tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

Merge branch 'heads/3.6.6' into 3.6

Browse Source
This commit is contained in:
Robbie Averill 2018-05-28 17:44:28 +12:00
commit d21660971f
3 changed files with 37 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
docs/en/04_Changelogs/3.6.6.md Normal file
View File

@ -0,0 +1,17 @@
# 3.6.6
This security release removes the following file extensions from the default whitelist of accepted types for
uploaded files: `dotm`, `potm`, `jar`, `css`, `js` and `xltm`.
If you require the ability to upload these file types in your projects, you will need to add them back in again.
For more information, see ["Limit the allowed file types"](https://docs.silverstripe.org/en/3/developer_guides/forms/field_types/uploadfield/#limit-the-allowed-filetypes).
<!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
* 2018-05-08 [19fdebfa2](https://github.com/silverstripe/silverstripe-framework/commit/19fdebfa2) Remove dotm, potm, jar, css, js, xltm from default File.allowed_extensions (Robbie Averill) - See [ss-2018-014](http://www.silverstripe.org/download/security-releases/ss-2018-014)
* 2018-04-11 [577138882](https://github.com/silverstripe/silverstripe-framework/commit/577138882) Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See [ss-2018-001](http://www.silverstripe.org/download/security-releases/ss-2018-001)

16
docs/en/04_Changelogs/rc/3.6.6-rc1.md Normal file
View File

@ -0,0 +1,16 @@
# 3.6.6-rc1
This security release removes the following file extensions from the default whitelist of accepted types for
uploaded files: `dotm`, `potm`, `jar`, `css`, `js` and `xltm`.
If you require the ability to upload these file types in your projects, you will need to add them back in again.
For more information, see ["Limit the allowed file types"](https://docs.silverstripe.org/en/3/developer_guides/forms/field_types/uploadfield/#limit-the-allowed-filetypes).
<!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
* 2018-05-08 [19fdebfa2]() Remove dotm, potm, jar, css, js, xltm from default File.allowed_extensions (Robbie Averill) - See [ss-2018-014](http://www.silverstripe.org/download/security-releases/ss-2018-014)
* 2018-04-11 [577138882]() Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See [ss-2018-001](http://www.silverstripe.org/download/security-releases/ss-2018-001)

8
filesystem/File.php
View File

@ -126,11 +126,11 @@ class File extends DataObject {
* Instructions for the change you need to make are included in a comment in the config file. * Instructions for the change you need to make are included in a comment in the config file.
*/ */
private static $allowed_extensions = array( private static $allowed_extensions = array(
'','ace','arc','arj','asf','au','avi','bmp','bz2','cab','cda','css','csv','dmg','doc','docx','dotx','dotm', '','ace','arc','arj','asf','au','avi','bmp','bz2','cab','cda','csv','dmg','doc','docx','dotx',
'flv','gif','gpx','gz','hqx','ico','jar','jpeg','jpg','js','kml', 'm4a','m4v', 'flv','gif','gpx','gz','hqx','ico','jpeg','jpg','kml', 'm4a','m4v',
'mid','midi','mkv','mov','mp3','mp4','mpa','mpeg','mpg','ogg','ogv','pages','pcx','pdf','pkg', 'mid','midi','mkv','mov','mp3','mp4','mpa','mpeg','mpg','ogg','ogv','pages','pcx','pdf','pkg',
'png','pps','ppt','pptx','potx','potm','ra','ram','rm','rtf','sit','sitx', 'tar','tgz','tif','tiff', 'png','pps','ppt','pptx','potx','ra','ram','rm','rtf','sit','sitx', 'tar','tgz','tif','tiff',
'txt','wav','webm','wma','wmv','xls','xlsx','xltx','xltm','zip','zipx', 'txt','wav','webm','wma','wmv','xls','xlsx','xltx','zip','zipx',
); );
/** /**