mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
[CVE-2020-6164] Remove/deprecate unused controllers that can potentially give away some information about the underlying project.
parent
fa9a122a99
commit
996c1b5719
10
.upgrade.yml
10
.upgrade.yml
@ -205,8 +205,6 @@ mappings:
|
||||
FunctionalTest: SilverStripe\Dev\FunctionalTest
|
||||
InstallerTest: SilverStripe\Dev\InstallerTest
|
||||
MigrationTask: SilverStripe\Dev\MigrationTask
|
||||
SapphireInfo: SilverStripe\Dev\SapphireInfo
|
||||
SapphireREPL: SilverStripe\Dev\SapphireREPL
|
||||
SapphireTest: SilverStripe\Dev\SapphireTest
|
||||
TaskRunner: SilverStripe\Dev\TaskRunner
|
||||
TestMailer: SilverStripe\Dev\TestMailer
|
||||
@ -1018,6 +1016,14 @@ warnings:
|
||||
message: 'Use SilverStripe\CMS\BatchActions\CMSBatchAction_Archive instead'
|
||||
'EncryptAllPasswordsTask':
|
||||
message: 'Removed'
|
||||
'SapphireInfo':
|
||||
message: 'Removed'
|
||||
'SilverStripe\Dev\SapphireREPL':
|
||||
message: 'Removed'
|
||||
'SilverStripe\Dev\SapphireInfo':
|
||||
message: 'Deprecated'
|
||||
'SilverStripe\Dev\InstallerTest':
|
||||
message: 'Deprecated'
|
||||
methods:
|
||||
'SilverStripe\Security\Authenticator::register()':
|
||||
message: 'Custom authenticators work differently now'
|
||||
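Review bot: The legacy short name `SapphireREPL` appears to end up with neither a mapping nor a warning. Going by the hunk header counts (the +/- markers are lost in this rendering), the first hunk drops the short-name mappings for both `SapphireInfo` and `SapphireREPL`, but under `warnings:` only `'SapphireInfo'` gets a short-name entry. I would add `'SapphireREPL':` with `message: 'Removed'` beside it so code still using the old name is flagged by the upgrader. Separately, the short name `SapphireInfo` is reported as 'Removed' while `SilverStripe\Dev\SapphireInfo` is 'Deprecated', which reads as contradictory for a class that still ships. A message that mentions CVE-2020-6164 would also tell upgraders why the class is going away.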
|
@ -14,10 +14,6 @@ SilverStripe\Control\Director:
|
||||
'Security//$Action/$ID/$OtherID': SilverStripe\Security\Security
|
||||
'CMSSecurity//$Action/$ID/$OtherID': SilverStripe\Security\CMSSecurity
|
||||
'dev': SilverStripe\Dev\DevelopmentAdmin
|
||||
'interactive': SilverStripe\Dev\SapphireREPL
|
||||
'InstallerTest//$Action/$ID/$OtherID': SilverStripe\Dev\InstallerTest
|
||||
'SapphireInfo//$Action/$ID/$OtherID': SilverStripe\Dev\SapphireInfo
|
||||
'SapphireREPL//$Action/$ID/$OtherID': SilverStripe\Dev\SapphireREPL
|
||||
---
|
||||
Name: security-limited
|
||||
After:
|
||||
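Review bot: Dropping these default rules only closes the framework's own routes. `InstallerTest` and `SapphireInfo` are deprecated rather than deleted in the later hunks, so a project that declares its own Director rule for either class keeps the information-disclosing endpoint reachable after upgrading. The commit should say so where integrators will read it, for example a changelog line such as `Audit project routing config for SilverStripe\Dev\SapphireInfo and SilverStripe\Dev\InstallerTest and remove any rules pointing at them`. Whether any other routing path can still resolve these classes cannot be judged from this hunk, and the file's header is missing from the page.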
|
@ -6,6 +6,7 @@ use SilverStripe\Control\Controller;
|
||||
|
||||
/**
|
||||
* Simple controller that the installer uses to test that URL rewriting is working.
|
||||
* @deprecated 4.4.7 This class will be removed in Silverstripe Framework 5.
|
||||
*/
|
||||
class InstallerTest extends Controller
|
||||
{
|
||||
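Review bot: The added `@deprecated` line gives a version and a removal target, but not the reason or the fact that the class is no longer routed by default, which is what someone tracing a stale reference needs to know. Suggested wording: `@deprecated 4.4.7 No longer routed by default (CVE-2020-6164); will be removed in Silverstripe Framework 5.` The same applies to the identical line added to `SapphireInfo` in the next hunk. Both class bodies continue outside their hunks.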
|
@ -9,6 +9,7 @@ use SilverStripe\Security\Security;
|
||||
|
||||
/**
|
||||
* Returns information about the current site instance.
|
||||
* @deprecated 4.4.7 This class will be removed in Silverstripe Framework 5.
|
||||
*/
|
||||
class SapphireInfo extends Controller
|
||||
{
|
||||
|
@ -1,110 +0,0 @@
|
||||
<?php
|
||||
|
||||
namespace SilverStripe\Dev;
|
||||
|
||||
use SilverStripe\Control\Controller;
|
||||
use SilverStripe\Control\Director;
|
||||
use Exception;
|
||||
|
||||
/* Don't actually define these, since it'd clutter up the namespace.
|
||||
define('1',E_ERROR);
|
||||
define('2',E_WARNING);
|
||||
define('4',E_PARSE);
|
||||
define('8',E_NOTICE);
|
||||
define('16',E_CORE_ERROR);
|
||||
define('32',E_CORE_WARNING);
|
||||
define('64',E_COMPILE_ERROR);
|
||||
define('128',E_COMPILE_WARNING);
|
||||
define('256',E_USER_ERROR);
|
||||
define('512',E_USER_WARNING);
|
||||
define('1024',E_USER_NOTICE);
|
||||
define('2048',E_STRICT);
|
||||
define('4096',E_RECOVERABLE_ERROR);
|
||||
define('8192',E_DEPRECATED);
|
||||
define('16384',E_USER_DEPRECATED);
|
||||
define('30719',E_ALL);
|
||||
*/
|
||||
/**
|
||||
*/
|
||||
class SapphireREPL extends Controller
|
||||
{
|
||||
|
||||
private static $allowed_actions = [
|
||||
'index'
|
||||
];
|
||||
|
||||
public function error_handler($errno, $errstr, $errfile, $errline, $errctx)
|
||||
{
|
||||
// Ignore unless important error
|
||||
if (($errno & ~( 2048 | 8192 | 16384 )) == 0) {
|
||||
return ;
|
||||
}
|
||||
// Otherwise throw exception to handle in REPL loop
|
||||
throw new Exception(sprintf("%s:%d\r\n%s", $errfile, $errline, $errstr));
|
||||
}
|
||||
|
||||
public function index()
|
||||
{
|
||||
if (!Director::is_cli()) {
|
||||
return "The SilverStripe Interactive Command-line doesn't work in a web browser."
|
||||
. " Use 'sake interactive' from the command-line to run.";
|
||||
}
|
||||
|
||||
|
||||
/* Try using PHP_Shell if it exists */
|
||||
@include 'php-shell-cmd.php' ;
|
||||
|
||||
/* Fall back to our simpler interface */
|
||||
if (empty($__shell)) {
|
||||
set_error_handler([$this, 'error_handler']);
|
||||
|
||||
echo "SilverStripe Interactive Command-line (REPL interface). Type help for hints.\n\n";
|
||||
while (true) {
|
||||
echo CLI::text("?> ", "cyan");
|
||||
echo CLI::start_colour("yellow");
|
||||
$command = trim(fgets(STDIN, 4096));
|
||||
echo CLI::end_colour();
|
||||
|
||||
if ($command == 'help' || $command == '?') {
|
||||
print "help or ? to exit\n" ;
|
||||
print "quit or \q to exit\n" ;
|
||||
print "install PHP_Shell for a more advanced interface with"
|
||||
. " auto-completion and readline support\n\n" ;
|
||||
continue ;
|
||||
}
|
||||
|
||||
if ($command == 'quit' || $command == '\q') {
|
||||
break ;
|
||||
}
|
||||
|
||||
// Simple command processing
|
||||
if (substr($command, -1) == ';') {
|
||||
$command = substr($command, 0, -1);
|
||||
}
|
||||
$is_print = preg_match('/^\s*print/i', $command);
|
||||
$is_return = preg_match('/^\s*return/i', $command);
|
||||
if (!$is_print && !$is_return) {
|
||||
$command = "return ($command)";
|
||||
}
|
||||
$command .= ";";
|
||||
|
||||
try {
|
||||
$result = eval($command);
|
||||
if (!$is_print) {
|
||||
print_r($result);
|
||||
}
|
||||
echo "\n";
|
||||
} catch (Exception $__repl_exception) {
|
||||
echo CLI::start_colour("red");
|
||||
printf(
|
||||
'%s (code: %d) got thrown' . PHP_EOL,
|
||||
get_class($__repl_exception),
|
||||
$__repl_exception->getCode()
|
||||
);
|
||||
print $__repl_exception;
|
||||
echo "\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|