Merge branch '4.6' into 4

This commit is contained in:
Garion Herman 2020-07-13 12:28:14 +12:00
commit d408a4e714
15 changed files with 962 additions and 186 deletions

View File

@ -205,8 +205,6 @@ mappings:
FunctionalTest: SilverStripe\Dev\FunctionalTest FunctionalTest: SilverStripe\Dev\FunctionalTest
InstallerTest: SilverStripe\Dev\InstallerTest InstallerTest: SilverStripe\Dev\InstallerTest
MigrationTask: SilverStripe\Dev\MigrationTask MigrationTask: SilverStripe\Dev\MigrationTask
SapphireInfo: SilverStripe\Dev\SapphireInfo
SapphireREPL: SilverStripe\Dev\SapphireREPL
SapphireTest: SilverStripe\Dev\SapphireTest SapphireTest: SilverStripe\Dev\SapphireTest
TaskRunner: SilverStripe\Dev\TaskRunner TaskRunner: SilverStripe\Dev\TaskRunner
TestMailer: SilverStripe\Dev\TestMailer TestMailer: SilverStripe\Dev\TestMailer
@ -1016,6 +1014,14 @@ warnings:
message: 'Use SilverStripe\CMS\BatchActions\CMSBatchAction_Archive instead' message: 'Use SilverStripe\CMS\BatchActions\CMSBatchAction_Archive instead'
'EncryptAllPasswordsTask': 'EncryptAllPasswordsTask':
message: 'Removed' message: 'Removed'
'SapphireInfo':
message: 'Removed'
'SilverStripe\Dev\SapphireREPL':
message: 'Removed'
'SilverStripe\Dev\SapphireInfo':
message: 'Deprecated'
'SilverStripe\Dev\InstallerTest':
message: 'Deprecated'
methods: methods:
'SilverStripe\Security\Authenticator::register()': 'SilverStripe\Security\Authenticator::register()':
message: 'Custom authenticators work differently now' message: 'Custom authenticators work differently now'

View File

@ -14,10 +14,6 @@ SilverStripe\Control\Director:
'Security//$Action/$ID/$OtherID': SilverStripe\Security\Security 'Security//$Action/$ID/$OtherID': SilverStripe\Security\Security
'CMSSecurity//$Action/$ID/$OtherID': SilverStripe\Security\CMSSecurity 'CMSSecurity//$Action/$ID/$OtherID': SilverStripe\Security\CMSSecurity
'dev': SilverStripe\Dev\DevelopmentAdmin 'dev': SilverStripe\Dev\DevelopmentAdmin
'interactive': SilverStripe\Dev\SapphireREPL
'InstallerTest//$Action/$ID/$OtherID': SilverStripe\Dev\InstallerTest
'SapphireInfo//$Action/$ID/$OtherID': SilverStripe\Dev\SapphireInfo
'SapphireREPL//$Action/$ID/$OtherID': SilverStripe\Dev\SapphireREPL
--- ---
Name: security-limited Name: security-limited
After: After:

View File

@ -0,0 +1,159 @@
---
title: Controlling CanView access to DataObjects returned by GraphQL
summary: Your GraphQL service should honour the CanView permission when fetching DataObjects. Learn how to customise this access control check.
icon: cookie-bite
---
# Controlling who can view results in a GraphQL result set
The [Silverstripe ORM provides methods to control permissions on DataObject](Developer_Guides/Model/Permissions). In
most cases, you'll want to extend this permission model to any GraphQL service you implement that returns a DataObject.
## The QueryPermissionChecker interface
The GraphQL module includes a `QueryPermissionChecker` interface. This interface can be used to specify how GraphQL
services should validate that users have access to the DataObjects they are requesting.
The default implementation of `QueryPermissionChecker` is `CanViewPermissionChecker`. `CanViewPermissionChecker` directly calls the `CanView` method of each DataObject in your result set and filters out the entries not visible to the current user.
Out of the box, the `CanView` permission of your DataObjects are honoured when Scaffolding GraphQL queries.
## Customising how the results are filtered
`CanViewPermissionChecker` has some limitations. It's rather simplistic and will load each entry in your results set to perform a CanView call on it. It will also convert the results set to an `ArrayList` which can be inconvenient if you need to alter the underlying query after the _CanView_ check.
Depending on your exact use case, you may want to implement your own `QueryPermissionChecker` instead of relying
on `CanViewPermissionChecker`.
Some of the reasons you might consider this are:
* the access permissions on your GraphQL service differ from the ones implemented directly on your DataObject
* you want to speed up your request by filtering out results the user doesn't have access to directly in the query
* you would rather have a `DataList` be returned.
### Implementing your own QueryPermissionChecker class
The `QueryPermissionChecker` requires your class to implement two methods:
* `applyToList` which filters a `Filterable` list based on whether a provided `Member` can view the results
* `checkItem` which checks if a provided object can be viewed by a specific `Member`.
#### Filtering results based on the user's permissions
In some context, whether a user can view an object is entirely determined on their permissions. When that's the
case, you don't even need to get results to know if the user will be able to see them or not.
```php
<?php
use SilverStripe\GraphQL\Permission\QueryPermissionChecker;
use SilverStripe\ORM\ArrayList;
use SilverStripe\ORM\Filterable;
use SilverStripe\Security\Member;
use SilverStripe\Security\Permission;
/**
* This implementation assumes that only users with the ADMIN permission can view results.
*/
class AdminPermissionChecker implements QueryPermissionChecker
{
public function applyToList(Filterable $list, Member $member = null)
{
return Permission::check('ADMIN', 'any', $member) ?
$list :
ArrayList::create([]);
}
public function checkItem($item, Member $member = null)
{
return Permission::check('ADMIN', 'any', $member);
}
}
```
#### Filtering results based on the user's permissions
Some times, whether a user can view an object is determined by some information on the record. If that's the case,
you can filter out results the user can not see by altering the query. This has some performance advantage, because
the results are filtered directly by the query.
```php
<?php
use SilverStripe\GraphQL\Permission\QueryPermissionChecker;
use SilverStripe\ORM\Filterable;
use SilverStripe\Security\Member;
/**
* This implementation assumes that the results are assigned an owner and that only the owner can view a record.
*/
class OwnerPermissionChecker implements QueryPermissionChecker
{
public function applyToList(Filterable $list, Member $member = null)
{
return $list->filter('OwnerID', $member ? $member->ID : -1);
}
public function checkItem($item, Member $member = null)
{
return $member && $item->OwnerID === $member->ID;
}
}
```
### Using a custom QueryPermissionChecker implementation
There's three classes that expect a `QueryPermissionChecker`:
* `SilverStripe\GraphQL\Scaffolding\Scaffolders\ItemQueryScaffolder`
* `SilverStripe\GraphQL\Scaffolding\Scaffolders\ListQueryScaffolder`
* `SilverStripe\GraphQL\Pagination\Connection`
Those classes all implement the `SilverStripe\GraphQL\Permission\PermissionCheckerAware` and receive the default
`QueryPermissionChecker` from the Injector. They also have a `setPermissionChecker` method that can be use to provide a custom `QueryPermissionChecker`.
#### Scaffolding types with a custom QueryPermissionChecker implementation
There's not any elegant way of defining a custom `QueryPermissionChecker` when scaffolding types at this time. If
you need the ability to use a custom `QueryPermissionChecker`, you'll have to build your query manually.
#### Overriding the QueryPermissionChecker for a class extending ListQueryScaffolder
If you've created a GraphQL query by creating a subclass of `ListQueryScaffolder`, you can use the injector to
override `QueryPermissionChecker`.
```yaml
---
Name: custom-graphqlconfig
After: graphqlconfig
---
SilverStripe\Core\Injector\Injector:
SilverStripe\GraphQL\Permission\QueryPermissionChecker.my-custom:
class: App\Project\CustomQueryPermissionChecker
App\Project\CustomListQueryScaffolder:
properties:
permissionChecker: '%$SilverStripe\GraphQL\Permission\QueryPermissionChecker.my-custom'
```
#### Manually specifying a QueryPermissionChecker on a Connection
If you're manually instantiating an instance of `SilverStripe\GraphQL\Pagination\Connection` to resolve your results,
you can pass an instance of your own custom `QueryPermissionChecker`.
```php
$childrenConnection = Connection::create('Children')
->setConnectionType($this->manager->getType('Children'))
->setSortableFields([
'id' => 'ID',
'title' => 'Title',
'created' => 'Created',
'lastEdited' => 'LastEdited',
])
->setPermissionChecker(new CustomQueryPermissionChecker());
```
## API Documentation
* [CanViewPermissionChecker](api:SilverStripe\GraphQL\Permission\CanViewPermissionChecker)
* [Connection](api:SilverStripe\GraphQL\Pagination\Connection)
* [ItemQueryScaffolder](api:SilverStripe\GraphQL\Scaffolding\Scaffolders\ItemQueryScaffolder)
* [ListQueryScaffolder](api:SilverStripe\GraphQL\Scaffolding\Scaffolders\ListQueryScaffolder)
* [PermissionCheckerAware](api:SilverStripe\GraphQL\Permission\PermissionCheckerAware)
* [QueryPermissionChecker](api:SilverStripe\GraphQL\Permission\QueryPermissionChecker)

View File

@ -0,0 +1,20 @@
---
title: GraphQL
summary: Learn how to create and customise GraphQL services on your Silverstripe CMS project.
introduction: Learn how to create and customise GraphQL services on your Silverstripe CMS project.
icon: cookie
---
[CHILDREN]
## Additional documentation
A substantial part of the GraphQL documentation for Silverstripe CMS still
reside on the GraphQL module's _Readme_ file. We are in the process of folding
this information back into the main Silverstripe CMS documentation.
* [silverstripe/graphql](https://github.com/silverstripe/silverstripe-graphql/)
## API Documentation
* [GraphQL](api:SilverStripe\GraphQL)

View File

@ -0,0 +1,131 @@
# 4.4.7
## Security patches
This release contains security patches. Some of those patches might require some updates to your project.
* [CVE-2020-9309 Script execution on protected files](https://www.silverstripe.org/download/security-releases/CVE-2020-9309)
* [CVE-2019-19326 Web Cache Poisoning](https://www.silverstripe.org/download/security-releases/CVE-2019-19326)
* [CVE-2020-6164 Information disclosure on /interactive URL path](https://www.silverstripe.org/download/security-releases/CVE-2020-6164)
### CVE-2020-9309 Script execution on protected files {#CVE-2020-9309}
Silverstripe can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents.
#### Risk factors
If your project already includes the `silverstripe/mimevalidator` module, it's already protected. CWP projects are already protected.
If your project includes the `silverstripe/userforms` module or allows anonymous users to upload files, it's at a higher risk because malicious users can create files without requiring a CMS access.
#### Actions you need to take
If your project already includes the `silverstripe/mimevalidator` module, you do not need to do anything. To check if the `silverstripe/mimevalidator` module is installed in your project, run this command from your project root.
```sh
composer show silverstripe/mimevalidator
```
If you get an error, the module is not installed.
**Upgrading to `silverstripe/recipe-cms` 4.4.7 will NOT automatically install `silverstripe/mimevalidator`**. You need to manually install the module `silverstripe/mimevalidator`. To add `silverstripe/mimevalidator` to your project, run this command.
```sh
composer require silverstripe/mimevalidator
```
After installing the `mimevalidator` module, you need to enable it by adding this code snippet to your YML configuration.
```yml
SilverStripe\Core\Injector\Injector:
SilverStripe\Assets\Upload_Validator:
class: SilverStripe\MimeValidator\MimeUploadValidator
```
If your project overrides the defaults allowed file types, it's important that you take the time to review your configuration and adjust it as need be to work with `silverstripe/mimevalidator`.
Read the [Allowed file types](/Developer_Guides/Files/Allowed_file_types) documentation for more details on controling the type of files that can be stored in your Silverstrip CMS Project.
#### Special consideration when upgrading Userforms
The `silverstripe/userforms` module now also includes `silverstripe/mimevalidator` in its dependencies. Upgrading to the following versions of userforms will automatically install `silverstripe/mimevalidator`:
* 5.4.3 or later
* 5.5.3 or later
* 5.6.0 or later (requires CMS 4.6.0)
Userforms that include a file upload field will automatically use the`MimeUploadValidator`. Beware that this will NOT change the default upload validator for other file upload fields in the CMS. You'll need to update your YML configuration for the `MimeUploadValidator` to be used everywhere.
### CVE-2019-19326 Web Cache Poisoning {#CVE-2019-19326}
Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the:
* `X-Original-Url` HTTP header
* `X-HTTP-Method-Override` HTTP header
* `_method` POST variable.
In order to remedy this vulnerability, Silverstripe Framework 4.4.7 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution.
### Re-enabling the support for removed features
These features are best implemented by defining a `Middleware`.
The following example illustrates how to implement an `HTTPMiddleware` that restores support for the `X-Original-Url` header and the `_method` POST parameter for requests originating from a trusted proxy.
```php
<?php
use SilverStripe\Control\Middleware\HTTPMiddleware;
use SilverStripe\Control\HTTPRequest;
/**
* This is meant to illustrate how to implement an HTTPMiddleware. If you blindly
* copy-paste this in in your code base, you'll simply replicate the vulnerability.
*/
class InsecureHeaderMiddleware implements HTTPMiddleware
{
public function process(HTTPRequest $request, callable $delegate)
{
// Normally, you would validate that the request is coming from a trusted source at this point.
// View SilverStripe\Control\Middleware\TrustedProxyMiddleware for an example.
$trustedProxy = true;
if ($trustedProxy) {
$originalUrl = $request->getHeader('X-Original-Url');
if ($originalUrl) {
$_SERVER['REQUEST_URI'] = $originalUrl;
$request->setUrl($originalUrl);
}
$methodOverride = $request->postVar('_method');
$validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD'];
if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) {
$request->setHttpMethod($methodOverride);
}
}
return $delegate($request);
}
}
```
To learn more about re-implementing support for the disabled features:
* read [how to configure trusted proxies](/developer_guides/security/secure_coding/#request-hostname-forgery) on the Silverstripe documentation.
* read the [documentation about HTTP Middlewares](/developer_guides/controllers/middlewares/).
### CVE-2020-6164 Information disclosure on /interactive URL path
A specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).
<!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
* 2020-05-13 [91d30db88](https://github.com/silverstripe/silverstripe-framework/commit/91d30db88f68b9b87980ef9a59e208a81980b72c) Remove/deprecate unused controllers that can potentially give away some information about the underlying project. (Maxime Rainville) - See [cve-2020-6164](https://www.silverstripe.org/download/security-releases/cve-2020-6164)
* 2020-05-11 [107706c12](https://github.com/silverstripe/silverstripe-framework/commit/107706c12cd9cf4d1b8b96b6a6e223633209d851) Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod() (Maxime Rainville) - See [cve-2019-19326](https://www.silverstripe.org/download/security-releases/cve-2019-19326)
### Bugfixes
* 2020-06-01 [3df2222](https://github.com/silverstripe/silverstripe-asset-admin/commit/3df222203ee563fac840e5e0727c75ddfe244886) Prevent react-selectable from interfering with pagination (Maxime Rainville)
* 2020-05-05 [2cc037b](https://github.com/silverstripe/silverstripe-versioned/commit/2cc037b2d305ed98056a9232587351949e59561f) Fix merge conflict in Travis configuration (Robbie Averill)
* 2020-02-24 [bba0f2f72](https://github.com/silverstripe/silverstripe-framework/commit/bba0f2f72fa2e631dbf60357a908d5d57d4467ee) Fixed issue where TimeField_Readonly would only show "(not set)" instead of the value (UndefinedOffset)
* 2020-02-18 [e0de15f](https://github.com/silverstripe/silverstripe-errorpage/commit/e0de15f85a09ac848cb110f49cef58624d1e892f) Fix broken test when FulltextSearchable is enabled (Maxime Rainville)
* 2019-09-02 [6d8a4bc](https://github.com/silverstripe/silverstripe-assets/commit/6d8a4bc4f4178c0b56ede1b01f87b162066d550a) Make AbsoluteLink work with manipulated images (fixes #322) (Loz Calver)
<!--- Changes above this line will be automatically regenerated -->

View File

@ -0,0 +1,176 @@
# 4.5.3
## Security patches
This release contains security patches. Some of those patches might require some updates to your project.
* [CVE-2020-9309 Script execution on protected files](https://www.silverstripe.org/download/security-releases/CVE-2020-9309)
* [CVE-2019-19326 Web Cache Poisoning](https://www.silverstripe.org/download/security-releases/CVE-2019-19326)
* [CVE-2020-6164 Information disclosure on /interactive URL path](https://www.silverstripe.org/download/security-releases/CVE-2020-6164)
* [CVE-2020-6165 Limited queries break CanViewPermissionChecker](https://www.silverstripe.org/download/security-releases/CVE-2020-6165)
### CVE-2020-9309 Script execution on protected files {#CVE-2020-9309}
Silverstripe can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents.
#### Risk factors
If your project already includes the `silverstripe/mimevalidator` module, it's already protected. CWP projects are already protected.
If your project includes the `silverstripe/userforms` module or allows anonymous users to upload files, it's at a higher risk because malicious users can create files without requiring a CMS access.
#### Actions you need to take
If your project already includes the `silverstripe/mimevalidator` module, you do not need to do anything. To check if the `silverstripe/mimevalidator` module is installed in your project, run this command from your project root.
```sh
composer show silverstripe/mimevalidator
```
If you get an error, the module is not installed.
**Upgrading to `silverstripe/recipe-cms` 4.5.3 will NOT automatically install `silverstripe/mimevalidator`**. You need to manually install the module `silverstripe/mimevalidator`. To add `silverstripe/mimevalidator` to your project, run this command.
```sh
composer require silverstripe/mimevalidator
```
After installing the `mimevalidator` module, you need to enable it by adding this code snippet to your YML configuration.
```yml
SilverStripe\Core\Injector\Injector:
SilverStripe\Assets\Upload_Validator:
class: SilverStripe\MimeValidator\MimeUploadValidator
```
If your project overrides the defaults allowed file types, it's important that you take the time to review your configuration and adjust it as need be to work with `silverstripe/mimevalidator`.
Read the [Allowed file types](/Developer_Guides/Files/Allowed_file_types) documentation for more details on controling the type of files that can be stored in your Silverstrip CMS Project.
#### Special consideration when upgrading Userforms
The `silverstripe/userforms` module now also includes `silverstripe/mimevalidator` in its dependencies. Upgrading to the following versions of userforms will automatically install `silverstripe/mimevalidator`:
* 5.4.3 or later
* 5.5.3 or later
* 5.6.0 or later (requires CMS 4.6.0)
Userforms that include a file upload field will automatically use the`MimeUploadValidator`. Beware that this will NOT change the default upload validator for other file upload fields in the CMS. You'll need to update your YML configuration for the `MimeUploadValidator` to be used everywhere.
### CVE-2019-19326 Web Cache Poisoning {#CVE-2019-19326}
Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the:
* `X-Original-Url` HTTP header
* `X-HTTP-Method-Override` HTTP header
* `_method` POST variable.
In order to remedy this vulnerability, Silverstripe Framework 4.5.3 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution.
### Re-enabling the support for removed features
These features are best implemented by defining a `Middleware`.
The following example illustrates how to implement an `HTTPMiddleware` that restores support for the `X-Original-Url` header and the `_method` POST parameter for requests originating from a trusted proxy.
```php
<?php
use SilverStripe\Control\Middleware\HTTPMiddleware;
use SilverStripe\Control\HTTPRequest;
/**
* This is meant to illustrate how to implement an HTTPMiddleware. If you blindly
* copy-paste this in in your code base, you'll simply replicate the vulnerability.
*/
class InsecureHeaderMiddleware implements HTTPMiddleware
{
public function process(HTTPRequest $request, callable $delegate)
{
// Normally, you would validate that the request is coming from a trusted source at this point.
// View SilverStripe\Control\Middleware\TrustedProxyMiddleware for an example.
$trustedProxy = true;
if ($trustedProxy) {
$originalUrl = $request->getHeader('X-Original-Url');
if ($originalUrl) {
$_SERVER['REQUEST_URI'] = $originalUrl;
$request->setUrl($originalUrl);
}
$methodOverride = $request->postVar('_method');
$validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD'];
if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) {
$request->setHttpMethod($methodOverride);
}
}
return $delegate($request);
}
}
```
To learn more about re-implementing support for the disabled features:
* read [how to configure trusted proxies](/developer_guides/security/secure_coding/#request-hostname-forgery) on the Silverstripe documentation.
* read the [documentation about HTTP Middlewares](/developer_guides/controllers/middlewares/).
### CVE-2020-6164 Information disclosure on /interactive URL path
A specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).
### CVE-2020-6165 Limited queries break CanViewPermissionChecker
The automatic permission checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g. through pagination), resulting in records that should fail the permission check being added to the final result set.
If your project implements custom GraphQL queries using the `CanViewPermissionChecker`, you should validate that they still work as expected after the upgrade.
Read [Controlling who can view results in a GraphQL result set](/Developer_Guides/GraphQL/Verifying_CanView_Permission)
for more information on updating your GraphQL queries.
<!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
* 2020-05-13 [cce2b1630](https://github.com/silverstripe/silverstripe-framework/commit/cce2b1630937895aa28c2914837651e7cd56d74b) Remove/deprecate unused controllers that can potentially give away some information about the underlying project. (Maxime Rainville) - See [cve-2020-6164](https://www.silverstripe.org/download/security-releases/cve-2020-6164)
* 2020-05-11 [8518987cb](https://github.com/silverstripe/silverstripe-framework/commit/8518987cbd1eaca71b65dd4a4b35591db941509a) Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod() (Maxime Rainville) - See [cve-2019-19326](https://www.silverstripe.org/download/security-releases/cve-2019-19326)
* 2020-02-17 [d3968ad](https://github.com/silverstripe/silverstripe-asset-admin/commit/d3968adcbdb759cb20571865af3b6356c8922cde) Move the query resolution after the DataListQuery has been altered (Maxime Rainville) - See [cve-2020-6165](https://www.silverstripe.org/download/security-releases/cve-2020-6165)
* 2020-02-11 [107e6c9](https://github.com/silverstripe/silverstripe-graphql/commit/107e6c918bb6a6a536dd9e3d8f5c74b4acdfd852) Ensure canView() check is run on items (Steve Boyd) - See [cve-2020-6165](https://www.silverstripe.org/download/security-releases/cve-2020-6165)
### API Changes
* 2020-06-30 [ec83959f2](https://github.com/silverstripe/silverstripe-framework/commit/ec83959f2c3ff7784fdd9503601732b5d006de13) Remove UpgradeBootstrap (not part of our official API) (Maxime Rainville)
### Features and Enhancements
* 2020-04-15 [daa80d8](https://github.com/silverstripe/silverstripe-admin/commit/daa80d8d2c2a5eabf75cfd23bb40d5a4b0fab02a) Add secure icons (Sacha Judd)
### Bugfixes
* 2020-07-09 [b780c4f50](https://github.com/silverstripe/silverstripe-framework/commit/b780c4f504555e5ae2d3861f8772f87ab20e016e) Tweak DBHTMLText::Plain to avoid treating some chinese characters as line breaks. (Maxime Rainville)
* 2020-06-23 [e033f26](https://github.com/silverstripe/silverstripe-admin/commit/e033f26d16527c04fb09c9ae3c1582367cf1dcaf) Fix external link setting text to `undefined` on text (#1059) (Andre Kiste)
* 2020-06-01 [3df2222](https://github.com/silverstripe/silverstripe-asset-admin/commit/3df222203ee563fac840e5e0727c75ddfe244886) Prevent react-selectable from interfering with pagination (Maxime Rainville)
* 2020-05-26 [3e52b1a](https://github.com/silverstripe/silverstripe-admin/commit/3e52b1ae3e5fd45dfde05913fe2fc0edd7309d82) Vertically align form description contents (including icons) (bergice)
* 2020-05-26 [09d2061](https://github.com/silverstripe/silverstripe-asset-admin/commit/09d20617620571650509b2b250117c295d58d5bb) Asset revision timestamps are no longer underlined in asset admin history tabs (Robbie Averill)
* 2020-05-19 [b9de9e6](https://github.com/silverstripe/silverstripe-asset-admin/commit/b9de9e6d608aa2b7f6d01e9c609369998d3ab0d8) Remove direct descendant selector to apply correct margins (Sacha Judd)
* 2020-05-11 [9dcc030](https://github.com/silverstripe/silverstripe-admin/commit/9dcc030aa8c2c3dab4c6a4206f883cb40e6a1458) Resize address-card-warning (Sacha Judd)
* 2020-05-08 [afc1759](https://github.com/silverstripe/silverstripe-admin/commit/afc1759f6cc74ce58be68bfb167bf52c1e972915) Page search form layout overflow issue (Mojmir Fendek)
* 2020-05-05 [2cc037b](https://github.com/silverstripe/silverstripe-versioned/commit/2cc037b2d305ed98056a9232587351949e59561f) Fix merge conflict in Travis configuration (Robbie Averill)
* 2020-05-01 [b1f6e52](https://github.com/silverstripe/silverstripe-asset-admin/commit/b1f6e521aac9bc17ee400593724e4a9290678938) Remove grid view sorting hack to correct initial state (Garion Herman)
* 2020-05-01 [891f0682](https://github.com/silverstripe/silverstripe-cms/commit/891f068202a3c7926a813c994b2802eacb7847f0) Correct placement of 'Page location' field title (Garion Herman)
* 2020-04-30 [fff806ca](https://github.com/silverstripe/silverstripe-cms/commit/fff806ca33cf6cdfd17c073f736e0faba42964a3) Prevent Treeview from always reloading (Maxime Rainville)
* 2020-04-18 [216989165](https://github.com/silverstripe/silverstripe-framework/commit/2169891651aded4defe33a1d08e1b07f79b9f086) Ensure realpath returns a string for stripos (mattclegg)
* 2020-04-15 [be80813](https://github.com/silverstripe/silverstripe-asset-admin/commit/be80813eaa8f5005b63978a53da2162c88645173) Campaign admin permission fix (Mojmir Fendek)
* 2020-04-15 [d7c76bdb](https://github.com/silverstripe/silverstripe-cms/commit/d7c76bdbba0af815d61146a1cbfc2529b3b2fe55) Published pages filter correction (missing default filter) (Mojmir Fendek)
* 2020-04-14 [e2a6281](https://github.com/silverstripe/silverstripe-asset-admin/commit/e2a6281305f23bd43d43a23adaa6807a54263f61) Legacy max upload size setting removal (Mojmir Fendek)
* 2020-03-23 [5002f514b](https://github.com/silverstripe/silverstripe-framework/commit/5002f514b3fde8e4ef75a72c964d649f46ab31f0) Capitalisation fixes in welcome back message (#9439) (Robbie Averill)
* 2020-03-23 [e5aa94c](https://github.com/silverstripe/silverstripe-admin/commit/e5aa94cfdd4fadcc87db3eee127f2f4f751ef6a7) "My profile" title in CMS is now vertical centered as other LeftAndMain screens are (Robbie Averill)
* 2020-03-20 [14fd29a](https://github.com/silverstripe/silverstripe-admin/commit/14fd29ad2c607951eff1bab65921748916a6c72e) Switch incorrect modified and draft state indicator colours (Sacha Judd)
* 2020-03-17 [7ad5f1bb1](https://github.com/silverstripe/silverstripe-framework/commit/7ad5f1bb14814bd05c6fe97e11b94c9f34936b15) Ensure diff arrays are one-dimensional (Aaron Carlino)
* 2020-03-08 [b269d8749](https://github.com/silverstripe/silverstripe-framework/commit/b269d874909cd70bb60c1a2974ea5446b43b0436) Register new sub tasks to fix files affected by CVE-2020-9280 and CVE-2019-12245 (Serge Latyntcev)
* 2020-03-04 [12ea7cd](https://github.com/silverstripe/silverstripe-assets/commit/12ea7cd2037bebcb3196dd5e3aaa72e6dbc7c7b2) Create NormaliseAccessMigrationHelper to fix files affected by CVE-2019-12245 (Maxime Rainville)
* 2020-02-24 [bba0f2f72](https://github.com/silverstripe/silverstripe-framework/commit/bba0f2f72fa2e631dbf60357a908d5d57d4467ee) Fixed issue where TimeField_Readonly would only show "(not set)" instead of the value (UndefinedOffset)
* 2020-02-20 [ff417ca](https://github.com/silverstripe/silverstripe-asset-admin/commit/ff417ca53405a4022c4fece82d50638e72940d4f) Fix last file upload showing as errored when uploading multiple files. (bergice)
* 2020-02-19 [7455d14](https://github.com/silverstripe/silverstripe-asset-admin/commit/7455d141aa6340e33674f72516e0e6b97d6d6232) Handle case where provided $context is null (Garion Herman)
* 2020-02-19 [8402966](https://github.com/silverstripe/silverstripe-assets/commit/84029664c21ba54d895aac8fa036a9c4277e56a0) Correct deprecated implode syntax for PHP 7.4 compat (Garion Herman)
* 2020-02-18 [9900d07](https://github.com/silverstripe/silverstripe-asset-admin/commit/9900d07eeb41a9c5c9dac758ee56f9397301bbdb) Tweak UsedOnTableTest ti dynamically switch protocol (Maxime Rainville)
* 2020-02-05 [c92e3b9d](https://github.com/silverstripe/silverstripe-cms/commit/c92e3b9d7967142ce59c918916441fce796c9fd8) Prioritise same-level pages in OldPageRedirector (Klemen Dolinšek)
* 2019-10-17 [b62288cc9](https://github.com/silverstripe/silverstripe-framework/commit/b62288cc92bd7e58182e1b02b083eeb474366d52) Disabled the UpgradeBootstrap upgrader doctor task (Maxime Rainville)
* 2019-09-02 [6d8a4bc](https://github.com/silverstripe/silverstripe-assets/commit/6d8a4bc4f4178c0b56ede1b01f87b162066d550a) Make AbsoluteLink work with manipulated images (fixes #322) (Loz Calver)
<!--- Changes above this line will be automatically regenerated -->

View File

@ -9,13 +9,116 @@
* [Simplify customisation of ModelAdmin](#modeladmin-customisation) * [Simplify customisation of ModelAdmin](#modeladmin-customisation)
* [Login forms module ships with installer](#loginforms) * [Login forms module ships with installer](#loginforms)
## Security patches
This release contains security patches. Some of those patches might require some
updates to your project.
* [CVE-2020-9309 Script execution on protected files](https://www.silverstripe.org/download/security-releases/CVE-2020-9309)
* [CVE-2019-19326 Web Cache Poisoning](https://www.silverstripe.org/download/security-releases/CVE-2019-19326)
* [CVE-2020-6164 Information disclosure on /interactive URL path](https://www.silverstripe.org/download/security-releases/CVE-2020-6164)
* [CVE-2020-6165 Limited queries break CanViewPermissionChecker](https://www.silverstripe.org/download/security-releases/CVE-2020-6165)
### CVE-2020-9309 Script execution on protected files {#CVE-2020-9309}
Silverstripe can be susceptible to script execution from malicious upload
contents under allowed file extensions (for example HTML code in a TXT file).
When these files are stored as protected or draft files, the MIME detection can
cause browsers to execute the file contents.
#### Risk factors
If your project already includes the `silverstripe/mimevalidator` module, it's
already protected. CWP projects are already protected.
If your project includes the `silverstripe/userforms` module or allows anonymous
users to upload files, it's at a higher risk because malicious users can create
files without requiring a CMS access.
#### Actions you need to take
Upgrading to `silverstripe/recipe-core` 4.6.0 will automatically install the
`silverstripe/mimevalidator` module.
Read [MIME validator is now part of recipe-core](#MimeValidator) to understand
how this will impact your project.
### CVE-2019-19326 Web Cache Poisoning {#CVE-2019-19326}
Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the:
* `X-Original-Url` HTTP header
* `X-HTTP-Method-Override` HTTP header
* `_method` POST variable.
In order to remedy this vulnerability, Silverstripe Framework 4.6.0 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution.
### Re-enabling the support for removed features
These features are best implemented by defining a `Middleware`.
The following example illustrates how to implement an `HTTPMiddleware` that restores support for the `X-Original-Url` header and the `_method` POST parameter for requests originating from a trusted proxy.
```php
<?php
use SilverStripe\Control\Middleware\HTTPMiddleware;
use SilverStripe\Control\HTTPRequest;
/**
* This is meant to illustrate how to implement an HTTPMiddleware. If you blindly
* copy-paste this in in your code base, you'll simply replicate the vulnerability.
*/
class InsecureHeaderMiddleware implements HTTPMiddleware
{
public function process(HTTPRequest $request, callable $delegate)
{
// Normally, you would validate that the request is coming from a trusted source at this point.
// View SilverStripe\Control\Middleware\TrustedProxyMiddleware for an example.
$trustedProxy = true;
if ($trustedProxy) {
$originalUrl = $request->getHeader('X-Original-Url');
if ($originalUrl) {
$_SERVER['REQUEST_URI'] = $originalUrl;
$request->setUrl($originalUrl);
}
$methodOverride = $request->postVar('_method');
$validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD'];
if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) {
$request->setHttpMethod($methodOverride);
}
}
return $delegate($request);
}
}
```
To learn more about re-implementing support for the disabled features:
* read [how to configure trusted proxies](/developer_guides/security/secure_coding/#request-hostname-forgery) on the Silverstripe documentation.
* read the [documentation about HTTP Middlewares](/developer_guides/controllers/middlewares/).
### CVE-2020-6164 Information disclosure on /interactive URL path
A specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).
### CVE-2020-6165 Limited queries break CanViewPermissionChecker
The automatic permission checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g. through pagination), resulting in records that should fail the permission check being added to the final result set.
If your project implements custom GraphQL queries using the `CanViewPermissionChecker`, you should validate that they still work as expected after the upgrade.
Read [Controlling who can view results in a GraphQL result set](/Developer_Guides/GraphQL/Verifying_CanView_Permission)
for more information on updating your GraphQL queries.
## MySQL tables are auto-converted from MyISAM to InnoDB {#myisam} ## MySQL tables are auto-converted from MyISAM to InnoDB {#myisam}
Beginning with [4.4.0](https://docs.silverstripe.org/en/4/changelogs/4.4.0/), Beginning with [4.4.0](https://docs.silverstripe.org/en/4/changelogs/4.4.0/),
our minimum requirement for MySQL is 5.6 (since MySQL 5.5 end of life reached in December 2018). our minimum requirement for MySQL is 5.6 (since MySQL 5.5 end of life reached
Starting with MySQL 5.6, [InnoDB](https://dev.mysql.com/doc/refman/5.6/en/innodb-introduction.html) in December 2018). Starting with MySQL 5.6, [InnoDB](https://dev.mysql.com/doc/refman/5.6/en/innodb-introduction.html)
is the new default storage engine, is the new default storage engine, replacing the older [MyISAM](https://dev.mysql.com/doc/refman/5.6/en/myisam-storage-engine.html)
replacing the older [MyISAM](https://dev.mysql.com/doc/refman/5.6/en/myisam-storage-engine.html) engine. engine.
Silverstripe CMS already creates InnoDB tables by default, Silverstripe CMS already creates InnoDB tables by default,
mainly in order to benefit from their better support for database transactions. mainly in order to benefit from their better support for database transactions.
@ -59,35 +162,140 @@ class MyDataObject extends DataObject
} }
``` ```
## Editing files directly in the insert-media modal{#in-modal-editing} ## Editing files directly in the Insert Media modal {#in-modal-editing}
Editors can now directly edit file details when selecting a file in an UploadField or when inserting media in a Authors can now directly edit file details when selecting a file in an
HTMLEditorField. The "image placement" and "file link" forms that show when inserting an image or a link in an `UploadField` or when inserting media in a `HTMLEditorField`. The "image
HTMLEditorField have been simplified. placement" and "file link" forms that show when inserting an image or a link in
an `HTMLEditorField` have been simplified.
This does mean that the order and structure of fields have changed somewhat. If you have customised the forms in the If you have customised the fields in the asset administration UI or Insert Media
asset administration area or in the "Insert Media Modal", you should do some regression testing when upgrading to modal, you will need to do some regression testing when upgrading, and will
make sure your customisations still work as expected. likely need to make some minor adjustments to your code.
If your project uses the popular [jonom/focuspoint](https://github.com/jonom/silverstripe-focuspoint) community Implementing the new Edit Details UI required filtering the fields generated in
module, you should upgrade it as well. `File::getCMSFields()` into two `Form`s. The implementation in 4.6.0 does not
expose a clear API to custom fields for differentiating between the `Form`s, and
by default any fields added via an extension will appear in both views. For the
time being, a simple way to resolve this is to check for the presence of the
`Editor.Details.Title` field and add your field based on this. See the community
module [jonom/focuspoint](https://github.com/jonom/silverstripe-focuspoint/pull/78/files#diff-cc697eb8345aa25a5f88c89d1a87ff6aR27-R34)
for an example implementation, and ensure you update this module during your
upgrade to 4.6.0 if you have it installed.
We intend to improve this pattern in a future release of Silverstripe CMS.
## MIME Type validation now a core module {#mime-validator} ## MIME Type validation now a core module {#mime-validator}
`silverstripe/mimevalidator` is now a core module and will ship by default on new projects. Projects referencing `silverstripe/recipe-core` will automatically install `silverstripe/mimevalidator` when they upgrade to 4.6.0. The Silverstripe CMS installer now includes the `silverstripe/mimevalidator`.
This change was implemented to address `CVE-2020-9309` vulnerability and the
inherent limits of controlling allowed file types by looking only at file
extensions.
Read [Allowed file types](Developer_Guides/Files/Allowed_file_types) in the Silverstripe CMS doc for all the details. For most Silverstripe CMS projects, this will be a transparent upgrade. However,
they are some situations where you might need to make some adjustments.
### Who will get MIME validator installed automatically?
If your Silverstripe CMS project references `silverstripe/recipe-core` or
`silverstripe/recipe-cms` in its `composer.json` file,
`silverstripe/mimevalidator` will be automatically installed once you upgrade to
Silverstripe CMS 4.6.0. Those recipes might also be indirectly installed via
other recipes (e.g.: `cwp/cwp-recipe-core`). You can run this command from your
project root to know for sure:
```bash
composer show silverstripe/recipe-core
```
If you get an error, you will not be automatically get
`silverstripe/mimevalidator` following your upgrade.
After upgrading your project, composer should automatically create the following
file in your project: `app/_config/mimevalidator.yml`. This file contains the
default configuration for the new module. You'll need to commit
`mimevalidator.yml` and your updated `composer.json` file to your source control
system.
### If you're not using recipe-core/recipe-cms?
If your project doesn't reference `silverstripe/recipe-core` or
`silverstripe/recipe-cms`, you will need to manually add
`silverstripe/mimevalidator` to your project dependencies. Run this command to
install `silverstripe/mimevalidator`:
```bash
composer require silverstripe/mimevalidator
```
Then, add this code snippet to your YML configuration to enable MIME type
validation:
```yml
SilverStripe\Core\Injector\Injector:
SilverStripe\Assets\Upload_Validator:
class: SilverStripe\MimeValidator\MimeUploadValidator
```
### Customising allowed file types
If you've customised your project allowed file types, you might need to tweak
the boilerplate MIME validator configuration and confirm the new module doesn't
interfere with your existing logic.
Read [Allowed file types](/Developer_Guides/Files/Allowed_file_types) in the
Silverstripe CMS documentation to learn how to Control the type of files that
can be stored in your project.
### What if the MIME validator module is already installed?
If your project already requires `silverstripe/mimevalidator`, you probably
don't need to do anything.
If you didn't have a pre-existing `app/_config/mimevalidator.yml` file and your
MIME validator configuration is contained somewhere else in your project, feel
free to discard `mimevalidator.yml`.
If you explicitly required `silverstripe/mimevalidator` in your `composer.json`
file, you can remove the explicit reference and rely on the module being
installed via the recipes.
If your version constrain for `silverstripe/mimevalidator` in your
`composer.json` is too strict, you might get an error while upgrading to the
latest version of `recipe-core`. If this occurs, either loosen the constraint
for `silverstripe/mimevalidator` or remove it altogether.
### What if I don't want the MIME validator module?
This is not advise, but you can upgrade to Silverstripe CMS 4.6.0 without
installing the `silverstripe/mimevalidator` module.
To achieve this, you will need to "inline" recipes in your `composer.json`. This
means you will have an explicit dependency for each individual Silverstripe CMS
module. You can inline recipes by running this command.
```bash
composer require-recipe silverstripe/recipe-cms
```
Then you just need to remove the reference to `silverstripe/mimevalidator`.
Beware that this will make future upgrade more difficult because you will have
to manually edit each module constraint.
## File status icons in the file manager ## File status icons in the file manager
![File status icons](https://raw.githubusercontent.com/silverstripe/silverstripe-framework/blob/4/docs/en/04_Changelogs/_images/file-status-icons.png "A screenshot of file status icons being displayed in the file manager") ![File status icons](https://raw.githubusercontent.com/silverstripe/silverstripe-framework/blob/4/docs/en/04_Changelogs/_images/file-status-icons.png "A screenshot of file status icons being displayed in the file manager")
Files and folders with permissions of either "Logged in users" or "Only these groups (choose from list)" now show Files and folders with permissions of either "Logged in users" or "Only these
a "Restricted access" icon in the file manager. These permissions can either be directly on the DataObject or groups (choose from list)" now show a "Restricted access" icon in the file
they can be inherited from the parent folder. manager. These permissions can either be directly on the DataObject or they can
be inherited from the parent folder.
Websites with the optional [UserForms](https://github.com/silverstripe/silverstripe-userforms) module installed will Websites with the optional [UserForms](https://github.com/silverstripe/silverstripe-userforms)
show a "Form submission" icon on files uploaded through a UserForm. UserForm uploaded files without a "Restricted access" icon show a "Form submission, unrestricted access" icon instead. module installed will show a "Form submission" icon on files uploaded through a
UserForm. UserForm uploaded files without a "Restricted access" icon show a
"Form submission, unrestricted access" icon instead.
## Solr no longer indexes draft/restricted content {#solr-updates} ## Solr no longer indexes draft/restricted content {#solr-updates}
@ -124,6 +332,132 @@ login form.
View the [Silverstripe Login Forms readme](https://github.com/silverstripe/silverstripe-login-forms) on Github for more details. View the [Silverstripe Login Forms readme](https://github.com/silverstripe/silverstripe-login-forms) on Github for more details.
## Regressions
- [File section, icons broken until page is refreshed](https://github.com/silverstripe/silverstripe-admin/issues/1064)
<!--- Changes below this line will be automatically regenerated --> <!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
* 2020-05-13 [996c1b571](https://github.com/silverstripe/silverstripe-framework/commit/996c1b57195029ef2d385123e22a3222cd7e5f18) Remove/deprecate unused controllers that can potentially give away some information about the underlying project. (Maxime Rainville) - See [cve-2020-6164](https://www.silverstripe.org/download/security-releases/cve-2020-6164)
* 2020-05-11 [71db45b18](https://github.com/silverstripe/silverstripe-framework/commit/71db45b18b4a3bce6a4630ff3a6c116c15f35874) Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod() (Maxime Rainville) - See [cve-2019-19326](https://www.silverstripe.org/download/security-releases/cve-2019-19326)
* 2020-03-08 [6779fd3](https://github.com/silverstripe/silverstripe-assets/commit/6779fd3c8c1c05a3db5035bf6e541c9483d161fc) Add FolderMigrationHelper (Serge Latyntcev)
* 2020-02-17 [6c3a619](https://github.com/silverstripe/silverstripe-asset-admin/commit/6c3a6197e5bd5bb8f45e007338b4c2c3b4f3a6c6) Move the query resolution after the DataListQuery has been altered (Maxime Rainville) - See [cve-2020-6165](https://www.silverstripe.org/download/security-releases/cve-2020-6165)
* 2020-02-11 [044eb43](https://github.com/silverstripe/silverstripe-graphql/commit/044eb43ad02428b17a881e47a0ff8aa8d159eb9c) Ensure canView() check is run on items (Steve Boyd) - See [cve-2020-6165](https://www.silverstripe.org/download/security-releases/cve-2020-6165)
### API Changes
* 2020-05-28 [422a9a2](https://github.com/silverstripe/recipe-core/commit/422a9a23dc7b16f635fbc3a7fe5e6ec0d2fba77a) Bump to require 4.6.x-dev branches (Steve Boyd)
* 2020-04-28 [df8004b](https://github.com/silverstripe/silverstripe-versioned-admin/commit/df8004bebd0ac8008f4ae23889bcfc110271085e) Bump @silverstripe/webpack-config to 1.5.0 (Maxime Rainville)
* 2020-04-24 [d513932](https://github.com/silverstripe/silverstripe-admin/commit/d51393203a65ae2f102de6940be1660a89e75c89) Bump @silverstripe/webpack-config to 1.5.0 (Maxime Rainville)
* 2020-04-17 [99eeb59](https://github.com/silverstripe/silverstripe-assets/commit/99eeb5920b500b7dbda04367c617c76da8083a6f) Add new updateResponse hook to allow extension to update the response (Maxime Rainville)
* 2020-02-14 [29943f904](https://github.com/silverstripe/silverstripe-framework/commit/29943f9049e7e9ec8b99f7def34a7fc9656d4fe3) TestSession request methods now use the correct HTTP method (#8987) (Garion Herman)
* 2019-11-20 [0c9be1b](https://github.com/silverstripe/silverstripe-admin/commit/0c9be1b522644e835aea39732c2d2c426a79569e) Add updateGridFieldConfig and updateGridField hooks to ModelAdmin (Maxime Rainville)
* 2019-11-19 [ba831dc](https://github.com/silverstripe/silverstripe-admin/commit/ba831dc41efbd13f4cb065f201681976c36aea5f) Break up ModelAdmin::getEditForm into getGridField and getGridFieldConfig (Maxime Rainville)
* 2019-10-16 [67398ed](https://github.com/silverstripe/silverstripe-admin/commit/67398edb9050b75638a40b042cc0eaa5d12e99be) Add Silverstripe specific button UI (Maxime Rainville)
### Features and Enhancements
* 2020-06-12 [ae97a20](https://github.com/silverstripe/silverstripe-admin/commit/ae97a2000e44c5cc1a67b7dcbc523d062aff5785) Update gridfield sort to use text default on focus (#1055) (Sacha Judd)
* 2020-06-12 [05e0e5c](https://github.com/silverstripe/silverstripe-asset-admin/commit/05e0e5c522f8bf46d3f3c44e060c2df9cf41fea2) Update draft state indicator on thumbnails to use correct background colour (#1104) (Sacha Judd)
* 2020-05-25 [5a1b634](https://github.com/silverstripe/silverstripe-admin/commit/5a1b63447d32725dcf455cc473c6303265d7b40a) Add new variations of block icons and update existing (Sacha Judd)
* 2020-05-25 [da241a2](https://github.com/silverstripe/silverstripe-asset-admin/commit/da241a28edfd8561bccdd993688e8d1cabd199d5) Add file status icons to file manager (#1087) (Steve Boyd)
* 2020-05-25 [d93d63b](https://github.com/silverstripe/silverstripe-admin/commit/d93d63b955c95c6be4abe3cc3e865d7cc94af3e0) Add FileStatusIcon component (#1033) (Steve Boyd)
* 2020-05-21 [5220dc1](https://github.com/silverstripe/silverstripe-admin/commit/5220dc1c6d8ae4999d3bed07346a8e2c68b174b6) Separate storybook icons into different sections for people to easily see where different icons belong (Scott Hutchinson)
* 2020-05-21 [239c559](https://github.com/silverstripe/silverstripe-assets/commit/239c559fda6c89b9ed50d3269258480ea3930dfd) Methods to support file status icons (Steve Boyd)
* 2020-05-11 [39f3032](https://github.com/silverstripe/silverstripe-admin/commit/39f303209ed2f35920825ed555b37e78d337bafb) Add Bootstrap Tooltip support outside of React contexts (Garion Herman)
* 2020-05-08 [0874950](https://github.com/silverstripe/recipe-core/commit/0874950373c380c49836b517e1c71fe8e09d7b37) Add MIME type validation out of the box (Maxime Rainville)
* 2020-05-04 [4ba8a7e](https://github.com/silverstripe/silverstripe-admin/commit/4ba8a7e93b0f3daac8496d5aa0f41189f3d5867a) Enable TreeDropdownField in pattern library, reorder addon tabs (Garion Herman)
* 2020-05-01 [77b896f](https://github.com/silverstripe/silverstripe-admin/commit/77b896fe4cfb75dd9195ff8b9d12dc278c954b7a) Add mid-blue colour, update info elements to match designs (Garion Herman)
* 2020-04-15 [daa80d8](https://github.com/silverstripe/silverstripe-admin/commit/daa80d8d2c2a5eabf75cfd23bb40d5a4b0fab02a) Add secure icons (Sacha Judd)
* 2020-04-06 [c6b698cb0](https://github.com/silverstripe/silverstripe-framework/commit/c6b698cb027a14e9b0a2ce3e403ce12d1bc132d3) Allow InnoDB for FULLTEXT indexes (Ingo Schommer)
* 2020-04-04 [2bbc280c](https://github.com/silverstripe/silverstripe-cms/commit/2bbc280ce6b7d8a9dd44bc09598f6d37dfd010c6) Remove unused $controller from lambda function (mattclegg)
* 2020-04-02 [b664b8d](https://github.com/silverstripe/silverstripe-graphql/commit/b664b8d2bc9fe775317be54b445fcb98b9c6f64d) Boot typenames outside graphql request (#254) (Aaron Carlino)
* 2020-03-24 [1fb574a5b](https://github.com/silverstripe/silverstripe-framework/commit/1fb574a5bd024fc36b3eaad08cb5eeabfe2c6213) Variadic URL parameter matches for url_handlers (#9438) (Daniel Hensby)
* 2020-03-13 [159a42a](https://github.com/silverstripe/silverstripe-graphql/commit/159a42af05507c7bd56e5d03bc80539f87839c2c) Allow instance override of CORS config (Aaron Carlino)
* 2020-02-14 [30c3b127c](https://github.com/silverstripe/silverstripe-framework/commit/30c3b127c1fdef2de66ec13cdb423ba7e4f76c43) Add ClassInfo method to get all classes with a given extension applied (Michal Kleiner)
* 2020-01-24 [82387cb4](https://github.com/silverstripe/silverstripe-cms/commit/82387cb4443c8b3736cfdd1c15b831fa1e0efa1f) Add extension hook updateRedirectionLink() (#2518) (Guy Marriott)
* 2020-01-24 [6ee17a83](https://github.com/silverstripe/silverstripe-cms/commit/6ee17a83e3aabec3d86c0edc86c1b1e1c94480fc) Add extension hook updateRedirectionLink() (Will Rossiter)
* 2019-12-17 [5449014](https://github.com/silverstripe/silverstripe-asset-admin/commit/544901433e5688dc094f7ee03d8753ab547bcd5d) Update language and conditions in BulkDeleteConfirmation (Garion Herman)
* 2019-12-16 [a54fff8](https://github.com/silverstripe/silverstripe-assets/commit/a54fff847ec0cf53515db831cd2fe78c3466569e) add option to prevent InterventionBackend cache flush + task (Christopher Darling)
* 2019-12-09 [0eed58a](https://github.com/silverstripe/silverstripe-admin/commit/0eed58a3aa6b6a4c5a32b8bc1ba4a55d2488a5df) Export url lib in admin vendor bundle (Maxime Rainville)
* 2019-11-18 [688890146](https://github.com/silverstripe/silverstripe-framework/commit/688890146863704d0942f76d830624bad0395ffa) Update docs to be compliant with Gatsby site (#9314) (Aaron Carlino)
* 2019-07-05 [9171342](https://github.com/silverstripe/silverstripe-installer/commit/9171342ec21ba39b57e8fc217146d91f04750db3) Add silverstripe/login-forms (Ingo Schommer)
* 2019-02-23 [9d1d59d8d](https://github.com/silverstripe/silverstripe-framework/commit/9d1d59d8d172ee6670ab1ff26797449822e86385) Accept / as designation for root URL controller (Garion Herman)
* 2019-02-07 [54a3649](https://github.com/silverstripe/silverstripe-versioned/commit/54a364967b8cabdbcf793b83511535dbedc12929) Apply versioned filters to reading state (Ingo Schommer)
### Bugfixes
* 2020-06-05 [d7ed6e3](https://github.com/silverstripe/silverstripe-assets/commit/d7ed6e314cfe54ae54955d653733d3e9a67ef1ec) ImageShortcodeProvider follow FileShortcodeProvider session access grant policy (#402) (Serge Latyntsev)
* 2020-06-01 [3df2222](https://github.com/silverstripe/silverstripe-asset-admin/commit/3df222203ee563fac840e5e0727c75ddfe244886) Prevent react-selectable from interfering with pagination (Maxime Rainville)
* 2020-05-28 [43c119b](https://github.com/silverstripe/silverstripe-graphql/commit/43c119bc0edcfcf79477b12fbff3255684ea97bf) Require frameworktest for behat test (#261) (Maxime Rainville)
* 2020-05-27 [27231bf](https://github.com/silverstripe/silverstripe-installer/commit/27231bf315ca5f592ac79e59ca84325d21923a76) Treat login-forms as a core module (Maxime Rainville)
* 2020-05-26 [3e52b1a](https://github.com/silverstripe/silverstripe-admin/commit/3e52b1ae3e5fd45dfde05913fe2fc0edd7309d82) Vertically align form description contents (including icons) (bergice)
* 2020-05-26 [09d2061](https://github.com/silverstripe/silverstripe-asset-admin/commit/09d20617620571650509b2b250117c295d58d5bb) Asset revision timestamps are no longer underlined in asset admin history tabs (Robbie Averill)
* 2020-05-25 [32e7b46](https://github.com/silverstripe/recipe-core/commit/32e7b464bd96d567160f4b0b8ea3fc7ca032d19e) Make sure the new mime validator config does not clash with the cwp config (#54) (Maxime Rainville)
* 2020-05-19 [b9de9e6](https://github.com/silverstripe/silverstripe-asset-admin/commit/b9de9e6d608aa2b7f6d01e9c609369998d3ab0d8) Remove direct descendant selector to apply correct margins (Sacha Judd)
* 2020-05-13 [b1b61f866](https://github.com/silverstripe/silverstripe-framework/commit/b1b61f866eb1ae0d9ef86255458277d6ba2cfd57) Set nonce style on unit tests (Steve Boyd)
* 2020-05-11 [9dcc030](https://github.com/silverstripe/silverstripe-admin/commit/9dcc030aa8c2c3dab4c6a4206f883cb40e6a1458) Resize address-card-warning (Sacha Judd)
* 2020-05-08 [afc1759](https://github.com/silverstripe/silverstripe-admin/commit/afc1759f6cc74ce58be68bfb167bf52c1e972915) Page search form layout overflow issue (Mojmir Fendek)
* 2020-05-05 [2cc037b](https://github.com/silverstripe/silverstripe-versioned/commit/2cc037b2d305ed98056a9232587351949e59561f) Fix merge conflict in Travis configuration (Robbie Averill)
* 2020-05-01 [e344b66db](https://github.com/silverstripe/silverstripe-framework/commit/e344b66dbe64436815236350387159b52322fd4e) Fixed broken link to the module creation docs (Dustin Quam)
* 2020-05-01 [b1f6e52](https://github.com/silverstripe/silverstripe-asset-admin/commit/b1f6e521aac9bc17ee400593724e4a9290678938) Remove grid view sorting hack to correct initial state (Garion Herman)
* 2020-05-01 [891f0682](https://github.com/silverstripe/silverstripe-cms/commit/891f068202a3c7926a813c994b2802eacb7847f0) Correct placement of 'Page location' field title (Garion Herman)
* 2020-04-30 [fff806ca](https://github.com/silverstripe/silverstripe-cms/commit/fff806ca33cf6cdfd17c073f736e0faba42964a3) Prevent Treeview from always reloading (Maxime Rainville)
* 2020-04-29 [ed4c436](https://github.com/silverstripe/silverstripe-admin/commit/ed4c436dd1e2171820c97a8bc996bbfbf90f080d) built dist files (Niklas Forsdahl)
* 2020-04-27 [5bcc574](https://github.com/silverstripe/silverstripe-admin/commit/5bcc574060cba305523d237462a92650119914cc) GET parameter handling in GridField reload (Niklas Forsdahl)
* 2020-04-27 [eac547a](https://github.com/silverstripe/silverstripe-admin/commit/eac547a2411c406841cb648d763f6c090f39cf11) Grid field reload always triggers change event if request has GET parameters (Niklas Forsdahl)
* 2020-04-21 [bb0fc12](https://github.com/silverstripe/silverstripe-asset-admin/commit/bb0fc12522107dc6bd890a7a475027c203e1cb53) Stops an image's "Title text (tooltip)" being set to the filename by default (#1058) (James Cocker)
* 2020-04-20 [080ce157c](https://github.com/silverstripe/silverstripe-framework/commit/080ce157ce2c97f0d3a2347d4fe6c58b28358aaa) Fix various typos in comments (Daniel Hensby)
* 2020-04-18 [216989165](https://github.com/silverstripe/silverstripe-framework/commit/2169891651aded4defe33a1d08e1b07f79b9f086) Ensure realpath returns a string for stripos (mattclegg)
* 2020-04-15 [be80813](https://github.com/silverstripe/silverstripe-asset-admin/commit/be80813eaa8f5005b63978a53da2162c88645173) Campaign admin permission fix (Mojmir Fendek)
* 2020-04-15 [d7c76bdb](https://github.com/silverstripe/silverstripe-cms/commit/d7c76bdbba0af815d61146a1cbfc2529b3b2fe55) Published pages filter correction (missing default filter) (Mojmir Fendek)
* 2020-04-14 [e2a6281](https://github.com/silverstripe/silverstripe-asset-admin/commit/e2a6281305f23bd43d43a23adaa6807a54263f61) Legacy max upload size setting removal (Mojmir Fendek)
* 2020-04-10 [ab87bdc04](https://github.com/silverstripe/silverstripe-framework/commit/ab87bdc04466cf9da95da3670a5db9e30cfce64d) Fix SS_BASE_URL logic when undefined and docroot without public folder (Michal Kleiner)
* 2020-04-09 [a50e15e5e](https://github.com/silverstripe/silverstripe-framework/commit/a50e15e5eec7406e6034875ec9c3d8da6788daee) Avoid VACUUM on test dbs in Postgres (Ingo Schommer)
* 2020-04-08 [2c5deceeb](https://github.com/silverstripe/silverstripe-framework/commit/2c5deceeb475a6842c30dd42ff3a9990dda50707) Filter out all FULLTEXT BOOLEAN chars (Ingo Schommer)
* 2020-04-08 [e51bd421](https://github.com/silverstripe/silverstripe-cms/commit/e51bd421a6996e0a2794799c9475ef115bcf7673) InnoDB FULLTEXT compat in tests (Ingo Schommer)
* 2020-04-08 [dd839ca2](https://github.com/silverstripe/silverstripe-cms/commit/dd839ca2d9b8cc56501e466da9421b11d76fa967) Remove searchEngine() test that's using API wrong (Ingo Schommer)
* 2020-04-08 [052c5cbc3](https://github.com/silverstripe/silverstripe-framework/commit/052c5cbc38210476ffce7d98dc052fa09b4e5e5f) Infinite loops in TempDatabase (fixes #8902) (Ingo Schommer)
* 2020-04-05 [d6fc7fe80](https://github.com/silverstripe/silverstripe-framework/commit/d6fc7fe8040a9701a380bfa9c25497a9dc63fbe9) Fix issue with the GridField documenation - many_many_extraFields code example (tdenev)
* 2020-04-02 [9e0ed0a50](https://github.com/silverstripe/silverstripe-framework/commit/9e0ed0a50a383bd83f405d3cb8fb091708bd251d) Fix spaces around concatenation operator (Dan Hensby)
* 2020-03-23 [5002f514b](https://github.com/silverstripe/silverstripe-framework/commit/5002f514b3fde8e4ef75a72c964d649f46ab31f0) Capitalisation fixes in welcome back message (#9439) (Robbie Averill)
* 2020-03-23 [e5aa94c](https://github.com/silverstripe/silverstripe-admin/commit/e5aa94cfdd4fadcc87db3eee127f2f4f751ef6a7) "My profile" title in CMS is now vertical centered as other LeftAndMain screens are (Robbie Averill)
* 2020-03-20 [14fd29a](https://github.com/silverstripe/silverstripe-admin/commit/14fd29ad2c607951eff1bab65921748916a6c72e) Switch incorrect modified and draft state indicator colours (Sacha Judd)
* 2020-03-18 [fe5f965](https://github.com/silverstripe/silverstripe-assets/commit/fe5f9651942c7a1bcbb1f69d1da1ccf9565d7aee) Update FileIDHelpers to replace backslashes with forward slashes (Maxime Rainville)
* 2020-03-17 [7ad5f1bb1](https://github.com/silverstripe/silverstripe-framework/commit/7ad5f1bb14814bd05c6fe97e11b94c9f34936b15) Ensure diff arrays are one-dimensional (Aaron Carlino)
* 2020-03-08 [b269d8749](https://github.com/silverstripe/silverstripe-framework/commit/b269d874909cd70bb60c1a2974ea5446b43b0436) Register new sub tasks to fix files affected by CVE-2020-9280 and CVE-2019-12245 (Serge Latyntcev)
* 2020-03-05 [6c25480](https://github.com/silverstripe/silverstripe-admin/commit/6c254803e6dac4fe58aa59166c35a8dc506f5027) Rename exposed url module to node-url to avoid API clash (Garion Herman)
* 2020-03-04 [12ea7cd](https://github.com/silverstripe/silverstripe-assets/commit/12ea7cd2037bebcb3196dd5e3aaa72e6dbc7c7b2) Create NormaliseAccessMigrationHelper to fix files affected by CVE-2019-12245 (Maxime Rainville)
* 2020-02-27 [fe14d39](https://github.com/silverstripe/silverstripe-graphql/commit/fe14d39dd39015f4dafc1028035e573563e4b4df) Increment targeted version of recipe-cms on travis build (Maxime Rainville)
* 2020-02-24 [bba0f2f72](https://github.com/silverstripe/silverstripe-framework/commit/bba0f2f72fa2e631dbf60357a908d5d57d4467ee) Fixed issue where TimeField_Readonly would only show "(not set)" instead of the value (UndefinedOffset)
* 2020-02-21 [9733060d1](https://github.com/silverstripe/silverstripe-framework/commit/9733060d1ca74c22416fba4134eb82e7266a8331) Fix Related section at bottom of document (Zubair)
* 2020-02-20 [ff417ca](https://github.com/silverstripe/silverstripe-asset-admin/commit/ff417ca53405a4022c4fece82d50638e72940d4f) Fix last file upload showing as errored when uploading multiple files. (bergice)
* 2020-02-19 [7455d14](https://github.com/silverstripe/silverstripe-asset-admin/commit/7455d141aa6340e33674f72516e0e6b97d6d6232) Handle case where provided $context is null (Garion Herman)
* 2020-02-19 [8402966](https://github.com/silverstripe/silverstripe-assets/commit/84029664c21ba54d895aac8fa036a9c4277e56a0) Correct deprecated implode syntax for PHP 7.4 compat (Garion Herman)
* 2020-02-18 [9900d07](https://github.com/silverstripe/silverstripe-asset-admin/commit/9900d07eeb41a9c5c9dac758ee56f9397301bbdb) Tweak UsedOnTableTest ti dynamically switch protocol (Maxime Rainville)
* 2020-02-18 [e0de15f](https://github.com/silverstripe/silverstripe-errorpage/commit/e0de15f85a09ac848cb110f49cef58624d1e892f) Fix broken test when FulltextSearchable is enabled (Maxime Rainville)
* 2020-02-14 [939cb93](https://github.com/silverstripe/silverstripe-assets/commit/939cb932873936fa33d874738f23211f6360c2b8) Fix wording in comment in assets htaccess (aNickzz)
* 2020-02-12 [202d061](https://github.com/silverstripe/silverstripe-asset-admin/commit/202d061e6019aab381901e99257c571b7f71ded0) Display bulk publish button on modified files as well as draft file (Maxime Rainville)
* 2020-02-05 [c92e3b9d](https://github.com/silverstripe/silverstripe-cms/commit/c92e3b9d7967142ce59c918916441fce796c9fd8) Prioritise same-level pages in OldPageRedirector (Klemen Dolinšek)
* 2020-01-14 [64bf56a](https://github.com/silverstripe/silverstripe-asset-admin/commit/64bf56a79776632c1eb5177132d5f8d5a859a8fb) Improve grammar in BulkDeleteMessage strings (Garion Herman)
* 2020-01-13 [e294214](https://github.com/silverstripe/silverstripe-asset-admin/commit/e29421499be38318ee2b56a95f5a2db653917ffb) Behat test should now verify that folder in use CAN be deleted (Garion Herman)
* 2019-12-23 [c8c1c86d7](https://github.com/silverstripe/silverstripe-framework/commit/c8c1c86d701f58ee779d36f19649fb08342306f6) module link "recaptcha" not found (Valentino Pesce)
* 2019-12-20 [1d7a0b7](https://github.com/silverstripe/silverstripe-versioned-admin/commit/1d7a0b71edcbea9b4380a8808785f340c40ac1cd) Use more resilient method to manipulate URL of preview (#137) (Maxime Rainville)
* 2019-12-19 [944cf5a](https://github.com/silverstripe/silverstripe-admin/commit/944cf5a16e693edbbeda0bc2b0ce79aa205ed76d) Upgrade webpack config to 1.4 (Maxime Rainville)
* 2019-12-19 [910f5efbf](https://github.com/silverstripe/silverstripe-framework/commit/910f5efbf21b66ffb26f6ec540af885cb4a23fd2) fix markdown tables for url variables documentation (Andrew Aitken-Fincham)
* 2019-12-18 [8d69cf9f7](https://github.com/silverstripe/silverstripe-framework/commit/8d69cf9f758abe7e495ba300a8bd81cc624a29c3) Remove bad default when scaffolding form field for DBHTMLVarchar (Maxime Rainville)
* 2019-12-09 [1633ddea9](https://github.com/silverstripe/silverstripe-framework/commit/1633ddea9c8c2bb3643b87b9f5fe2297560b8ea8) Fix PHP versions in upgrade guide (Matt Peel)
* 2019-12-04 [de96188c](https://github.com/silverstripe/silverstripe-cms/commit/de96188c8a724ff33a31e1bbe8618f52836bd00c) If no parent in RelativeLink() return null (Amol Wankhede)
* 2019-11-21 [f3db5f72](https://github.com/silverstripe/silverstripe-reports/commit/f3db5f72aab6bfbac5f9902b4fcd63e27ed11315) Fix codestyle (Serge Latyntcev)
* 2019-11-19 [e520a2b99](https://github.com/silverstripe/silverstripe-framework/commit/e520a2b990a829ad1bf67f6b03ce5091a1f82c2d) Fix broken callout tags (Aaron Carlino)
* 2019-11-18 [6ff0f3f46](https://github.com/silverstripe/silverstripe-framework/commit/6ff0f3f4664b9af0ebf8a55a7f84fa4031e235a2) The "Link existing" should be disabled rather than readonly. (Maxime Rainville)
* 2019-11-18 [48f9ec3](https://github.com/silverstripe/silverstripe-admin/commit/48f9ec3590b5060c8a847faae03d9c9bb16b4566) Set min-width on loading button to avoid having the loading indicator break over 2 lines (Maxime Rainville)
* 2019-11-18 [5e611341](https://github.com/silverstripe/silverstripe-cms/commit/5e6113414fc50498e78728a15ddb5494ab250852) Fixed 404s in Contributing doc (Rob Mac Neil)
* 2019-09-02 [6d8a4bc](https://github.com/silverstripe/silverstripe-assets/commit/6d8a4bc4f4178c0b56ede1b01f87b162066d550a) Make AbsoluteLink work with manipulated images (fixes #322) (Loz Calver)
* 2019-03-20 [1d406c64b](https://github.com/silverstripe/silverstripe-framework/commit/1d406c64b99065461f4fdd47e8731e36b1fa7944) Fix: Allow editing of relation if item is created. (Kong Jin Jie)
<!--- Changes above this line will be automatically regenerated --> <!--- Changes above this line will be automatically regenerated -->

View File

@ -18,9 +18,6 @@ use SilverStripe\ORM\ArrayLib;
* The intention is that a single HTTPRequest object can be passed from one object to another, each object calling * The intention is that a single HTTPRequest object can be passed from one object to another, each object calling
* match() to get the information that they need out of the URL. This is generally handled by * match() to get the information that they need out of the URL. This is generally handled by
* {@link RequestHandler::handleRequest()}. * {@link RequestHandler::handleRequest()}.
*
* @todo Accept X_HTTP_METHOD_OVERRIDE http header and $_REQUEST['_method'] to override request types (useful for
* webclients not supporting PUT and DELETE)
*/ */
class HTTPRequest implements ArrayAccess class HTTPRequest implements ArrayAccess
{ {
@ -156,7 +153,7 @@ class HTTPRequest implements ArrayAccess
*/ */
public function __construct($httpMethod, $url, $getVars = [], $postVars = [], $body = null) public function __construct($httpMethod, $url, $getVars = [], $postVars = [], $body = null)
{ {
$this->httpMethod = strtoupper(self::detect_method($httpMethod, $postVars)); $this->httpMethod = strtoupper($httpMethod);
$this->setUrl($url); $this->setUrl($url);
$this->getVars = (array) $getVars; $this->getVars = (array) $getVars;
$this->postVars = (array) $postVars; $this->postVars = (array) $postVars;
@ -853,6 +850,21 @@ class HTTPRequest implements ArrayAccess
return $this->httpMethod; return $this->httpMethod;
} }
/**
* Explicitly set the HTTP method for this request.
* @param string $method
* @return $this
*/
public function setHttpMethod($method)
{
if (!self::isValidHttpMethod($method)) {
user_error('HTTPRequest::setHttpMethod: Invalid HTTP method', E_USER_ERROR);
}
$this->httpMethod = strtoupper($method);
return $this;
}
/** /**
* Return the URL scheme (e.g. "http" or "https"). * Return the URL scheme (e.g. "http" or "https").
* Equivalent to PSR-7 getUri()->getScheme() * Equivalent to PSR-7 getUri()->getScheme()
@ -878,25 +890,28 @@ class HTTPRequest implements ArrayAccess
} }
/** /**
* Gets the "real" HTTP method for a request. * @param string $method
* * @return bool
* Used to work around browser limitations of form */
* submissions to GET and POST, by overriding the HTTP method private static function isValidHttpMethod($method)
* with a POST parameter called "_method" for PUT, DELETE, HEAD. {
* Using GET for the "_method" override is not supported, return in_array(strtoupper($method), ['GET','POST','PUT','DELETE','HEAD']);
* as GET should never carry out state changes. }
* Alternatively you can use a custom HTTP header 'X-HTTP-Method-Override'
* to override the original method. /**
* The '_method' POST parameter overrules the custom HTTP header. * Gets the "real" HTTP method for a request. This method is no longer used to mitigate the risk of web cache
* poisoning.
* *
* @see https://www.silverstripe.org/download/security-releases/CVE-2019-19326
* @param string $origMethod Original HTTP method from the browser request * @param string $origMethod Original HTTP method from the browser request
* @param array $postVars * @param array $postVars
* @return string HTTP method (all uppercase) * @return string HTTP method (all uppercase)
* @deprecated 4.4.7
*/ */
public static function detect_method($origMethod, $postVars) public static function detect_method($origMethod, $postVars)
{ {
if (isset($postVars['_method'])) { if (isset($postVars['_method'])) {
if (!in_array(strtoupper($postVars['_method']), ['GET','POST','PUT','DELETE','HEAD'])) { if (!self::isValidHttpMethod($postVars['_method'])) {
user_error('HTTPRequest::detect_method(): Invalid "_method" parameter', E_USER_ERROR); user_error('HTTPRequest::detect_method(): Invalid "_method" parameter', E_USER_ERROR);
} }
return strtoupper($postVars['_method']); return strtoupper($postVars['_method']);

View File

@ -135,16 +135,6 @@ class HTTPRequestBuilder
*/ */
public static function cleanEnvironment(array $variables) public static function cleanEnvironment(array $variables)
{ {
// IIS will sometimes generate this.
if (!empty($variables['_SERVER']['HTTP_X_ORIGINAL_URL'])) {
$variables['_SERVER']['REQUEST_URI'] = $variables['_SERVER']['HTTP_X_ORIGINAL_URL'];
}
// Override REQUEST_METHOD
if (isset($variables['_SERVER']['X-HTTP-Method-Override'])) {
$variables['_SERVER']['REQUEST_METHOD'] = $variables['_SERVER']['X-HTTP-Method-Override'];
}
// Merge $_FILES into $_POST // Merge $_FILES into $_POST
$variables['_POST'] = array_merge((array)$variables['_POST'], (array)$variables['_FILES']); $variables['_POST'] = array_merge((array)$variables['_POST'], (array)$variables['_FILES']);

View File

@ -6,6 +6,7 @@ use SilverStripe\Control\Controller;
/** /**
* Simple controller that the installer uses to test that URL rewriting is working. * Simple controller that the installer uses to test that URL rewriting is working.
* @deprecated 4.4.7 This class will be removed in Silverstripe Framework 5.
*/ */
class InstallerTest extends Controller class InstallerTest extends Controller
{ {

View File

@ -9,6 +9,7 @@ use SilverStripe\Security\Security;
/** /**
* Returns information about the current site instance. * Returns information about the current site instance.
* @deprecated 4.4.7 This class will be removed in Silverstripe Framework 5.
*/ */
class SapphireInfo extends Controller class SapphireInfo extends Controller
{ {

View File

@ -1,110 +0,0 @@
<?php
namespace SilverStripe\Dev;
use SilverStripe\Control\Controller;
use SilverStripe\Control\Director;
use Exception;
/* Don't actually define these, since it'd clutter up the namespace.
define('1',E_ERROR);
define('2',E_WARNING);
define('4',E_PARSE);
define('8',E_NOTICE);
define('16',E_CORE_ERROR);
define('32',E_CORE_WARNING);
define('64',E_COMPILE_ERROR);
define('128',E_COMPILE_WARNING);
define('256',E_USER_ERROR);
define('512',E_USER_WARNING);
define('1024',E_USER_NOTICE);
define('2048',E_STRICT);
define('4096',E_RECOVERABLE_ERROR);
define('8192',E_DEPRECATED);
define('16384',E_USER_DEPRECATED);
define('30719',E_ALL);
*/
/**
*/
class SapphireREPL extends Controller
{
private static $allowed_actions = [
'index'
];
public function error_handler($errno, $errstr, $errfile, $errline, $errctx)
{
// Ignore unless important error
if (($errno & ~( 2048 | 8192 | 16384 )) == 0) {
return ;
}
// Otherwise throw exception to handle in REPL loop
throw new Exception(sprintf("%s:%d\r\n%s", $errfile, $errline, $errstr));
}
public function index()
{
if (!Director::is_cli()) {
return "The SilverStripe Interactive Command-line doesn't work in a web browser."
. " Use 'sake interactive' from the command-line to run.";
}
/* Try using PHP_Shell if it exists */
@include 'php-shell-cmd.php' ;
/* Fall back to our simpler interface */
if (empty($__shell)) {
set_error_handler([$this, 'error_handler']);
echo "SilverStripe Interactive Command-line (REPL interface). Type help for hints.\n\n";
while (true) {
echo CLI::text("?> ", "cyan");
echo CLI::start_colour("yellow");
$command = trim(fgets(STDIN, 4096));
echo CLI::end_colour();
if ($command == 'help' || $command == '?') {
print "help or ? to exit\n" ;
print "quit or \q to exit\n" ;
print "install PHP_Shell for a more advanced interface with"
. " auto-completion and readline support\n\n" ;
continue ;
}
if ($command == 'quit' || $command == '\q') {
break ;
}
// Simple command processing
if (substr($command, -1) == ';') {
$command = substr($command, 0, -1);
}
$is_print = preg_match('/^\s*print/i', $command);
$is_return = preg_match('/^\s*return/i', $command);
if (!$is_print && !$is_return) {
$command = "return ($command)";
}
$command .= ";";
try {
$result = eval($command);
if (!$is_print) {
print_r($result);
}
echo "\n";
} catch (Exception $__repl_exception) {
echo CLI::start_colour("red");
printf(
'%s (code: %d) got thrown' . PHP_EOL,
get_class($__repl_exception),
$__repl_exception->getCode()
);
print $__repl_exception;
echo "\n";
}
}
}
}
}

View File

@ -228,7 +228,7 @@ class DBHTMLText extends DBText
$text = strip_tags($text); $text = strip_tags($text);
// Implode >3 consecutive linebreaks into 2 // Implode >3 consecutive linebreaks into 2
$text = preg_replace('~(\R){2,}~', "\n\n", $text); $text = preg_replace('~(\R){2,}~u', "\n\n", $text);
// Decode HTML entities back to plain text // Decode HTML entities back to plain text
return trim(Convert::xml2raw($text)); return trim(Convert::xml2raw($text));

View File

@ -98,9 +98,15 @@ class HTTPRequestTest extends SapphireTest
[], [],
['_method' => 'DELETE'] ['_method' => 'DELETE']
); );
$this->assertTrue( $this->assertTrue(
$request->isPOST(),
'_method override is no longer honored'
);
$this->assertFalse(
$request->isDELETE(), $request->isDELETE(),
'POST with valid method override to DELETE' 'DELETE _method override is not honored'
); );
$request = new HTTPRequest( $request = new HTTPRequest(
@ -109,9 +115,9 @@ class HTTPRequestTest extends SapphireTest
[], [],
['_method' => 'put'] ['_method' => 'put']
); );
$this->assertTrue( $this->assertFalse(
$request->isPUT(), $request->isPUT(),
'POST with valid method override to PUT' 'PUT _method override is not honored'
); );
$request = new HTTPRequest( $request = new HTTPRequest(
@ -120,31 +126,78 @@ class HTTPRequestTest extends SapphireTest
[], [],
['_method' => 'head'] ['_method' => 'head']
); );
$this->assertTrue( $this->assertFalse(
$request->isHEAD(), $request->isHEAD(),
'POST with valid method override to HEAD ' 'HEAD _method override is not honored'
); );
}
$request = new HTTPRequest( public function detectMethodDataProvider()
'POST', {
'admin/crm', return [
[], 'Plain POST request' => ['POST', [], 'POST'],
['_method' => 'head'] 'Plain GET request' => ['GET', [], 'GET'],
); 'Plain DELETE request' => ['DELETE', [], 'DELETE'],
$this->assertTrue( 'Plain PUT request' => ['PUT', [], 'PUT'],
$request->isHEAD(), 'Plain HEAD request' => ['HEAD', [], 'HEAD'],
'POST with valid method override to HEAD'
);
$request = new HTTPRequest( 'Request with GET method override' => ['POST', ['_method' => 'GET'], 'GET'],
'POST', 'Request with HEAD method override' => ['POST', ['_method' => 'HEAD'], 'HEAD'],
'admin/crm', 'Request with DELETE method override' => ['POST', ['_method' => 'DELETE'], 'DELETE'],
['_method' => 'head'] 'Request with PUT method override' => ['POST', ['_method' => 'PUT'], 'PUT'],
); 'Request with POST method override' => ['POST', ['_method' => 'POST'], 'POST'],
$this->assertTrue(
$request->isPOST(), 'Request with mixed case method override' => ['POST', ['_method' => 'gEt'], 'GET']
'POST with invalid method override by GET parameters to HEAD' ];
); }
/**
* @dataProvider detectMethodDataProvider
*/
public function testDetectMethod($realMethod, $post, $expected)
{
$actual = HTTPRequest::detect_method($realMethod, $post);
$this->assertEquals($expected, $actual);
}
/**
* @expectedException PHPUnit_Framework_Error
*/
public function testBadDetectMethod()
{
HTTPRequest::detect_method('POST', ['_method' => 'Boom']);
}
public function setHttpMethodDataProvider()
{
return [
'POST request' => ['POST','POST'],
'GET request' => ['GET', 'GET'],
'DELETE request' => ['DELETE', 'DELETE'],
'PUT request' => ['PUT', 'PUT'],
'HEAD request' => ['HEAD', 'HEAD'],
'Mixed case POST' => ['gEt', 'GET'],
];
}
/**
* @dataProvider setHttpMethodDataProvider
*/
public function testSetHttpMethod($method, $expected)
{
$request = new HTTPRequest('GET', '/hello');
$returnedRequest = $request->setHttpMethod($method);
$this->assertEquals($expected, $request->httpMethod());
$this->assertEquals($request, $returnedRequest);
}
/**
* @expectedException PHPUnit_Framework_Error
*/
public function testBadSetHttpMethod()
{
$request = new HTTPRequest('GET', '/hello');
$request->setHttpMethod('boom');
} }
public function testRequestVars() public function testRequestVars()

View File

@ -265,6 +265,10 @@ class DBHTMLTextTest extends SapphireTest
[ [
'<p>Collapses</p><p></p><p>Excessive<br/><br /><br>Newlines</p>', '<p>Collapses</p><p></p><p>Excessive<br/><br /><br>Newlines</p>',
"Collapses\n\nExcessive\n\nNewlines", "Collapses\n\nExcessive\n\nNewlines",
],
'Unicode character that could be confused for a line break' =>[
'充美好实的一天',
'充美好实的一天'
] ]
]; ];
} }