Commit Graph

23242 Commits

Author SHA1 Message Date
Guy Sartorelli
1a5bb4cbec
[CVE-2023-22729] Escaped double slash is absolute URL 2023-04-26 09:49:59 +12:00
Dylan Wagstaff
92061a3ba6
FIX stabilise typed APIs (#10740)
Since 4.12 the use of typehints and return types has caused issues with
values fetched directly from config without validation. This has lead to
upgrade woes in a minor version (#10721) with no immediate recourse
other than manual system intervention.

To use types, we should ensure types, leaving a stable API that won't
error on a bad value - or should give a thoughtful and directive error
message if so.

Issue #10721 summary:
SessionMiddleware runs before FlushMiddleware
SessionMiddleware causes a PHP fatal error passing `null` to a `string`
parameter.
`null` comes from config, because default string value doesn't exist. We
need flush for this - but system execution never makes it that far.
2023-04-11 10:52:41 +12:00
Maxime Rainville
403f924d22
BUG Update RelatedDataService to properly escape ClassName in Polymorphic relations (#10713) 2023-03-02 09:56:40 +13:00
Michal Kleiner
94b24b2390
Merge pull request #10687 from xini/fix-classinfo-paths-windows 2023-03-01 20:56:49 +13:00
Florian Thoma
6585d499f5 FIX Convert slashes in paths when getting list of classes for file/folder
This is to support the mechanism working on all operating systems where Windows may produce a mix of forward and backward slashes in some paths.
For working with the files it may not be a problem, but for exact string comparison the path delimiters need to be unified.
2023-03-01 20:32:19 +13:00
Florian Thoma
54fc4ee9d2
fix directory separator in i18nTextCollector on Windows (#10681)
* fix directory separator in i18nTextCollector for Windows

* fix typo
2023-02-09 19:09:48 +13:00
Michal Kleiner
20e4aae25b
Merge pull request #10663 from lekoala/patch-33
FIX Prevent backslash in CSS class name
2023-01-30 22:51:09 +13:00
Thomas Portelange
3e5d99dedc
Prevent backslash in class name
since the default code is using get_called_class, you can end up with \ in the class name which is an escape character for css selectors
this update convert for example

even valCMS_ACCESS_SilverStripe\VersionedAdmin\ArchiveAdmin
to
even valCMS_ACCESS_SilverStripe-VersionedAdmin-ArchiveAdmin

ArchiveAdmin class should probably implement     private static $required_permission_codes = 'CMS_ACCESS_ArchiveAdmin '; also
2023-01-30 10:26:22 +01:00
Guy Sartorelli
62f71a321d
Merge pull request #10631 from xini/patch-5
fix: optional return value for paginator state
2023-01-09 10:47:17 +13:00
Florian Thoma
bb8e3b8386
fix: optional return value for paginator state
`$state->getData()->getData('GridFieldPaginator')' (line 598) returns null by default.
2023-01-02 15:32:16 +11:00
Guy Sartorelli
3564f98c9c
Merge pull request #10616 from s-kerdel/10615-Respect-SS_BASE_URL-for-CLI-RequestBuilder
FIX Respect SS_BASE_URL scheme in CLI environment
2022-12-20 11:38:12 +13:00
Shiva Kerdel
4a1eb0c158
ISSUE-10615: Respect SS_BASE_URL scheme in CLI environment.
Additionally set _SERVER variables for HTTPS and SSL to respect SS_BASE_URL scheme when executing builds and tasks through CLI.
This should solve base tags not being provided with the correct HTTP scheme. This is important to resolve mixed content issues and insecure requests.
2022-12-20 11:13:02 +13:00
Guy Sartorelli
ce53318d26
Merge branch '4.12-release' into 4.12 2022-12-19 01:38:05 +00:00
Guy Sartorelli
8bb712a461
Merge branch '4.11' into 4.12-release 2022-11-30 10:54:02 +13:00
Michal Kleiner
b107622400
FIX Improve rounding logic for storing of long decimal numbers (#10593)
Co-authored-by: Michal Kleiner <michal.kleiner@cub3.com>
2022-11-29 15:07:56 +13:00
Michal Kleiner
f57a77dcdd
Merge pull request #10589 from silverstripe-terraformers/pulls/runtemplate-fix 2022-11-24 13:49:35 +13:00
Chris Penny
31d5aef520 Bugfix: SSViewer check object exists before calling prop or method 2022-11-24 13:18:56 +13:00
Steve Boyd
cb76f312a4 Merge branch '4.11' into 4.12-release 2022-11-21 13:44:23 +13:00
Steve Boyd
dc98cad48a Merge branch '4.10' into 4.11 2022-11-21 13:43:59 +13:00
Guy Sartorelli
c7c108b29a
Merge pull request #10582 from creative-commoners/pulls/4.10/cve-2022-38148
Validate SortColumn exists
2022-11-21 13:30:35 +13:00
Guy Sartorelli
20de819d2b
Merge pull request #10586 from creative-commoners/pulls/4.11/cve-2022-37429
Sanitise XSS
2022-11-21 13:30:30 +13:00
Steve Boyd
fe13856769 [CVE-2022-37429] Sanitise XSS 2022-11-21 13:06:40 +13:00
Guy Sartorelli
17f1c7ceed
Merge pull request #10585 from creative-commoners/pulls/4.11/cve-2022-37430
Sanitise mixed case javascript
2022-11-21 13:03:30 +13:00
Guy Sartorelli
e5b81109de
Merge pull request #10584 from creative-commoners/pulls/4.11/cve-2022-38462
Don't allow CRLF in header values
2022-11-21 13:02:25 +13:00
Steve Boyd
4308a93cc8 [CVE-2022-38148] Validate SortColumn exists 2022-11-21 13:01:32 +13:00
Guy Sartorelli
b17b29eea1
Merge pull request #10583 from creative-commoners/pulls/4.11/cve-2022-38724-embed-shortcode
Restrict embed shortcode attributes
2022-11-21 13:01:23 +13:00
Daniel Hensby
c49abf0fcc
Merge remote-tracking branch 'upstream/4.11' into 4.12 2022-11-11 13:25:54 +00:00
Daniel Hensby
bb5b093004
Merge pull request #10578 from MadeHQ/4.11
Prevent infinite loop when getting table name for ComponentID
2022-11-10 21:49:03 +00:00
Lee Bradley
78b661dcf6
Prevent infinite loop when getting table name for ComponentID
If the field isn't in the first 2 classes then would just continue to loop
Fix means it will continue going to parent classes

Can be seen in the UsedOnTable in `admin` module if you have injected a new `Image` class that extends the built in one
2022-11-10 14:00:29 +00:00
Guy Sartorelli
e53380ce89
Merge pull request #10576 from creative-commoners/pulls/4.11/use-blowfish
MNT Explicitly test with blowfish
2022-11-10 17:18:20 +13:00
Guy Sartorelli
f8befa3dcf
Update translations 2022-11-10 01:56:20 +00:00
Steve Boyd
49e637d244 MNT Explicitly test with blowfish 2022-11-10 11:36:56 +13:00
Guy Sartorelli
ed63beeeee
Merge branch '4.11' into 4 2022-11-09 10:53:09 +13:00
Guy Sartorelli
00d1701d37
Merge pull request #10568 from creative-commoners/pulls/4/restore-err
MNT Use restore_error_handler()
2022-11-04 09:29:51 +13:00
Steve Boyd
7cfd827776 MNT Use restore_error_handler() 2022-11-03 16:19:17 +13:00
Daniel Hensby
00f0b01d0e
Merge pull request #10566 from kinglozzer/form-extension-hook
NEW: Add onBeforeRender extension hook to Form
2022-11-02 23:54:22 +00:00
Loz Calver
7f8f5afc91 Ensure forms/fields overridden by onBeforeRender() can override templates 2022-11-02 11:57:57 +00:00
Loz Calver
e2cb683f14 FIX: Stop FormField onBeforeRenderHolder extension result being overridden 2022-11-02 10:06:23 +00:00
Loz Calver
c925fae180 NEW: Add onBeforeRender extension hook to Form 2022-11-02 10:05:02 +00:00
Guy Sartorelli
e454db6dc9
Merge pull request #10563 from creative-commoners/pulls/4/conf-version
FIX Filter out E_USER_DEPRECATED unrelated to unit test
2022-11-02 12:02:33 +13:00
Steve Boyd
128f78c1cf FIX Filter out E_USER_DEPRECATED unrelated to unit test 2022-11-02 11:40:34 +13:00
Guy Sartorelli
001e9c75d7
Merge pull request #10562 from creative-commoners/pulls/4/depr-random
API Deprecate Member::create_new_password()
2022-11-02 11:10:10 +13:00
Steve Boyd
9091d64652 API Deprecate Member::create_new_password() 2022-11-02 10:08:27 +13:00
Guy Sartorelli
e323fe478e
Merge pull request #10559 from creative-commoners/pulls/4/deprecated-config
NEW Record deprecated config
2022-11-01 11:45:03 +13:00
Steve Boyd
b1dc861aac NEW Record deprecated config 2022-10-31 19:00:59 +13:00
Michal Kleiner
27eb390d2b
Merge pull request #10560 from creative-commoners/pulls/4.11/default-admin-encryption 2022-10-27 14:48:52 +13:00
Steve Boyd
a3c1cb0ddf
ENH Set PasswordEncryption on default admin 2022-10-27 13:57:27 +13:00
Guy Sartorelli
168ca00555
[CVE-2022-38724] Restrict embed shortcode attributes 2022-10-26 09:31:12 +13:00
Steve Boyd
59b980edd7 Merge branch '4.11' into 4 2022-10-21 11:46:39 +13:00
Maxime Rainville
25241a98e1
Merge pull request #10556 from creative-commoners/pulls/4/deprecation-no-manifests
FIX Handle calling Deprecation::notice() before manifests are available
2022-10-21 10:28:40 +13:00