Guy Sartorelli
1a5bb4cbec
[CVE-2023-22729] Escaped double slash is absolute URL
2023-04-26 09:49:59 +12:00
Dylan Wagstaff
92061a3ba6
FIX stabilise typed APIs (#10740)
...
Since 4.12 the use of typehints and return types has caused issues with
values fetched directly from config without validation. This has led to
upgrade woes in a minor version (#10721) with no immediate recourse
other than manual system intervention.
To use types, we should ensure types, leaving a stable API that won't
error on a bad value - or should give a thoughtful and directive error
message if so.
Issue #10721 summary:
SessionMiddleware runs before FlushMiddleware
SessionMiddleware causes a PHP fatal error passing `null` to a `string`
parameter.
`null` comes from config, because default string value doesn't exist. We
need flush for this - but system execution never makes it that far.
2023-04-11 10:52:41 +12:00
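The failure mode described in the commit message above (a `null` config value reaching a `string` parameter and producing a fatal TypeError before flush can run), shown as an added example. This is not framework code: `TypedConfigReader`, `buildSessionCookieName` and the `cookie_name` setting are hypothetical stand-ins for a config store and a typed consumer.

```php
<?php
declare(strict_types=1);

// Added example, not SilverStripe code: validate a config value at the
// boundary so a typed API never sees null, and fail with a message that
// says which key is wrong and what to do about it.
// TypedConfigReader and the 'cookie_name' key are hypothetical.

final class TypedConfigReader
{
    /** @param array<string,mixed> $config stand-in for the framework config store */
    public function __construct(private array $config) {}

    /**
     * Return a non-empty string for $key (or $default when the key is absent
     * or null), otherwise throw a directive InvalidArgumentException.
     */
    public function requireString(string $key, ?string $default = null): string
    {
        $value = $this->config[$key] ?? $default;
        if (!is_string($value) || $value === '') {
            throw new InvalidArgumentException(sprintf(
                'Config "%s" must be a non-empty string, got %s. Set it in YAML config and flush.',
                $key,
                get_debug_type($value)
            ));
        }
        return $value;
    }
}

// A typed consumer such as a middleware might declare. Passing null to a
// non-nullable string parameter of a user function is a TypeError in PHP 8,
// regardless of strict_types.
function buildSessionCookieName(string $name): string
{
    return $name . '_session';
}

// Constructed config: the key exists but holds null, as when no default is set.
$reader = new TypedConfigReader(['cookie_name' => null]);

try {
    echo buildSessionCookieName($reader->requireString('cookie_name')), PHP_EOL;
} catch (InvalidArgumentException $e) {
    // Actionable message instead of an uncaught TypeError during request setup.
    echo $e->getMessage(), PHP_EOL;
}

// With a default supplied, the typed caller proceeds normally.
echo buildSessionCookieName($reader->requireString('cookie_name', 'PHPSESSID')), PHP_EOL;
```

The first call prints the directive message naming the key and the observed type (`null`); the second prints `PHPSESSID_session`. The point is that the check happens where the value is read from config, so the error is reported with enough context to fix it rather than as a type error inside whichever middleware happened to consume it first.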
Maxime Rainville
403f924d22
BUG Update RelatedDataService to properly escape ClassName in Polymorphic relations (#10713)
2023-03-02 09:56:40 +13:00
Michal Kleiner
94b24b2390
Merge pull request #10687 from xini/fix-classinfo-paths-windows
2023-03-01 20:56:49 +13:00
Florian Thoma
6585d499f5
FIX Convert slashes in paths when getting list of classes for file/folder
...
This is to support the mechanism working on all operating systems where Windows may produce a mix of forward and backward slashes in some paths.
For working with the files it may not be a problem, but for exact string comparison the path delimiters need to be unified.
2023-03-01 20:32:19 +13:00
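The separator problem described in this commit and in the i18nTextCollector fix below it, as an added example that is not SilverStripe code: normalise `/` and `\` before any exact string comparison of paths. The function names are hypothetical; the sample paths are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not SilverStripe code: normalise path separators before
// comparing paths, so a Windows path with mixed "/" and "\" matches the same
// path written with forward slashes. Function names are hypothetical.

/** Collapse every run of "/" or "\" to a single "/" and drop a trailing one. */
function normalisePath(string $path): string
{
    $normalised = preg_replace('#[\\\\/]+#', '/', $path) ?? $path;
    return rtrim($normalised, '/');
}

/** Exact-match comparison, which is what a raw string comparison gets wrong. */
function samePath(string $a, string $b): bool
{
    return normalisePath($a) === normalisePath($b);
}

/**
 * String-level check that $file sits under $dir. The "/" appended to the
 * directory stops "C:/site/vendor" from matching "C:/site/vendor-archive".
 * This does not resolve ".." segments; run untrusted input through
 * realpath() first if that matters.
 */
function isInsideDirectory(string $file, string $dir): bool
{
    return str_starts_with(normalisePath($file), normalisePath($dir) . '/');
}

// Constructed sample paths of the kind Windows can produce for one file.
$mixed   = 'C:\\projects\\site/vendor\\silverstripe/framework\\src/Core/ClassInfo.php';
$forward = 'C:/projects/site/vendor/silverstripe/framework/src/Core/ClassInfo.php';

var_dump($mixed === $forward);
var_dump(samePath($mixed, $forward));
var_dump(isInsideDirectory($mixed, 'C:/projects/site/vendor'));
var_dump(isInsideDirectory($mixed, 'C:/projects/site/vendor-archive'));
```

The raw comparison is false while `samePath` is true; the two containment checks are true and false respectively. Working with the files via the filesystem tolerates mixed separators, but anything that keys a map by path or compares against a manifest entry needs the normalised form.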
Florian Thoma
54fc4ee9d2
fix directory separator in i18nTextCollector on Windows (#10681)
...
* fix directory separator in i18nTextCollector for Windows
* fix typo
2023-02-09 19:09:48 +13:00
Michal Kleiner
20e4aae25b
Merge pull request #10663 from lekoala/patch-33
...
FIX Prevent backslash in CSS class name
2023-01-30 22:51:09 +13:00
Thomas Portelange
3e5d99dedc
Prevent backslash in class name
...
since the default code is using get_called_class, you can end up with \ in the class name, which is an escape character for CSS selectors
this update converts, for example,
even valCMS_ACCESS_SilverStripe\VersionedAdmin\ArchiveAdmin
to
even valCMS_ACCESS_SilverStripe-VersionedAdmin-ArchiveAdmin
ArchiveAdmin class should probably implement private static $required_permission_codes = 'CMS_ACCESS_ArchiveAdmin'; also
2023-01-30 10:26:22 +01:00
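The conversion described above, as an added example that is not the project's own code: reduce a value that may be a namespaced class name to a CSS-safe token using an allowlist, which also neutralises characters that would break out of a `class` attribute. `cssClassToken` and `optionClass` are hypothetical names; the input is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not SilverStripe code: turn a value that may contain a
// namespaced PHP class name into a safe CSS class token. A backslash is the
// escape character in CSS selectors, so a class emitted as
// "valCMS_ACCESS_SilverStripe\VersionedAdmin\ArchiveAdmin" does not match
// the selector a stylesheet or script would naturally write for it.
// Function names are hypothetical.

/** Allowlist: letters, digits, underscore and hyphen; every other byte becomes "-". */
function cssClassToken(string $value): string
{
    return preg_replace('/[^A-Za-z0-9_-]/', '-', $value) ?? '';
}

/** Build the per-option class string the way a checkbox set might for each option. */
function optionClass(bool $odd, string $value): string
{
    return ($odd ? 'odd' : 'even') . ' val' . cssClassToken($value);
}

// Constructed input: a permission code built from get_called_class().
$code = 'CMS_ACCESS_' . 'SilverStripe\\VersionedAdmin\\ArchiveAdmin';
echo optionClass(false, $code), PHP_EOL;

// The token can be used in a selector without CSS escaping.
echo '.val' . cssClassToken($code), PHP_EOL;

// The same allowlist also removes quotes and spaces, so a value echoed into
// a class="" attribute cannot close the attribute or add another one.
echo optionClass(true, 'foo" onclick="x'), PHP_EOL;
```

The first line printed is `even valCMS_ACCESS_SilverStripe-VersionedAdmin-ArchiveAdmin`, matching the commit message; the last is `odd valfoo--onclick--x`. An allowlist is preferable to replacing only `\`, because any character outside the token set would need CSS escaping in a selector and HTML escaping in the attribute.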
Guy Sartorelli
62f71a321d
Merge pull request #10631 from xini/patch-5
...
fix: optional return value for paginator state
2023-01-09 10:47:17 +13:00
Florian Thoma
bb8e3b8386
fix: optional return value for paginator state
...
`$state->getData()->getData('GridFieldPaginator')` (line 598) returns null by default.
2023-01-02 15:32:16 +11:00
Guy Sartorelli
3564f98c9c
Merge pull request #10616 from s-kerdel/10615-Respect-SS_BASE_URL-for-CLI-RequestBuilder
...
FIX Respect SS_BASE_URL scheme in CLI environment
2022-12-20 11:38:12 +13:00
Shiva Kerdel
4a1eb0c158
ISSUE-10615: Respect SS_BASE_URL scheme in CLI environment.
...
Additionally set _SERVER variables for HTTPS and SSL to respect SS_BASE_URL scheme when executing builds and tasks through CLI.
This should solve base tags not being provided with the correct HTTP scheme. This is important to resolve mixed content issues and insecure requests.
2022-12-20 11:13:02 +13:00
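The scheme handling described above, as an added example that is not the framework's own code: derive the `$_SERVER` overrides for a CLI run from the scheme in `SS_BASE_URL`. The `HTTPS` and `SSL` keys are the ones named in the commit; `HTTP_HOST` and `SERVER_PORT` are my additions, and `serverOverridesForBaseUrl` is a hypothetical name.

```php
<?php
declare(strict_types=1);

// Added example, not SilverStripe code: compute the $_SERVER entries that
// make URL building treat a CLI build or task as HTTPS when SS_BASE_URL uses
// the https scheme. Returning the overrides (instead of mutating $_SERVER
// inside the function) keeps the logic easy to check in isolation.
// HTTP_HOST/SERVER_PORT handling is an addition beyond the commit.

/** @return array<string,string> keys to merge into $_SERVER */
function serverOverridesForBaseUrl(?string $baseUrl): array
{
    if ($baseUrl === null || $baseUrl === '') {
        return [];
    }
    $parts = parse_url($baseUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        // No usable scheme and host: leave the environment alone rather than guess.
        return [];
    }

    $overrides = ['HTTP_HOST' => $parts['host']];
    if (isset($parts['port'])) {
        $overrides['HTTP_HOST'] .= ':' . $parts['port'];
        $overrides['SERVER_PORT'] = (string) $parts['port'];
    }

    if (strtolower($parts['scheme']) === 'https') {
        $overrides['HTTPS'] = 'on';
        $overrides['SSL'] = '1';
        $overrides['SERVER_PORT'] ??= '443';
    } else {
        $overrides['SERVER_PORT'] ??= '80';
    }
    return $overrides;
}

// Constructed inputs: values SS_BASE_URL might hold for a cron-driven build.
foreach (['https://www.example.com', 'http://localhost:8080', 'www.example.com'] as $base) {
    printf("%-26s %s\n", $base, json_encode(serverOverridesForBaseUrl($base)));
}

// Only apply this when actually running under the CLI SAPI.
if (PHP_SAPI === 'cli') {
    $_SERVER = array_merge($_SERVER, serverOverridesForBaseUrl(getenv('SS_BASE_URL') ?: null));
}
```

The third constructed input has no scheme, so `parse_url` yields only a path and the function returns an empty array; without an explicit scheme nothing should be promoted to HTTPS. Generated `<base>` tags and absolute links then carry the scheme the site is actually served on, which is what avoids the mixed-content and insecure-request problems the commit mentions.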
Guy Sartorelli
ce53318d26
Merge branch '4.12-release' into 4.12
2022-12-19 01:38:05 +00:00
Guy Sartorelli
8bb712a461
Merge branch '4.11' into 4.12-release
2022-11-30 10:54:02 +13:00
Michal Kleiner
b107622400
FIX Improve rounding logic for storing of long decimal numbers (#10593)
...
Co-authored-by: Michal Kleiner <michal.kleiner@cub3.com>
2022-11-29 15:07:56 +13:00
Michal Kleiner
f57a77dcdd
Merge pull request #10589 from silverstripe-terraformers/pulls/runtemplate-fix
2022-11-24 13:49:35 +13:00
Chris Penny
31d5aef520
Bugfix: SSViewer check object exists before calling prop or method
2022-11-24 13:18:56 +13:00
Steve Boyd
cb76f312a4
Merge branch '4.11' into 4.12-release
2022-11-21 13:44:23 +13:00
Steve Boyd
dc98cad48a
Merge branch '4.10' into 4.11
2022-11-21 13:43:59 +13:00
Guy Sartorelli
c7c108b29a
Merge pull request #10582 from creative-commoners/pulls/4.10/cve-2022-38148
...
Validate SortColumn exists
2022-11-21 13:30:35 +13:00
Guy Sartorelli
20de819d2b
Merge pull request #10586 from creative-commoners/pulls/4.11/cve-2022-37429
...
Sanitise XSS
2022-11-21 13:30:30 +13:00
Steve Boyd
fe13856769
[CVE-2022-37429] Sanitise XSS
2022-11-21 13:06:40 +13:00
Guy Sartorelli
17f1c7ceed
Merge pull request #10585 from creative-commoners/pulls/4.11/cve-2022-37430
...
Sanitise mixed case javascript
2022-11-21 13:03:30 +13:00
Guy Sartorelli
e5b81109de
Merge pull request #10584 from creative-commoners/pulls/4.11/cve-2022-38462
...
Don't allow CRLF in header values
2022-11-21 13:02:25 +13:00
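The rule stated in the merge above ("Don't allow CRLF in header values"), as an added example that is not the framework's own implementation: a small header store that rejects CR, LF and NUL rather than stripping them. `HeaderBag` is a hypothetical name and the hostile value is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not SilverStripe code: a minimal response header store that
// refuses CR, LF or NUL in header names and values. A value containing
// "\r\n" would otherwise end the header line and let the caller append a
// further header, or after a blank line, a body. HeaderBag is hypothetical.

final class HeaderBag
{
    /** @var array<string,string> */
    private array $headers = [];

    public function add(string $name, string $value): void
    {
        // Header names are RFC 7230 tokens; anything else is rejected outright.
        if (!preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $name)) {
            throw new InvalidArgumentException('Invalid header name: ' . json_encode($name));
        }
        // Reject rather than strip: a silently altered value is still not what
        // the caller intended, and the rejection surfaces the tainted input.
        if (preg_match('/[\r\n\0]/', $value)) {
            throw new InvalidArgumentException("Header value for $name contains CR/LF");
        }
        $this->headers[$name] = $value;
    }

    /** Render the headers as they would appear on the wire (status line omitted). */
    public function render(): string
    {
        $out = '';
        foreach ($this->headers as $name => $value) {
            $out .= "$name: $value\r\n";
        }
        return $out;
    }
}

$bag = new HeaderBag();
$bag->add('Location', '/admin');

// Constructed attacker-controlled value, e.g. taken from a redirect parameter.
$malicious = "/admin\r\nSet-Cookie: session=attacker";

try {
    $bag->add('Location', $malicious);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

echo $bag->render();
```

The second `add` throws and the rendered output contains only the original `Location` header. Modern PHP's `header()` already refuses values with newlines, but code that assembles headers itself (or targets other emitters) needs the same check at the point where the value enters the response.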
Steve Boyd
4308a93cc8
[CVE-2022-38148] Validate SortColumn exists
2022-11-21 13:01:32 +13:00
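The check named in this commit ("Validate SortColumn exists"), as an added example that is not the framework's own code: confirm a requested sort column is one the table really has before it is placed in an `ORDER BY`, since identifiers cannot be bound as query parameters. `orderByClause` and the column list are hypothetical; the hostile input is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not SilverStripe code: validate a user-supplied sort column
// against the table's known columns before building ORDER BY. Column
// identifiers cannot be sent as prepared-statement parameters, so an
// allowlist check is the control; the identifier is quoted only after the
// check passes. Names and the schema are hypothetical.

/** @param list<string> $knownColumns columns of the table, e.g. from schema metadata */
function orderByClause(string $requestedColumn, string $direction, array $knownColumns): string
{
    // Strict comparison against the real column list; anything else is refused.
    if (!in_array($requestedColumn, $knownColumns, true)) {
        throw new InvalidArgumentException('Unknown sort column: ' . json_encode($requestedColumn));
    }
    // Direction is reduced to one of two literals, never interpolated raw.
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    // Quote the identifier (MySQL backtick style shown; double any embedded backtick).
    $quoted = '`' . str_replace('`', '``', $requestedColumn) . '`';
    return "ORDER BY $quoted $direction";
}

// Constructed schema for a hypothetical table.
$columns = ['ID', 'Title', 'Created', 'LastEdited'];

echo orderByClause('Created', 'desc', $columns), PHP_EOL;

// Constructed hostile input: a column name carrying extra SQL.
try {
    echo orderByClause('Created`, (SELECT 1) -- ', 'asc', $columns), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The first call yields `` ORDER BY `Created` DESC ``; the second is rejected before any SQL is built. Quoting alone is not a substitute for the existence check: a column that is quoted correctly but does not exist still produces a database error that leaks schema details to the caller.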
Guy Sartorelli
b17b29eea1
Merge pull request #10583 from creative-commoners/pulls/4.11/cve-2022-38724-embed-shortcode
...
Restrict embed shortcode attributes
2022-11-21 13:01:23 +13:00
Daniel Hensby
c49abf0fcc
Merge remote-tracking branch 'upstream/4.11' into 4.12
2022-11-11 13:25:54 +00:00
Daniel Hensby
bb5b093004
Merge pull request #10578 from MadeHQ/4.11
...
Prevent infinite loop when getting table name for ComponentID
2022-11-10 21:49:03 +00:00
Lee Bradley
78b661dcf6
Prevent infinite loop when getting table name for ComponentID
...
If the field isn't in the first 2 classes then it would just continue to loop
Fix means it will continue going to parent classes
Can be seen in the UsedOnTable in `admin` module if you have injected a new `Image` class that extends the built in one
2022-11-10 14:00:29 +00:00
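The ancestry walk described above, as an added example that is not the framework's own code: find the class that declares a field by following `get_parent_class()` until the root, so the loop ends either on a match or when no parent remains. The class hierarchy is constructed and `declaringClass` is a hypothetical name.

```php
<?php
declare(strict_types=1);

// Added example, not SilverStripe code: locate the ancestor class that
// declares a field by walking up with get_parent_class(). The loop has two
// exits, found or no-parent-left, so an injected subclass that adds levels
// above the field cannot make it spin forever.

// Constructed hierarchy standing in for base record -> file -> image -> project subclass.
class BaseRecord   { public static array $db = ['ID' => 'Int']; }
class FileRecord   extends BaseRecord  { public static array $db = ['Name' => 'Varchar']; }
class ImageRecord  extends FileRecord  { public static array $db = ['Width' => 'Int']; }
class ProjectImage extends ImageRecord { public static array $db = []; }

/**
 * Return the class in $class's ancestry whose own $db declares $field,
 * or null when no ancestor declares it.
 */
function declaringClass(string $class, string $field): ?string
{
    for ($current = $class; $current !== false; $current = get_parent_class($current)) {
        // Each class redeclares $db, so this reads that class's own fields.
        if (array_key_exists($field, $current::$db)) {
            return $current;
        }
    }
    return null;
}

// The field lives three levels above the injected subclass.
var_dump(declaringClass(ProjectImage::class, 'Name'));

// An unknown field reaches the root and reports null instead of looping.
var_dump(declaringClass(ProjectImage::class, 'NoSuchField'));
```

The first lookup returns `FileRecord`; the second returns `null`. A loop that only inspects a fixed number of levels, or that never advances to the parent when a level does not match, is the shape that hangs once a subclass is injected between the consumer and the declaring class.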
Guy Sartorelli
e53380ce89
Merge pull request #10576 from creative-commoners/pulls/4.11/use-blowfish
...
MNT Explicitly test with blowfish
2022-11-10 17:18:20 +13:00
Guy Sartorelli
f8befa3dcf
Update translations
2022-11-10 01:56:20 +00:00
Steve Boyd
49e637d244
MNT Explicitly test with blowfish
2022-11-10 11:36:56 +13:00
Guy Sartorelli
ed63beeeee
Merge branch '4.11' into 4
2022-11-09 10:53:09 +13:00
Guy Sartorelli
00d1701d37
Merge pull request #10568 from creative-commoners/pulls/4/restore-err
...
MNT Use restore_error_handler()
2022-11-04 09:29:51 +13:00
Steve Boyd
7cfd827776
MNT Use restore_error_handler()
2022-11-03 16:19:17 +13:00
Daniel Hensby
00f0b01d0e
Merge pull request #10566 from kinglozzer/form-extension-hook
...
NEW: Add onBeforeRender extension hook to Form
2022-11-02 23:54:22 +00:00
Loz Calver
7f8f5afc91
Ensure forms/fields overridden by onBeforeRender() can override templates
2022-11-02 11:57:57 +00:00
Loz Calver
e2cb683f14
FIX: Stop FormField onBeforeRenderHolder extension result being overridden
2022-11-02 10:06:23 +00:00
Loz Calver
c925fae180
NEW: Add onBeforeRender extension hook to Form
2022-11-02 10:05:02 +00:00
Guy Sartorelli
e454db6dc9
Merge pull request #10563 from creative-commoners/pulls/4/conf-version
...
FIX Filter out E_USER_DEPRECATED unrelated to unit test
2022-11-02 12:02:33 +13:00
Steve Boyd
128f78c1cf
FIX Filter out E_USER_DEPRECATED unrelated to unit test
2022-11-02 11:40:34 +13:00
Guy Sartorelli
001e9c75d7
Merge pull request #10562 from creative-commoners/pulls/4/depr-random
...
API Deprecate Member::create_new_password()
2022-11-02 11:10:10 +13:00
Steve Boyd
9091d64652
API Deprecate Member::create_new_password()
2022-11-02 10:08:27 +13:00
Guy Sartorelli
e323fe478e
Merge pull request #10559 from creative-commoners/pulls/4/deprecated-config
...
NEW Record deprecated config
2022-11-01 11:45:03 +13:00
Steve Boyd
b1dc861aac
NEW Record deprecated config
2022-10-31 19:00:59 +13:00
Michal Kleiner
27eb390d2b
Merge pull request #10560 from creative-commoners/pulls/4.11/default-admin-encryption
2022-10-27 14:48:52 +13:00
Steve Boyd
a3c1cb0ddf
ENH Set PasswordEncryption on default admin
2022-10-27 13:57:27 +13:00
Guy Sartorelli
168ca00555
[CVE-2022-38724] Restrict embed shortcode attributes
2022-10-26 09:31:12 +13:00
Steve Boyd
59b980edd7
Merge branch '4.11' into 4
2022-10-21 11:46:39 +13:00
Maxime Rainville
25241a98e1
Merge pull request #10556 from creative-commoners/pulls/4/deprecation-no-manifests
...
FIX Handle calling Deprecation::notice() before manifests are available
2022-10-21 10:28:40 +13:00