tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/2.4' into 3.0

Browse Source 
Conflicts:
	control/RequestHandler.php
	core/control/ContentController.php
	dev/CsvBulkLoader.php
	docs/en/changelogs/index.md
	docs/en/reference/execution-pipeline.md
	docs/en/topics/commandline.md
	docs/en/topics/controller.md
	docs/en/topics/form-validation.md
	docs/en/topics/forms.md
	docs/en/topics/security.md
	model/MySQLDatabase.php
	security/Security.php
	tests/control/ControllerTest.php
	tests/control/RequestHandlingTest.php
This commit is contained in:
Ingo Schommer 2013-03-19 13:56:04 +01:00
commit 99ca0471f7
6 changed files with 53 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
dev/CsvBulkLoader.php
View File

@ -156,7 +156,7 @@ class CsvBulkLoader extends BulkLoader {
//user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}' //user_error("CsvBulkLoader:processRecord: Couldn't find duplicate identifier '{$fieldName}'
//in columns", E_USER_ERROR); //in columns", E_USER_ERROR);
} }
$SQL_fieldValue = $record[$fieldName]; $SQL_fieldValue = Convert::raw2sql($record[$fieldName]);
$existingRecord = DataObject::get_one($this->objectClass, "\"$SQL_fieldName\" = '{$SQL_fieldValue}'"); $existingRecord = DataObject::get_one($this->objectClass, "\"$SQL_fieldName\" = '{$SQL_fieldValue}'");
if($existingRecord) return $existingRecord; if($existingRecord) return $existingRecord;
} elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) { } elseif(is_array($duplicateCheck) && isset($duplicateCheck['callback'])) {

42
docs/en/changelogs/2.4.10.md Normal file
View File

@ -0,0 +1,42 @@
# 2.4.10 (2013-02-19)
## Overview
* Security: Undefined `$allowed_actions` overrides parent definitions
* API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`
## Details
### Security: Undefined `$allowed_actions` overrides parent definitions
Severity: Important
Description: `Controller` (and subclasses) failed to enforce `$allowed_action` restrictions
on parent classes if a child class didn't have it explicitly defined.
Impact: Depends on the used controller code. For any method with public visibility,
the flaw can expose the return value of the method (unless it fails due to wrong arguments).
It can also lead to unauthorized or unintended execution of logic, e.g. modifying the
state of a database record.
Fix: Apply the 2.4.10 update. In addition, we strongly recommend to define `$allowed_actions`
on all controller classes to ensure the intentions are clearly communicated.
### API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`
Controllers which are extended with `$allowed_actions` (through an `Extension`)
now deny access to methods defined on the controller, unless this class also has them in its own
`$allowed_actions` definition.
## Changelog
### API Changes
* 2013-02-15 [2352317](https://github.com/silverstripe/silverstripe-installer/commit/2352317) Filter composer files in IIS and Apache rules (fixes #8011) (Ingo Schommer)
* 2013-02-12 [45c68d6] Require ADMIN for ?showtemplate=1 (Ingo Schommer)
### Bugfixes
* 2013-02-17 [c7b0666](https://github.com/silverstripe/silverstripe-cms/commit/c7b0666) Escape page titles in CommentAdmin table listing (Ingo Schommer)
* 2013-01-15 [50995fb] Undefined `$allowed_actions` overrides parent definitions, stricter handling of $allowed_actions on Extension (Ingo Schommer)
* 2013-01-06 [eecd348] Keep Member.PasswordEncryption setting on empty passwords (Ingo Schommer)

5
docs/en/changelogs/index.md
View File

@ -19,6 +19,11 @@ For information on how to upgrade to newer versions consult the [upgrading](/ins
* [2.4.7](2.4.7) - 1 February 2012 * [2.4.7](2.4.7) - 1 February 2012
* [2.4.6](2.4.6) - 18 October 2011 * [2.4.6](2.4.6) - 18 October 2011
* [2.4.10](2.4.10) - 2013-02-19
* [2.4.9](2.4.9) - 2012-12-04
* [2.4.8](2.4.8) - 2012-10-30
* [2.4.7](2.4.7) - 2012-02-01
* [2.4.6](2.4.6) - 2011-10-17
* [2.4.5](2.4.5) - 2 February 2011 * [2.4.5](2.4.5) - 2 February 2011
* [2.4.4](2.4.4) - 21 December 2010 * [2.4.4](2.4.4) - 21 December 2010
* [2.4.3](2.4.3) - 11 November 2010 * [2.4.3](2.4.3) - 11 November 2010

3
docs/en/topics/commandline.md
View File

@ -98,7 +98,8 @@ This code provides a good template:
:::php :::php
class MyProcess extends Controller { class MyProcess extends Controller {
public function index() { public static $allowed_actions = array('index');
function index() {
set_time_limit(0); set_time_limit(0);
while(memory_get_usage() < 32*1024*1024) { while(memory_get_usage() < 32*1024*1024) {
if($this->somethingToDo()) { if($this->somethingToDo()) {

2
docs/en/topics/controller.md
View File

@ -15,7 +15,7 @@ your own routes since the cms module handles these routes.
<?php <?php
class FastFood_Controller extends Controller { class FastFood_Controller extends Controller {
public static $allowed_actions = array('order'); public static $allowed_actions = array('order');
public function order(SS_HTTPRequest $request) { public function order(SS_HTTPRequest $request) {
print_r($arguments); print_r($arguments);
} }

2
docs/en/topics/security.md
View File

@ -79,7 +79,7 @@ Example:
:::php :::php
class MyController extends Controller { class MyController extends Controller {
static $allowed_actions = array('myurlaction'); static $allowed_actions = array('myurlaction');
public function myurlaction($RAW_urlParams) { public function myurlaction($RAW_urlParams) {
$SQL_urlParams = Convert::raw2sql($RAW_urlParams); // works recursively on an array $SQL_urlParams = Convert::raw2sql($RAW_urlParams); // works recursively on an array
$objs = Player::get()->where("Name = '{$SQL_data[OtherID]}'"); $objs = Player::get()->where("Name = '{$SQL_data[OtherID]}'");