Merge remote-tracking branch 'origin/2.4' into 3.0

Conflicts: control/RequestHandler.php core/control/ContentController.php dev/CsvBulkLoader.php docs/en/changelogs/index.md docs/en/reference/execution-pipeline.md docs/en/topics/commandline.md docs/en/topics/controller.md docs/en/topics/form-validation.md docs/en/topics/forms.md docs/en/topics/security.md model/MySQLDatabase.php security/Security.php tests/control/ControllerTest.php tests/control/RequestHandlingTest.php
2024-09-29 12:49:06 +02:00 · 2013-03-19 13:56:04 +01:00 · 2013-03-19 13:56:04 +01:00 · 99ca0471f7
commit 99ca0471f7
parent 00bcdf39d3 5cad7fe9e3
6 changed files with 53 additions and 5 deletions
--- a/dev/CsvBulkLoader.php
+++ b/dev/CsvBulkLoader.php
@ -156,7 +156,7 @@ class CsvBulkLoader extends BulkLoader {
 					//user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}'
 					//in columns", E_USER_ERROR);
 				}
-				$SQL_fieldValue = $record[$fieldName];
+				$SQL_fieldValue = Convert::raw2sql($record[$fieldName]);
 				$existingRecord = DataObject::get_one($this->objectClass, "\"$SQL_fieldName\" = '{$SQL_fieldValue}'");
 				if($existingRecord) return $existingRecord;
 			} elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) {
--- a/docs/en/changelogs/2.4.10.md
+++ b/docs/en/changelogs/2.4.10.md
@ -0,0 +1,42 @@
+# 2.4.10 (2013-02-19)
+
+## Overview
+
+ * Security: Undefined `$allowed_actions` overrides parent definitions
+ * API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`
+
+## Details
+
+### Security: Undefined `$allowed_actions` overrides parent definitions
+
+Severity: Important
+
+Description: `Controller` (and subclasses) failed to enforce `$allowed_action` restrictions
+on parent classes if a child class didn't have it explicitly defined.
+
+Impact: Depends on the used controller code. For any method with public visibility,
+the flaw can expose the return value of the method (unless it fails due to wrong arguments).
+It can also lead to unauthorized or unintended execution of logic, e.g. modifying the
+state of a database record.
+
+Fix: Apply the 2.4.10 update. In addition, we strongly recommend to define `$allowed_actions`
+on all controller classes to ensure the intentions are clearly communicated.
+
+### API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`
+
+Controllers which are extended with `$allowed_actions` (through an `Extension`)
+now deny access to methods defined on the controller, unless this class also has them in its own
+`$allowed_actions` definition.
+
+## Changelog
+
+### API Changes
+
+ * 2013-02-15 [2352317](https://github.com/silverstripe/silverstripe-installer/commit/2352317) Filter composer files in IIS and Apache rules (fixes #8011) (Ingo Schommer)
+ * 2013-02-12 [45c68d6] Require ADMIN for ?showtemplate=1 (Ingo Schommer)
+
+### Bugfixes
+
+ * 2013-02-17 [c7b0666](https://github.com/silverstripe/silverstripe-cms/commit/c7b0666) Escape page titles in CommentAdmin table listing (Ingo Schommer)
+ * 2013-01-15 [50995fb] Undefined `$allowed_actions` overrides parent definitions, stricter handling of $allowed_actions on Extension (Ingo Schommer)
+ * 2013-01-06 [eecd348] Keep Member.PasswordEncryption setting on empty passwords (Ingo Schommer)
--- a/docs/en/changelogs/index.md
+++ b/docs/en/changelogs/index.md
@ -19,6 +19,11 @@ For information on how to upgrade to newer versions consult the [upgrading](/ins

 * [2.4.7](2.4.7) - 1 February 2012
 * [2.4.6](2.4.6) - 18 October 2011
+ * [2.4.10](2.4.10) - 2013-02-19
+ * [2.4.9](2.4.9) - 2012-12-04
+ * [2.4.8](2.4.8) - 2012-10-30
+ * [2.4.7](2.4.7) - 2012-02-01
+ * [2.4.6](2.4.6) - 2011-10-17
 * [2.4.5](2.4.5) - 2 February 2011
 * [2.4.4](2.4.4) - 21 December 2010
 * [2.4.3](2.4.3) - 11 November 2010
--- a/docs/en/topics/commandline.md
+++ b/docs/en/topics/commandline.md
@ -98,7 +98,8 @@ This code provides a good template:

 	:::php
 	class MyProcess extends Controller {
-	  public function index() {
+		public static $allowed_actions = array('index');
+	  function index() {
 	    set_time_limit(0);
 	    while(memory_get_usage() < 32*1024*1024) {
 	      if($this->somethingToDo()) {
@ -122,4 +123,4 @@ Step 3: Use sake to start and stop your process


 Note that sake processes are currently a little brittle, in that the pid and log files are placed in the site root
-directory, rather than somewhere sensible like /var/log or /var/run.
+directory, rather than somewhere sensible like /var/log or /var/run.
--- a/docs/en/topics/controller.md
+++ b/docs/en/topics/controller.md
@ -15,7 +15,7 @@ your own routes since the cms module handles these routes.
 	<?php
 	
 	class FastFood_Controller extends Controller {
-			public static $allowed_actions = array('order');
+		public static $allowed_actions = array('order');
 	    public function order(SS_HTTPRequest $request) {
 	        print_r($arguments);
 	    }
--- a/docs/en/topics/security.md
+++ b/docs/en/topics/security.md
@ -79,7 +79,7 @@ Example:

 	:::php
 	class MyController extends Controller {
-		static $allowed_actions = array('myurlaction');
+	  static $allowed_actions = array('myurlaction');
 	  public function myurlaction($RAW_urlParams) {
 	    $SQL_urlParams = Convert::raw2sql($RAW_urlParams); // works recursively on an array
 	    $objs = Player::get()->where("Name = '{$SQL_data[OtherID]}'");