Commit Graph

21441 Commits

Author SHA1 Message Date
Maxime Rainville
49fda52b12
Merge pull request #94 from silverstripe-security/fix/cve-2019-19325
CVE-2019-1935
2020-02-17 12:54:40 +13:00
Serge Latyntcev
ad1b00ec7d [CVE-2019-19325] XSS through non-scalar FormField attributes
Silverstripe Forms allow malicious HTML or JavaScript to be inserted
through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting)
on some forms built with user input (Request data). This can lead to phishing attempts
to obtain a user's credentials or other sensitive user input.
There is no known attack vector for extracting user-session information or credentials automatically;
it requires a user to fall for the phishing attempt.
XSS can also be used to modify the presentation of content in malicious ways.
2020-02-17 09:58:29 +13:00
Steve Boyd
8dcaed25f4
Merge pull request #9386 from silverstripe-terraformers/feature/orm-column
ORM bugfix and enhancement
2020-02-11 15:56:03 +13:00
Mojmir Fendek
285e6caafa PR fixes 2020-02-11 10:43:01 +13:00
Mojmir Fendek
448147c2f1 PR fixes 2020-02-10 09:17:34 +13:00
Mojmir Fendek
660f80d284 PR fixes 2020-02-07 13:49:19 +13:00
Mojmir Fendek
99786dda22 ORM Column now supports related table lookup 2020-01-28 15:46:30 +13:00
Robbie Averill
26e3b6f4e3 Merge branch '4.3' into 4.4 2020-01-16 19:59:24 -08:00
Robbie Averill
7c1a0571f7
Merge pull request #9367 from martinduparc/patch-2
array_key_exists() on objects is deprecated in PHP 7.4
2020-01-14 09:39:49 -08:00
Martin D
ec6a353543 array_key_exists() on objects is deprecated
Ref: https://wiki.php.net/rfc/deprecations_php_7_4#array_key_exists_with_objects
2020-01-14 09:22:49 -08:00
Stevie Mayhew
92acc764f7
Merge pull request #9327 from kinglozzer/9259-session-restart
FIX: Session::restart() didn't correctly restart session (fixes #9259)
2019-11-21 11:52:36 +13:00
Loz Calver
453945da14 FIX: Session::restart() didn't correctly restart session (fixes #9259) 2019-11-20 14:21:30 +00:00
Serge Latyntcev
8219491705 Merge branch '4.3' into 4.4 2019-11-20 11:08:35 +13:00
Robbie Averill
bd658ca745
Merge pull request #9305 from tractorcow/pulls/4.3/action-title
BUG FormAction title property cannot be set if useButtonTag is false
2019-11-14 09:06:46 -08:00
Guy Marriott
44b9e331f6
Ensure Requirements_Backend respects explicit false for async/d… (#9309)
Ensure Requirements_Backend respects explicit false for async/defer
2019-10-29 14:37:32 -07:00
Michal Kleiner
4f614423ad Ensure Requirements_Backend respects explicit false for async/defer 2019-10-30 09:59:57 +13:00
Damian Mooyman
e76601e5c8
BUG FormAction title property cannot be set if useButtonTag is false 2019-10-29 17:21:45 +13:00
Serge Latyntcev
0cf5d4cbe2 Merge branch '4.3' into 4.4 2019-10-18 15:58:13 +13:00
Serge Latyntsev
c7597ad265
Merge pull request #9293 from open-sausages/pulls/4.3/psr2-fix
PSR2 linting fixes
2019-10-18 15:52:06 +13:00
Serge Latyntcev
46b9530d88 PSR2 linting fixes 2019-10-18 15:31:39 +13:00
Serge Latyntcev
dcbe6d0310 Merge branch '4.3' into 4.4 2019-10-18 10:57:35 +13:00
Robbie Averill
db2aa38228
Merge pull request #9277 from tractorcow/pulls/4.4/respect-can-create
BUG Ensure that canCreate() context matches that respected by GridFieldAddNewButton
2019-10-03 18:21:43 -07:00
Damian Mooyman
d7752b7945
Run PSR2 Lint cleaner 2019-10-04 13:26:31 +13:00
Serge Latyntsev
71f810516c
Merge pull request #9275 from open-sausages/pulls/4.3/obfuscated-email-names
FIX DebugViewFrendlyErrorFormatter handle of admin_email
2019-10-04 11:27:17 +13:00
Damian Mooyman
f1594fd991 BUG Ensure that canCreate() context matches that respected by GridFieldAddNewButton 2019-10-04 11:24:34 +13:00
Robbie Averill
1265f09f4f
Merge pull request #9271 from michalkleiner/pulls/4/check-array-props-in-custom-methods
FIX Check array keys existence when removing methods in CustomMethods
2019-10-03 14:30:22 -07:00
Serge Latyntcev
7db524bd90 FIX DebugViewFrendlyErrorFormatter handle of admin_email 2019-10-04 10:26:54 +13:00
Michal Kleiner
1a2dbfd3a5
Update conditional logic when checking array keys before removing methods in CustomMethods 2019-09-30 10:17:59 +13:00
Michal Kleiner
52a039f631 Check array keys existence prior to their usage when removing methods in CustomMethods 2019-09-27 14:57:15 +12:00
Serge Latyntcev
50a1aa4c4d Merge branch '4.3' into 4.4 2019-09-24 17:28:31 +12:00
Aaron Carlino
a0ec2f2811 Update translations 2019-09-24 17:26:37 +12:00
Serge Latyntcev
26a4fb38ba Added 4.3.6 changelog 2019-09-24 17:20:48 +12:00
Aaron Carlino
79a89e751d Added 4.4.4 changelog 2019-09-24 17:05:26 +12:00
Aaron Carlino
c1047fac32 DOCS: Add docs for versioned files migration 2019-09-24 16:04:22 +12:00
Aaron Carlino
28057e3a71 DOCS: Add FileShortcodeProvider change to changelog 2019-09-24 16:03:48 +12:00
Serge Latyntcev
8b7063a8e2 [CVE-2019-12617] Fix access escalation for CMS users with limited access through permission cache pollution 2019-09-24 16:03:48 +12:00
Serge Latyntcev
eccfa9b10d [CVE-2019-12203] Session fixation in "change password" form
A potential account hijacking may happen if an attacker has physical access to
the victim's computer to perform session fixation. It is also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:03:48 +12:00
Aaron Carlino
1f92b21a04 DOCS: Add FileShortcodeProvider change to changelog 2019-09-24 16:03:48 +12:00
Aaron Carlino
8ee5e621fd DOCS: Add docs for versioned files migration 2019-09-24 16:00:51 +12:00
Serge Latyntcev
5af205993d [CVE-2019-12617] Fix access escalation for CMS users with limited access through permission cache pollution 2019-09-24 16:00:51 +12:00
Serge Latyntcev
569237c0f4 [CVE-2019-12203] Session fixation in "change password" form
A potential account hijacking may happen if an attacker has physical access to
the victim's computer to perform session fixation. It is also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:00:51 +12:00
Aaron Carlino
99ab3c6421 DOCS: Add FileShortcodeProvider change to changelog 2019-09-24 16:00:51 +12:00
Guy Marriott
3659f2888d
FIX Add 'legal empty attributes' to allow empty alt values on i… (#9257)
FIX Add 'legal empty attributes' to allow empty alt values on imgs
2019-09-23 17:03:01 -07:00
Garion Herman
0d27f32cc9 FIX Add 'legal empty attributes' to allow empty alt values on imgs
In some situations, a caption is used in place of a value in the alt
attribute, and in others an image may be cosmetic and not in need of an
alt attribute value (though the alt attribute must still be rendered in
this case).
2019-09-24 11:44:12 +12:00
Robbie Averill
3cfc21c405
Merge pull request #9241 from open-sausages/pulls/4.4.3/fix-file-permission
Fix administrators not being able to see files that are restricted to groups
2019-09-23 11:13:26 -07:00
Guy Marriott
aa7c057422
FIX: Don't force-add view button to readonly GridField (fixes #… (#9254)
FIX: Don't force-add view button to readonly GridField (fixes #9249)
2019-09-23 10:31:25 -07:00
Guy Marriott
190b2f2842
FIX: run member CMS validator when editing via groups (fixes #9… (#9255)
FIX: run member CMS validator when editing via groups (fixes #9184)
2019-09-23 10:28:38 -07:00
Loz Calver
efdb9cc718 FIX: run member CMS validator when editing via groups (fixes #9184) 2019-09-23 16:59:58 +01:00
Loz Calver
d85ff3bc44 FIX: Don't force-add view button to readonly GridField (fixes #9249) 2019-09-23 16:52:47 +01:00
bergice
6a1c6ecec6 Fix administrators not being able to see files that are restricted to groups
Resolves https://github.com/silverstripe/silverstripe-asset-admin/issues/777
2019-09-23 16:44:28 +12:00