mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
Merge branch '4.5' into 4.6
This commit is contained in:
commit
fbe0f5a981
@ -0,0 +1,159 @@
|
|||||||
|
---
|
||||||
|
title: Controlling CanView access to DataObjects returned by GraphQL
|
||||||
|
summary: Your GraphQL service should honour the CanView permission when fetching DataObjects. Learn how to customise this access control check.
|
||||||
|
icon: cookie-bite
|
||||||
|
---
|
||||||
|
|
||||||
|
# Controlling who can view results in a GraphQL result set
|
||||||
|
|
||||||
|
The [Silverstripe ORM provides methods to control permissions on DataObject](Developer_Guides/Model/Permissions). In
|
||||||
|
most cases, you'll want to extend this permission model to any GraphQL service you implement that returns a DataObject.
|
||||||
|
|
||||||
|
## The QueryPermissionChecker interface
|
||||||
|
|
||||||
|
The GraphQL module includes a `QueryPermissionChecker` interface. This interface can be used to specify how GraphQL
|
||||||
|
services should validate that users have access to the DataObjects they are requesting.
|
||||||
|
|
||||||
|
The default implementation of `QueryPermissionChecker` is `CanViewPermissionChecker`. `CanViewPermissionChecker` directly calls the `CanView` method of each DataObject in your result set and filters out the entries not visible to the current user.
|
||||||
|
|
||||||
|
Out of the box, the `CanView` permission of your DataObjects are honoured when Scaffolding GraphQL queries.
|
||||||
|
|
||||||
|
## Customising how the results are filtered
|
||||||
|
|
||||||
|
`CanViewPermissionChecker` has some limitations. It's rather simplistic and will load each entry in your results set to perform a CanView call on it. It will also convert the results set to an `ArrayList` which can be inconvenient if you need to alter the underlying query after the _CanView_ check.
|
||||||
|
|
||||||
|
Depending on your exact use case, you may want to implement your own `QueryPermissionChecker` instead of relying
|
||||||
|
on `CanViewPermissionChecker`.
|
||||||
|
|
||||||
|
Some of the reasons you might consider this are:
|
||||||
|
* the access permissions on your GraphQL service differ from the ones implemented directly on your DataObject
|
||||||
|
* you want to speed up your request by filtering out results the user doesn't have access to directly in the query
|
||||||
|
* you would rather have a `DataList` be returned.
|
||||||
|
|
||||||
|
### Implementing your own QueryPermissionChecker class
|
||||||
|
|
||||||
|
The `QueryPermissionChecker` requires your class to implement two methods:
|
||||||
|
* `applyToList` which filters a `Filterable` list based on whether a provided `Member` can view the results
|
||||||
|
* `checkItem` which checks if a provided object can be viewed by a specific `Member`.
|
||||||
|
|
||||||
|
#### Filtering results based on the user's permissions
|
||||||
|
|
||||||
|
In some context, whether a user can view an object is entirely determined on their permissions. When that's the
|
||||||
|
case, you don't even need to get results to know if the user will be able to see them or not.
|
||||||
|
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
use SilverStripe\GraphQL\Permission\QueryPermissionChecker;
|
||||||
|
use SilverStripe\ORM\ArrayList;
|
||||||
|
use SilverStripe\ORM\Filterable;
|
||||||
|
use SilverStripe\Security\Member;
|
||||||
|
use SilverStripe\Security\Permission;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This implementation assumes that only users with the ADMIN permission can view results.
|
||||||
|
*/
|
||||||
|
class AdminPermissionChecker implements QueryPermissionChecker
|
||||||
|
{
|
||||||
|
|
||||||
|
public function applyToList(Filterable $list, Member $member = null)
|
||||||
|
{
|
||||||
|
return Permission::check('ADMIN', 'any', $member) ?
|
||||||
|
$list :
|
||||||
|
ArrayList::create([]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function checkItem($item, Member $member = null)
|
||||||
|
{
|
||||||
|
return Permission::check('ADMIN', 'any', $member);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Filtering results based on the user's permissions
|
||||||
|
|
||||||
|
Some times, whether a user can view an object is determined by some information on the record. If that's the case,
|
||||||
|
you can filter out results the user can not see by altering the query. This has some performance advantage, because
|
||||||
|
the results are filtered directly by the query.
|
||||||
|
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
use SilverStripe\GraphQL\Permission\QueryPermissionChecker;
|
||||||
|
use SilverStripe\ORM\Filterable;
|
||||||
|
use SilverStripe\Security\Member;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This implementation assumes that the results are assigned an owner and that only the owner can view a record.
|
||||||
|
*/
|
||||||
|
class OwnerPermissionChecker implements QueryPermissionChecker
|
||||||
|
{
|
||||||
|
|
||||||
|
public function applyToList(Filterable $list, Member $member = null)
|
||||||
|
{
|
||||||
|
return $list->filter('OwnerID', $member ? $member->ID : -1);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function checkItem($item, Member $member = null)
|
||||||
|
{
|
||||||
|
return $member && $item->OwnerID === $member->ID;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Using a custom QueryPermissionChecker implementation
|
||||||
|
|
||||||
|
There's three classes that expect a `QueryPermissionChecker`:
|
||||||
|
* `SilverStripe\GraphQL\Scaffolding\Scaffolders\ItemQueryScaffolder`
|
||||||
|
* `SilverStripe\GraphQL\Scaffolding\Scaffolders\ListQueryScaffolder`
|
||||||
|
* `SilverStripe\GraphQL\Pagination\Connection`
|
||||||
|
|
||||||
|
Those classes all implement the `SilverStripe\GraphQL\Permission\PermissionCheckerAware` and receive the default
|
||||||
|
`QueryPermissionChecker` from the Injector. They also have a `setPermissionChecker` method that can be use to provide a custom `QueryPermissionChecker`.
|
||||||
|
|
||||||
|
#### Scaffolding types with a custom QueryPermissionChecker implementation
|
||||||
|
|
||||||
|
There's not any elegant way of defining a custom `QueryPermissionChecker` when scaffolding types at this time. If
|
||||||
|
you need the ability to use a custom `QueryPermissionChecker`, you'll have to build your query manually.
|
||||||
|
|
||||||
|
#### Overriding the QueryPermissionChecker for a class extending ListQueryScaffolder
|
||||||
|
|
||||||
|
If you've created a GraphQL query by creating a subclass of `ListQueryScaffolder`, you can use the injector to
|
||||||
|
override `QueryPermissionChecker`.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
---
|
||||||
|
Name: custom-graphqlconfig
|
||||||
|
After: graphqlconfig
|
||||||
|
---
|
||||||
|
SilverStripe\Core\Injector\Injector:
|
||||||
|
SilverStripe\GraphQL\Permission\QueryPermissionChecker.my-custom:
|
||||||
|
class: App\Project\CustomQueryPermissionChecker
|
||||||
|
App\Project\CustomListQueryScaffolder:
|
||||||
|
properties:
|
||||||
|
permissionChecker: '%$SilverStripe\GraphQL\Permission\QueryPermissionChecker.my-custom'
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Manually specifying a QueryPermissionChecker on a Connection
|
||||||
|
|
||||||
|
If you're manually instantiating an instance of `SilverStripe\GraphQL\Pagination\Connection` to resolve your results,
|
||||||
|
you can pass an instance of your own custom `QueryPermissionChecker`.
|
||||||
|
|
||||||
|
```php
|
||||||
|
$childrenConnection = Connection::create('Children')
|
||||||
|
->setConnectionType($this->manager->getType('Children'))
|
||||||
|
->setSortableFields([
|
||||||
|
'id' => 'ID',
|
||||||
|
'title' => 'Title',
|
||||||
|
'created' => 'Created',
|
||||||
|
'lastEdited' => 'LastEdited',
|
||||||
|
])
|
||||||
|
->setPermissionChecker(new CustomQueryPermissionChecker());
|
||||||
|
```
|
||||||
|
|
||||||
|
## API Documentation
|
||||||
|
|
||||||
|
* [CanViewPermissionChecker](api:SilverStripe\GraphQL\Permission\CanViewPermissionChecker)
|
||||||
|
* [Connection](api:SilverStripe\GraphQL\Pagination\Connection)
|
||||||
|
* [ItemQueryScaffolder](api:SilverStripe\GraphQL\Scaffolding\Scaffolders\ItemQueryScaffolder)
|
||||||
|
* [ListQueryScaffolder](api:SilverStripe\GraphQL\Scaffolding\Scaffolders\ListQueryScaffolder)
|
||||||
|
* [PermissionCheckerAware](api:SilverStripe\GraphQL\Permission\PermissionCheckerAware)
|
||||||
|
* [QueryPermissionChecker](api:SilverStripe\GraphQL\Permission\QueryPermissionChecker)
|
20
docs/en/02_Developer_Guides/19_GraphQL/index.md
Normal file
20
docs/en/02_Developer_Guides/19_GraphQL/index.md
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
---
|
||||||
|
title: GraphQL
|
||||||
|
summary: Learn how to create and customise GraphQL services on your Silverstripe CMS project.
|
||||||
|
introduction: Learn how to create and customise GraphQL services on your Silverstripe CMS project.
|
||||||
|
icon: cookie
|
||||||
|
---
|
||||||
|
|
||||||
|
[CHILDREN]
|
||||||
|
|
||||||
|
## Additional documentation
|
||||||
|
|
||||||
|
A substantial part of the GraphQL documentation for Silverstripe CMS still
|
||||||
|
reside on the GraphQL module's _Readme_ file. We are in the process of folding
|
||||||
|
this information back into the main Silverstripe CMS documentation.
|
||||||
|
|
||||||
|
* [silverstripe/graphql](https://github.com/silverstripe/silverstripe-graphql/)
|
||||||
|
|
||||||
|
## API Documentation
|
||||||
|
|
||||||
|
* [GraphQL](api:SilverStripe\GraphQL)
|
131
docs/en/04_Changelogs/4.4.7.md
Normal file
131
docs/en/04_Changelogs/4.4.7.md
Normal file
@ -0,0 +1,131 @@
|
|||||||
|
# 4.4.7
|
||||||
|
|
||||||
|
## Security patches
|
||||||
|
|
||||||
|
This release contains security patches. Some of those patches might require some updates to your project.
|
||||||
|
|
||||||
|
* [CVE-2020-9309 Script execution on protected files](https://www.silverstripe.org/download/security-releases/CVE-2020-9309)
|
||||||
|
* [CVE-2019-19326 Web Cache Poisoning](https://www.silverstripe.org/download/security-releases/CVE-2019-19326)
|
||||||
|
* [CVE-2020-6164 Information disclosure on /interactive URL path](https://www.silverstripe.org/download/security-releases/CVE-2020-6164)
|
||||||
|
|
||||||
|
|
||||||
|
### CVE-2020-9309 Script execution on protected files {#CVE-2020-9309}
|
||||||
|
|
||||||
|
Silverstripe can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents.
|
||||||
|
|
||||||
|
#### Risk factors
|
||||||
|
|
||||||
|
If your project already includes the `silverstripe/mimevalidator` module, it's already protected. CWP projects are already protected.
|
||||||
|
|
||||||
|
If your project includes the `silverstripe/userforms` module or allows anonymous users to upload files, it's at a higher risk because malicious users can create files without requiring a CMS access.
|
||||||
|
|
||||||
|
#### Actions you need to take
|
||||||
|
|
||||||
|
If your project already includes the `silverstripe/mimevalidator` module, you do not need to do anything. To check if the `silverstripe/mimevalidator` module is installed in your project, run this command from your project root.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
composer show silverstripe/mimevalidator
|
||||||
|
```
|
||||||
|
|
||||||
|
If you get an error, the module is not installed.
|
||||||
|
|
||||||
|
**Upgrading to `silverstripe/recipe-cms` 4.4.7 will NOT automatically install `silverstripe/mimevalidator`**. You need to manually install the module `silverstripe/mimevalidator`. To add `silverstripe/mimevalidator` to your project, run this command.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
composer require silverstripe/mimevalidator
|
||||||
|
```
|
||||||
|
|
||||||
|
After installing the `mimevalidator` module, you need to enable it by adding this code snippet to your YML configuration.
|
||||||
|
|
||||||
|
```yml
|
||||||
|
SilverStripe\Core\Injector\Injector:
|
||||||
|
SilverStripe\Assets\Upload_Validator:
|
||||||
|
class: SilverStripe\MimeValidator\MimeUploadValidator
|
||||||
|
```
|
||||||
|
|
||||||
|
If your project overrides the defaults allowed file types, it's important that you take the time to review your configuration and adjust it as need be to work with `silverstripe/mimevalidator`.
|
||||||
|
|
||||||
|
Read the [Allowed file types](/Developer_Guides/Files/Allowed_file_types) documentation for more details on controling the type of files that can be stored in your Silverstrip CMS Project.
|
||||||
|
|
||||||
|
#### Special consideration when upgrading Userforms
|
||||||
|
|
||||||
|
The `silverstripe/userforms` module now also includes `silverstripe/mimevalidator` in its dependencies. Upgrading to the following versions of userforms will automatically install `silverstripe/mimevalidator`:
|
||||||
|
|
||||||
|
* 5.4.3 or later
|
||||||
|
* 5.5.3 or later
|
||||||
|
* 5.6.0 or later (requires CMS 4.6.0)
|
||||||
|
|
||||||
|
Userforms that include a file upload field will automatically use the`MimeUploadValidator`. Beware that this will NOT change the default upload validator for other file upload fields in the CMS. You'll need to update your YML configuration for the `MimeUploadValidator` to be used everywhere.
|
||||||
|
|
||||||
|
### CVE-2019-19326 Web Cache Poisoning {#CVE-2019-19326}
|
||||||
|
|
||||||
|
Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the:
|
||||||
|
* `X-Original-Url` HTTP header
|
||||||
|
* `X-HTTP-Method-Override` HTTP header
|
||||||
|
* `_method` POST variable.
|
||||||
|
|
||||||
|
In order to remedy this vulnerability, Silverstripe Framework 4.4.7 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution.
|
||||||
|
|
||||||
|
### Re-enabling the support for removed features
|
||||||
|
|
||||||
|
These features are best implemented by defining a `Middleware`.
|
||||||
|
|
||||||
|
The following example illustrates how to implement an `HTTPMiddleware` that restores support for the `X-Original-Url` header and the `_method` POST parameter for requests originating from a trusted proxy.
|
||||||
|
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
use SilverStripe\Control\Middleware\HTTPMiddleware;
|
||||||
|
use SilverStripe\Control\HTTPRequest;
|
||||||
|
/**
|
||||||
|
* This is meant to illustrate how to implement an HTTPMiddleware. If you blindly
|
||||||
|
* copy-paste this in in your code base, you'll simply replicate the vulnerability.
|
||||||
|
*/
|
||||||
|
class InsecureHeaderMiddleware implements HTTPMiddleware
|
||||||
|
{
|
||||||
|
public function process(HTTPRequest $request, callable $delegate)
|
||||||
|
{
|
||||||
|
// Normally, you would validate that the request is coming from a trusted source at this point.
|
||||||
|
// View SilverStripe\Control\Middleware\TrustedProxyMiddleware for an example.
|
||||||
|
$trustedProxy = true;
|
||||||
|
if ($trustedProxy) {
|
||||||
|
$originalUrl = $request->getHeader('X-Original-Url');
|
||||||
|
if ($originalUrl) {
|
||||||
|
$_SERVER['REQUEST_URI'] = $originalUrl;
|
||||||
|
$request->setUrl($originalUrl);
|
||||||
|
}
|
||||||
|
$methodOverride = $request->postVar('_method');
|
||||||
|
$validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD'];
|
||||||
|
if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) {
|
||||||
|
$request->setHttpMethod($methodOverride);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return $delegate($request);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
To learn more about re-implementing support for the disabled features:
|
||||||
|
* read [how to configure trusted proxies](/developer_guides/security/secure_coding/#request-hostname-forgery) on the Silverstripe documentation.
|
||||||
|
* read the [documentation about HTTP Middlewares](/developer_guides/controllers/middlewares/).
|
||||||
|
|
||||||
|
### CVE-2020-6164 Information disclosure on /interactive URL path
|
||||||
|
|
||||||
|
A specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).
|
||||||
|
|
||||||
|
<!--- Changes below this line will be automatically regenerated -->
|
||||||
|
|
||||||
|
## Change Log
|
||||||
|
|
||||||
|
### Security
|
||||||
|
|
||||||
|
* 2020-05-13 [91d30db88](https://github.com/silverstripe/silverstripe-framework/commit/91d30db88f68b9b87980ef9a59e208a81980b72c) Remove/deprecate unused controllers that can potentially give away some information about the underlying project. (Maxime Rainville) - See [cve-2020-6164](https://www.silverstripe.org/download/security-releases/cve-2020-6164)
|
||||||
|
* 2020-05-11 [107706c12](https://github.com/silverstripe/silverstripe-framework/commit/107706c12cd9cf4d1b8b96b6a6e223633209d851) Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod() (Maxime Rainville) - See [cve-2019-19326](https://www.silverstripe.org/download/security-releases/cve-2019-19326)
|
||||||
|
|
||||||
|
### Bugfixes
|
||||||
|
|
||||||
|
* 2020-06-01 [3df2222](https://github.com/silverstripe/silverstripe-asset-admin/commit/3df222203ee563fac840e5e0727c75ddfe244886) Prevent react-selectable from interfering with pagination (Maxime Rainville)
|
||||||
|
* 2020-05-05 [2cc037b](https://github.com/silverstripe/silverstripe-versioned/commit/2cc037b2d305ed98056a9232587351949e59561f) Fix merge conflict in Travis configuration (Robbie Averill)
|
||||||
|
* 2020-02-24 [bba0f2f72](https://github.com/silverstripe/silverstripe-framework/commit/bba0f2f72fa2e631dbf60357a908d5d57d4467ee) Fixed issue where TimeField_Readonly would only show "(not set)" instead of the value (UndefinedOffset)
|
||||||
|
* 2020-02-18 [e0de15f](https://github.com/silverstripe/silverstripe-errorpage/commit/e0de15f85a09ac848cb110f49cef58624d1e892f) Fix broken test when FulltextSearchable is enabled (Maxime Rainville)
|
||||||
|
* 2019-09-02 [6d8a4bc](https://github.com/silverstripe/silverstripe-assets/commit/6d8a4bc4f4178c0b56ede1b01f87b162066d550a) Make AbsoluteLink work with manipulated images (fixes #322) (Loz Calver)
|
||||||
|
<!--- Changes above this line will be automatically regenerated -->
|
176
docs/en/04_Changelogs/4.5.3.md
Normal file
176
docs/en/04_Changelogs/4.5.3.md
Normal file
@ -0,0 +1,176 @@
|
|||||||
|
# 4.5.3
|
||||||
|
|
||||||
|
## Security patches
|
||||||
|
|
||||||
|
This release contains security patches. Some of those patches might require some updates to your project.
|
||||||
|
|
||||||
|
* [CVE-2020-9309 Script execution on protected files](https://www.silverstripe.org/download/security-releases/CVE-2020-9309)
|
||||||
|
* [CVE-2019-19326 Web Cache Poisoning](https://www.silverstripe.org/download/security-releases/CVE-2019-19326)
|
||||||
|
* [CVE-2020-6164 Information disclosure on /interactive URL path](https://www.silverstripe.org/download/security-releases/CVE-2020-6164)
|
||||||
|
* [CVE-2020-6165 Limited queries break CanViewPermissionChecker](https://www.silverstripe.org/download/security-releases/CVE-2020-6165)
|
||||||
|
|
||||||
|
|
||||||
|
### CVE-2020-9309 Script execution on protected files {#CVE-2020-9309}
|
||||||
|
|
||||||
|
Silverstripe can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents.
|
||||||
|
|
||||||
|
#### Risk factors
|
||||||
|
|
||||||
|
If your project already includes the `silverstripe/mimevalidator` module, it's already protected. CWP projects are already protected.
|
||||||
|
|
||||||
|
If your project includes the `silverstripe/userforms` module or allows anonymous users to upload files, it's at a higher risk because malicious users can create files without requiring a CMS access.
|
||||||
|
|
||||||
|
#### Actions you need to take
|
||||||
|
|
||||||
|
If your project already includes the `silverstripe/mimevalidator` module, you do not need to do anything. To check if the `silverstripe/mimevalidator` module is installed in your project, run this command from your project root.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
composer show silverstripe/mimevalidator
|
||||||
|
```
|
||||||
|
|
||||||
|
If you get an error, the module is not installed.
|
||||||
|
|
||||||
|
**Upgrading to `silverstripe/recipe-cms` 4.5.3 will NOT automatically install `silverstripe/mimevalidator`**. You need to manually install the module `silverstripe/mimevalidator`. To add `silverstripe/mimevalidator` to your project, run this command.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
composer require silverstripe/mimevalidator
|
||||||
|
```
|
||||||
|
|
||||||
|
After installing the `mimevalidator` module, you need to enable it by adding this code snippet to your YML configuration.
|
||||||
|
|
||||||
|
```yml
|
||||||
|
SilverStripe\Core\Injector\Injector:
|
||||||
|
SilverStripe\Assets\Upload_Validator:
|
||||||
|
class: SilverStripe\MimeValidator\MimeUploadValidator
|
||||||
|
```
|
||||||
|
|
||||||
|
If your project overrides the defaults allowed file types, it's important that you take the time to review your configuration and adjust it as need be to work with `silverstripe/mimevalidator`.
|
||||||
|
|
||||||
|
Read the [Allowed file types](/Developer_Guides/Files/Allowed_file_types) documentation for more details on controling the type of files that can be stored in your Silverstrip CMS Project.
|
||||||
|
|
||||||
|
#### Special consideration when upgrading Userforms
|
||||||
|
|
||||||
|
The `silverstripe/userforms` module now also includes `silverstripe/mimevalidator` in its dependencies. Upgrading to the following versions of userforms will automatically install `silverstripe/mimevalidator`:
|
||||||
|
|
||||||
|
* 5.4.3 or later
|
||||||
|
* 5.5.3 or later
|
||||||
|
* 5.6.0 or later (requires CMS 4.6.0)
|
||||||
|
|
||||||
|
Userforms that include a file upload field will automatically use the`MimeUploadValidator`. Beware that this will NOT change the default upload validator for other file upload fields in the CMS. You'll need to update your YML configuration for the `MimeUploadValidator` to be used everywhere.
|
||||||
|
|
||||||
|
### CVE-2019-19326 Web Cache Poisoning {#CVE-2019-19326}
|
||||||
|
|
||||||
|
Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the:
|
||||||
|
* `X-Original-Url` HTTP header
|
||||||
|
* `X-HTTP-Method-Override` HTTP header
|
||||||
|
* `_method` POST variable.
|
||||||
|
|
||||||
|
In order to remedy this vulnerability, Silverstripe Framework 4.5.3 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution.
|
||||||
|
|
||||||
|
### Re-enabling the support for removed features
|
||||||
|
|
||||||
|
These features are best implemented by defining a `Middleware`.
|
||||||
|
|
||||||
|
The following example illustrates how to implement an `HTTPMiddleware` that restores support for the `X-Original-Url` header and the `_method` POST parameter for requests originating from a trusted proxy.
|
||||||
|
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
use SilverStripe\Control\Middleware\HTTPMiddleware;
|
||||||
|
use SilverStripe\Control\HTTPRequest;
|
||||||
|
/**
|
||||||
|
* This is meant to illustrate how to implement an HTTPMiddleware. If you blindly
|
||||||
|
* copy-paste this in in your code base, you'll simply replicate the vulnerability.
|
||||||
|
*/
|
||||||
|
class InsecureHeaderMiddleware implements HTTPMiddleware
|
||||||
|
{
|
||||||
|
public function process(HTTPRequest $request, callable $delegate)
|
||||||
|
{
|
||||||
|
// Normally, you would validate that the request is coming from a trusted source at this point.
|
||||||
|
// View SilverStripe\Control\Middleware\TrustedProxyMiddleware for an example.
|
||||||
|
$trustedProxy = true;
|
||||||
|
if ($trustedProxy) {
|
||||||
|
$originalUrl = $request->getHeader('X-Original-Url');
|
||||||
|
if ($originalUrl) {
|
||||||
|
$_SERVER['REQUEST_URI'] = $originalUrl;
|
||||||
|
$request->setUrl($originalUrl);
|
||||||
|
}
|
||||||
|
$methodOverride = $request->postVar('_method');
|
||||||
|
$validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD'];
|
||||||
|
if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) {
|
||||||
|
$request->setHttpMethod($methodOverride);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return $delegate($request);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
To learn more about re-implementing support for the disabled features:
|
||||||
|
* read [how to configure trusted proxies](/developer_guides/security/secure_coding/#request-hostname-forgery) on the Silverstripe documentation.
|
||||||
|
* read the [documentation about HTTP Middlewares](/developer_guides/controllers/middlewares/).
|
||||||
|
|
||||||
|
### CVE-2020-6164 Information disclosure on /interactive URL path
|
||||||
|
|
||||||
|
A specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).
|
||||||
|
|
||||||
|
### CVE-2020-6165 Limited queries break CanViewPermissionChecker
|
||||||
|
|
||||||
|
The automatic permission checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g. through pagination), resulting in records that should fail the permission check being added to the final result set.
|
||||||
|
|
||||||
|
If your project implements custom GraphQL queries using the `CanViewPermissionChecker`, you should validate that they still work as expected after the upgrade.
|
||||||
|
|
||||||
|
Read [Controlling who can view results in a GraphQL result set](/Developer_Guides/GraphQL/Verifying_CanView_Permission)
|
||||||
|
for more information on updating your GraphQL queries.
|
||||||
|
|
||||||
|
<!--- Changes below this line will be automatically regenerated -->
|
||||||
|
|
||||||
|
## Change Log
|
||||||
|
|
||||||
|
### Security
|
||||||
|
|
||||||
|
* 2020-05-13 [cce2b1630](https://github.com/silverstripe/silverstripe-framework/commit/cce2b1630937895aa28c2914837651e7cd56d74b) Remove/deprecate unused controllers that can potentially give away some information about the underlying project. (Maxime Rainville) - See [cve-2020-6164](https://www.silverstripe.org/download/security-releases/cve-2020-6164)
|
||||||
|
* 2020-05-11 [8518987cb](https://github.com/silverstripe/silverstripe-framework/commit/8518987cbd1eaca71b65dd4a4b35591db941509a) Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod() (Maxime Rainville) - See [cve-2019-19326](https://www.silverstripe.org/download/security-releases/cve-2019-19326)
|
||||||
|
* 2020-02-17 [d3968ad](https://github.com/silverstripe/silverstripe-asset-admin/commit/d3968adcbdb759cb20571865af3b6356c8922cde) Move the query resolution after the DataListQuery has been altered (Maxime Rainville) - See [cve-2020-6165](https://www.silverstripe.org/download/security-releases/cve-2020-6165)
|
||||||
|
* 2020-02-11 [107e6c9](https://github.com/silverstripe/silverstripe-graphql/commit/107e6c918bb6a6a536dd9e3d8f5c74b4acdfd852) Ensure canView() check is run on items (Steve Boyd) - See [cve-2020-6165](https://www.silverstripe.org/download/security-releases/cve-2020-6165)
|
||||||
|
|
||||||
|
### API Changes
|
||||||
|
|
||||||
|
* 2020-06-30 [ec83959f2](https://github.com/silverstripe/silverstripe-framework/commit/ec83959f2c3ff7784fdd9503601732b5d006de13) Remove UpgradeBootstrap (not part of our official API) (Maxime Rainville)
|
||||||
|
|
||||||
|
### Features and Enhancements
|
||||||
|
|
||||||
|
* 2020-04-15 [daa80d8](https://github.com/silverstripe/silverstripe-admin/commit/daa80d8d2c2a5eabf75cfd23bb40d5a4b0fab02a) Add secure icons (Sacha Judd)
|
||||||
|
|
||||||
|
### Bugfixes
|
||||||
|
|
||||||
|
* 2020-07-09 [b780c4f50](https://github.com/silverstripe/silverstripe-framework/commit/b780c4f504555e5ae2d3861f8772f87ab20e016e) Tweak DBHTMLText::Plain to avoid treating some chinese characters as line breaks. (Maxime Rainville)
|
||||||
|
* 2020-06-23 [e033f26](https://github.com/silverstripe/silverstripe-admin/commit/e033f26d16527c04fb09c9ae3c1582367cf1dcaf) Fix external link setting text to `undefined` on text (#1059) (Andre Kiste)
|
||||||
|
* 2020-06-01 [3df2222](https://github.com/silverstripe/silverstripe-asset-admin/commit/3df222203ee563fac840e5e0727c75ddfe244886) Prevent react-selectable from interfering with pagination (Maxime Rainville)
|
||||||
|
* 2020-05-26 [3e52b1a](https://github.com/silverstripe/silverstripe-admin/commit/3e52b1ae3e5fd45dfde05913fe2fc0edd7309d82) Vertically align form description contents (including icons) (bergice)
|
||||||
|
* 2020-05-26 [09d2061](https://github.com/silverstripe/silverstripe-asset-admin/commit/09d20617620571650509b2b250117c295d58d5bb) Asset revision timestamps are no longer underlined in asset admin history tabs (Robbie Averill)
|
||||||
|
* 2020-05-19 [b9de9e6](https://github.com/silverstripe/silverstripe-asset-admin/commit/b9de9e6d608aa2b7f6d01e9c609369998d3ab0d8) Remove direct descendant selector to apply correct margins (Sacha Judd)
|
||||||
|
* 2020-05-11 [9dcc030](https://github.com/silverstripe/silverstripe-admin/commit/9dcc030aa8c2c3dab4c6a4206f883cb40e6a1458) Resize address-card-warning (Sacha Judd)
|
||||||
|
* 2020-05-08 [afc1759](https://github.com/silverstripe/silverstripe-admin/commit/afc1759f6cc74ce58be68bfb167bf52c1e972915) Page search form layout overflow issue (Mojmir Fendek)
|
||||||
|
* 2020-05-05 [2cc037b](https://github.com/silverstripe/silverstripe-versioned/commit/2cc037b2d305ed98056a9232587351949e59561f) Fix merge conflict in Travis configuration (Robbie Averill)
|
||||||
|
* 2020-05-01 [b1f6e52](https://github.com/silverstripe/silverstripe-asset-admin/commit/b1f6e521aac9bc17ee400593724e4a9290678938) Remove grid view sorting hack to correct initial state (Garion Herman)
|
||||||
|
* 2020-05-01 [891f0682](https://github.com/silverstripe/silverstripe-cms/commit/891f068202a3c7926a813c994b2802eacb7847f0) Correct placement of 'Page location' field title (Garion Herman)
|
||||||
|
* 2020-04-30 [fff806ca](https://github.com/silverstripe/silverstripe-cms/commit/fff806ca33cf6cdfd17c073f736e0faba42964a3) Prevent Treeview from always reloading (Maxime Rainville)
|
||||||
|
* 2020-04-18 [216989165](https://github.com/silverstripe/silverstripe-framework/commit/2169891651aded4defe33a1d08e1b07f79b9f086) Ensure realpath returns a string for stripos (mattclegg)
|
||||||
|
* 2020-04-15 [be80813](https://github.com/silverstripe/silverstripe-asset-admin/commit/be80813eaa8f5005b63978a53da2162c88645173) Campaign admin permission fix (Mojmir Fendek)
|
||||||
|
* 2020-04-15 [d7c76bdb](https://github.com/silverstripe/silverstripe-cms/commit/d7c76bdbba0af815d61146a1cbfc2529b3b2fe55) Published pages filter correction (missing default filter) (Mojmir Fendek)
|
||||||
|
* 2020-04-14 [e2a6281](https://github.com/silverstripe/silverstripe-asset-admin/commit/e2a6281305f23bd43d43a23adaa6807a54263f61) Legacy max upload size setting removal (Mojmir Fendek)
|
||||||
|
* 2020-03-23 [5002f514b](https://github.com/silverstripe/silverstripe-framework/commit/5002f514b3fde8e4ef75a72c964d649f46ab31f0) Capitalisation fixes in welcome back message (#9439) (Robbie Averill)
|
||||||
|
* 2020-03-23 [e5aa94c](https://github.com/silverstripe/silverstripe-admin/commit/e5aa94cfdd4fadcc87db3eee127f2f4f751ef6a7) "My profile" title in CMS is now vertical centered as other LeftAndMain screens are (Robbie Averill)
|
||||||
|
* 2020-03-20 [14fd29a](https://github.com/silverstripe/silverstripe-admin/commit/14fd29ad2c607951eff1bab65921748916a6c72e) Switch incorrect modified and draft state indicator colours (Sacha Judd)
|
||||||
|
* 2020-03-17 [7ad5f1bb1](https://github.com/silverstripe/silverstripe-framework/commit/7ad5f1bb14814bd05c6fe97e11b94c9f34936b15) Ensure diff arrays are one-dimensional (Aaron Carlino)
|
||||||
|
* 2020-03-08 [b269d8749](https://github.com/silverstripe/silverstripe-framework/commit/b269d874909cd70bb60c1a2974ea5446b43b0436) Register new sub tasks to fix files affected by CVE-2020-9280 and CVE-2019-12245 (Serge Latyntcev)
|
||||||
|
* 2020-03-04 [12ea7cd](https://github.com/silverstripe/silverstripe-assets/commit/12ea7cd2037bebcb3196dd5e3aaa72e6dbc7c7b2) Create NormaliseAccessMigrationHelper to fix files affected by CVE-2019-12245 (Maxime Rainville)
|
||||||
|
* 2020-02-24 [bba0f2f72](https://github.com/silverstripe/silverstripe-framework/commit/bba0f2f72fa2e631dbf60357a908d5d57d4467ee) Fixed issue where TimeField_Readonly would only show "(not set)" instead of the value (UndefinedOffset)
|
||||||
|
* 2020-02-20 [ff417ca](https://github.com/silverstripe/silverstripe-asset-admin/commit/ff417ca53405a4022c4fece82d50638e72940d4f) Fix last file upload showing as errored when uploading multiple files. (bergice)
|
||||||
|
* 2020-02-19 [7455d14](https://github.com/silverstripe/silverstripe-asset-admin/commit/7455d141aa6340e33674f72516e0e6b97d6d6232) Handle case where provided $context is null (Garion Herman)
|
||||||
|
* 2020-02-19 [8402966](https://github.com/silverstripe/silverstripe-assets/commit/84029664c21ba54d895aac8fa036a9c4277e56a0) Correct deprecated implode syntax for PHP 7.4 compat (Garion Herman)
|
||||||
|
* 2020-02-18 [9900d07](https://github.com/silverstripe/silverstripe-asset-admin/commit/9900d07eeb41a9c5c9dac758ee56f9397301bbdb) Tweak UsedOnTableTest ti dynamically switch protocol (Maxime Rainville)
|
||||||
|
* 2020-02-05 [c92e3b9d](https://github.com/silverstripe/silverstripe-cms/commit/c92e3b9d7967142ce59c918916441fce796c9fd8) Prioritise same-level pages in OldPageRedirector (Klemen Dolinšek)
|
||||||
|
* 2019-10-17 [b62288cc9](https://github.com/silverstripe/silverstripe-framework/commit/b62288cc92bd7e58182e1b02b083eeb474366d52) Disabled the UpgradeBootstrap upgrader doctor task (Maxime Rainville)
|
||||||
|
* 2019-09-02 [6d8a4bc](https://github.com/silverstripe/silverstripe-assets/commit/6d8a4bc4f4178c0b56ede1b01f87b162066d550a) Make AbsoluteLink work with manipulated images (fixes #322) (Loz Calver)
|
||||||
|
<!--- Changes above this line will be automatically regenerated -->
|
@ -228,7 +228,7 @@ class DBHTMLText extends DBText
|
|||||||
$text = strip_tags($text);
|
$text = strip_tags($text);
|
||||||
|
|
||||||
// Implode >3 consecutive linebreaks into 2
|
// Implode >3 consecutive linebreaks into 2
|
||||||
$text = preg_replace('~(\R){2,}~', "\n\n", $text);
|
$text = preg_replace('~(\R){2,}~u', "\n\n", $text);
|
||||||
|
|
||||||
// Decode HTML entities back to plain text
|
// Decode HTML entities back to plain text
|
||||||
return trim(Convert::xml2raw($text));
|
return trim(Convert::xml2raw($text));
|
||||||
|
@ -265,6 +265,10 @@ class DBHTMLTextTest extends SapphireTest
|
|||||||
[
|
[
|
||||||
'<p>Collapses</p><p></p><p>Excessive<br/><br /><br>Newlines</p>',
|
'<p>Collapses</p><p></p><p>Excessive<br/><br /><br>Newlines</p>',
|
||||||
"Collapses\n\nExcessive\n\nNewlines",
|
"Collapses\n\nExcessive\n\nNewlines",
|
||||||
|
],
|
||||||
|
'Unicode character that could be confused for a line break' =>[
|
||||||
|
'充美好实的一天',
|
||||||
|
'充美好实的一天'
|
||||||
]
|
]
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user