Commit Graph

3008 Commits

Author SHA1 Message Date
Ingo Schommer
37059eb6b3 [ss-2016-003] Hostname, IP and Protocol Spoofing through HTTP Headers 2016-02-24 11:47:16 +13:00
Damian Mooyman
e64d73c1f7 BUG Fix ClassInfo::table_for_object_field 2015-09-17 18:31:46 +12:00
Loz Calver
687de33d0d Ensure ClassInfo is backwards compatible with non-existent classes 2015-08-04 15:07:07 +01:00
Daniel Hensby
ffbeac6b7d Ensuring classinfo is case insensitive 2015-07-28 11:17:50 +01:00
Damian Mooyman
5ace4905c9 BUG Fix issue when SS_ALLOWED_HOSTS is run in CLI 2015-07-08 11:01:06 +12:00
Daniel Hensby
eaec2ad9a8 Safe unnesting of Config and Injector 2015-06-15 00:23:40 +01:00
Damian Mooyman
0319f7855b FIX Incorrect env setting in 3.1.13 2015-06-02 12:27:08 +12:00
Marcus Nyeholt
9c8fa51321 FIX Allow users to specify allowed hosts
Allow users to explicitly state which Hosts are allowed to be requested via
this application instance to avoid Host: header forgery attacks.
2015-05-28 15:58:39 +10:00
Damian Mooyman
a978b891e1 BUG Fix handling of empty parameter token 2015-05-28 10:13:10 +12:00
Damian Mooyman
75137dbab2 Ensure only trusted proxy servers have control over certain HTTP headers 2015-05-28 10:12:46 +12:00
Damian Mooyman
7f983c2bae BUG Fix SS-2014-017 2015-03-20 18:27:30 +13:00
micmania1
6e0afd5b3c FIX Prevent unnecessary call to config system which doesn't exist yet
By passing the Config instantiation through the Injector and service configuration we're unnecessarily calling Config::inst()->get() on a config system which doesn't yet exist.

More specifically it calls Config::inst()->get('Config', 'dependencies') here: 4ae0d90c55/control/injector/Injector.php (L660) which in turn calls Config::inst()->get('Config', 'extensions').

This jumps through hoops trying to find the cached config for this class using the current Config_LRU class. When it doesn't find it, it then tries to look through the manifests which don't get created or brought from cache until later on in Core.php. Eventually this returns null for both Config::inst()->get() calls.

I ran a quick performance test before and after on an ec2 t2.micro box using siege (concurrency 5, 10 repetitions) and saved 400ms on average response times on a default installation - it would be awesome if somebody could confirm this is actually the case?
2015-03-03 11:35:26 +00:00
Zauberfisch
aa77e126c7 Fixed infinite loop when searching _ss_environment 2015-02-17 04:33:40 +00:00
zauberfisch
eb98b003b7 Fixed looking for _ss_environment.php in root dir and removed redundant code 2015-02-13 23:30:29 +00:00
JorisDebonnet
047fe3a410 BUG Include php version in default cache folder name
Update CoreTest.php
2015-02-12 17:29:45 +13:00
Loz Calver
eed709384d FIX: dev/build not flushing manifests if site is in a subfolder 2015-02-11 19:59:22 +00:00
Jonathon Menz
01989aac4e FIX: Manifest flushing
Fixes silverstripe/silverstripe-framework#2325
Fixes silverstripe/silverstripe-framework#3093

Static manifest was not being flushed during a dev/build on some environments (without ?flush in URL) and template manifest was never being flushed during a dev/build.
2014-11-26 10:15:09 +10:30
Damian Mooyman
0a04e2e77b Merge pull request #3484 from dnadesign/object_has_extension_fix
fixed and tested object has_extension
2014-10-24 17:20:00 +13:00
John Milmine
62658a6cca fixed and tested object has_extension 2014-10-24 16:58:50 +13:00
Sean Harvey
f7af0d8955 Merge pull request #3398 from dnadesign/fixsortableheader
API: Add ClassInfo::table_for_object_field to return the table name for ...
2014-09-26 11:14:33 +12:00
Will Rossiter
920978df99 API: Add ClassInfo::table_for_object_field
Returns the table name for a field in a class hierarchy.

This issue raised itself with GridFieldSortableHeader not supporting sorting on fields from parent class fields.
2014-09-26 10:38:31 +12:00
Sean Harvey
2b316e79e5 NEW Provide a consistent way of triggering flush
Provides an interface for classes to implement their own flush()
functionality. This function gets called early in a request on
all implementations of Flushable when flush=1|all is requested in the
URL.

This fix came out of an issue where Requirements combined files were not
being cleaned up after dev/build?flush=1, due to the fact that flush
would only occur when you called it while on a page that used those
combined files, but not in any other contexts. This will now call flush
on any implementors of Flushable regardless of the context of where
flush was called.
2014-08-22 09:24:27 +12:00
Will Morgan
807755f002 FIX TemplateManifest prevent cache collision 2014-07-28 08:52:11 +12:00
Damian Mooyman
c26df0b3c6 Revert "BUG Config::merge_array_low_into_high() ignores falsey values" 2014-07-09 09:57:25 +12:00
Sean Harvey
16e546300f BUG Config::merge_array_low_into_high() ignores falsey values
Specific case: LeftAndMain::$session_keepalive_ping = true cannot be
set to false in config.yml for some cases because the value is ignored
when merge_array_low_into_high() is processing the config arrays.
2014-07-08 15:18:26 +12:00
Damian Mooyman
c30111eee3 Better encoding of javascript
Fixes #2988
2014-07-07 09:01:53 +12:00
Damian Mooyman
d3c7e41419 BUG using isDev or isTest query string no longer triggers basic auth 2014-07-02 11:51:51 +12:00
Loz Calver
3d71a22a98 FIX: ClassManifest errors if files contain duplicate class names (fixes #3210) 2014-06-16 22:18:18 +01:00
Ingo Schommer
ec325a3c7f API Fix HTTPS proxy header detection
Didn't use the de facto standard HTTP_X_FORWARDED_PROTO or the less standard HTTP_FRONT_END_HTTPS.
Removed the 'X-Forwarded-Proto', since PHP should prefix/underscore all HTTP headers before it hits $_SERVER.

References:
- https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
- https://drupal.org/node/1859252
- https://drupal.org/node/313145
- http://scottwb.com/blog/2013/02/06/always-on-https-with-rails-behind-an-elb/
2014-05-22 18:34:15 +12:00
Ingo Schommer
a05d8113af Merge pull request #3103 from simonwelsh/configstatic_nextstring
Adds to nextString() method to ConfigStaticManifest
2014-05-09 16:08:19 +12:00
Simon Welsh
3602ce2db8 Adds to nextString() method to ConfigStaticManifest
This is used to get the classname out of the tokens, rather than assuming that
the class name is a single T_STRING.
2014-05-06 15:35:37 +10:00
Damian Mooyman
d06d5c113b API Injector supports nesting
BUG Resolve issue with DirectorTest breaking RequestProcessor
Injector::nest and Injector::unnest are introduced to better support sandboxing of tests.
Injector and Config ::nest and ::unnest support chaining
Test cases for both Injector::nest and Config::nest
2014-04-29 08:59:33 +12:00
Simon Welsh
1d5706f15c Correct line length and indentation 2014-03-30 21:11:56 +13:00
Ingo Schommer
023641e263 Merge pull request #2776 from ryanwachtl/fix-get-candidate-template
FIX Overriding of theme templates in project folder
2014-03-25 23:08:36 +13:00
Ingo Schommer
5e29249593 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	search/filters/PartialMatchFilter.php
2014-02-12 15:18:27 +13:00
Nik Rolls
d1c68e6020 Fix autocompletion on ::create and ::strong_create
This ties in with IDEs that can autocomplete the LSB class when you @return static.
2014-02-04 15:36:24 +13:00
Ingo Schommer
457ec9446b Merge pull request #2700 from ajshort/injector-factory
Injector Factory
2014-02-03 16:50:15 -08:00
Simon Welsh
ed4d32581d $manifest needs to be global for Deprecation. 2014-02-04 12:26:28 +13:00
Andrew Short
4ac5a749b0 Register config as a service. 2014-02-03 11:30:39 +11:00
Simon Erkelens
412cbbccc8 Don't show next for anything above TotalPages
Bots often have the habit of trying a next page, even if there isn't one.
Thus, using CurrentPage < TotalPages prevents unwanted next-links from being shown.
2014-02-02 21:13:48 +01:00
Ingo Schommer
ab070944d5 Merge branch 'pulls/apidocs-package-list' of https://github.com/madmatt/silverstripe-framework into madmatt-pulls/apidocs-package-list
Conflicts:
	view/SSTemplateParser.php
	view/SSTemplateParser.php.inc
2014-01-31 15:15:59 +13:00
Ryan Wachtl
5f87d344f1 FIX Overriding of theme templates in project folder
Fixes issue of templates not being found when a Page's main/Layout templates are split between the project and theme folders. Adds more expansive testing for template loading.
2014-01-14 15:05:24 -06:00
Andrew Short
b7b041b435 FIX: Only unregister the relevant class when adding an extension.
This fixes an issue where the Config instance could not be injected, as
it would be immediately cleared.
2013-12-01 22:25:19 +11:00
madmatt
bebe0f6e37 Updating @package and @subpackage doc tags 2013-11-29 17:49:30 +13:00
Hamish Friedlander
e161439340 Merge pull request #2470 from sunnysideup/patch-19
more meaningful error message in ConfigStaticManifest.php (depth < 0)
2013-11-04 17:58:10 -08:00
Sean Harvey
07b15db3eb Allow ASSETS_PATH to be overridden like ASSETS_PATH (via jthomerson) 2013-11-01 11:27:03 +13:00
Craig Lyons
27b139bc75 Add backwards compatibility for has_extension 2013-10-11 10:18:00 -04:00
Damian Mooyman
f67b549b77 BUG Fixed cross-platform issues with test cases and file utilities 2013-10-04 13:54:33 +13:00
Damian Mooyman
4b850fb41c BUG Fixed cross-platform issues with test cases and file utilities 2013-10-03 14:49:18 +13:00
Nicolaas
5af97aa885 more meaningful error message in ConfigStaticManifest.php (depth < 0)
Changed error from: Fatal error: Hmm - depth calc wrong, hit negatives in /var/www/tangoio.maori.nz/framework/core/manifest/ConfigStaticManifest.php on line 242

... to ...

Fatal error: Hmm - depth calc wrong, hit negatives, see: /var/www/mysite.maori.nz/mymodule/code/MyClass.php in /var/www/mysite.maori.nz/framework/core/manifest/ConfigStaticManifest.php on line 240

The first error is completely meaningless and impossible to debug...
2013-09-30 16:02:11 -10:00