diff --git a/docs/en/04_Changelogs/4.3.5.md b/docs/en/04_Changelogs/4.3.5.md deleted file mode 100644 index e5ad33966..000000000 --- a/docs/en/04_Changelogs/4.3.5.md +++ /dev/null @@ -1,42 +0,0 @@ -# 4.3.5 - -Embedding files with shortcodes (`FileShortcodeProvider`) no longer provides a session grant -by default. This is because it has the potential to escalate file access -to users who otherwise should not have viewing permissions for the file. - -There is a minor performance trade-off for disabling these grants. If you have a page with a lot of -images that are in a draft state or have custom viewing permissions, it adds an extra database -query for each embedded image. With session grants enabled, the first permission check persists -the grant into the session, meaning there is no need to query the database on every single file. - -Unless you have a lot of shortcode images embedded with protected or draft status on a single page, -this setting is best left to its default value of `false`. - -To revert to the old behaviour: - -``` -SilverStripe\Assets\Shortcodes\FileShortcodeProvider: - allow_session_grant: true -``` - -## If you were using the versionedfiles on your 3.x site - -This release includes a security fix for users who migrated from a 3.x site that used -the [versionedfiles](https://github.com/symbiote/silverstripe-versionedfiles) module. -The file migration would have left the `_versions` folders in your public filesystem -as artefacts, leaving all the unpublished versions of your old files publicly accessible -under a guessable URL. - -To work around this, you can use the `VersionedFilesMigrationTask`: - -`$ vendor/bin/sake dev/tasks/migrate-versionedfiles strategy=[delete|protect]` - -If you choose the `delete` strategy (default), the task will delete all `_versions` -files for you. Be sure to take a snapshot of your `public/assets` folder before -doing so. If you choose the `protect` strategy, the task will drop an `.htaccess` file -in your old `_versions` directories. **This method only works if you are using Apache -to serve your static files**. If you are using another server such as Nginx, these files -will remain publicly exposed. It is recommended you use the `delete` strategy if you are -not using Apache. - - diff --git a/docs/en/04_Changelogs/4.3.6.md b/docs/en/04_Changelogs/4.3.6.md index 2d2212432..7401b0195 100644 --- a/docs/en/04_Changelogs/4.3.6.md +++ b/docs/en/04_Changelogs/4.3.6.md @@ -1,5 +1,43 @@ # 4.3.6 +Embedding files with shortcodes (`FileShortcodeProvider`) no longer provides a session grant +by default. This is because it has the potential to escalate file access +to users who otherwise should not have viewing permissions for the file. + +There is a minor performance trade-off for disabling these grants. If you have a page with a lot of +images that are in a draft state or have custom viewing permissions, it adds an extra database +query for each embedded image. With session grants enabled, the first permission check persists +the grant into the session, meaning there is no need to query the database on every single file. + +Unless you have a lot of shortcode images embedded with protected or draft status on a single page, +this setting is best left to its default value of `false`. + +To revert to the old behaviour: + +``` +SilverStripe\Assets\Shortcodes\FileShortcodeProvider: + allow_session_grant: true +``` + +## If you were using the versionedfiles on your 3.x site + +This release includes a security fix for users who migrated from a 3.x site that used +the [versionedfiles](https://github.com/symbiote/silverstripe-versionedfiles) module. +The file migration would have left the `_versions` folders in your public filesystem +as artefacts, leaving all the unpublished versions of your old files publicly accessible +under a guessable URL. + +To work around this, you can use the `VersionedFilesMigrationTask`: + +`$ vendor/bin/sake dev/tasks/migrate-versionedfiles strategy=[delete|protect]` + +If you choose the `delete` strategy (default), the task will delete all `_versions` +files for you. Be sure to take a snapshot of your `public/assets` folder before +doing so. If you choose the `protect` strategy, the task will drop an `.htaccess` file +in your old `_versions` directories. **This method only works if you are using Apache +to serve your static files**. If you are using another server such as Nginx, these files +will remain publicly exposed. It is recommended you use the `delete` strategy if you are +not using Apache. ## Change Log