mirror of https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
Update 2.4.11 changelog
parent a6a7b01afc
commit 84a8b21936
@ -1,9 +1,10 @@
# 2.4.11 (Not yet released)
# 2.4.11 (2013-08-08)
## Overview
* Security: Require ADMIN for `?flush=1` (stop denial of service attacks)
([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692))
* Security: SQL injection in Versioned.php
## Details
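Review bot: The new Overview bullet "* Security: SQL injection in Versioned.php" carries no reference, while the `?flush=1` bullet directly above it links issue #1692. Consider linking the fix commit from this bullet as well (the Details text in this same change already points at a150989e6fb8b0ad41d9ad2af54948de33c721f0.patch), so that a reader who only scans the Overview can reach the patch. The bullet also names the file but not the affected input; adding "via the `archiveDate` parameter" would match what the Details section says.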
@ -22,6 +23,14 @@ To prevent this, main.php now checks and only allows the flush parameter in the
This applies to both `flush=1` and `flush=all`but only through web requests made through main.php - CLI requests,
or any other request that goes through a custom start up script will still process all flush requests as normal.
Thanks to Christopher Tombleson for reporting.
### Security: SQL injection in Versioned.php
The `archiveDate` parameter wasn't correctly escaping user input through URL parameters ([download patch](https://github.com/silverstripe/silverstripe-framework/commit/a150989e6fb8b0ad41d9ad2af54948de33c721f0.patch))
Thanks to Dean Jerkovich of NCC Group for reporting.
## Changelog
### Bugfixes
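Review bot: The added "Security: SQL injection in Versioned.php" section is a single sentence and does not tell an administrator what to do: it does not say which releases are affected, or whether upgrading to 2.4.11 is the fix as opposed to applying the linked patch by hand. The sentence also reads as if the parameter performs the escaping ("The `archiveDate` parameter wasn't correctly escaping user input"); something like "User input passed in the `archiveDate` URL parameter was not escaped before being used in a query" is clearer, and the line needs a closing full stop. While this block is being touched, the context line above it is missing a space in "`flush=all`but".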
@ -9,6 +9,7 @@ For information on how to upgrade to newer versions consult the [upgrading](/ins
## Stable Releases
* [2.4.11](2.4.11) - 2013-08-08
* [2.4.10](2.4.10) - 2013-02-19
* [2.4.9](2.4.9) - 2012-12-04
* [2.4.8](2.4.8) - 2012-10-30