Maxime Rainville
71db45b18b
[CVE-2019-19326] Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod()
2020-07-10 14:57:26 +12:00
Maxime Rainville
acccdd8a1c
Merge branch '4.5' into 4
2020-05-26 14:31:06 +12:00
Maxime Rainville
42bb28965c
Merge branch '4.4' into 4.5
2020-05-26 14:30:27 +12:00
Maxime Rainville
395893b559
Merge branch '4.3' into 4.4
2020-05-26 14:30:02 +12:00
Maxime Rainville
86fcb9e29c
Merge branch '4.2' into 4.3
2020-05-26 14:29:16 +12:00
Michal Kleiner
21129b1624
Use short array syntax across the framework's codebase
2020-05-16 10:34:45 +01:00
Brett Tasker
1d19051c10
Add sha1 and md5 hashing options in resource URL
2020-05-12 18:14:03 +12:00
Thomas Portelange
2f3c0fc8dd
Update src/Control/Session.php
...
Co-Authored-By: Guy Marriott <guy.the.person@gmail.com>
2020-04-28 19:21:52 +02:00
Thomas Portelange
b38c35fe90
Fixes warning if session is not active
...
See issue https://github.com/silverstripe/silverstripe-framework/issues/9496
2020-04-27 13:51:19 +02:00
Dan Hensby
33b0b6985a
Update file paths for autoloading compatibility
2020-04-25 10:28:28 +01:00
Daniel Hensby
237b2d5f74
Convert array delcarations to short array syntax
2020-04-20 18:58:09 +01:00
Daniel Hensby
1fb574a5bd
NEW: Variadic URL parameter matches for url_handlers ( #9438 )
...
* Add wildcard URL parameter matches for url_handlers
* Extra tests for wildcard parameters
* Add a PHP warning if more params appear after wildcard param
2020-03-25 09:16:13 +13:00
Guy Marriott
c31de772ab
Merge pull request #8838 from creative-commoners/pulls/4/slash-means-root
...
Use '/' as an alternative designation for root in routing
2020-02-14 11:29:32 -08:00
Garion Herman
9d1d59d8d1
NEW Accept / as designation for root URL controller
2020-02-14 14:41:10 +13:00
Robbie Averill
4121099484
Merge branch '4.5' into 4
2020-01-16 20:00:02 -08:00
Robbie Averill
53fcd47dfc
Merge branch '4.4' into 4.5
2020-01-16 19:59:42 -08:00
Robbie Averill
26e3b6f4e3
Merge branch '4.3' into 4.4
2020-01-16 19:59:24 -08:00
Loz Calver
453945da14
FIX: Session::restart() didn't correctly restart session ( fixes #9259 )
2019-11-20 14:21:30 +00:00
LABCAT
501d9a1480
Update HTTPRequest.php
2019-10-23 22:52:53 +13:00
LABCAT
630c6c0514
Update src/Control/HTTPRequest.php
...
Co-Authored-By: Robbie Averill <robbie@averill.co.nz>
2019-10-23 21:05:22 +13:00
LABCAT
d3a17958ef
Update src/Control/HTTPRequest.php
...
Co-Authored-By: Robbie Averill <robbie@averill.co.nz>
2019-10-22 16:17:04 +13:00
LABCAT
67c944c962
Improvement to docs for send_file function
2019-10-22 15:18:03 +13:00
Serge Latyntcev
7873efde9c
Merge branch '4.4' into 4
2019-10-18 10:58:19 +13:00
Serge Latyntcev
dcbe6d0310
Merge branch '4.3' into 4.4
2019-10-18 10:57:35 +13:00
Damian Mooyman
d7752b7945
Run PSR2 Lint cleaner
2019-10-04 13:26:31 +13:00
Serge Latyntcev
7db524bd90
FIX DebugViewFrendlyErrorFormatter handle of admin_email
2019-10-04 10:26:54 +13:00
Aaron Carlino
b002ef1171
Merge branch '4.4' into 4
2019-09-24 17:26:50 +12:00
Serge Latyntcev
eccfa9b10d
[CVE-2019-12203] Session fixation in "change password" form
...
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:03:48 +12:00
Serge Latyntcev
569237c0f4
[CVE-2019-12203] Session fixation in "change password" form
...
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:00:51 +12:00
Robbie Averill
aa6b244db9
Merge branch '4.4' into 4
2019-09-13 18:11:46 -07:00
Damian Mooyman
6759af3767
Escape strings a bit safer for doc generation
2019-09-03 19:38:19 +12:00
Damian Mooyman
f649657182
Clarify Director::absoluteURL behaviour
...
Fixes #9111
2019-09-03 19:34:16 +12:00
Maxime Rainville
4380d7d155
API Add option to disable user-agent header session validation
2019-08-06 22:00:01 +12:00
Robbie Averill
0672f8b76b
NEW HTTPRequest now has hasSession() to determine whether a session exists for it
2019-08-02 11:29:23 +12:00
Guy Marriott
0abfed3e06
FIX Skip md5-ing the whole contents of a stream for etags
2019-07-30 08:25:03 +12:00
Robbie Averill
d1c927ff23
FIX Remove curly brace access to string offsets, deprecated in PHP 7.4
2019-07-24 12:17:49 +02:00
Serge Latyntsev
7ef13e7ef6
FIX Confirmation components to respect SS_BASE_URL ( #9074 )
2019-07-05 16:05:41 +12:00
Loz Calver
8e87264864
FIX: Email::render() generating object instead of string for plaintext part ( fixes #9069 )
2019-06-14 11:39:47 +01:00
Aaron Carlino
c747b1f8d3
Merge branch '4.3' into 4.4
2019-06-10 17:32:07 +12:00
Aaron Carlino
f766555d61
Merge branch '4.2' into 4.3
2019-06-10 17:27:05 +12:00
Serge Latyntcev
ca56e8d78e
[CVE-2019-12246] Denial of Service on flush and development URL tools
2019-06-10 17:23:56 +12:00
Ralph Slooten
66c372ce28
Include baseURL with relative setGetVar() links ( #8834 )
...
* Return baseURL with setGetVar
* Adjust testSetGetVar tests for base url
2019-04-15 14:50:46 +12:00
Loz Calver
ca781c684d
FIX: RequestHandler::__construct() should run after middlewares ( fixes #8848 )
2019-03-11 11:08:03 +00:00
Dan Hensby
765d1568ab
Merge branch '4.3' into 4
2019-03-06 11:04:50 +00:00
Dan Hensby
a8605b04e0
Merge branch '4.2' into 4.3
2019-03-06 11:04:14 +00:00
Dan Hensby
7e34167ddf
Merge branch '4.1' into 4.2
2019-03-06 11:01:17 +00:00
Dan Hensby
625e6d5f54
Merge branch '4.0' into 4.1
2019-03-06 11:00:41 +00:00
Daniel Hensby
7416ce275b
FIX doInit comparison should be lowercased
2019-03-05 19:01:12 +00:00
Maxime Rainville
8ec9c50c58
DOCS Correct documentation for ExecMetricMiddleware
2019-01-30 13:58:09 +13:00
Maxime Rainville
c4bf06f600
NEW Add new execmetric debug URL parameter to print out exection time and peak memory usage
2019-01-29 17:28:28 +13:00
Robbie Averill
d8cd085190
Merge branch '4.3' into 4
2019-01-24 17:14:09 +02:00
Simon Gow
c28670ebed
#8724 - Session timeout regression
...
Only emit the session refresh cookie if the session timeout is set.
2019-01-18 10:07:53 +13:00
Simon Gow
af08328e8e
Existing sessions need to set a new cookie on each request, if the
...
session exists, otherwise our expiry is never updated and sessions
can't roll on every request.
2019-01-17 17:37:35 +13:00
Maxime Rainville
1e01deea39
NEW Make resources dir configurable ( #8519 )
...
* NEW Make resources dir configurable.
* Removing reference to old `resources` and updating doc #8519
* Rrtarget to 4.4 release.
* DOC Reference SS_RESOURCES_DIR in Environment doc.
* API Add a Resources method to SilverStripe\Core\Manifest\Module to read the resources-dir from composer.json
* Clean up reference to SS_RESOURCES_DIR env var
* Set default resources-dir
* Update test to use RESOURCES_DIR const in expected resource url method
* Correcting typos
Co-Authored-By: maxime-rainville <maxime@rainville.me>
* MINOR Correctubg minor typos
* DOCS Document the intricacies of exposing static assets.
2019-01-09 15:35:45 +13:00
Robbie Averill
7c96feef37
Merge branch '4.3' into 4
2019-01-08 12:27:48 +01:00
Simon Gow
d01585cc98
#8543 Resolve Duplicate Headers
...
- fix linting
2018-12-19 12:39:32 +13:00
Simon Gow
1edfa4d956
#8543 Resolve Duplicate Headers
...
- Replace session name lookup with function to also check secure cookies
- Added timeout which defaults to 0 (same as PHP)
- Removed php7 style of session_start from PR
- moved session_start into headers sent block to prevent warnings.
2018-12-19 12:39:32 +13:00
Simon Gow
4eb6669c08
#8543 Resolve Duplicate Headers
...
Put cookie_lifetime back into the session parameters.
2018-12-19 12:39:32 +13:00
Simon Gow
2deb8f4176
Resolve Duplicate Headers
...
Ensure only a single Set-Cookie header is returned from Session once
we have data to save. Include backwards compatibility for PHP56
2018-12-19 12:39:32 +13:00
Maxime Rainville
7f6b80f87d
Correct session doc typo
2018-12-14 13:01:22 +13:00
Guy Marriott
87b74b9cc1
Correcting Max's eggrigious typos
...
Co-Authored-By: maxime-rainville <maxime@rainville.me>
2018-12-13 13:50:35 +13:00
Maxime Rainville
6e214e2e8b
DOCS Updating Session doc to reflect that you need to operation on an instance.
2018-12-13 11:05:49 +13:00
Guy Marriott
b2dd22fb50
Merge pull request #8506 from creative-commoners/pulls/4.3/all-the-unit-tests
...
NEW Adding a stack more unit tests for logging and some form fields
2018-11-11 10:31:24 +13:00
Aaron Carlino
76936d863d
Merge branch '4.3' into 4
2018-11-07 23:20:44 +13:00
Loz Calver
8d7c2dafab
[SS-2018-019] Add confirmation token to dev/build
2018-11-07 11:33:24 +13:00
Loz Calver
af000bea9b
[SS-2018-019] Add confirmation token to dev/build
2018-11-07 11:32:55 +13:00
Loz Calver
0610f76da0
[SS-2018-019] Add confirmation token to dev/build
2018-11-07 11:31:33 +13:00
Loz Calver
3dbb10625c
[SS-2018-019] Add confirmation token to dev/build
2018-11-07 11:24:51 +13:00
Robbie Averill
b02a6fa02d
FIX Replace usage of Convert JSON methods with json_encode
2018-10-28 21:15:29 +00:00
Robbie Averill
e211e27470
Add more unit tests for DebugViewFriendlyErrorFormatter, tidy up Director::is_ajax() return
2018-10-20 14:27:57 +02:00
Robbie Averill
ee24413c30
Merge branch '4.2' into 4
2018-10-03 15:28:05 +02:00
Robbie Averill
4d14e9b6b1
Merge pull request #8421 from creative-commoners/pulls/4.3/psr-5-deprecations
...
Update deprecation PHPDocs to be PSR-5 compliant
2018-09-28 14:18:54 +02:00
Robbie Averill
f842ee2eec
Update deprecation PHPDocs to be PSR-5 compliant
...
See: https://github.com/php-fig/fig-standards/blob/master/proposed/phpdoc-tags.md#55-deprecated
2018-09-28 10:49:14 +02:00
Sam Minnee
b98c87a6c5
FIX: Ensure existing session can be accessed if headers_sent()
...
If a session already exists, and Session::start() isn’t called until
after a large enough block of content is output, then headers_sent()
will be false. The previous code prevented the session from being
started in this case. That might makes sense for the creation of a new
session, but it prevent legitimate access to an existing session.
This mostly manifested when running debugging tools such as showqueries,
which may output content before the session is started.
2018-09-28 13:25:13 +12:00
Robbie Averill
d11911d4dd
Merge pull request #8394 from littlegiant/pulls/4.2/http-status-codes
...
BUG Prevent error on valid response status codes
2018-09-21 13:19:29 +02:00
Damian Mooyman
1d5ecd342e
BUG Prevent error on valid response status codes
2018-09-21 14:54:26 +12:00
Robbie Averill
373a8afeb5
Merge branch '4.2' into 4
2018-09-06 13:26:46 +02:00
Robbie Averill
270aba4007
Merge branch '4.1' into 4.2
2018-09-06 13:26:31 +02:00
Robbie Averill
b6ff21f72a
Merge branch '4.0' into 4.1
2018-09-06 13:26:13 +02:00
Robbie Averill
b922c0d732
FIX Check scheme is truthy before setting it to the request
2018-09-03 08:59:37 +02:00
Robbie Averill
83e461abbf
Merge branch '4.2' into 4
2018-08-27 16:15:57 +12:00
Robbie Averill
37a266f2f0
Merge branch '4.1' into 4.2
2018-08-27 16:14:24 +12:00
Scott Hutchinson
4da5569232
FIX ensure createFromVariables takes correct params on CLIRequestBuilder
2018-08-27 16:12:52 +12:00
Robbie Averill
66c09afc9c
Merge branch '4.0' into 4.1
2018-08-27 16:12:04 +12:00
Robbie Averill
3178fbf3bb
Merge pull request #8028 from andrewandante/pulls/4.0/unset_http_scheme_on_cli
...
unset http scheme on CLIRequestBuilder
2018-08-27 16:11:42 +12:00
Thomas Portelange
27ac001d5b
FIX email rendering should not include requirements
...
If no body is defined, the email is rendered according to a template. Clearing requirements prevent unnecessary styles/scripts to be included in the html (and that needs to be processed/stripped down the line).
2018-08-23 14:01:27 +12:00
Robbie Averill
735c87b709
Merge pull request #8327 from dhensby/pulls/4/application-json
...
FIX text/json is not a valid mimetype
2018-08-19 13:42:27 +12:00
maks
160d595e22
fix trailing whitespace
2018-08-17 18:16:17 +02:00
maks
16217f3655
fix accidentaly deleted comma
2018-08-17 15:13:13 +02:00
maks
aa1e576a3f
convert to php 5.4+ array syntax
2018-08-17 15:03:46 +02:00
Daniel Hensby
d9154bffbf
FIX text/json is not a valid mimetype
2018-08-15 12:10:39 +01:00
Daniel Hensby
ae00147de1
Merge pull request #8280 from open-sausages/pulls/4/simpler-vary-header
...
FIX: Remove X-Requested-With from default Vary header
2018-07-24 01:45:07 +01:00
Ingo Schommer
d12c2fe631
Properly deprecate HTTP.cache_control
2018-07-23 19:09:11 +01:00
Ingo Schommer
d426ecbb89
Add $maxAge arg for caching API
...
See https://github.com/silverstripe/silverstripe-framework/issues/8272
2018-07-23 19:09:10 +01:00
Sam Minnee
bde3121a33
FIX: Remove X-Requested-With from default Vary header
...
3.x forward port of https://github.com/silverstripe/silverstripe-framework/pull/8242
2018-07-23 14:18:05 +01:00
Ingo Schommer
74b655d3fc
Fix tests on unset session data
...
Thanks Robbie!
2018-07-23 14:09:42 +01:00
Ingo Schommer
76ac8465de
BUG Lazy session state ( fixes #8267 )
...
Fixes regression from 3.x, where sessions where lazy started as required:
Either because an existing session identifier was sent through with the request,
or because new session data needed to be persisted as part of the request execution.
Without this lazy starting, *every* request will get a session,
which makes all those responses uncacheable by HTTP layers.
Note that 4.x also changed the $data vs. $changedData payloads:
In 3.x, they both contained key/value pairs.
In 4.x, $data contains key/value, while $changedData contains key/boolean to declare isChanged.
While this reduces duplication in the class, it also surfaced a bug which was latent in 3.x:
When an existing session is lazily resumed via start(), $data is set back to an empty array.
In 3.x, any changed data before this point was *also* retained in $changedData,
ensuring it gets merged into existing $_SESSION data.
In 4.x, this clears out data - hence the need for a more complex merge logic.
Since isset($this->data) is no longer an accurate indicator of a started session,
we introduce a separate $this->started flag.
Note that I've chosen not to make lazy an opt-in (e.g. via start($request, $lazy=false)).
We already have a distinction between lazy starting via init(), and force starting via start().
2018-07-23 14:09:42 +01:00
Daniel Hensby
a3687147fe
State default should be state enabled (no-cache is an enabled state)
2018-07-23 14:07:10 +01:00
Daniel Hensby
9f1471332d
Make augmentState method more efficient
2018-07-23 14:07:10 +01:00
Daniel Hensby
cebed776ab
FIX If theres a max-age set remove no-cache and no-store
2018-07-23 14:07:09 +01:00