71db45b18b
[CVE-2019-19326] Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod()
2020-07-10 14:57:26 +12:00
acccdd8a1c
Merge branch '4.5' into 4
2020-05-26 14:31:06 +12:00
42bb28965c
Merge branch '4.4' into 4.5
2020-05-26 14:30:27 +12:00
395893b559
Merge branch '4.3' into 4.4
2020-05-26 14:30:02 +12:00
86fcb9e29c
Merge branch '4.2' into 4.3
2020-05-26 14:29:16 +12:00
21129b1624
Use short array syntax across the framework's codebase
2020-05-16 10:34:45 +01:00
1d19051c10
Add sha1 and md5 hashing options in resource URL
2020-05-12 18:14:03 +12:00
2f3c0fc8dd
Update src/Control/Session.php
...
Co-Authored-By: Guy Marriott <guy.the.person@gmail.com>
2020-04-28 19:21:52 +02:00
b38c35fe90
Fixes warning if session is not active
...
See issue https://github.com/silverstripe/silverstripe-framework/issues/9496
2020-04-27 13:51:19 +02:00
33b0b6985a
Update file paths for autoloading compatibility
2020-04-25 10:28:28 +01:00
237b2d5f74
Convert array delcarations to short array syntax
2020-04-20 18:58:09 +01:00
1fb574a5bd
NEW: Variadic URL parameter matches for url_handlers ( #9438 )
...
* Add wildcard URL parameter matches for url_handlers
* Extra tests for wildcard parameters
* Add a PHP warning if more params appear after wildcard param
2020-03-25 09:16:13 +13:00
c31de772ab
Merge pull request #8838 from creative-commoners/pulls/4/slash-means-root
...
Use '/' as an alternative designation for root in routing
2020-02-14 11:29:32 -08:00
9d1d59d8d1
NEW Accept / as designation for root URL controller
2020-02-14 14:41:10 +13:00
4121099484
Merge branch '4.5' into 4
2020-01-16 20:00:02 -08:00
53fcd47dfc
Merge branch '4.4' into 4.5
2020-01-16 19:59:42 -08:00
26e3b6f4e3
Merge branch '4.3' into 4.4
2020-01-16 19:59:24 -08:00
453945da14
FIX: Session::restart() didn't correctly restart session ( fixes #9259 )
2019-11-20 14:21:30 +00:00
501d9a1480
Update HTTPRequest.php
2019-10-23 22:52:53 +13:00
630c6c0514
Update src/Control/HTTPRequest.php
...
Co-Authored-By: Robbie Averill <robbie@averill.co.nz>
2019-10-23 21:05:22 +13:00
d3a17958ef
Update src/Control/HTTPRequest.php
...
Co-Authored-By: Robbie Averill <robbie@averill.co.nz>
2019-10-22 16:17:04 +13:00
67c944c962
Improvement to docs for send_file function
2019-10-22 15:18:03 +13:00
7873efde9c
Merge branch '4.4' into 4
2019-10-18 10:58:19 +13:00
dcbe6d0310
Merge branch '4.3' into 4.4
2019-10-18 10:57:35 +13:00
d7752b7945
Run PSR2 Lint cleaner
2019-10-04 13:26:31 +13:00
7db524bd90
FIX DebugViewFrendlyErrorFormatter handle of admin_email
2019-10-04 10:26:54 +13:00
b002ef1171
Merge branch '4.4' into 4
2019-09-24 17:26:50 +12:00
eccfa9b10d
[CVE-2019-12203] Session fixation in "change password" form
...
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:03:48 +12:00
569237c0f4
[CVE-2019-12203] Session fixation in "change password" form
...
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:00:51 +12:00
aa6b244db9
Merge branch '4.4' into 4
2019-09-13 18:11:46 -07:00
6759af3767
Escape strings a bit safer for doc generation
2019-09-03 19:38:19 +12:00
f649657182
Clarify Director::absoluteURL behaviour
...
Fixes #9111
2019-09-03 19:34:16 +12:00
4380d7d155
API Add option to disable user-agent header session validation
2019-08-06 22:00:01 +12:00
0672f8b76b
NEW HTTPRequest now has hasSession() to determine whether a session exists for it
2019-08-02 11:29:23 +12:00
0abfed3e06
FIX Skip md5-ing the whole contents of a stream for etags
2019-07-30 08:25:03 +12:00
d1c927ff23
FIX Remove curly brace access to string offsets, deprecated in PHP 7.4
2019-07-24 12:17:49 +02:00
7ef13e7ef6
FIX Confirmation components to respect SS_BASE_URL ( #9074 )
2019-07-05 16:05:41 +12:00
8e87264864
FIX: Email::render() generating object instead of string for plaintext part ( fixes #9069 )
2019-06-14 11:39:47 +01:00
c747b1f8d3
Merge branch '4.3' into 4.4
2019-06-10 17:32:07 +12:00
f766555d61
Merge branch '4.2' into 4.3
2019-06-10 17:27:05 +12:00
ca56e8d78e
[CVE-2019-12246] Denial of Service on flush and development URL tools
2019-06-10 17:23:56 +12:00
66c372ce28
Include baseURL with relative setGetVar() links ( #8834 )
...
* Return baseURL with setGetVar
* Adjust testSetGetVar tests for base url
2019-04-15 14:50:46 +12:00
ca781c684d
FIX: RequestHandler::__construct() should run after middlewares ( fixes #8848 )
2019-03-11 11:08:03 +00:00
765d1568ab
Merge branch '4.3' into 4
2019-03-06 11:04:50 +00:00
a8605b04e0
Merge branch '4.2' into 4.3
2019-03-06 11:04:14 +00:00
7e34167ddf
Merge branch '4.1' into 4.2
2019-03-06 11:01:17 +00:00
625e6d5f54
Merge branch '4.0' into 4.1
2019-03-06 11:00:41 +00:00
7416ce275b
FIX doInit comparison should be lowercased
2019-03-05 19:01:12 +00:00
8ec9c50c58
DOCS Correct documentation for ExecMetricMiddleware
2019-01-30 13:58:09 +13:00
c4bf06f600
NEW Add new execmetric debug URL parameter to print out exection time and peak memory usage
2019-01-29 17:28:28 +13:00
Maxime Rainville
Michal Kleiner
Brett Tasker
Thomas Portelange
Dan Hensby
Daniel Hensby
Guy Marriott
Garion Herman
Robbie Averill
Loz Calver
LABCAT
Serge Latyntcev
Damian Mooyman
Aaron Carlino
Robbie Averill
Ralph Slooten
Daniel Hensby