Commit Graph

88 Commits

Author SHA1 Message Date
Ingo Schommer
37059eb6b3 [ss-2016-003] Hostname, IP and Protocol Spoofing through HTTP Headers 2016-02-24 11:47:16 +13:00
Damian Mooyman
75137dbab2 Ensure only trusted proxy servers have control over certain HTTP headers 2015-05-28 10:12:46 +12:00
Damian Mooyman
ee9bddb808 BUG Fix SS-2015-010 2015-03-20 17:30:37 +13:00
Daniel Hensby
f568052044 Testing empty absolute urls and more thorough tests 2015-03-13 13:56:14 +00:00
Sean Harvey
8063b349c8 BUG Fixing Director::test() failing on BASE_URL prefixed URLs
Example: you have a site in a sub-directory off the webroot, you call
->Link() on a SiteTree record, which returns "/[sitedir]/my-page", and
you pass this URL to Director::test(). It's a valid URL, but
Director::test() will throw a 404.

Director::test() should be ensuring that all URLs passed to it are
properly made relative, not just in the case where it thinks the URL
is absolute.
2014-08-22 15:21:53 +12:00
Damian Mooyman
a89dbd29e1 Revert #3345 #3323 2014-07-31 17:05:57 +12:00
Daniel Hensby
419f308544 FIX Handle empty URLs that are made absolute
When the email sender makes the links absolute, it can't handle empty `href` or `src` attributes as there's no expectation that the string length could be 0
2014-07-25 13:09:47 +01:00
Damian Mooyman
d3c7e41419 BUG using isDev or isTest query string no longer triggers basic auth 2014-07-02 11:51:51 +12:00
Sean Harvey
0ee3a683a5 Better support for overloading start and destroy methods in Session
Move functionality from static start and destroy functions into instance
methods, allowing these to be overloaded. This works the same way as
calling Session::set() which then in turn calls inst_set()

Additionally use Injector to create the default Session instance to
allow the class to be swapped out.
2014-06-20 10:35:53 +12:00
Ingo Schommer
ec325a3c7f API Fix HTTPS proxy header detection
Didn't use the de facto standard HTTP_X_FORWARDED_PROTO or the less standard HTTP_FRONT_END_HTTPS.
Removed the 'X-Forwarded-Proto', since PHP should prefix/underscore all HTTP headers before it hits $_SERVER.

References:
- https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
- https://drupal.org/node/1859252
- https://drupal.org/node/313145
- http://scottwb.com/blog/2013/02/06/always-on-https-with-rails-behind-an-elb/
2014-05-22 18:34:15 +12:00
Damian Mooyman
ae573f829f BUG Fix Versioned stage not persisting in Session. Fixes #962
BUG Disabled disruptive test case in DirectorTest
API RequestProcessor and VersionedRequestFilter now both correctly implement RequestFilter
Better PHPDoc on RequestFilter and implementations
2014-05-06 14:11:44 +12:00
Damian Mooyman
d8836fd488 Merge remote-tracking branch 'origin/3.0' into 3.1 2014-04-08 17:10:07 +12:00
Damian Mooyman
0cbad41d3b Rewrote usages of error suppression operator 2014-03-05 15:48:55 +13:00
Stig Lindqvist
0077e25352 BUG: Director::test() don't respect port settings in $_FILE_TO_URL_MAPPING
Director::test() don't set the HTTP_HOST with the port number if that has been set.
Later call to Director::makeRelative() will return wrong value because of the strict string matching
(http://localhost/ != http://localhost:8000)

This bug affects all modules that are using Director::test in CLI where the $_FILE_TO_URL_MAPPING
have been set to use a domain with a port in it, i.e. static publishers.
2014-02-17 11:54:10 +13:00
Will Rossiter
c61f6540fb BUG Add support for X-Forwarded-Proto checking SSL (Fixes #1416)
De-facto standard for identifying the originating protocol of an HTTP request through a reverse proxy or load balancer.

http://www.geekisp.com/faq/6_65_en.html
2014-01-12 18:05:09 +13:00
Ingo Schommer
9d550f8938 Fixed merge error 2013-11-06 09:46:30 +01:00
Ingo Schommer
91f6039eed Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	control/Director.php
2013-11-05 10:15:40 +01:00
Hamish Friedlander
8801a50704 FIX oembed to avoid mixed media issues 2013-10-17 17:06:40 +13:00
Marcus Nyeholt
7bcb180f27 BUG Director::test now calls RequestProcessor
This fixes https://github.com/silverstripe/silverstripe-framework/issues/2517
and provides some testing around the use of RequestProcessor in general.
2013-10-15 07:53:34 +11:00
Will Rossiter
63778550e5 FIX: Follow internal redirections for cli operations. 2013-09-16 20:11:28 +12:00
Ingo Schommer
9d764d6794 FIX Avoid infinite loops on ?isDev=1 and Deprecation class
If any of the functionality triggered by Director::isDev()
was causing deprecation errors, the system would go into
an infinite loop. Since the only way to cause this is the DB
checking functionality, we disable that for Deprecation.
Side effect of this change: You can't show deprecation notices
on a live site by forcing the session into dev mode.
2013-07-17 11:55:19 +02:00
Sam Minnée
ecf8f273c0 Merge pull request #2201 from hafriedlander/fix/session
Fixes to session, primarily around cookie_secure
2013-07-06 18:59:07 -07:00
Hamish Friedlander
d629d9422f FIX Session::$cookie_secure so Sessions still work via HTTP
Session::$cookie_secure adds the secure property to the session Set-Cookie
command, so that the browser wouldnt send it to the server over an unencrypted
link. However the server would still send the cookie to the browser
unencrypted. Also Sessions would stop working properly in HTTP,
but SilverStripe needs them for several things, such as form validation

This patch effectively causes HTTP and HTTPS requests to each have
their own session when cookie_secure is true. The two sessions are
independant from each other, so information set in the session via
HTTPS is safe from attacks on the session via HTTP, but parts
of the site that use HTTP and the session will still work
2013-07-07 09:12:10 +12:00
Hamish Friedlander
c6b4d993cc FIX Director::forceSSL and forceWWW not setting Vary header
If you have a Varnish box in front of a SilverStripe install, and
you call forceSSL, the Vary header wouldnt get sent. As a result
Varnish would respond with the same redirect reponse after the
redirect, leading to an infinite loop
2013-07-06 15:24:01 +12:00
Will Rossiter
1325d736a0 API: Add Director::is_https() 2013-05-10 22:31:38 +12:00
Fred Condo
f5c6285240 Anchor regex in Director#is_absolute_url()
- Anchor the regex to the beginning of the string
- Change the regex delimiter to reduce the amount of \ clutter
2013-05-03 16:07:25 -07:00
Ingo Schommer
7121fc3f85 FIX Config isolation in Director::test() 2013-04-07 23:59:10 +02:00
Andrew Short
1fc780ce2b API: Return a 404 error when no director rule is matched 2013-04-06 18:19:03 +11:00
Sean Harvey
6eda25a090 NEW Allow specifying the secure domain to Director::forceSSL() 2013-04-03 17:47:36 +13:00
Ingo Schommer
3334eafcb1 API Marked statics private, use Config API instead (#8317)
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Ingo Schommer
bea1b9002d Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	control/HTTP.php
2013-02-26 13:28:35 +01:00
Sam Minnee
b2dfa77056 FIX: Ensure that Director::test() doesn't return a string 2013-02-25 16:27:44 +13:00
Ingo Schommer
0c6ac1960e Fixed whitespace usage 2013-02-18 15:43:52 +01:00
Ingo Schommer
14a56c18e9 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	control/Director.php
2013-02-07 21:45:16 +01:00
Ingo Schommer
d77e06d585 Merge pull request #1123 from chillu/pulls/revert-content-length
API Remove Content-Length setting from HTTPResponse (fixes #8010)
2013-01-31 10:19:17 -08:00
Ingo Schommer
634c91c6ff Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	email/Mailer.php
2013-01-30 12:46:24 +01:00
Sam Minnee
f72c77e984 MINOR: Fixed a glitch that causes warnings in cli-script execution. 2013-01-29 18:03:48 +01:00
Ingo Schommer
c69381c33e API Remove Content-Length setting from HTTPResponse (fixes #8010)
This reverts commit 356a367eb5.
We can't use headers_sent() to determine an accurate
content length, since PHP defaults to buffering a couple of bytes
even without ob_start() (see "output_buffering" setting).
This makes the patch harmful, since it breaks any responses relying
on more structure data, like removing closing brackets from JSON.
Which in turn breaks the CMS in horrible ways (see #8010).
See #7574 for context.
2013-01-23 15:05:33 +01:00
Ingo Schommer
f03ad7b0dd Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	admin/javascript/LeftAndMain.AddForm.js
	control/Director.php
	control/HTTPResponse.php
	dev/Profiler.php
	email/Mailer.php
	forms/ComplexTableField.php
	forms/ManyManyComplexTableField.php
	forms/SimpleImageField.php
	forms/TableField.php
	forms/TableListField.php
	javascript/ComplexTableField.js
	javascript/ImageFormAction.js
	javascript/TableField.js
	javascript/TableListField.js
	security/Member.php
	tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsUiContext.php
	tests/forms/TableListFieldTest.php
2012-12-12 10:11:56 +01:00
Simon Welsh
b0121b541c Add codesniffer that ensures indentation is with tabs. 2012-12-12 17:33:31 +13:00
Simon Welsh
fc5dd2994c Add codesniffer that ensures indentation is with tabs. 2012-12-12 00:12:11 +13:00
Sean Harvey
6a868e79e1 Removing deprecated prototype/behaviour libraries 2012-11-16 11:37:56 +13:00
Sean Harvey
491057fa95 Remove deprecated Director dev/test server functions
Use SS_ENVIRONMENT_TYPE in your _ss_environment.php file, or
Director::set_environment_type()
2012-11-15 14:43:13 +13:00
Sean Harvey
66d8ff95de Remove deprecated Director static functions
Director::redirect() -> Controller->redirect()
Director::redirect_to() -> Controller->redirectedTo()
Director::set_status_code() -> Controller->getResponse()->setStatusCode()
Director::get_status_code() -> Controller->getResponse()->getStatusCode()
Director::redirectBack() -> Controller->redirectBack()
2012-11-15 14:43:13 +13:00
Sean Harvey
de0ade9636 Remove deprecated Director::urlParam() and Director::urlParams()
Use the methods param() and params() on SS_HTTPRequest instead.
2012-11-15 14:43:12 +13:00
Ingo Schommer
56f7ce1dcf Merge remote-tracking branch 'origin/3.0'
Conflicts:
	control/Cookie.php
	control/Director.php
	control/HTTPResponse.php
	model/Database.php
	model/MySQLDatabase.php
	model/SQLQuery.php
	view/Requirements.php
	view/SSViewer.php
2012-10-03 16:16:19 +02:00
Sam Minnee
1f7fc1f76a FIX Remove instances of lines longer than 120c
The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit.  This is in preparation for the enforcement of this rule with PHP_CodeSniffer.
2012-09-30 17:18:13 +13:00
Ingo Schommer
356a367eb5 BUG Setting response length directly before output (fixes #7574)
Complying to HTTP1.1/RFC2616 in terms of when to
set 'Content-Length' in the first place
2012-09-29 17:24:33 +02:00
Simon Welsh
1e629f4585 Merge branch '3.0'
Conflicts:
	control/Cookie.php
	control/Director.php
	dev/Profiler.php
	view/Requirements.php
2012-09-21 14:56:56 +12:00
Ingo Schommer
e2f073f38a Method visibility according to coding conventions 2012-09-20 10:46:59 +02:00