1
0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00

Merge branch '3.7' into 3

This commit is contained in:
Serge Latyntcev 2019-10-01 14:29:56 +13:00
commit 837507e63b
16 changed files with 279 additions and 44 deletions

View File

@ -28,14 +28,11 @@ matrix:
services:
- mysql
- php: 7.3.0RC1
- php: 7.3
env: DB=SQLITE
sudo: required
dist: xenial
addons:
apt:
packages:
- libzip4
- php: 7.4snapshot
env: DB=SQLITE INSTALL_PHPUNIT_FORK=1
# CMS test
- php: 5.5
@ -61,9 +58,10 @@ before_script:
- if ! [ $(phpenv version-name) = "5.3" ]; then printf "\n" | travis_retry pecl install imagick; fi
- if [ $(phpenv version-name) = "5.3" ]; then printf "\n" | travis_retry pecl install imagick-3.3.0; fi
- composer self-update || true
- if [ $INSTALL_PHPUNIT_FORK ]; then composer require --no-update --dev sminnee/phpunit-mock-objects:^3.4.7; fi
- phpenv rehash
- phpenv config-rm xdebug.ini || true
- echo 'memory_limit = 2G' >> ~/.phpenv/versions/$(phpenv version-name)/etc/conf.d/travis.ini
- echo 'memory_limit = 3G' >> ~/.phpenv/versions/$(phpenv version-name)/etc/conf.d/travis.ini
- git clone git://github.com/silverstripe-labs/silverstripe-travis-support.git ~/travis-support
- "if [ \"$BEHAT_TEST\" = \"\" ] && [ \"$CMS_TEST\" = \"\" ]; then php ~/travis-support/travis_setup.php --source `pwd` --target ~/builds/ss; fi"
- "if [ \"$BEHAT_TEST\" = \"1\" ] && [ \"$CMS_TEST\" = \"\" ]; then php ~/travis-support/travis_setup.php --source `pwd` --target ~/builds/ss --require silverstripe/behat-extension; fi"

View File

@ -194,8 +194,10 @@ class LeftAndMain extends Controller implements PermissionProvider {
// alternative extended checks
if ($this->hasMethod('alternateAccessCheck')) {
$alternateAllowed = $this->alternateAccessCheck();
if($alternateAllowed === FALSE) return false;
$alternateAllowed = $this->alternateAccessCheck($member);
if ($alternateAllowed === false) {
return false;
}
}
// Check for "CMS admin" permission

View File

@ -26,6 +26,7 @@
"require-dev": {
"phpunit/phpunit": "^3 || ^4 || ^5"
},
"extra": [],
"autoload": {
"psr-0": {
"SilverStripe\\": "src/",

View File

@ -0,0 +1,15 @@
# 3.6.8
## Change Log
### Security
* 2019-09-16 [a86093fee](https://github.com/silverstripe/silverstripe-framework/commit/a86093fee6398881889d6d330a15f7042be25bff) Session fixation in "change password" form (Serge Latyntcev) - See [cve-2019-12203](https://www.silverstripe.org/download/security-releases/cve-2019-12203)
### Bugfixes
* 2019-02-26 [bd9296941](https://github.com/silverstripe/silverstripe-framework/commit/bd929694188dc7df7277d8430df5534dcb2b914a) Use a function common to MySQL, SQLite and PostgreSQL to test dynamic DBFIeld assigment (Maxime Rainville)
* 2019-02-25 [adbc560bd](https://github.com/silverstripe/silverstripe-framework/commit/adbc560bd70ba2e071f94a41a084768819196ee7) Address PR feedback. (Maxime Rainville)
* 2019-02-21 [4ec1a682c](https://github.com/silverstripe/silverstripe-framework/commit/4ec1a682cf354e2425ef4fd6598c7de8e807bcc7) Renable the ability to do dynamic assignment with DBField (Maxime Rainville)
* 2019-02-19 [ab5f09a9f](https://github.com/silverstripe/silverstripe-framework/commit/ab5f09a9f3ec12333c748dd68bfc504b5e509bfc) Updated unit test were targeting Float/Int which don't exist on PHP7 (#8810) (Maxime Rainville)

View File

@ -0,0 +1,41 @@
# 3.7.4 (unreleased)
* [Minor update to support PHP 7.4](https://github.com/silverstripe/silverstripe-framework/pull/9110)
## Running SilverStripe 3.7 on PHP 7.4
SilverStripe's standard test tools require `phpunit/phpunit-mock-objects` to run. This package has been deprecated and
doesn't support PHP 7.4.
SilverStripe is using a fork for its own PHP 7.3 unit tests: `sminnee/phpunit-mock-objects`.
You can use this fork for your own project by running this command:
```bash
composer require --dev sminnee/phpunit-mock-objects:^3.4.7
```
This fork is not a supported module and SilverStripe does not commit to maintaining it.
<!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
* 2019-09-16 [a86093fee](https://github.com/silverstripe/silverstripe-framework/commit/a86093fee6398881889d6d330a15f7042be25bff) Session fixation in "change password" form (Serge Latyntcev) - See [cve-2019-12203](https://www.silverstripe.org/download/security-releases/cve-2019-12203)
* 2019-01-10 [c44f06cdf](https://github.com/silverstripe/silverstripe-framework/commit/c44f06cdf10387a987e4efb096ff06b3bb4495ef) Patch SQL Injection vulnerability when arrays are assigned to DataObject Fields (Aaron Carlino) - See [ss-2018-021](https://www.silverstripe.org/download/security-releases/ss-2018-021)
### Features and Enhancements
* 2019-03-13 [0bf03a3e7](https://github.com/silverstripe/silverstripe-framework/commit/0bf03a3e77304e242a81cca37ccbc02e35e3dbc6) Add PHP 7.4s daily snapshot to the travis suite. (Sam Minnee)
### Bugfixes
* 2019-08-26 [7d901a6d9](https://github.com/silverstripe/silverstripe-framework/commit/7d901a6d9b126ac057918f827e65aa0360231d1b) Member argument is now passed to LeftAndMain::alternateAccessCheck() (Robbie Averill)
* 2019-07-12 [b250e14ac](https://github.com/silverstripe/silverstripe-framework/commit/b250e14acea12493ee1bb7392cf3f18c5a1f5f8b) Require PHP7.4 compatible fork of phpunit-mock-objects (Maxime Rainville)
* 2019-04-15 [ad3c58f2d](https://github.com/silverstripe/silverstripe-framework/commit/ad3c58f2d875a0ac7a8a17372c7eca84abd1a2b3) Back-port https://github.com/silverstripe/silverstripe-admin/pull/769 to 3.7, fix parsererror issue (Damian Mooyman)
* 2019-02-26 [bd9296941](https://github.com/silverstripe/silverstripe-framework/commit/bd929694188dc7df7277d8430df5534dcb2b914a) Use a function common to MySQL, SQLite and PostgreSQL to test dynamic DBFIeld assigment (Maxime Rainville)
* 2019-02-25 [adbc560bd](https://github.com/silverstripe/silverstripe-framework/commit/adbc560bd70ba2e071f94a41a084768819196ee7) Address PR feedback. (Maxime Rainville)
* 2019-02-21 [4ec1a682c](https://github.com/silverstripe/silverstripe-framework/commit/4ec1a682cf354e2425ef4fd6598c7de8e807bcc7) Renable the ability to do dynamic assignment with DBField (Maxime Rainville)
* 2019-02-19 [ab5f09a9f](https://github.com/silverstripe/silverstripe-framework/commit/ab5f09a9f3ec12333c748dd68bfc504b5e509bfc) Updated unit test were targeting Float/Int which don't exist on PHP7 (#8810) (Maxime Rainville)
<!--- Changes above this line will be automatically regenerated -->

View File

@ -140,7 +140,11 @@ class GDBackend extends SS_Object implements Image_Backend {
$bytesPerPixel = $bits * $channels;
// width * height * bytes per pixel
if ($imageInfo) {
$memoryRequired = $imageInfo[0] * $imageInfo[1] * $bytesPerPixel;
} else {
$memoryRequired = 0;
}
return $memoryRequired + memory_get_usage() < $limit;
}

View File

@ -109,10 +109,13 @@
$.ajax({
dataType: 'script',
url: newJsInclude,
success: function() {
complete: function() {
self._ondemand_loaded_list[newJsInclude] = 1;
getScriptQueue();
},
error: function(xhr, status, error) {
console.error(error);
},
cache: false,
// jQuery seems to override the XHR objects if used in async mode
async: false

View File

@ -1362,8 +1362,11 @@ class DataObject extends ViewableData implements DataObjectInterface, i18nEntity
if (!isset($tableManipulation['fields'])) {
continue;
}
foreach ($tableManipulation['fields'] as $fieldValue) {
foreach ($tableManipulation['fields'] as $fieldName => $fieldValue) {
if (is_array($fieldValue)) {
$dbObject = $this->dbObject($fieldName);
// If the field allows non-scalar values we'll let it do dynamic assignments
if ($dbObject && $dbObject->scalarValueOnly()) {
user_error(
'DataObject::writeManipulation: parameterised field assignments are disallowed',
E_USER_ERROR
@ -1371,6 +1374,7 @@ class DataObject extends ViewableData implements DataObjectInterface, i18nEntity
}
}
}
}
// Perform the manipulation
DB::manipulate($manipulation);

View File

@ -254,8 +254,10 @@ class ManyManyList extends RelationList {
);
}
/** @var DBField[] $fieldObjects */
$fieldObjects = array();
if($extraFields && $this->extraFields) {
// Write extra field to manipluation in the same way
// Write extra field to manipulation in the same way
// that DataObject::prepareManipulationTable writes fields
foreach($this->extraFields as $fieldName => $fieldSpec) {
// Skip fields without an assignment
@ -263,6 +265,7 @@ class ManyManyList extends RelationList {
$fieldObject = SS_Object::create_from_string($fieldSpec, $fieldName);
$fieldObject->setValue($extraFields[$fieldName]);
$fieldObject->writeToManipulation($manipulation[$this->joinTable]);
$fieldObjects[$fieldName] = $fieldObject;
}
}
}
@ -275,14 +278,17 @@ class ManyManyList extends RelationList {
if (!isset($tableManipulation['fields'])) {
continue;
}
foreach ($tableManipulation['fields'] as $fieldValue) {
foreach ($tableManipulation['fields'] as $fieldName => $fieldValue) {
if (is_array($fieldValue)) {
// If the field allows non-scalar values we'll let it do dynamic assignments
if (isset($fieldObjects[$fieldName]) && $fieldObjects[$fieldName]->scalarValueOnly()) {
user_error(
'ManyManyList::add: parameterised field assignments are disallowed',
E_USER_ERROR
);
}
}
}
}
DB::manipulate($manipulation);

View File

@ -172,7 +172,7 @@ abstract class Authenticator extends SS_Object {
/**
* Set a default authenticator (shows first in tabs)
*
* @param string
* @param string $authenticator
*/
public static function set_default_authenticator($authenticator) {
self::$default_authenticator = $authenticator;

View File

@ -726,6 +726,12 @@ class Security extends Controller implements TemplateGlobalProvider {
$curMember->logOut();
}
if (!headers_sent()) {
// To avoid a potential session fixation attack
// we're refreshing the session id so that it's
// always new and random for every authentication
session_regenerate_id(true);
}
// Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm.
Session::set('AutoLoginHash', $member->encryptWithUserSettings($_REQUEST['t']));

View File

@ -14,7 +14,7 @@ class DBFieldTest extends SapphireTest {
*/
public function testNullValue() {
/* Float and Double use 0 for "null" value representation */
$this->assertEquals(0, singleton('Float')->nullValue());
$this->assertEquals(0, singleton('DBFloat')->nullValue());
$this->assertEquals(0, singleton('Double')->nullValue());
}
@ -22,14 +22,12 @@ class DBFieldTest extends SapphireTest {
* Test the prepValueForDB() method on DBField.
*/
public function testPrepValueForDB() {
$db = DB::get_conn();
/* Float behaviour, asserting we have 0 */
$this->assertEquals(0, singleton('Float')->prepValueForDB(0));
$this->assertEquals(0, singleton('Float')->prepValueForDB(null));
$this->assertEquals(0, singleton('Float')->prepValueForDB(false));
$this->assertEquals(0, singleton('Float')->prepValueForDB(''));
$this->assertEquals('0', singleton('Float')->prepValueForDB('0'));
$this->assertEquals(0, singleton('DBFloat')->prepValueForDB(0));
$this->assertEquals(0, singleton('DBFloat')->prepValueForDB(null));
$this->assertEquals(0, singleton('DBFloat')->prepValueForDB(false));
$this->assertEquals(0, singleton('DBFloat')->prepValueForDB(''));
$this->assertEquals('0', singleton('DBFloat')->prepValueForDB('0'));
/* Double behaviour, asserting we have 0 */
$this->assertEquals(0, singleton('Double')->prepValueForDB(0));
@ -39,16 +37,16 @@ class DBFieldTest extends SapphireTest {
$this->assertEquals('0', singleton('Double')->prepValueForDB('0'));
/* Integer behaviour, asserting we have 0 */
$this->assertEquals(0, singleton('Int')->prepValueForDB(0));
$this->assertEquals(0, singleton('Int')->prepValueForDB(null));
$this->assertEquals(0, singleton('Int')->prepValueForDB(false));
$this->assertEquals(0, singleton('Int')->prepValueForDB(''));
$this->assertEquals('0', singleton('Int')->prepValueForDB('0'));
$this->assertEquals(0, singleton('DBInt')->prepValueForDB(0));
$this->assertEquals(0, singleton('DBInt')->prepValueForDB(null));
$this->assertEquals(0, singleton('DBInt')->prepValueForDB(false));
$this->assertEquals(0, singleton('DBInt')->prepValueForDB(''));
$this->assertEquals('0', singleton('DBInt')->prepValueForDB('0'));
/* Integer behaviour, asserting we have 1 */
$this->assertEquals(1, singleton('Int')->prepValueForDB(true));
$this->assertEquals(1, singleton('Int')->prepValueForDB(1));
$this->assertEquals('1', singleton('Int')->prepValueForDB('1'));
$this->assertEquals(1, singleton('DBInt')->prepValueForDB(true));
$this->assertEquals(1, singleton('DBInt')->prepValueForDB(1));
$this->assertEquals('1', singleton('DBInt')->prepValueForDB('1'));
/* Decimal behaviour, asserting we have 0 */
$this->assertEquals(0, singleton('Decimal')->prepValueForDB(0));
@ -197,11 +195,11 @@ class DBFieldTest extends SapphireTest {
array('Decimal', true),
array('Double', true),
array('Enum', true),
array('Float', true),
array('DBFloat', true),
array('ForeignKey', true, array('SomeField')),
array('HTMLText', true),
array('HTMLVarchar', true),
array('Int', true),
array('DBInt', true),
array('Money', false),
array('MultiEnum', true, array('SomeField', array('One', 'Two', 'Three'))),
array('Percentage', true),

View File

@ -32,6 +32,7 @@ class DataObjectTest extends SapphireTest {
'DataObjectTest_Sortable',
'ManyManyListTest_Product',
'ManyManyListTest_Category',
'MockDynamicAssignmentDataObject'
);
/**
@ -1773,6 +1774,35 @@ class DataObjectTest extends SapphireTest {
$this->assertNotEmpty($do->CompositeMoneyField);
}
public function testWriteManipulationWithNonScalarValuesAllowed()
{
$do = MockDynamicAssignmentDataObject::create();
$do->write();
$do->StaticScalarOnlyField = true;
$do->DynamicScalarOnlyField = false;
$do->DynamicField = true;
$do->write();
$this->assertEquals(1, $do->StaticScalarOnlyField);
$this->assertEquals(0, $do->DynamicScalarOnlyField);
$this->assertEquals(1, $do->DynamicField);
}
/**
* @expectedException PHPUnit_Framework_Error
* @expectedExceptionMessageRegExp /parameterised field assignments are disallowed/
*/
public function testWriteManipulationWithNonScalarValuesDisallowed()
{
$do = MockDynamicAssignmentDataObject::create();
$do->write();
$do->StaticScalarOnlyField = false;
$do->DynamicScalarOnlyField = true;
$do->DynamicField = false;
$do->write();
}
}
class DataObjectTest_Sortable extends DataObject implements TestOnly {

View File

@ -21,6 +21,7 @@ class ManyManyListTest extends SapphireTest {
'ManyManyListTest_ExtraFields',
'ManyManyListTest_Product',
'ManyManyListTest_Category',
'MockDynamicAssignmentDataObject',
);
@ -306,7 +307,40 @@ class ManyManyListTest extends SapphireTest {
$this->assertEquals(1, $productsRelatedToProductB->count());
}
public function testWriteManipulationWithNonScalarValuesAllowed()
{
$left = MockDynamicAssignmentDataObject::create();
$left->write();
$right = MockDynamicAssignmentDataObject::create();
$right->write();
$left->MockManyMany()->add($right, array(
'ManyManyStaticScalarOnlyField' => true,
'ManyManyDynamicScalarOnlyField' => false,
'ManyManyDynamicField' => true
));
$pivot = $left->MockManyMany()->first();
$this->assertEquals(1, $pivot->ManyManyStaticScalarOnlyField);
$this->assertEquals(0, $pivot->ManyManyDynamicScalarOnlyField);
$this->assertEquals(1, $pivot->ManyManyDynamicField);
}
/**
* @expectedException PHPUnit_Framework_Error
* @expectedExceptionMessageRegExp /parameterised field assignments are disallowed/
*/
public function testWriteManipulationWithNonScalarValuesDisallowed()
{
$left = MockDynamicAssignmentDataObject::create();
$left->write();
$right = MockDynamicAssignmentDataObject::create();
$right->write();
$left->MockManyMany()->add($right, array(
'ManyManyStaticScalarOnlyField' => false,
'ManyManyDynamicScalarOnlyField' => true,
'ManyManyDynamicField' => false
));
}
}
/**

View File

@ -0,0 +1,49 @@
<?php
/**
* This is a fake DB field specifically design to test dynamic value assignment. You can set `scalarValueOnly` in
* the constructor. You can control whetever the field will try to do a dynamic assignment by specifing
* `$dynamicAssignment` in nthe consturctor.
*
* If the field is set to false, it will try to do a plain assignment. This is so you can save the initial value no
* matter what. If the field is set to true, it will try to do a dynamic assignment.
*/
class MockDynamicAssignmentDBField extends Boolean
{
private $scalarOnly;
private $dynamicAssignment;
/**
* @param string $name
* @param boolean $scalarOnly Whether our fake field should be scalar only.
* @param boolean $dynamicAssignment Whether our fake field will try to do a dynamic assignment.
*/
public function __construct($name = '', $scalarOnly = false, $dynamicAssignment = false)
{
$this->scalarOnly = $scalarOnly;
$this->dynamicAssignment = $dynamicAssignment;
parent::__construct($name);
}
/**
* If the field value and dynamicAssignment are true, we'll try to do a dynamic assignment
* @param mixed $value
* @return array|int|mixed
*/
public function prepValueForDB($value)
{
if ($value) {
return $this->dynamicAssignment
? array('ABS(?)' => array(1))
: 1;
}
return 0;
}
public function scalarValueOnly()
{
return $this->scalarOnly;
}
}

View File

@ -0,0 +1,44 @@
<?php
/**
* This is a fake DB field specifically design to test dynamic value assignment
* @property boolean $StaticScalarOnlyField
* @property boolean $DynamicScalarOnlyField
* @property boolean $DynamicField
* @method ManyManyList MockManyMany
*/
class MockDynamicAssignmentDataObject extends DataObject implements TestOnly
{
private static $db = array(
// This field only emits scalar value and will save
'StaticScalarOnlyField' => 'MockDynamicAssignmentDBField(1,0)',
// This field tries to emit dynamic assignment but will fail because of scalar only
'DynamicScalarOnlyField' => 'MockDynamicAssignmentDBField(1,1)',
// This field does dynamic assignment and will pass
'DynamicField' => 'MockDynamicAssignmentDBField(0,1)',
);
private static $many_many = array(
"MockManyMany" => 'MockDynamicAssignmentDataObject'
);
private static $belongs_many_many = array(
"MockBelongsManyMany" => 'MockDynamicAssignmentDataObject'
);
private static $many_many_extraFields = array(
'MockManyMany' => array(
// This field only emits scalar value and will save
'ManyManyStaticScalarOnlyField' => 'MockDynamicAssignmentDBField(1,0)',
// This field tries to emit dynamic assignment but will fail because of scalar only
'ManyManyDynamicScalarOnlyField' => 'MockDynamicAssignmentDBField(1,1)',
// This field does dynamic assignment and will pass
'ManyManyDynamicField' => 'MockDynamicAssignmentDBField(0,1)',
)
);
}