Stephen Shkardoon
143317cc86
BUG SQL Injection in CsvBulkLoader (fixes #6227)
Diff should speak for itself, looks like this will have to be implemented in all supported branches.
2013-03-20 00:45:05 +13:00
Ingo Schommer
a8a10f8a1a
BUG Transaction stub methods for better cross 2.x and 3.x compat
The transactionStart() naming is 3.x, and used by some modules
which are otherwise still 2.x compatible.
Specifically, this was added to avoid branching the payment module
into separate 2.x and 3.x compatible branches.
2013-02-26 13:49:46 +01:00
Ingo Schommer
56ad1d027e
Updated changelog
2013-02-18 01:03:57 +01:00
Ingo Schommer
190e0b8a47
Add ContentController->handleWidget() to $allowed_actions
Required by recent $allowed_actions security fix
2013-02-18 00:10:06 +01:00
Ingo Schommer
eecd34868f
BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This will prevent empty passwords from setting the encryption to 'none',
which in turn would store any subsequent password changes in cleartext.
Reproducible e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:16:25 +01:00
Ingo Schommer
3e27d27f7a
Improved docs on $allowed_actions
Added section to "Controllers" and "Form" topics,
added $allowed_actions definitions to all controller examples
2013-02-17 23:16:25 +01:00
Ingo Schommer
50995fbecb
BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.
Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:16:22 +01:00
Ingo Schommer
5d3ed12e20
Nginx docs for denying composer file access (fixes #8011)
2013-02-15 19:22:21 +01:00
Sean Harvey
9337902fdd
Merge pull request #1181 from chillu/pulls/showtemplate-admin
API Require ADMIN for ?showtemplate=1 (2.4)
2013-02-12 15:07:13 -08:00
Ingo Schommer
45c68d6821
API Require ADMIN for ?showtemplate=1
2013-02-12 23:21:13 +01:00
Fred Condo
78d21b511c
Update documentation of nginx configuration
- Avoid using "if" to check for file existence (use try_files instead)
- Replicate the behavior of the .htaccess files
- TODO: get static error pages to work
2013-01-11 16:06:11 +01:00
Ingo Schommer
44c41085b9
Copying request params before Core.php exec in PHPUnit bootstrap
Same behaviour as with 3.0 bootstrap.php and the
2.4 cli-script.php (which it is based on).
This allows using GET switches which are evaluated in _config.php
files, e.g. db=<db-alias> settings for running tests
with various DBs without changing the underlying PHP config.
2013-01-06 22:34:29 +01:00
Ingo Schommer
3fad49e2c0
2.4.9 changelog
2012-12-04 22:47:47 +01:00
Ingo Schommer
3be9499c3a
Fixed HTML syntax in config-form.html
2012-12-04 17:27:05 +01:00
Ingo Schommer
d1e65b5657
Support for composer-created themes dir structure
Due to git limitations, we can't check out the blackcandy
"parent" theme into themes/blackcandy/ directly, since that
would require sharing paths with git repositories of other themes.
2012-12-04 17:21:53 +01:00
Ingo Schommer
f86bd977a4
Fixed DateTest timezone settings
Backport from 3.x, see d1a9e2b3 and 0aeda5c9
2012-12-04 12:36:43 +01:00
Ingo Schommer
3268c0dee8
Merge pull request #977 from simonwelsh/rename-Transliterator
API Rename Transliterator to SS_Transliterator to remove conflict with Intl extension
2012-11-30 06:55:53 -08:00
Simon Welsh
f49f1ff5df
API Rename Transliterator to SS_Transliterator to remove conflict with Intl extension
2012-11-29 08:21:05 +13:00
Ingo Schommer
326036a501
Excluded or removed tests relying on actual webserver routing
The "sanitychecks" group excludes through phpunit.xml.dist.
Removed RestfulService->testHttpErrorWithoutCache()
since it's not sufficiently isolated in terms of testing.
Has been refactored in 3.x, but too intrusive to backport.
Changes mainly necessary to get Travis builds passing,
since we don't want to start mucking around with
dynamically generated file-to-url mappings just to
get *unit* tests passing - as opposed to integration-testing
the whole environment incl. webserver.
2012-11-28 15:35:09 +01:00
Ingo Schommer
7db928ba17
Added cms to travis requirements
2012-11-09 13:31:22 +01:00
Ingo Schommer
0a63f449df
Added README with build status
2012-11-09 13:14:17 +01:00
Ingo Schommer
21791e4114
Added travis support
2012-11-09 13:07:04 +01:00
Mateusz Uzdowski
22095dae6c
API Hash autologin tokens before storing in the database.
Backported from 3.0, cc423c38fb.
2012-11-09 12:03:55 +01:00
Ingo Schommer
59680b52e2
Added composer.json
2012-11-01 16:30:14 +01:00
Ingo Schommer
9e595db7f3
Changelogs
2012-10-30 17:00:41 +01:00
Ingo Schommer
6a06965b37
Merge pull request #881 from simonwelsh/2.4-5.4-fixes
Minor PHP5.4 fixes
2012-10-16 06:02:12 -07:00
Simon Welsh
4ff8cff262
Minor PHP5.4 fixes
Explicitly excludes E_STRICT from live error level and handles arrays in a backtrace
output, rather than trying to convert to string.
2012-10-16 23:37:30 +13:00
Ingo Schommer
392543bde3
BUGFIX Don't set 'Referer' header in FunctionalTest->get()/post() if it's explicitly passed to the method
2012-10-16 10:17:10 +02:00
Ingo Schommer
46064f8f88
SECURITY More solid relative/site URL checks (related to "BackURL" redirection)
Return true for Director::is_absolute_url() checks if they're prefixed with two or more slashes (as browsers interpret this as a valid URL)
More solid URL checks in Director::is_site_url(), using a conservative parse_url() hostname comparison rather than Director::makeRelative(), which is not designed for security purposes
2012-10-16 10:17:07 +02:00
Ingo Schommer
2034927d31
Merge pull request #850 from willmorgan/patch-2
Fixed grammatical error for Form.FIELDISREQUIRED
2012-10-05 10:28:07 -07:00
Will Morgan
1c7b7d0ab5
Fixed grammatical error for Form.FIELDISREQUIRED
2012-10-05 18:04:38 +02:00
Ingo Schommer
201fb485a9
Merge pull request #797 from stozze/2.4-bugfix
BUGFIX Fix to prevent unintended results from getComponentsQuery(...)
2012-09-17 17:04:13 -07:00
stozze
8ec6312f3f
BUG Fix to prevent unintended results from getComponentsQuery(...)
Wrapped $filter inside parentheses to prevent unintended results if $filter contains "OR".
2012-09-14 18:25:29 +03:00
Ingo Schommer
33b9b18a4c
Merge pull request #722 from sonet/2.4
MINOR fixed array to string conversion to avoid PHP 5.4 warnings
2012-08-16 11:23:14 -07:00
Adam Skrzypulec
766987105d
MINOR fixed array to string conversion to avoid PHP 5.4 warnings
2012-08-15 11:40:40 -05:00
Will Rossiter
f6c69d5241
Update widget documentation (fixes #706)
2012-08-08 21:21:58 +12:00
Ingo Schommer
b211c38010
MINOR Manually testing exceptions in SSViewerCacheBlockTest to avoid PHPUnit 3.6 warnings
2012-05-14 17:25:10 +02:00
Andrew O'Neil
9bf3ae9a19
SECURITY: Ensure javascript content type is sent in form responses. If content type is html, and the javascript contains script tags within the content, this content will be executed.
2012-05-03 17:08:08 +02:00
Ingo Schommer
c1d2cd1293
MINOR Corrected Geoip entries for ex-Yugoslavia ... better late than never
2012-03-30 09:51:21 +02:00
Ingo Schommer
44b9d0560b
MINOR Backported bootstrap.php changes from master and custom TeamCity configuration (required to run tests through phpunit binary)
2012-03-14 14:17:28 +01:00
Sam Minnee
921bf9a439
ENHANCEMENT: Ensure that forceSSL and protocol detection respects the X-Forwarded-Protocol header.
2012-02-03 09:39:10 +13:00
Ingo Schommer
bf4476a3be
API CHANGE silverstripe_version file now contains the plain version number, rather than an SVN path
2012-02-01 18:54:59 +01:00
Sam Minnee
af22d0743a
MINOR: On PHPUnit 3.6, show the output of tests.
2012-02-01 11:01:49 +13:00
Sam Minnee
5956ad82fc
MINOR: Amended PHPUnit execution to work with PHPUnit 3.6
2012-02-01 11:00:58 +13:00
Ingo Schommer
0085876495
BUGFIX Casting return values on text helper methods in StringField, Text, Varchar
2012-01-31 16:28:47 +01:00
Ingo Schommer
252e187015
SECURITY Escape links for SilverStripeNavigatorItem
2012-01-31 15:55:30 +01:00
Ingo Schommer
5fe7091dff
SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages
2012-01-31 15:54:59 +01:00
Sam Minnée
84f47f5c86
Merge pull request #63 from simonwelsh/patch-4
Documentation fix
2011-11-02 13:34:40 -07:00
Ingo Schommer
96bee47ab8
MINOR Switching 'rewriteHashlinks' sanitization from Convert::raw2att() to strip_tags() to make the resulting PHP more portable when mode is set to 'php'
2011-10-18 10:54:30 +02:00
Ingo Schommer
16c32359c6
BUGFIX Escaping base URLs for anchor links rewritten by SSViewer::process() with the 'rewriteHashlinks' option enabled (which is a framework default, and necessary because of the use of a <base> tag). Also added escaping for base URLs rendered through the 'php' variation of 'rewriteHashlinks'
2011-10-18 10:18:29 +02:00