From 7b20f775f2b3ef720074802136c0b0a00e5e73ca Mon Sep 17 00:00:00 2001 From: Damian Mooyman Date: Thu, 15 Jan 2015 11:45:41 +1300 Subject: [PATCH] Updated changelog --- docs/en/04_Changelogs/3.1.9.md | 59 +++++++++++++++++++++++++++++++--- 1 file changed, 54 insertions(+), 5 deletions(-) diff --git a/docs/en/04_Changelogs/3.1.9.md b/docs/en/04_Changelogs/3.1.9.md index 431e53186..aa4610b1e 100644 --- a/docs/en/04_Changelogs/3.1.9.md +++ b/docs/en/04_Changelogs/3.1.9.md @@ -1,14 +1,63 @@ # 3.1.9 -# Overview - -This release replaces the 3.1.8 release, and resolves an issue where basic authentication would not work when PHP is running under CGI mode with Apache. - ## Upgrading - * Add the rule ``` RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]``` to the .htacces file in your sites root directory after the line ```RewriteEngine On```. + +### File permissions + +This release makes an important change to File DataObject permissions in order to close a vulnerability in +file modification privileges. In 3.1.8 and below, any part of a website where user interaction could +potentially modify a file (such as an UploadField being used on the frontend) permissions may not be +adequately checked, meaning in some cases non-authorised (or even non-authenticated) users could +make changes to assets. This is because the File DataObject reports that any user has canEdit +privileges on it. + +By default the minimum necessary permission required by any user to modify files has been changed +to CMS_ACCESS_AssetAdmin. This permission value was historically required in 3.0 and has now been restored. + +In order to update a site to 3.1.9 it may be necessary to make sure that this permission requirement still makes +sense to any business logic, and it may also be necessary to apply another permission. This can be +done by creating an extension to File which applies the custom permission. + +E.g. + + :::php +