en/changelogs/2.4.6.md
@ -10,6 +10,29 @@

 ## Upgrading Notes ##

+### Security: User-uploaded files searchable when using FulltextSearchable ###
+
+The FulltextSearchable default configuration includes all file names in the `assets/` folder.
+While this is desired in most cases, it can lead to unexpected public visibility of data,
+e.g. when uploaded through users. For example, CVs uploaded to a recruiting site most likely shouldn't be searchable.
+
+Option 1: Disable file search completely (through `mysite/_config.php`):
+
+	FulltextSearchable::enable(array('SiteTree'));
+
+Option 2: Exclude file search from individual files by setting the `File.ShowInSearch` database property to `0`.
+This property has been added in the 2.4.6 release. You can apply this retroactively to all files with this SQL statement:
+
+	UPDATE `File` SET `ShowInSearch` = 0;
+
+Please note that all these files are still exposed through the webserver if the path is known,
+regardless of the `ShowInSearch` setting. To fully secure uploaded files, 
+you can apply protection on a webserver level (e.g. `.htaccess`/`web.config` configuration).
+Alternatively, you can proxy these files through your own permission control system
+rather than exposing them directly through the webserver (e.g. with the ["securefiles" module](http://www.silverstripe.org/secure-files/)).
+
+One common way to allow user-uploaded files is the ["userforms" module](http://www.silverstripe.org/user-forms-module/). This module has been altered to mark all uploaded files with `ShowInSearch`=0 by default.
+
 ### Security: Cross-site scripting (XSS) on anchor links

 Anchor links (`<a href="#">`) are automatically rewritten by the SilverStripe
--- a/docs/en/tutorials/4-site-search.md
+++ b/docs/en/tutorials/4-site-search.md
@ -16,17 +16,13 @@ results page.

 ## Creating the search form

-The Search Form functionality has been altered over time. Please use the section which applies to your SilverStripe
-version.
-
-SilverStripe does not come bundled with the search engine enabled. To enable the search engine you need to include
-the following code in your mysite/_config.php file
+To enable the search engine you need to include the following code in your `mysite/_config.php` file. 
+This will enable fulltext search on page content as well as names of all files in the `/assets` folder.

 	:::php
 	FulltextSearchable::enable();

-After including that in your _config.php you will need to rebuild the database by visiting http://yoursite.com/dev/build
-in your web browser. This will add the fulltext search columns.
+After including that in your `_config.php` you will need to rebuild the database by visiting `http://yoursite.com/dev/build` in your web browser. This will add the fulltext search columns.

 The actual search form code is already provided in FulltextSearchable so when you add the enable line above to your
 `_config.php` you can add your form as `$SearchForm`.
--- a/search/FulltextSearchable.php
+++ b/search/FulltextSearchable.php
@ -6,6 +6,9 @@
 * (if the 'cms' module is available as well).
 * (this means you can use $SearchForm in your template without changing your own implementation).
 * 
+ * CAUTION: Will make all files in your /assets folder searchable by file name
+ * unless "File" is excluded from FulltextSearchable::enable().
+ * 
 * @see http://doc.silverstripe.org/tutorial:4-site-search
 *
 * @package sapphire