Commit Graph

10399 Commits

Author SHA1 Message Date
Ingo Schommer
a7f38f7b4d Merge pull request #2413 from ss23/patch-1
Update 3.0.6.md
2013-09-12 16:08:04 -07:00
Stephen Shkardoon
f765696d26 Update 3.0.6.md
Add reference to information disclosure in Versioned.php (SS-2013-006)
2013-09-13 10:34:51 +12:00
Ingo Schommer
24bae3f922 Tagged 3.0.6-rc2 2013-09-12 16:48:20 +02:00
Ingo Schommer
a6b402f491 Added 3.0.6-rc2 changelog 2013-09-12 16:48:15 +02:00
Ingo Schommer
2da4d76c3b Updated translations 2013-09-12 16:37:12 +02:00
Ingo Schommer
7c99cb4668 Merge branch 'pulls/security-issues-august-3.0' into 3.0 2013-09-12 15:45:13 +02:00
Ingo Schommer
5e0315dc62 Safety note on DataObject::validation_enabled 2013-09-12 15:42:43 +02:00
Ingo Schommer
f803704d91 FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:43 +02:00
Ingo Schommer
8b5c8eab72 Linking to older security issue in change log
Mainly for consistency with the newer format
2013-09-12 15:42:43 +02:00
Ingo Schommer
05757efceb FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:43 +02:00
Ingo Schommer
6cff9671d4 FIX Privilege escalation through Group and Member CSV upload (SS-2013-004)
See http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/
2013-09-12 15:42:43 +02:00
Ingo Schommer
720c149aee FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:42 +02:00
Sean Harvey
a1939dccd1 Merge pull request #2400 from jbridson/patch-9
Update 2-extending-a-basic-site.md
2013-09-10 21:47:36 -07:00
Simon Welsh
c2105db6d0 Count, not Length 2013-09-11 12:05:43 +12:00
jbridson
a4fbff4df5 Update 2-extending-a-basic-site.md
Fixed a few wording issues and added some clarity to links eg: Tutorial One (Building a basic site)
2013-09-11 11:20:41 +12:00
Ingo Schommer
62608a7772 "edit" form expansion in AssetUploadField
Form wasn't expanding because of fixed heights. Backported fix from 3.1.
2013-09-02 16:48:11 +02:00
Ingo Schommer
71b987edb2 Merge pull request #2363 from jbridson/patch-8
BUGFIX: fixed grammatical errors and formatting issues
2013-08-28 02:21:46 -07:00
jbridson
65ad51024d BUGFIX: fixed grammatical errors and formatting issues 2013-08-26 12:18:35 +12:00
Ingo Schommer
54edc0ddac Fix Behat window switching in chrome
Workaround only, see https://groups.google.com/forum/#!topic/behat/QNhOuGHKEWI
2013-08-22 12:49:38 +02:00
Ingo Schommer
0c859b8587 Merge pull request #2348 from simonwelsh/scrut
Scrutinizer fixes
2013-08-21 04:43:12 -07:00
Simon Welsh
c66cc952d2 Correct line length and indentation 2013-08-21 21:27:16 +12:00
Simon Welsh
2c0d03b2d6 Exclude docs and images foldes from Scrutinizer 2013-08-21 21:02:12 +12:00
Simon Welsh
4cb98f1afd Only have Scrutinizer check PHP files 2013-08-21 21:02:12 +12:00
Ingo Schommer
99da5cd198 Merge pull request #2336 from hafriedlander/fix/flush_30
FIX Double slashes in ParameterConfirmationToken
2013-08-20 06:26:44 -07:00
Hamish Friedlander
4a7aef0e25 FIX Double slashes in ParameterConfirmationToken 2013-08-19 11:35:34 +12:00
Ingo Schommer
74f65540a2 Validate 'archiveDate' user data in Versioned
Not a security issue as such, since the user input is sanitized
before being used in Versioned->augmentSQL(). But it shouldn't
reach the session state either, since that's commonly assumed
to be sanitized data, and it leaves unnecessary room for error.

strtotime() has fairly loose validation rules around dates,
but its a good "first line of defence".
2013-08-15 22:17:38 +02:00
Ingo Schommer
810f505924 Merge pull request #2315 from jbridson/patch-2
Fixed Grammatical errors and issues where sentences didn't make sense.
2013-08-09 02:04:01 -07:00
jbridson
1ce0a0d2b9 Fixed Grammatical errors and issues where sentences didn't make sense. 2013-08-09 15:22:03 +12:00
Sean Harvey
f9dca6f857 Merge pull request #2313 from jbridson/patch-1
Fixed issue with inconsistent use of punctuation and wording of Tutorial...
2013-08-08 19:22:16 -07:00
jbridson
0c4ff76921 Fixed issue with inconsistent use of punctuation and wording of Tutorial 5 summary 2013-08-09 14:20:41 +12:00
Ingo Schommer
7a117fe713 Added 3.0.6-rc1 changelog 2013-08-07 20:55:10 +02:00
Ingo Schommer
a213afd888 Added 3.0 changelog 2013-08-07 20:16:59 +02:00
Ingo Schommer
c0f5007d57 Create folder if required in dev/generatesecuretoken 2013-08-07 16:59:18 +02:00
Ingo Schommer
b159284c6c Fixed "session started" error on install.php 2013-08-07 16:28:54 +02:00
Hamish Friedlander
428391ad1e Merge pull request #2291 from chillu/pulls/transifex-3.0
Translations: Switch to Transifex format (3.0)
2013-08-06 15:26:40 -07:00
Ingo Schommer
00ffe72944 Translations: Switch to Transifex format
- Based on new (last) translation download from getlocalization.com
- Removed untranslated strings. Getlocalization started including those at some point
which is highly annoying, unnecessary and breaks the new transfix system,
since it'll mark all of the english strings as actual translations
- Avoid dots in entities. It confuses the Transifex YML parser
- Removed some locales unknown to Transifex which didn't have any translations anyway
- Removed "lolcat" locale, uses custom notation (en@lolcal)
  which SilverStripe's i18n system can't handle
  (needs mapping from SS naming to Zend naming)
- Renamed "Te Reo/Maori" locale from "mi_NZ" to "mi" (Transifex/CLDR notation)
- Namespaced all entities used in templates (deprecated usage)
- Converted dots to underscores where template filenames are used for namespaces,
since Transifex YML parsing handles them as separate YML keys otherwise
- Removed whitespace in entity names, SilverStripe i18n can't handle it
- Only allow selection of locales registered through i18n::$all_locales to avoid
  issues with unknown locales in Zend's CLDR database
2013-08-07 00:25:16 +02:00
Ingo Schommer
f037cf0781 Merge pull request #2285 from hafriedlander/fix/flush_30
FIX Flush on memory exhaustion and when headers sent
2013-08-06 14:22:16 -07:00
Hamish Friedlander
5f9387c42c FIX Constants magic_quotes handling needs function from Core 2013-08-05 14:58:44 +12:00
Hamish Friedlander
041466fe02 FIX Token redirect where in IIS a / needs adding between host & url 2013-08-05 09:15:11 +12:00
Ingo Schommer
0e7231ff60 API Disable discontinued Google Spellcheck in TinyMCE
Replaced by browser-based spellchecking if available (Chrome, Firefox),
with instructions on how to use PSpell as an alternative.
2013-08-03 16:16:45 +02:00
Hamish Friedlander
a685a8dee9 FIX Include flushtoken when install redirects to successfullyinstalled 2013-08-02 11:00:26 +12:00
Hamish Friedlander
342058742c FIX Flush on memory exhaustion and headers sent 2013-08-02 09:41:16 +12:00
Sam Minnée
3c6ba1c322 Merge pull request #2257 from hafriedlander/fix/flush_30
FIX Nice errors and allows flush on module removal
2013-07-23 16:44:25 -07:00
Hamish Friedlander
a1ea905ca8 FIX Nice errors and allows flush on module removal 2013-07-24 09:57:01 +12:00
Sam Minnée
88d0cbea62 Merge pull request #2255 from hafriedlander/fix/flush_30
Split Core.php into Constants.php and Core.php and adjust main.php startup
2013-07-22 15:33:35 -07:00
Hamish Friedlander
84011aa736 FIX Only suppress fatal errors 2013-07-22 14:48:16 +12:00
Hamish Friedlander
604d9bf7dc Split Core.php into Constants.php and Core.php and adjust main.php startup
The recent flush filter fix had a problem that you couldnt set a custom
BASE_PATH in _ss_environment because that file didnt get included until
after checking the confirmation token. This patch pulls the part of Core.php
that defines BASE_PATH into a seperate file that can be included earlier
in the startup sequence so that ParameterConfirmationToken can access it.

Core.php includes Constants.php with a require_once call, so for startup
scripts that dont pull in Constants.php themselves (like cli-script.php)
no change is needed.
2013-07-22 13:52:00 +12:00
Sam Minnée
7bfc872a8e Merge pull request #2248 from hafriedlander/fix/flush_30
FIX: Have ParameterConfirmationToken work regardless of include path
2013-07-18 20:46:56 -07:00
Hamish Friedlander
a312cd08e1 FIX: Ignore invalid tokens instead of throwing 403 2013-07-19 14:47:05 +12:00
Hamish Friedlander
036c36a7dd FIX: Have ParameterConfirmationToken work regardless of include path 2013-07-19 14:33:56 +12:00