[CVE-2020-6164] Remove/deprecate unused controllers that can potentially give away some information about the underlying project.

This commit is contained in:
Maxime Rainville 2020-05-13 16:54:02 +12:00
parent fa9a122a99
commit 996c1b5719
5 changed files with 10 additions and 116 deletions

View File

@ -205,8 +205,6 @@ mappings:
FunctionalTest: SilverStripe\Dev\FunctionalTest
InstallerTest: SilverStripe\Dev\InstallerTest
MigrationTask: SilverStripe\Dev\MigrationTask
SapphireInfo: SilverStripe\Dev\SapphireInfo
SapphireREPL: SilverStripe\Dev\SapphireREPL
SapphireTest: SilverStripe\Dev\SapphireTest
TaskRunner: SilverStripe\Dev\TaskRunner
TestMailer: SilverStripe\Dev\TestMailer
@ -1018,6 +1016,14 @@ warnings:
message: 'Use SilverStripe\CMS\BatchActions\CMSBatchAction_Archive instead'
'EncryptAllPasswordsTask':
message: 'Removed'
'SapphireInfo':
message: 'Removed'
'SilverStripe\Dev\SapphireREPL':
message: 'Removed'
'SilverStripe\Dev\SapphireInfo':
message: 'Deprecated'
'SilverStripe\Dev\InstallerTest':
message: 'Deprecated'
methods:
'SilverStripe\Security\Authenticator::register()':
message: 'Custom authenticators work differently now'

View File

@ -14,10 +14,6 @@ SilverStripe\Control\Director:
'Security//$Action/$ID/$OtherID': SilverStripe\Security\Security
'CMSSecurity//$Action/$ID/$OtherID': SilverStripe\Security\CMSSecurity
'dev': SilverStripe\Dev\DevelopmentAdmin
'interactive': SilverStripe\Dev\SapphireREPL
'InstallerTest//$Action/$ID/$OtherID': SilverStripe\Dev\InstallerTest
'SapphireInfo//$Action/$ID/$OtherID': SilverStripe\Dev\SapphireInfo
'SapphireREPL//$Action/$ID/$OtherID': SilverStripe\Dev\SapphireREPL
---
Name: security-limited
After:

View File

@ -6,6 +6,7 @@ use SilverStripe\Control\Controller;
/**
* Simple controller that the installer uses to test that URL rewriting is working.
* @deprecated 4.4.7 This class will be removed in Silverstripe Framework 5.
*/
class InstallerTest extends Controller
{

View File

@ -9,6 +9,7 @@ use SilverStripe\Security\Security;
/**
* Returns information about the current site instance.
* @deprecated 4.4.7 This class will be removed in Silverstripe Framework 5.
*/
class SapphireInfo extends Controller
{

View File

@ -1,110 +0,0 @@
<?php
namespace SilverStripe\Dev;
use SilverStripe\Control\Controller;
use SilverStripe\Control\Director;
use Exception;
/* Don't actually define these, since it'd clutter up the namespace.
define('1',E_ERROR);
define('2',E_WARNING);
define('4',E_PARSE);
define('8',E_NOTICE);
define('16',E_CORE_ERROR);
define('32',E_CORE_WARNING);
define('64',E_COMPILE_ERROR);
define('128',E_COMPILE_WARNING);
define('256',E_USER_ERROR);
define('512',E_USER_WARNING);
define('1024',E_USER_NOTICE);
define('2048',E_STRICT);
define('4096',E_RECOVERABLE_ERROR);
define('8192',E_DEPRECATED);
define('16384',E_USER_DEPRECATED);
define('30719',E_ALL);
*/
/**
*/
class SapphireREPL extends Controller
{
private static $allowed_actions = [
'index'
];
public function error_handler($errno, $errstr, $errfile, $errline, $errctx)
{
// Ignore unless important error
if (($errno & ~( 2048 | 8192 | 16384 )) == 0) {
return ;
}
// Otherwise throw exception to handle in REPL loop
throw new Exception(sprintf("%s:%d\r\n%s", $errfile, $errline, $errstr));
}
public function index()
{
if (!Director::is_cli()) {
return "The SilverStripe Interactive Command-line doesn't work in a web browser."
. " Use 'sake interactive' from the command-line to run.";
}
/* Try using PHP_Shell if it exists */
@include 'php-shell-cmd.php' ;
/* Fall back to our simpler interface */
if (empty($__shell)) {
set_error_handler([$this, 'error_handler']);
echo "SilverStripe Interactive Command-line (REPL interface). Type help for hints.\n\n";
while (true) {
echo CLI::text("?> ", "cyan");
echo CLI::start_colour("yellow");
$command = trim(fgets(STDIN, 4096));
echo CLI::end_colour();
if ($command == 'help' || $command == '?') {
print "help or ? to exit\n" ;
print "quit or \q to exit\n" ;
print "install PHP_Shell for a more advanced interface with"
. " auto-completion and readline support\n\n" ;
continue ;
}
if ($command == 'quit' || $command == '\q') {
break ;
}
// Simple command processing
if (substr($command, -1) == ';') {
$command = substr($command, 0, -1);
}
$is_print = preg_match('/^\s*print/i', $command);
$is_return = preg_match('/^\s*return/i', $command);
if (!$is_print && !$is_return) {
$command = "return ($command)";
}
$command .= ";";
try {
$result = eval($command);
if (!$is_print) {
print_r($result);
}
echo "\n";
} catch (Exception $__repl_exception) {
echo CLI::start_colour("red");
printf(
'%s (code: %d) got thrown' . PHP_EOL,
get_class($__repl_exception),
$__repl_exception->getCode()
);
print $__repl_exception;
echo "\n";
}
}
}
}
}