Maxime Rainville
98926e4e6c
[CVE-2019-19326] Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod().
2020-07-14 13:25:55 +12:00
Robbie Averill
4182d1b60c
Merge branch '3.6' into 3.7
2019-01-29 13:59:56 +02:00
Loz Calver
746c0679ad
FIX: Injector may instantiate prototypes as if they're singletons (fixes #8567)
2019-01-23 11:47:28 +00:00
Daniel Hensby
5f48b3e5d2
FIX txt/json is not a valid content type
2018-08-13 12:16:42 +01:00
Sam Minnee
a4bf2cd1f3
FIX: Correct afterCallActionHandler arguments to match SS4.
The extension point RequestHandler::afterCallActionHandler was missing a critical
argument that has since been added to SS4. This patch backports the change to 3.x.
2018-07-18 17:25:50 +12:00
Sam Minnee
72ce2b422d
Update docs for Vary: X-Requested-With
2018-07-04 15:55:52 +12:00
Daniel Hensby
2b4954035f
NEW Add better HTTP cache-control manipulation (#8086)
2018-06-08 11:56:31 +12:00
Damian Mooyman
47a9cdfd49
ENHANCEMENT Backport of querystring work to 3.x (#8026)
* WIP Backport of querystring work to 3.x
* Remove dataextension requirement
* Fix up bootstrapping
* more backporting
* Bug fix some tests
* Fix up some tests
* Fix support for custom stages
Don't set empty stage
* Better cache typehint
* Make sure useDraftSite(false) re-enables secure site
* Remove unnecessary guard around controller property
2018-05-08 10:04:44 +12:00
Daniel Hensby
09726333b7
Merge branch '3.6' into 3
2018-02-13 14:30:59 +00:00
Jonathon Menz
c767e472dc
FIX DataObject singleton creation
Ensure DataObject instances are aware they are singletons so functions like populateDefaults() can be skipped. (fixes #4878)
2018-02-12 20:30:35 -08:00
Daniel Hensby
85e97d204b
Partial revert of #7665 - bad docblock changes
2018-02-09 19:27:11 +00:00
Daniel Hensby
9103816333
NEW Add php 7.2 support
2018-01-30 16:50:32 +00:00
Damian Mooyman
50aa1f22a6
Merge branch '3.6' into 3
2017-12-07 13:20:58 +13:00
Damian Mooyman
44de03da01
Merge pull request #53 from silverstripe-security/pulls/3.5/ss-2017-006
[ss-2017-006] Fix user agent invalidation on session startup (3.5 branch)
2017-12-06 16:25:39 +13:00
Daniel Hensby
8d1a5ed8b7
More code style fixes
2017-12-05 14:20:13 +00:00
Damian Mooyman
25e276cf37
[ss-2017-006] Fix user agent invalidation on session startup
2017-12-01 10:55:00 +13:00
Daniel Hensby
fd201bc71b
Merge branch '3.6' into 3
2017-11-25 16:18:46 +00:00
Damian Mooyman
1053de7ec3
BUG Don't redirect in force_redirect() in CLI
Replaces #4025
2017-11-23 14:26:55 +13:00
Roman Schmid
dda14e8959
Fix HTTP::get_mime_type with uppercase filenames.
The fallback of `HTTP::get_mime_type` (that uses a lookup instead of `finfo`) doesn't ensure the extension is converted to lowercase before the lookup. A file named `Image.JPG` will return `'application/unknown'`.
This change fixes this issue.
2017-11-16 10:56:34 +00:00
Daniel Hensby
0baa996cc0
Merge branch '3.6' into 3
2017-11-14 12:13:08 +00:00
Daniel Hensby
32cef975ef
FIX Use self::inst() for Injector/Config nest methods
2017-10-25 17:48:35 +01:00
Ben Speakman
705d342080
Update regex to only match files with names
2017-05-08 17:22:50 +12:00
Daniel Hensby
602062802e
Merge branch '3.4' into 3.5
2016-11-23 23:55:31 +00:00
Daniel Hensby
6136cf8502
DOCS Update PHPDoc for SS_HTTPResponse
2016-11-14 19:02:56 +00:00
Daniel Hensby
9a6121c867
Merge branch '3.4' into 3
2016-10-16 22:56:37 +01:00
Daniel Hensby
6dde5ce571
FIX Absolute alternate_base_url no longer breaks session cookies
2016-10-04 14:21:32 +01:00
Daniel Hensby
5e9d16646d
Merge branch '3.4' into 3
2016-10-03 10:24:32 +01:00
Anton Smith
ae4108bf00
BUG Content-Disposition header breaks in Firefox (#4087)
2016-09-29 13:25:14 +13:00
Andrew Aitken-Fincham
ad0d68d133
add IPUtils.php to control and implement symfony IpUtils (#6062)
2016-09-26 12:44:55 +13:00
Daniel Hensby
5959419645
Merge branch '3.3' into 3.4
2016-09-07 09:21:50 +01:00
Daniel Hensby
b80dc6450a
Merge branch '3.2' into 3.3
2016-09-07 09:21:21 +01:00
Daniel Hensby
e7ecf6cf15
FIX Bad strpos call in HTTP::register_etag()
2016-09-06 23:32:57 +01:00
Daniel Hensby
d306c884c7
Merge branch '3.3' into 3.4
2016-08-18 22:20:42 +01:00
Daniel Hensby
dc008b38ab
Merge branch '3.2' into 3.3
2016-08-18 22:18:47 +01:00
Daniel Hensby
41be95c95a
[SS-2016-007] FIX Encode user supplied URL for embedding into page
2016-08-15 15:53:36 +12:00
Daniel Hensby
3fa84cf0c6
[SS-2016-007] FIX Encode user supplied URL for embedding into page
2016-08-15 15:03:42 +12:00
Daniel Hensby
56f0b72e8d
FIX ETag header now properly quoted
2016-08-11 15:49:29 +01:00
Daniel Hensby
679185514d
Merge 3.3 into 3
Conflicts:
admin/css/screen.css.map
2016-04-26 00:24:59 +01:00
Daniel Hensby
745faebd81
Merge 3.2 into 3.3
Conflicts:
.travis.yml
2016-04-26 00:17:09 +01:00
Daniel Hensby
a0812f987a
Merge 3.1 into 3.2
Conflicts:
admin/javascript/LeftAndMain.js
control/HTTPRequest.php
docs/en/00_Getting_Started/00_Server_Requirements.md
2016-04-26 00:09:33 +01:00
Patrick Nelson
707aa14c6c
FIX for #5299 Adding <code> blocks to Injector documentation.
2016-04-11 10:56:46 -07:00
Daniel Hensby
817b836870
FIX getIP from behind a load-balancer that adds many IPs to the header
2016-03-01 21:07:48 +00:00
Damian Mooyman
9fed5561f4
Merge remote-tracking branch 'origin/3.3' into 3
# Conflicts:
# core/Constants.php
# dev/DevelopmentAdmin.php
2016-02-24 17:39:04 +13:00
Ingo Schommer
37059eb6b3
[ss-2016-003] Hostname, IP and Protocol Spoofing through HTTP Headers
2016-02-24 11:47:16 +13:00
Ingo Schommer
faa94d51d5
[ss-2016-003] Hostname, IP and Protocol Spoofing through HTTP Headers
2016-02-24 11:33:54 +13:00
Ingo Schommer
893e49703d
[ss-2016-003] Hostname, IP and Protocol Spoofing through HTTP Headers
2016-02-18 17:28:54 +13:00
Sam Minnee
3ee8f505b7
MINOR: Remove trailing whitespace.
The main benefit of this is so that authors who make use of
.editorconfig don't end up with whitespace changes in their PRs.
Spaces vs. tabs has been left alone, although that could do with a
tidy-up in SS4 after the switch to PSR-1/2.
The command used was this:
for match in '*.ss' '*.css' '*.scss' '*.html' '*.yml' '*.php' '*.js' '*.csv' '*.inc' '*.php5'; do
    find . -path ./thirdparty -not -prune -o -path ./admin/thirdparty -not -prune -o -type f -name "$match" -exec sed -E -i '' 's/[[:space:]]+$//' {} \+
    find . -path ./thirdparty -not -prune -o -path ./admin/thirdparty -not -prune -o -type f -name "$match" | xargs perl -pi -e 's/ +$//'
done
2016-01-07 10:15:54 +13:00
Damian Mooyman
fce82519bd
BUG Workaround for issues in testing version
2015-12-22 17:47:53 +13:00
Damian Mooyman
48a30909f3
Merge remote-tracking branch 'origin/3.2' into 3
# Conflicts:
# admin/javascript/LeftAndMain.BatchActions.js
# css/UploadField.css
# forms/HtmlEditorField.php
2015-12-22 14:07:52 +13:00
Ingo Schommer
0175167761
Merge pull request #4830 from open-sausages/pulls/3/fix-querystring-stage
API Disable unauthenticated get parameter access to site stage mode
2015-12-10 10:44:43 +13:00