Commit Graph

82 Commits

Author SHA1 Message Date
Maxime Rainville
98926e4e6c [CVE-2019-19326] Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod(). 2020-07-14 13:25:55 +12:00
Aaron Carlino
a7d511e739 Merge branch '3.6' into 3.7 2018-11-07 11:36:17 +13:00
Loz Calver
598edd9134 [SS-2018-019] Add confirmation token to dev/build 2018-11-07 11:35:31 +13:00
Daniel Hensby
2b4954035f NEW Add better HTTP cache-control manipulation (#8086) 2018-06-08 11:56:31 +12:00
Nicola Fontana
fe816076fc BUG Make simplexml_load_file work on shared php-fpm
PHP #62577 [1] together with PHP #64938 [2] make simplexml_load_file()
fail when the "disable load external entities" flag is set.

As a workaround, manually enable the entity loader in the bootstrap
code. We are loading internal XML files after all, so no security
implications should arise.

[1] https://bugs.php.net/bug.php?id=62577
[2] https://bugs.php.net/bug.php?id=64938

Fix #6174.
2016-10-31 06:21:04 +01:00
Patrick Nelson
9d9c572cf8 FIX for #5251 to address minor URL decoding/parsing bug. 2016-04-01 11:44:29 -07:00
Damian Mooyman
7ee444e08a Merge remote-tracking branch 'origin/3.1' into 3.2
Conflicts:
	admin/code/LeftAndMain.php
	control/injector/SilverStripeServiceConfigurationLocator.php
	core/ClassInfo.php
	filesystem/File.php
	model/DataObject.php
	model/DataQuery.php
	search/filters/FulltextFilter.php
	search/filters/SearchFilter.php
	tests/core/ClassInfoTest.php
	tests/filesystem/FileTest.php
	tests/model/DataListTest.php
2015-07-31 11:38:18 +12:00
Damian Mooyman
71a14c3035 BUG Prevent url= querystring argument override 2015-06-12 15:39:16 +12:00
Damian Mooyman
0b1f297873 Merge remote-tracking branch 'origin/3.1'
Conflicts:
	.travis.yml
	README.md
	admin/code/LeftAndMain.php
	admin/css/screen.css
	admin/scss/screen.scss
	api/RestfulService.php
	conf/ConfigureFromEnv.php
	control/injector/ServiceConfigurationLocator.php
	control/injector/SilverStripeServiceConfigurationLocator.php
	core/ClassInfo.php
	core/Object.php
	css/AssetUploadField.css
	css/ComplexTableField_popup.css
	dev/CSSContentParser.php
	dev/DevelopmentAdmin.php
	docs/en/changelogs/index.md
	docs/en/misc/contributing/code.md
	docs/en/reference/execution-pipeline.md
	filesystem/GD.php
	filesystem/ImagickBackend.php
	filesystem/Upload.php
	forms/Form.php
	forms/FormField.php
	forms/HtmlEditorConfig.php
	forms/gridfield/GridFieldDetailForm.php
	forms/gridfield/GridFieldSortableHeader.php
	lang/en.yml
	model/Aggregate.php
	model/DataList.php
	model/DataObject.php
	model/DataQuery.php
	model/Image.php
	model/MySQLDatabase.php
	model/SQLQuery.php
	model/fieldtypes/HTMLText.php
	model/fieldtypes/Text.php
	scss/AssetUploadField.scss
	search/filters/SearchFilter.php
	security/Authenticator.php
	security/LoginForm.php
	security/Member.php
	security/MemberAuthenticator.php
	security/MemberLoginForm.php
	security/Security.php
	tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsFormsContext.php
	tests/control/HTTPTest.php
	tests/control/RequestHandlingTest.php
	tests/filesystem/UploadTest.php
	tests/forms/FormTest.php
	tests/forms/NumericFieldTest.php
	tests/model/DataListTest.php
	tests/model/DataObjectTest.php
	tests/model/TextTest.php
	tests/security/MemberAuthenticatorTest.php
	tests/security/SecurityDefaultAdminTest.php
	tests/view/SSViewerCacheBlockTest.php
	tests/view/SSViewerTest.php
2014-11-18 12:45:54 +13:00
Damian Mooyman
eb069e605d Remove all redundant whitespace 2014-08-19 09:17:15 +12:00
Loz Calver
b27cd73cb9 Add HTTP status code for $databaseConfig error (fixes #3392) 2014-08-18 09:16:57 +01:00
Simon Welsh
c14d58f585 Merge branch '3.1'
Conflicts:
	.travis.yml
	model/ManyManyList.php
	model/fieldtypes/DBField.php
2014-07-16 21:24:02 +10:00
Damian Mooyman
d3c7e41419 BUG using isDev or isTest query string no longer triggers basic auth 2014-07-02 11:51:51 +12:00
Ingo Schommer
4af9143d3b Merge remote-tracking branch 'origin/3.1'
Conflicts:
	docs/en/misc/contributing/code.md
2014-02-07 16:43:22 +13:00
Hamish Friedlander
050115f431 FIX Don't pop up basic auth dialog when trying to flush and isDev=1, just redirect to Security/login like normal 2013-12-10 10:35:03 +13:00
colymba
f89f203392 Raised minimum PHP Version to 5.3.3 2013-10-23 11:10:42 +03:00
Hamish Friedlander
a2026add04 FIX flushing on non-dev when Session::cookie_secure is true 2013-08-21 09:50:07 +12:00
Hamish Friedlander
541436feb0 Merge branch 'origin/3.0' into 3.1 2013-07-24 12:09:44 +12:00
Hamish Friedlander
604d9bf7dc Split Core.php into Constants.php and Core.php and adjust main.php startup
The recent flush filter fix had a problem that you couldn't set a custom
BASE_PATH in _ss_environment because that file didn't get included until
after checking the confirmation token. This patch pulls the part of Core.php
that defines BASE_PATH into a separate file that can be included earlier
in the startup sequence so that ParameterConfirmationToken can access it.

Core.php includes Constants.php with a require_once call, so for startup
scripts that don't pull in Constants.php themselves (like cli-script.php)
no change is needed.
2013-07-22 13:52:00 +12:00
Hamish Friedlander
d38bd7d5cb Merge branch 'origin/3.0' into 3.1 2013-07-19 14:18:49 +12:00
Hamish Friedlander
1298d4a5bd FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-19 12:24:32 +12:00
Ingo Schommer
3334eafcb1 API Marked statics private, use Config API instead (#8317)
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Will Rossiter
e72114dad7 API: Remove static main and dev/buildcache
Files moved to a separate module (silverstripe-static).
2012-09-21 19:56:56 +12:00
Sam Minnee
1005571163 NEW: Added support for PHP 5.4's built-in webserver.
PHP 5.4 comes with a built-in webserver.  This addition to main.php adds support for it.  It is designed to be run like so:

php -S localhost:3000 framework/main.php

The router will pass access of any file back to the built-in webserver, and handle all other URLs.
2012-09-11 11:55:37 +12:00
Ingo Schommer
0fe515e182 API Deprecated Profiler class, removed related debug GET params
Use third party tools like XHProf instead.
Removed defunct or unnecessary debug GET parameters:
debug_profile, debug_memory, profile_trace, debug_javascript, debug_behaviour
2012-07-05 12:02:06 +02:00
Sean Harvey
8b607db0a2 BUGFIX Fixing bootstrap.php to work with FakeController properly for
running tests using phpunit.xml file.
2012-05-09 23:05:38 +12:00
Sean Harvey
f63d137d49 ENHANCEMENT Session::start() now only called when there is changed
session data to be saved, and started on Director::direct() when there
is a cookie (or request var) containing the current PHP session name.
2012-04-27 16:28:46 +12:00
Sean Harvey
c55e0b8b95 MINOR Fixing up PHP versions to be consistent with
33ae83640b
2012-04-20 15:08:01 +12:00
Simon Welsh
f07258f3cf MINOR Update @package values to match renaming sapphire 2012-04-15 10:50:19 +12:00
Simon Welsh
3a6341a251 API-CHANGE sapphire folder can now be renamed. 2012-04-15 10:50:19 +12:00
Robert Curry
8b0dafb30d ENHANCEMENT: Change PHP version requirements. Part of #7131. 2012-04-13 13:12:48 +12:00
Sean Harvey
68aaae8cc0 MINOR Update docs and version checking for PHP 5.3+ 2012-04-03 09:54:55 +12:00
Ingo Schommer
755663a00a BUGFIX Set default mbstring encoding in Core.php instead of main.php and cli-script.php so phpunit binary test runs behave consistently (same as running through TestRunner+cli-script.php). Fixes URLSegmentFilterTest 2011-12-04 13:32:03 +01:00
Simon Welsh
75b16f6e1b Don't try redirecting to install.php if there is no install.php to redirect to. 2011-10-29 10:31:58 +13:00
Ingo Schommer
823cae3f32 BUGFIX Setting mbstring defaults in cli-script.php (same as main.php), and default mb_regex_encoding() to UTF-8 as well (in both files) 2011-10-07 14:12:46 +02:00
Sam Minnee
7fbb919ce8 API CHANGE: Introduce DataModel object, as a representation of the project's entire data model, and tie it to $this->model on all DataObjects, Controllers, and RequestHandlers for easy non-static access.
API CHANGE: Add DataList::newObject(), which creates a new object on that DataList.
API CHANGE: RequestHandler::handleRequest() now needs to handle a $model argument, if you override it.
2011-05-01 17:33:02 +12:00
Ingo Schommer
9b29616710 API CHANGE Rearranged files in sapphire to reflect core dependencies more accurately, and have the tests/ folder mirror its folder structure 2011-03-31 09:56:21 +13:00
Sam Minnee
077a119cfb MINOR Database quoting in TreeDropdownField (fixes #5484) (from r103515)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112146 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-10-13 03:56:48 +00:00
Ingo Schommer
0a5321dd10 BUGFIX Installer now opens if mod_rewrite is disabled. Using index.php instead of rewriting the URL didn't quite work with the new BASE_URL, so we need to take this case into account as well (from r98895)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@102811 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-04-14 03:47:37 +00:00
Ingo Schommer
bf01c286b0 BUGFIX Fixed big problem on Windows when redirecting to install.php - because of SCRIPT_NAME backslashes caused a bit of havoc and need special treatment (from r98869)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@102808 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-04-14 03:46:40 +00:00
Ingo Schommer
40466ccb02 BUG FIX: The 5.1 replacement array_fill_keys function now made available to the cron jobs (from r97300)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@102441 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-04-12 05:00:40 +00:00
Ingo Schommer
04857b811f BUGFIX: Check for an empty list of keys before attempting to create an array with them (from r96997)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@102416 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-04-12 03:30:19 +00:00
Ingo Schommer
c29cf7d302 BUGFIX: array_fill_keys function created for version prior to PHP 5.2 (from r96680)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@102332 467b73ca-7a2a-4603-9d3b-597d59a354a9
2010-04-12 01:43:18 +00:00
Sean Harvey
ae083e3c9f MINOR Update the main.php PHP version numbers at the top doc block (from r93449)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@93751 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-11-27 01:26:35 +00:00
Sam Minnee
cac8686b3b MINOR: Use version_compare to test for correct PHP version.
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@84142 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-08-11 03:50:40 +00:00
Ingo Schommer
d2dc9ececc BUGFIX Disabled ?debug_profile=1 on live environment types
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@80057 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-06-25 09:53:51 +00:00
Sam Minnee
0fbe39262f BUGFIX: Fix URL parsing for certain IIS configurations.
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@76897 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-05-14 23:14:51 +00:00
Ingo Schommer
b12a00c391 MINOR phpdoc documentation
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@73509 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-03-22 22:59:14 +00:00
Ingo Schommer
8960c03376 BUGFIX Removed header('Content-Type... from main.php bootstrapping - was defaulting to text/html - an invalid assumption at such an early stage (see #3685)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@72682 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-03-09 20:31:12 +00:00
Andrew O'Neil
60f75c5ca4 Merged changes from 2.3 branch
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@71172 467b73ca-7a2a-4603-9d3b-597d59a354a9
2009-02-01 23:49:53 +00:00