tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

BUG Secure composer files from web access (fixes #8011)

Browse Source 
Already applied to root .htaccess, but required for dynamically
generated file from installer as well. Also added upgrade instructions.
This commit is contained in:
Ingo Schommer 2013-02-17 22:33:04 +01:00
parent e21bd49462
commit ede381326b
2 changed files with 43 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
dev/install/install.php5
View File

@ -1280,6 +1280,8 @@ ErrorDocument 500 /assets/error-500.html
<IfModule mod_alias.c>
RedirectMatch 403 /silverstripe-cache(/|$)
RedirectMatch 403 /vendor(/|$)
RedirectMatch 403 /composer\.(json|lock)
</IfModule>
<IfModule mod_rewrite.c>

44
docs/en/changelogs/3.0.4.md
View File

@ -2,14 +2,52 @@
## Overview
* Security: Information leakage through web access on YAML configuration files
* Security: Information leakage through web access on composer files
* Security: Require ADMIN permissions for `?showtemplate=1`
* Changed `dev/tests/setdb` and `dev/tests/startsession` from session to cookie storage.
* Require ADMIN permissions for `?showtemplate=1`
## Details
### Require ADMIN permissions for `?showtemplate=1`
### Security: Prevent web access to YAML and composer files
Avoids information leakage of compiled template data,
Severity: Moderate
Description: YAML files are used to configure the SilverStripe application
since its 3.0 release. These files can contain sensitive values such as database
and API credentials. By default, the installer still stores database credentials
in `_config.php` files which are safe from web access. So this only concerns
configuration values added in your own project, or a third party module.
Resolution: Update your `.htaccess` file (for Apache), or your `web.config` file (for IIS)
with the new files from the project root, and reapply any customizations you've made.
Follow the [general upgrade instructions](/installation/upgrading).
The [nginx installation instructions](/installation/nginx)
have also been updated to reflect those changes.
### Security: Information exposure through web access on composer files
Severity: Low
Description: [Composer](http://getcomposer.org) is a dependency management
tool which can optionally be used to install SilverStripe. The `composer.json`
and `composer.lock` files are required for its operation, so they are included
in the standard release since 3.0.2. These files contain information on the installed
versions of core and thirdparty modules, which could be used to target specific
versions of SilverStripe.
Resolution: Update your `.htaccess` file (for Apache), or your `web.config` file (for IIS)
with the new files from the project root, and reapply any customizations you've made.
Follow the [general upgrade instructions](/installation/upgrading).
The [nginx installation instructions](/installation/nginx)
have also been updated to reflect those changes.
### Security: Require ADMIN permissions for `?showtemplate=1`
Severity: Low
Description: Avoids information leakage of compiled template data,
which might expose some of the internal template logic.
## Upgrading