From 091d99f599dcacf6aef2ad1df48311c2399f150c Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Tue, 12 Sep 2017 15:57:03 +0100 Subject: [PATCH 1/9] FIX Authenticators are more resilient to incomplete configuration --- security/Authenticator.php | 33 ++++++++++++++-------- security/LoginForm.php | 10 +++++++ security/MemberAuthenticator.php | 8 ++++-- tests/security/MemberAuthenticatorTest.php | 6 ++++ 4 files changed, 44 insertions(+), 13 deletions(-) diff --git a/security/Authenticator.php b/security/Authenticator.php index de3619c82..b1b98f0e3 100644 --- a/security/Authenticator.php +++ b/security/Authenticator.php @@ -102,9 +102,12 @@ abstract class Authenticator extends Object { if(is_subclass_of($authenticator, 'Authenticator') == false) return false; - if(in_array($authenticator, self::$authenticators) == false) { + $authenticators = Config::inst()->get(__CLASS__, 'authenticators'); + if(in_array($authenticator, $authenticators) == false) { if(call_user_func(array($authenticator, 'on_register')) === true) { - array_push(self::$authenticators, $authenticator); + Config::inst()->update(__CLASS__, 'authenticators', array( + $authenticator, + )); } else { return false; } @@ -125,8 +128,11 @@ abstract class Authenticator extends Object { */ public static function unregister_authenticator($authenticator) { if(call_user_func(array($authenticator, 'on_unregister')) === true) { - if(in_array($authenticator, self::$authenticators)) { - unset(self::$authenticators[array_search($authenticator, self::$authenticators)]); + $authenticators = Config::inst()->get(__CLASS__, 'authenticators'); + if(($key = array_search($authenticator, $authenticators)) !== false) { + unset($authenticators[$key]); + Config::inst()->remove(__CLASS__, 'authenticators'); + Config::inst()->update(__CLASS__, 'authenticators', $authenticators); } } } @@ -140,7 +146,7 @@ abstract class Authenticator extends Object { * otherwise. */ public static function is_registered($authenticator) { - return in_array($authenticator, self::$authenticators); + return in_array($authenticator, Config::inst()->get(__CLASS__, 'authenticators')); } @@ -151,13 +157,16 @@ abstract class Authenticator extends Object { * authenticators. */ public static function get_authenticators() { - // put default authenticator first (mainly for tab-order on loginform) - if($key = array_search(self::$default_authenticator,self::$authenticators)) { - unset(self::$authenticators[$key]); - array_unshift(self::$authenticators, self::$default_authenticator); + $authenticators = Config::inst()->get(__CLASS__, 'authenticators'); + $defaultAuthenticator = Config::inst()->get(__CLASS__, 'default_authenticator'); + + // put default authenticator first if it isn't already + if (reset($authenticators) !== $defaultAuthenticator && ($key = array_search($defaultAuthenticator, $authenticators)) !== false) { + unset($authenticators[$key]); + array_unshift($authenticators, $defaultAuthenticator); } - return self::$authenticators; + return $authenticators; } /** @@ -175,7 +184,9 @@ abstract class Authenticator extends Object { * @return string */ public static function get_default_authenticator() { - return self::$default_authenticator; + $authenticators = static::get_authenticators(); + // the first authenticator is the default one + return reset($authenticators); } diff --git a/security/LoginForm.php b/security/LoginForm.php index dbc047ec7..c60acd58c 100644 --- a/security/LoginForm.php +++ b/security/LoginForm.php @@ -44,5 +44,15 @@ abstract class LoginForm extends Form { return $authClass::get_name(); } + public function setAuthenticatorClass($class) + { + $this->authenticator_class = $class; + $authenticatorField = $this->Fields()->dataFieldByName('AuthenticationMethod'); + if ($authenticatorField) { + $authenticatorField->setValue($class); + } + return $this; + } + } diff --git a/security/MemberAuthenticator.php b/security/MemberAuthenticator.php index 29005bb35..dd4158259 100644 --- a/security/MemberAuthenticator.php +++ b/security/MemberAuthenticator.php @@ -179,14 +179,18 @@ class MemberAuthenticator extends Authenticator { * * @param Controller The parent controller, necessary to create the * appropriate form action tag - * @return Form Returns the login form to use with this authentication + * @return MemberLoginForm Returns the login form to use with this authentication * method */ public static function get_login_form(Controller $controller) { return MemberLoginForm::create($controller, "LoginForm"); } - public static function get_cms_login_form(\Controller $controller) { + /** + * @param Controller $controller + * @return CMSMemberLoginForm + */ + public static function get_cms_login_form(Controller $controller) { return CMSMemberLoginForm::create($controller, "LoginForm"); } diff --git a/tests/security/MemberAuthenticatorTest.php b/tests/security/MemberAuthenticatorTest.php index 8606e6f58..f3e4598ca 100644 --- a/tests/security/MemberAuthenticatorTest.php +++ b/tests/security/MemberAuthenticatorTest.php @@ -221,4 +221,10 @@ class MemberAuthenticatorTest extends SapphireTest { $this->assertTrue($member->isLockedOut()); $this->assertFalse($member->canLogIn()->valid()); } + + public function testDefaultAuthenticatorWontReturnIfDisabled() + { + Authenticator::unregister('MemberAuthenticator'); + $this->assertNotEquals('MemberAuthenticator', Authenticator::get_default_authenticator()); + } } From 1f256cf2d2e0ae918b58ff87a79926006a7883d6 Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Tue, 19 Sep 2017 15:25:41 +0000 Subject: [PATCH 2/9] Added 3.5.5-beta1 changelog --- docs/en/04_Changelogs/beta/3.5.5-beta1.md | 27 +++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 docs/en/04_Changelogs/beta/3.5.5-beta1.md diff --git a/docs/en/04_Changelogs/beta/3.5.5-beta1.md b/docs/en/04_Changelogs/beta/3.5.5-beta1.md new file mode 100644 index 000000000..f563dcb08 --- /dev/null +++ b/docs/en/04_Changelogs/beta/3.5.5-beta1.md @@ -0,0 +1,27 @@ +# 3.5.5-beta1 + + + +## Change Log + +### Bugfixes + + * 2017-08-28 [7b200a2](https://github.com/silverstripe/silverstripe-framework/commit/7b200a2a642a78bffcf0a2f417a4757fb216ecfb) add combinedFiles to clear logic (Christopher Joe) + * 2017-08-16 [eb80a5f](https://github.com/silverstripe/silverstripe-framework/commit/eb80a5f9e89e69480edc7f1c9c66cc7403f547f1) LastEdited no longer updated on skipped writes (Daniel Hensby) + * 2017-08-14 [b04a1ab](https://github.com/silverstripe/silverstripe-framework/commit/b04a1ab41c4051923e9d9a9af5dedfa5a3ef67d8) Truncate Error Issue when using views in a Unittest. (James Pluck) + * 2017-07-26 [31c5eeb](https://github.com/silverstripe/silverstripe-framework/commit/31c5eebda089867d61546106b36ca20b21a00026) Avoid JS errors for HTMLEditorFields in small holders (Daniel Hensby) + * 2017-07-26 [82c0632](https://github.com/silverstripe/silverstripe-framework/commit/82c0632f46e00a251d287811652429036d200eff) Use Config API for MemberAuthenticator::$migrate_legacy_hashes (fixes #7208) (Loz Calver) + * 2017-07-19 [292aaf6](https://github.com/silverstripe/silverstripe-framework/commit/292aaf65301b2be4bb5e6e1505ccbe98b8ade67f) Cache IDs grouped by site first (Daniel Hensby) + * 2017-07-18 [b77274c](https://github.com/silverstripe/silverstripe-framework/commit/b77274c1a3c3ab8cfa0abf939aa2e4735e534171) Add unique prefix to cache stores to prevent cache leak (Daniel Hensby) + * 2017-07-17 [515a7cb](https://github.com/silverstripe/silverstripe-cms/commit/515a7cb569f0cf90787b44fca8845760b539fabe) Make sure VirtualPage renders correct templates (Daniel Hensby) + * 2017-07-06 [a6db16b](https://github.com/silverstripe/silverstripe-framework/commit/a6db16b2298738e1ef1329329cbef7c6b33f993e) OS X issue with `Convert::html2raw`, `HTMLText::FirstSentence`, `HTMLText::Summary` and `Text::FirstSentence`. (Roman Schmid) + * 2017-06-29 [79a7b10](https://github.com/silverstripe/silverstripe-framework/commit/79a7b1016e6046af4f07fcd8bfb40773d1066b7e) add missing $rootCall param from LeftAndMain (Daniel Hensby) + * 2017-06-20 [e2116a7](https://github.com/silverstripe/silverstripe-framework/commit/e2116a70ef34433bfe712b4164ae416a76d4430d) Text colour in GridField filter headers for dropdown fields (Robbie Averill) + * 2017-06-14 [2afe018](https://github.com/silverstripe/silverstripe-framework/commit/2afe018dc7e380ac84f8e1f7986ce0247e9a254b) Ensure HasManyList foreign ID filter includes table name (fixes #7023) (Loz Calver) + * 2017-06-12 [53c84d9](https://github.com/silverstripe/silverstripe-framework/commit/53c84d93da0f0681fdcb3a061ebe529fd3cd9a9e) changetracker checkbox bugs (Brian Cairns) + * 2017-06-12 [a5c84b1](https://github.com/silverstripe/silverstripe-framework/commit/a5c84b12ab3c0759f696fc48fee3475bab6b3e20) Order of conditionals for getting default admin (Daniel Hensby) + * 2017-06-06 [4ad2cae](https://github.com/silverstripe/silverstripe-framework/commit/4ad2cae8642d21e37b5132e4040ca45d2d66c193) Upload_Validator failed to fetch max size from PHP ini values (fixes #6999) (Loz Calver) + * 2017-06-05 [5f5bfa5](https://github.com/silverstripe/silverstripe-framework/commit/5f5bfa5e7045cc96f89fca417f0a7d99dc662fab) create temp folder if it does not exist (Christopher Joe) + * 2017-06-02 [4b9d5dc](https://github.com/silverstripe/silverstripe-framework/commit/4b9d5dceb892a9c41925d058d953a8849b407276) tinymce image selection issue in newer versions of Chrome (Christopher Joe) + * 2017-05-29 [b436819](https://github.com/silverstripe/silverstripe-framework/commit/b4368196d1bcee9fd1714b044c8ae6580c7941c9) Use plural name for ModelAdmin tab name (Robbie Averill) + * 2017-05-09 [3dd3036](https://github.com/silverstripe/silverstripe-framework/commit/3dd3036792962d5384a72aa0132a64aca7d2ebc2) Ensure GridState_Component is added to GridField config even if we set config with GridField::setConfig (Klemen Dolinsek) From fc79a767184f5593b1590ddef16c64c8f543cb51 Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Tue, 19 Sep 2017 16:51:57 +0000 Subject: [PATCH 3/9] Added 3.6.2-beta1 changelog --- docs/en/04_Changelogs/beta/3.6.2-beta1.md | 32 +++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 docs/en/04_Changelogs/beta/3.6.2-beta1.md diff --git a/docs/en/04_Changelogs/beta/3.6.2-beta1.md b/docs/en/04_Changelogs/beta/3.6.2-beta1.md new file mode 100644 index 000000000..22e25e5d7 --- /dev/null +++ b/docs/en/04_Changelogs/beta/3.6.2-beta1.md @@ -0,0 +1,32 @@ +# 3.6.2-beta1 + + + +## Change Log + +### Features and Enhancements + + * 2017-08-24 [fdd5011](https://github.com/silverstripe/silverstripe-framework/commit/fdd501182e8403ef082c2954bb66e0b8b6dd7b71) Ability to override SS_TemplateManifest via Injector (fixes #7305) (Patrick Nelson) + +### Bugfixes + + * 2017-08-28 [7b200a2](https://github.com/silverstripe/silverstripe-framework/commit/7b200a2a642a78bffcf0a2f417a4757fb216ecfb) add combinedFiles to clear logic (Christopher Joe) + * 2017-08-16 [eb80a5f](https://github.com/silverstripe/silverstripe-framework/commit/eb80a5f9e89e69480edc7f1c9c66cc7403f547f1) LastEdited no longer updated on skipped writes (Daniel Hensby) + * 2017-08-14 [b04a1ab](https://github.com/silverstripe/silverstripe-framework/commit/b04a1ab41c4051923e9d9a9af5dedfa5a3ef67d8) Truncate Error Issue when using views in a Unittest. (James Pluck) + * 2017-08-06 [59b28f7](https://github.com/silverstripe/silverstripe-framework/commit/59b28f7d5bcefd477766611a99643f121af3dc56) Fixes #7181 to config system for userland config of node display limits. (Russell Michell) + * 2017-07-26 [31c5eeb](https://github.com/silverstripe/silverstripe-framework/commit/31c5eebda089867d61546106b36ca20b21a00026) Avoid JS errors for HTMLEditorFields in small holders (Daniel Hensby) + * 2017-07-26 [82c0632](https://github.com/silverstripe/silverstripe-framework/commit/82c0632f46e00a251d287811652429036d200eff) Use Config API for MemberAuthenticator::$migrate_legacy_hashes (fixes #7208) (Loz Calver) + * 2017-07-19 [292aaf6](https://github.com/silverstripe/silverstripe-framework/commit/292aaf65301b2be4bb5e6e1505ccbe98b8ade67f) Cache IDs grouped by site first (Daniel Hensby) + * 2017-07-18 [b77274c](https://github.com/silverstripe/silverstripe-framework/commit/b77274c1a3c3ab8cfa0abf939aa2e4735e534171) Add unique prefix to cache stores to prevent cache leak (Daniel Hensby) + * 2017-07-17 [515a7cb](https://github.com/silverstripe/silverstripe-cms/commit/515a7cb569f0cf90787b44fca8845760b539fabe) Make sure VirtualPage renders correct templates (Daniel Hensby) + * 2017-07-10 [960a0f8](https://github.com/silverstripe/silverstripe-framework/commit/960a0f8343e5ff8379906c2476af4b74da0fd9c9) Make File::ini2bytes() compliant with binary prefixes (fixes #7145) (Loz Calver) + * 2017-07-06 [a6db16b](https://github.com/silverstripe/silverstripe-framework/commit/a6db16b2298738e1ef1329329cbef7c6b33f993e) OS X issue with `Convert::html2raw`, `HTMLText::FirstSentence`, `HTMLText::Summary` and `Text::FirstSentence`. (Roman Schmid) + * 2017-06-29 [79a7b10](https://github.com/silverstripe/silverstripe-framework/commit/79a7b1016e6046af4f07fcd8bfb40773d1066b7e) add missing $rootCall param from LeftAndMain (Daniel Hensby) + * 2017-06-20 [e2116a7](https://github.com/silverstripe/silverstripe-framework/commit/e2116a70ef34433bfe712b4164ae416a76d4430d) Text colour in GridField filter headers for dropdown fields (Robbie Averill) + * 2017-06-14 [2afe018](https://github.com/silverstripe/silverstripe-framework/commit/2afe018dc7e380ac84f8e1f7986ce0247e9a254b) Ensure HasManyList foreign ID filter includes table name (fixes #7023) (Loz Calver) + * 2017-06-12 [53c84d9](https://github.com/silverstripe/silverstripe-framework/commit/53c84d93da0f0681fdcb3a061ebe529fd3cd9a9e) changetracker checkbox bugs (Brian Cairns) + * 2017-06-12 [a5c84b1](https://github.com/silverstripe/silverstripe-framework/commit/a5c84b12ab3c0759f696fc48fee3475bab6b3e20) Order of conditionals for getting default admin (Daniel Hensby) + * 2017-06-06 [4ad2cae](https://github.com/silverstripe/silverstripe-framework/commit/4ad2cae8642d21e37b5132e4040ca45d2d66c193) Upload_Validator failed to fetch max size from PHP ini values (fixes #6999) (Loz Calver) + * 2017-06-05 [5f5bfa5](https://github.com/silverstripe/silverstripe-framework/commit/5f5bfa5e7045cc96f89fca417f0a7d99dc662fab) create temp folder if it does not exist (Christopher Joe) + * 2017-06-02 [4b9d5dc](https://github.com/silverstripe/silverstripe-framework/commit/4b9d5dceb892a9c41925d058d953a8849b407276) tinymce image selection issue in newer versions of Chrome (Christopher Joe) + * 2017-05-09 [3dd3036](https://github.com/silverstripe/silverstripe-framework/commit/3dd3036792962d5384a72aa0132a64aca7d2ebc2) Ensure GridState_Component is added to GridField config even if we set config with GridField::setConfig (Klemen Dolinsek) From f0262a8fd9ab5fb51b178ace3c3487351217f5a0 Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Mon, 4 Sep 2017 17:11:02 +0100 Subject: [PATCH 4/9] [SS-2017-005] User enumeration via timing attack mitigated --- security/LoginForm.php | 11 ++++++++++- security/MemberAuthenticator.php | 9 +++++++++ security/MemberLoginForm.php | 14 ++++++++++---- 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/security/LoginForm.php b/security/LoginForm.php index dbc047ec7..331950440 100644 --- a/security/LoginForm.php +++ b/security/LoginForm.php @@ -18,9 +18,18 @@ abstract class LoginForm extends Form { * form. * @var string */ - protected $authenticator_class; + /** + * The minimum amount of time authenticating is allowed to take in milliseconds. + * + * Protects against timing enumeration attacks + * + * @config + * @var int + */ + private static $min_auth_time = 350; + /** * Get the authenticator instance * diff --git a/security/MemberAuthenticator.php b/security/MemberAuthenticator.php index 29005bb35..b0baf11da 100644 --- a/security/MemberAuthenticator.php +++ b/security/MemberAuthenticator.php @@ -150,6 +150,10 @@ class MemberAuthenticator extends Authenticator { * @see Security::setDefaultAdmin() */ public static function authenticate($data, Form $form = null) { + // minimum execution time for authenticating a member + $minExecTime = LoginForm::config()->min_auth_time / 1000; + $startTime = microtime(true); + // Find authenticated member $member = static::authenticate_member($data, $form, $success); @@ -170,6 +174,11 @@ class MemberAuthenticator extends Authenticator { if($success) Session::clear('BackURL'); + $waitFor = $minExecTime - (microtime(true) - $startTime); + if ($waitFor > 0) { + usleep($waitFor * 1000000); + } + return $success ? $member : null; } diff --git a/security/MemberLoginForm.php b/security/MemberLoginForm.php index dfacee77a..a9146f7f9 100644 --- a/security/MemberLoginForm.php +++ b/security/MemberLoginForm.php @@ -294,6 +294,10 @@ JS; * @param array $data Submitted data */ public function forgotPassword($data) { + // minimum execution time for authenticating a member + $minExecTime = self::config()->min_auth_time / 1000; + $startTime = microtime(true); + // Ensure password is given if(empty($data['Email'])) { $this->sessionMessage( @@ -311,10 +315,8 @@ JS; // Allow vetoing forgot password requests $results = $this->extend('forgotPassword', $member); if($results && is_array($results) && in_array(false, $results, true)) { - return $this->controller->redirect('Security/lostpassword'); - } - - if($member) { + $this->controller->redirect('Security/lostpassword'); + } elseif ($member) { $token = $member->generateAutologinTokenAndStoreHash(); $e = Member_ForgotPasswordEmail::create(); @@ -338,6 +340,10 @@ JS; $this->controller->redirect('Security/lostpassword'); } + $waitFor = $minExecTime - (microtime(true) - $startTime); + if ($waitFor > 0) { + usleep($waitFor * 1000000); + } } } From 1209b2ae130b1265b1f45d8caaf2c58822598abd Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Wed, 20 Sep 2017 13:08:10 +0000 Subject: [PATCH 5/9] Added 3.5.5-beta2 changelog --- docs/en/04_Changelogs/beta/3.5.5-beta2.md | 33 +++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 docs/en/04_Changelogs/beta/3.5.5-beta2.md diff --git a/docs/en/04_Changelogs/beta/3.5.5-beta2.md b/docs/en/04_Changelogs/beta/3.5.5-beta2.md new file mode 100644 index 000000000..f6d15f25a --- /dev/null +++ b/docs/en/04_Changelogs/beta/3.5.5-beta2.md @@ -0,0 +1,33 @@ +# 3.5.5-beta2 + + + +## Change Log + +### Security + + * 2017-09-04 [f0262a8](https://github.com/silverstripe/silverstripe-framework/commit/f0262a8fd9ab5fb51b178ace3c3487351217f5a0) User enumeration via timing attack mitigated (Daniel Hensby) - See [ss-2017-005](http://www.silverstripe.org/download/security-releases/ss-2017-005) + +### Bugfixes + + * 2017-09-12 [0aac4dd](https://github.com/silverstripe/silverstripe-cms/commit/0aac4ddb7ecf0f17eda8add235017c10c9f57255) Default LoginForm generated from default_authenticator (Daniel Hensby) + * 2017-09-12 [091d99f](https://github.com/silverstripe/silverstripe-framework/commit/091d99f599dcacf6aef2ad1df48311c2399f150c) Authenticators are more resilient to incomplete configuration (Daniel Hensby) + * 2017-08-28 [7b200a2](https://github.com/silverstripe/silverstripe-framework/commit/7b200a2a642a78bffcf0a2f417a4757fb216ecfb) add combinedFiles to clear logic (Christopher Joe) + * 2017-08-16 [eb80a5f](https://github.com/silverstripe/silverstripe-framework/commit/eb80a5f9e89e69480edc7f1c9c66cc7403f547f1) LastEdited no longer updated on skipped writes (Daniel Hensby) + * 2017-08-14 [b04a1ab](https://github.com/silverstripe/silverstripe-framework/commit/b04a1ab41c4051923e9d9a9af5dedfa5a3ef67d8) Truncate Error Issue when using views in a Unittest. (James Pluck) + * 2017-07-26 [31c5eeb](https://github.com/silverstripe/silverstripe-framework/commit/31c5eebda089867d61546106b36ca20b21a00026) Avoid JS errors for HTMLEditorFields in small holders (Daniel Hensby) + * 2017-07-26 [82c0632](https://github.com/silverstripe/silverstripe-framework/commit/82c0632f46e00a251d287811652429036d200eff) Use Config API for MemberAuthenticator::$migrate_legacy_hashes (fixes #7208) (Loz Calver) + * 2017-07-19 [292aaf6](https://github.com/silverstripe/silverstripe-framework/commit/292aaf65301b2be4bb5e6e1505ccbe98b8ade67f) Cache IDs grouped by site first (Daniel Hensby) + * 2017-07-18 [b77274c](https://github.com/silverstripe/silverstripe-framework/commit/b77274c1a3c3ab8cfa0abf939aa2e4735e534171) Add unique prefix to cache stores to prevent cache leak (Daniel Hensby) + * 2017-07-17 [515a7cb](https://github.com/silverstripe/silverstripe-cms/commit/515a7cb569f0cf90787b44fca8845760b539fabe) Make sure VirtualPage renders correct templates (Daniel Hensby) + * 2017-07-06 [a6db16b](https://github.com/silverstripe/silverstripe-framework/commit/a6db16b2298738e1ef1329329cbef7c6b33f993e) OS X issue with `Convert::html2raw`, `HTMLText::FirstSentence`, `HTMLText::Summary` and `Text::FirstSentence`. (Roman Schmid) + * 2017-06-29 [79a7b10](https://github.com/silverstripe/silverstripe-framework/commit/79a7b1016e6046af4f07fcd8bfb40773d1066b7e) add missing $rootCall param from LeftAndMain (Daniel Hensby) + * 2017-06-20 [e2116a7](https://github.com/silverstripe/silverstripe-framework/commit/e2116a70ef34433bfe712b4164ae416a76d4430d) Text colour in GridField filter headers for dropdown fields (Robbie Averill) + * 2017-06-14 [2afe018](https://github.com/silverstripe/silverstripe-framework/commit/2afe018dc7e380ac84f8e1f7986ce0247e9a254b) Ensure HasManyList foreign ID filter includes table name (fixes #7023) (Loz Calver) + * 2017-06-12 [53c84d9](https://github.com/silverstripe/silverstripe-framework/commit/53c84d93da0f0681fdcb3a061ebe529fd3cd9a9e) changetracker checkbox bugs (Brian Cairns) + * 2017-06-12 [a5c84b1](https://github.com/silverstripe/silverstripe-framework/commit/a5c84b12ab3c0759f696fc48fee3475bab6b3e20) Order of conditionals for getting default admin (Daniel Hensby) + * 2017-06-06 [4ad2cae](https://github.com/silverstripe/silverstripe-framework/commit/4ad2cae8642d21e37b5132e4040ca45d2d66c193) Upload_Validator failed to fetch max size from PHP ini values (fixes #6999) (Loz Calver) + * 2017-06-05 [5f5bfa5](https://github.com/silverstripe/silverstripe-framework/commit/5f5bfa5e7045cc96f89fca417f0a7d99dc662fab) create temp folder if it does not exist (Christopher Joe) + * 2017-06-02 [4b9d5dc](https://github.com/silverstripe/silverstripe-framework/commit/4b9d5dceb892a9c41925d058d953a8849b407276) tinymce image selection issue in newer versions of Chrome (Christopher Joe) + * 2017-05-29 [b436819](https://github.com/silverstripe/silverstripe-framework/commit/b4368196d1bcee9fd1714b044c8ae6580c7941c9) Use plural name for ModelAdmin tab name (Robbie Averill) + * 2017-05-09 [3dd3036](https://github.com/silverstripe/silverstripe-framework/commit/3dd3036792962d5384a72aa0132a64aca7d2ebc2) Ensure GridState_Component is added to GridField config even if we set config with GridField::setConfig (Klemen Dolinsek) From b4412cedf64a185c05cd8891d9a229f4792c03eb Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Thu, 21 Sep 2017 09:11:36 +0000 Subject: [PATCH 6/9] Added 3.6.2-beta2 changelog --- docs/en/04_Changelogs/beta/3.6.2-beta2.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 docs/en/04_Changelogs/beta/3.6.2-beta2.md diff --git a/docs/en/04_Changelogs/beta/3.6.2-beta2.md b/docs/en/04_Changelogs/beta/3.6.2-beta2.md new file mode 100644 index 000000000..1df1adb35 --- /dev/null +++ b/docs/en/04_Changelogs/beta/3.6.2-beta2.md @@ -0,0 +1,5 @@ +# 3.6.2-beta2 + + + +## Change Log From ebe1de8d8b5bc739e74b1001aec3110b6175a303 Mon Sep 17 00:00:00 2001 From: Dylan Wagstaff Date: Wed, 27 Sep 2017 10:52:18 +1300 Subject: [PATCH 7/9] Fix ArrayList sort error with old (supported) PHP PHP 5.3 at least (the reported and tested against version) requires arguments to `call_user_func_array` to be passed by reference. There exists a note as a comment in the code, but was unfortunately overlooked in a previous commit to fix case sensitive sorting https://github.com/silverstripe/silverstripe-framework/commit/4998b8044530a83c617194d544b76a98f742386e#diff-6ba746c3d31fd6b4c4a99d7efe35eb21L442 To solve this issue we simply first assign the constant to a variable, so we can then pass that by reference. This has no functional impact, however fixes an issue for users locked in to old PHP versions which we still list as supported (https://docs.silverstripe.org/en/3/getting_started/server_requirements/#web-server-software-requirements). --- model/ArrayList.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/model/ArrayList.php b/model/ArrayList.php index 784fb55ce..b15e3b04c 100644 --- a/model/ArrayList.php +++ b/model/ArrayList.php @@ -448,7 +448,8 @@ class ArrayList extends ViewableData implements SS_List, SS_Filterable, SS_Sorta // First argument is the direction to be sorted, $multisortArgs[] = &$sortDirection[$column]; if ($firstRun) { - $multisortArgs[] = SORT_REGULAR; + $sortArg = SORT_REGULAR; + $multisortArgs[] = &$sortArg; } $firstRun = false; } From 393d1a9be6b1eb6da40929b58b2b75c911d7c0c2 Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Thu, 28 Sep 2017 15:37:07 +0000 Subject: [PATCH 8/9] Added 3.5.5 changelog --- docs/en/04_Changelogs/3.5.5.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 docs/en/04_Changelogs/3.5.5.md diff --git a/docs/en/04_Changelogs/3.5.5.md b/docs/en/04_Changelogs/3.5.5.md new file mode 100644 index 000000000..cd8a47bbd --- /dev/null +++ b/docs/en/04_Changelogs/3.5.5.md @@ -0,0 +1,33 @@ +# 3.5.5 + + + +## Change Log + +### Security + + * 2017-09-04 [f0262a8](https://github.com/silverstripe/silverstripe-framework/commit/f0262a8fd9ab5fb51b178ace3c3487351217f5a0) User enumeration via timing attack mitigated (Daniel Hensby) - See [ss-2017-005](http://www.silverstripe.org/download/security-releases/ss-2017-005) + +### Bugfixes + + * 2017-09-26 [ebe1de8](https://github.com/silverstripe/silverstripe-framework/commit/ebe1de8d8b5bc739e74b1001aec3110b6175a303) ArrayList sort error with old (supported) PHP (Dylan Wagstaff) + * 2017-09-12 [091d99f](https://github.com/silverstripe/silverstripe-framework/commit/091d99f599dcacf6aef2ad1df48311c2399f150c) Authenticators are more resilient to incomplete configuration (Daniel Hensby) + * 2017-08-28 [7b200a2](https://github.com/silverstripe/silverstripe-framework/commit/7b200a2a642a78bffcf0a2f417a4757fb216ecfb) add combinedFiles to clear logic (Christopher Joe) + * 2017-08-16 [eb80a5f](https://github.com/silverstripe/silverstripe-framework/commit/eb80a5f9e89e69480edc7f1c9c66cc7403f547f1) LastEdited no longer updated on skipped writes (Daniel Hensby) + * 2017-08-14 [b04a1ab](https://github.com/silverstripe/silverstripe-framework/commit/b04a1ab41c4051923e9d9a9af5dedfa5a3ef67d8) Truncate Error Issue when using views in a Unittest. (James Pluck) + * 2017-07-26 [31c5eeb](https://github.com/silverstripe/silverstripe-framework/commit/31c5eebda089867d61546106b36ca20b21a00026) Avoid JS errors for HTMLEditorFields in small holders (Daniel Hensby) + * 2017-07-26 [82c0632](https://github.com/silverstripe/silverstripe-framework/commit/82c0632f46e00a251d287811652429036d200eff) Use Config API for MemberAuthenticator::$migrate_legacy_hashes (fixes #7208) (Loz Calver) + * 2017-07-19 [292aaf6](https://github.com/silverstripe/silverstripe-framework/commit/292aaf65301b2be4bb5e6e1505ccbe98b8ade67f) Cache IDs grouped by site first (Daniel Hensby) + * 2017-07-18 [b77274c](https://github.com/silverstripe/silverstripe-framework/commit/b77274c1a3c3ab8cfa0abf939aa2e4735e534171) Add unique prefix to cache stores to prevent cache leak (Daniel Hensby) + * 2017-07-17 [515a7cb](https://github.com/silverstripe/silverstripe-cms/commit/515a7cb569f0cf90787b44fca8845760b539fabe) Make sure VirtualPage renders correct templates (Daniel Hensby) + * 2017-07-06 [a6db16b](https://github.com/silverstripe/silverstripe-framework/commit/a6db16b2298738e1ef1329329cbef7c6b33f993e) OS X issue with `Convert::html2raw`, `HTMLText::FirstSentence`, `HTMLText::Summary` and `Text::FirstSentence`. (Roman Schmid) + * 2017-06-29 [79a7b10](https://github.com/silverstripe/silverstripe-framework/commit/79a7b1016e6046af4f07fcd8bfb40773d1066b7e) add missing $rootCall param from LeftAndMain (Daniel Hensby) + * 2017-06-20 [e2116a7](https://github.com/silverstripe/silverstripe-framework/commit/e2116a70ef34433bfe712b4164ae416a76d4430d) Text colour in GridField filter headers for dropdown fields (Robbie Averill) + * 2017-06-14 [2afe018](https://github.com/silverstripe/silverstripe-framework/commit/2afe018dc7e380ac84f8e1f7986ce0247e9a254b) Ensure HasManyList foreign ID filter includes table name (fixes #7023) (Loz Calver) + * 2017-06-12 [53c84d9](https://github.com/silverstripe/silverstripe-framework/commit/53c84d93da0f0681fdcb3a061ebe529fd3cd9a9e) changetracker checkbox bugs (Brian Cairns) + * 2017-06-12 [a5c84b1](https://github.com/silverstripe/silverstripe-framework/commit/a5c84b12ab3c0759f696fc48fee3475bab6b3e20) Order of conditionals for getting default admin (Daniel Hensby) + * 2017-06-06 [4ad2cae](https://github.com/silverstripe/silverstripe-framework/commit/4ad2cae8642d21e37b5132e4040ca45d2d66c193) Upload_Validator failed to fetch max size from PHP ini values (fixes #6999) (Loz Calver) + * 2017-06-05 [5f5bfa5](https://github.com/silverstripe/silverstripe-framework/commit/5f5bfa5e7045cc96f89fca417f0a7d99dc662fab) create temp folder if it does not exist (Christopher Joe) + * 2017-06-02 [4b9d5dc](https://github.com/silverstripe/silverstripe-framework/commit/4b9d5dceb892a9c41925d058d953a8849b407276) tinymce image selection issue in newer versions of Chrome (Christopher Joe) + * 2017-05-29 [b436819](https://github.com/silverstripe/silverstripe-framework/commit/b4368196d1bcee9fd1714b044c8ae6580c7941c9) Use plural name for ModelAdmin tab name (Robbie Averill) + * 2017-05-09 [3dd3036](https://github.com/silverstripe/silverstripe-framework/commit/3dd3036792962d5384a72aa0132a64aca7d2ebc2) Ensure GridState_Component is added to GridField config even if we set config with GridField::setConfig (Klemen Dolinsek) From 3f5ddc7d003920a3f4bd65a33ce1150fbe4ee60e Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Thu, 28 Sep 2017 16:05:53 +0000 Subject: [PATCH 9/9] Added 3.6.2 changelog --- docs/en/04_Changelogs/3.6.2.md | 38 ++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 docs/en/04_Changelogs/3.6.2.md diff --git a/docs/en/04_Changelogs/3.6.2.md b/docs/en/04_Changelogs/3.6.2.md new file mode 100644 index 000000000..f495694e0 --- /dev/null +++ b/docs/en/04_Changelogs/3.6.2.md @@ -0,0 +1,38 @@ +# 3.6.2 + + + +## Change Log + +### Security + + * 2017-09-04 [f0262a8](https://github.com/silverstripe/silverstripe-framework/commit/f0262a8fd9ab5fb51b178ace3c3487351217f5a0) User enumeration via timing attack mitigated (Daniel Hensby) - See [ss-2017-005](http://www.silverstripe.org/download/security-releases/ss-2017-005) + +### Features and Enhancements + + * 2017-08-24 [fdd5011](https://github.com/silverstripe/silverstripe-framework/commit/fdd501182e8403ef082c2954bb66e0b8b6dd7b71) Ability to override SS_TemplateManifest via Injector (fixes #7305) (Patrick Nelson) + +### Bugfixes + + * 2017-09-26 [ebe1de8](https://github.com/silverstripe/silverstripe-framework/commit/ebe1de8d8b5bc739e74b1001aec3110b6175a303) ArrayList sort error with old (supported) PHP (Dylan Wagstaff) + * 2017-09-12 [091d99f](https://github.com/silverstripe/silverstripe-framework/commit/091d99f599dcacf6aef2ad1df48311c2399f150c) Authenticators are more resilient to incomplete configuration (Daniel Hensby) + * 2017-08-28 [7b200a2](https://github.com/silverstripe/silverstripe-framework/commit/7b200a2a642a78bffcf0a2f417a4757fb216ecfb) add combinedFiles to clear logic (Christopher Joe) + * 2017-08-16 [eb80a5f](https://github.com/silverstripe/silverstripe-framework/commit/eb80a5f9e89e69480edc7f1c9c66cc7403f547f1) LastEdited no longer updated on skipped writes (Daniel Hensby) + * 2017-08-14 [b04a1ab](https://github.com/silverstripe/silverstripe-framework/commit/b04a1ab41c4051923e9d9a9af5dedfa5a3ef67d8) Truncate Error Issue when using views in a Unittest. (James Pluck) + * 2017-08-06 [59b28f7](https://github.com/silverstripe/silverstripe-framework/commit/59b28f7d5bcefd477766611a99643f121af3dc56) Fixes #7181 to config system for userland config of node display limits. (Russell Michell) + * 2017-07-26 [31c5eeb](https://github.com/silverstripe/silverstripe-framework/commit/31c5eebda089867d61546106b36ca20b21a00026) Avoid JS errors for HTMLEditorFields in small holders (Daniel Hensby) + * 2017-07-26 [82c0632](https://github.com/silverstripe/silverstripe-framework/commit/82c0632f46e00a251d287811652429036d200eff) Use Config API for MemberAuthenticator::$migrate_legacy_hashes (fixes #7208) (Loz Calver) + * 2017-07-19 [292aaf6](https://github.com/silverstripe/silverstripe-framework/commit/292aaf65301b2be4bb5e6e1505ccbe98b8ade67f) Cache IDs grouped by site first (Daniel Hensby) + * 2017-07-18 [b77274c](https://github.com/silverstripe/silverstripe-framework/commit/b77274c1a3c3ab8cfa0abf939aa2e4735e534171) Add unique prefix to cache stores to prevent cache leak (Daniel Hensby) + * 2017-07-17 [515a7cb](https://github.com/silverstripe/silverstripe-cms/commit/515a7cb569f0cf90787b44fca8845760b539fabe) Make sure VirtualPage renders correct templates (Daniel Hensby) + * 2017-07-10 [960a0f8](https://github.com/silverstripe/silverstripe-framework/commit/960a0f8343e5ff8379906c2476af4b74da0fd9c9) Make File::ini2bytes() compliant with binary prefixes (fixes #7145) (Loz Calver) + * 2017-07-06 [a6db16b](https://github.com/silverstripe/silverstripe-framework/commit/a6db16b2298738e1ef1329329cbef7c6b33f993e) OS X issue with `Convert::html2raw`, `HTMLText::FirstSentence`, `HTMLText::Summary` and `Text::FirstSentence`. (Roman Schmid) + * 2017-06-29 [79a7b10](https://github.com/silverstripe/silverstripe-framework/commit/79a7b1016e6046af4f07fcd8bfb40773d1066b7e) add missing $rootCall param from LeftAndMain (Daniel Hensby) + * 2017-06-20 [e2116a7](https://github.com/silverstripe/silverstripe-framework/commit/e2116a70ef34433bfe712b4164ae416a76d4430d) Text colour in GridField filter headers for dropdown fields (Robbie Averill) + * 2017-06-14 [2afe018](https://github.com/silverstripe/silverstripe-framework/commit/2afe018dc7e380ac84f8e1f7986ce0247e9a254b) Ensure HasManyList foreign ID filter includes table name (fixes #7023) (Loz Calver) + * 2017-06-12 [53c84d9](https://github.com/silverstripe/silverstripe-framework/commit/53c84d93da0f0681fdcb3a061ebe529fd3cd9a9e) changetracker checkbox bugs (Brian Cairns) + * 2017-06-12 [a5c84b1](https://github.com/silverstripe/silverstripe-framework/commit/a5c84b12ab3c0759f696fc48fee3475bab6b3e20) Order of conditionals for getting default admin (Daniel Hensby) + * 2017-06-06 [4ad2cae](https://github.com/silverstripe/silverstripe-framework/commit/4ad2cae8642d21e37b5132e4040ca45d2d66c193) Upload_Validator failed to fetch max size from PHP ini values (fixes #6999) (Loz Calver) + * 2017-06-05 [5f5bfa5](https://github.com/silverstripe/silverstripe-framework/commit/5f5bfa5e7045cc96f89fca417f0a7d99dc662fab) create temp folder if it does not exist (Christopher Joe) + * 2017-06-02 [4b9d5dc](https://github.com/silverstripe/silverstripe-framework/commit/4b9d5dceb892a9c41925d058d953a8849b407276) tinymce image selection issue in newer versions of Chrome (Christopher Joe) + * 2017-05-09 [3dd3036](https://github.com/silverstripe/silverstripe-framework/commit/3dd3036792962d5384a72aa0132a64aca7d2ebc2) Ensure GridState_Component is added to GridField config even if we set config with GridField::setConfig (Klemen Dolinsek)