mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
Linking to older security issue in change log
Mainly for consistency with the newer format
This commit is contained in:
parent
05757efceb
commit
8b5c8eab72
@ -9,19 +9,7 @@
|
|||||||
|
|
||||||
### Security: Require ADMIN for ?flush=1 (SS-2013-001)
|
### Security: Require ADMIN for ?flush=1 (SS-2013-001)
|
||||||
|
|
||||||
Flushing the various manifests (class, template, config) is performed through a GET
|
See [announcement](http://www.silverstripe.org/ss-2013-001-require-admin-for-flush1/)
|
||||||
parameter (`flush=1`). Since this action requires more server resources than normal requests,
|
|
||||||
it can facilitate [denial-of-service attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack).
|
|
||||||
|
|
||||||
To prevent this, main.php now checks and only allows the flush parameter in the following cases:
|
|
||||||
|
|
||||||
* The [environment](/topics/environment-management) is in "dev mode"
|
|
||||||
* A user is logged in with ADMIN permissions
|
|
||||||
* An error occurs during startup
|
|
||||||
|
|
||||||
This applies to both `flush=1` and `flush=all` (technically we only check for the existence of any parameter value)
|
|
||||||
but only through web requests made through main.php - CLI requests, or any other request that goes through
|
|
||||||
a custom start up script will still process all flush requests as normal.
|
|
||||||
|
|
||||||
### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)
|
### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)
|
||||||
|
|
||||||
|
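Review bot: Replacing the full SS-2013-001 entry with a bare link loses information the changelog reader needs in place: the three conditions under which `flush=1` is still honoured (dev mode, a logged-in ADMIN, an error during startup) and the caveat that CLI requests and custom startup scripts bypass the check entirely. Suggest keeping a one-sentence summary next to the link, e.g. "Flushing manifests via `?flush=1` now requires dev mode or ADMIN; CLI and custom startup scripts are unaffected", so the entry still stands on its own if the external announcement page moves. Also worth double-checking that the `http://` announcement URL is the canonical one before it is committed, since the removed text linked to the same topic from the environment-management docs rather than an external site.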