Damian Mooyman
8331171f2c
Merge remote-tracking branch 'origin/3.1' into 3
...
Conflicts:
.scrutinizer.yml
admin/javascript/LeftAndMain.Panel.js
core/startup/ParameterConfirmationToken.php
dev/Debug.php
dev/FixtureBlueprint.php
docs/en/00_Getting_Started/05_Coding_Conventions.md
docs/en/00_Getting_Started/index.md
docs/en/02_Developer_Guides/01_Templates/01_Syntax.md
filesystem/File.php
filesystem/Folder.php
forms/FieldList.php
forms/LabelField.php
forms/MoneyField.php
forms/TextField.php
forms/TreeDropdownField.php
forms/Validator.php
forms/gridfield/GridField.php
forms/gridfield/GridFieldExportButton.php
lang/de.yml
lang/fi.yml
model/DataObject.php
model/SQLQuery.php
parsers/ShortcodeParser.php
security/ChangePasswordForm.php
security/Security.php
tests/control/DirectorTest.php
tests/core/startup/ParameterConfirmationTokenTest.php
tests/dev/FixtureBlueprintTest.php
tests/forms/FieldListTest.php
tests/forms/MoneyFieldTest.php
tests/model/SQLQueryTest.php
tests/security/SecurityTest.php
2015-06-02 19:13:38 +12:00
Damian Mooyman
a978b891e1
BUG Fix handling of empty parameter token
2015-05-28 10:13:10 +12:00
Damian Mooyman
75137dbab2
Ensure only trusted proxy servers have control over certain HTTP headers
2015-05-28 10:12:46 +12:00
Damian Mooyman
eb069e605d
Remove all redundant whitespace
2014-08-19 09:17:15 +12:00
Damian Mooyman
d3c7e41419
BUG using isDev or isTest query string no longer triggers basic auth
2014-07-02 11:51:51 +12:00
Ingo Schommer
ec325a3c7f
API Fix HTTPS proxy header detection
...
Didn't use the de facto standard HTTP_X_FORWARDED_PROTO or the less standard HTTP_FRONT_END_HTTPS.
Removed the 'X-Forwarded-Proto', since PHP should prefix/underscore all HTTP headers before it hits $_SERVER.
References:
- https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
- https://drupal.org/node/1859252
- https://drupal.org/node/313145
- http://scottwb.com/blog/2013/02/06/always-on-https-with-rails-behind-an-elb/
2014-05-22 18:34:15 +12:00
Hamish Friedlander
4a7aef0e25
FIX Double slashes in ParameterConfirmationToken
2013-08-19 11:35:34 +12:00
Hamish Friedlander
041466fe02
FIX Token redirect where in IIS a / needs adding between host & url
2013-08-05 09:15:11 +12:00
Hamish Friedlander
342058742c
FIX Flush on memory exhaustion and headers sent
2013-08-02 09:41:16 +12:00
Hamish Friedlander
604d9bf7dc
Split Core.php into Constants.php and Core.php and adjust main.php startup
...
The recent flush filter fix had a problem that you couldnt set a custom
BASE_PATH in _ss_environment because that file didnt get included until
after checking the confirmation token. This patch pulls the part of Core.php
that defines BASE_PATH into a seperate file that can be included earlier
in the startup sequence so that ParameterConfirmationToken can access it.
Core.php includes Constants.php with a require_once call, so for startup
scripts that dont pull in Constants.php themselves (like cli-script.php)
no change is needed.
2013-07-22 13:52:00 +12:00
Hamish Friedlander
a312cd08e1
FIX: Ignore invalid tokens instead of throwing 403
2013-07-19 14:47:05 +12:00
Hamish Friedlander
036c36a7dd
FIX: Have ParameterConfirmationToken work regardless of include path
2013-07-19 14:33:56 +12:00
Hamish Friedlander
1298d4a5bd
FIX Prevent DOS by checking for env and admin on ?flush=1 ( #1692 )
2013-07-19 12:24:32 +12:00