Bernard Hamlin
765810b013
Update CVE number to CVE-2019-19325
2020-02-19 09:58:12 +13:00
Maxime Rainville
a9598eec3f
Added 4.4.5 changelog
2020-02-17 14:02:57 +13:00
Maxime Rainville
0a9866c087
Update translations
2020-02-17 14:01:02 +13:00
Maxime Rainville
49fda52b12
Merge pull request #94 from silverstripe-security/fix/cve-2019-19325
...
CVE-2019-1935
2020-02-17 12:54:40 +13:00
Serge Latyntcev
ad1b00ec7d
[CVE-2019-19325] XSS through non-scalar FormField attributes
...
Silverstripe Forms allow malicious HTML or JavaScript to be inserted
through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting)
on some forms built with user input (Request data). This can lead to phishing attempts
to obtain a user's credentials or other sensitive user input.
There is no known attack vector for extracting user-session information or credentials automatically,
it required a user to fall for the phishing attempt.
XSS can also be used to modify the presentation of content in malicious ways.
2020-02-17 09:58:29 +13:00
Steve Boyd
8dcaed25f4
Merge pull request #9386 from silverstripe-terraformers/feature/orm-column
...
ORM bugfix and enhancement
2020-02-11 15:56:03 +13:00
Mojmir Fendek
285e6caafa
PR fixes
2020-02-11 10:43:01 +13:00
Mojmir Fendek
448147c2f1
PR fixes
2020-02-10 09:17:34 +13:00
Mojmir Fendek
660f80d284
PR fixes
2020-02-07 13:49:19 +13:00
Mojmir Fendek
99786dda22
ORM Column now supports related table lookup
2020-01-28 15:46:30 +13:00
Robbie Averill
26e3b6f4e3
Merge branch '4.3' into 4.4
2020-01-16 19:59:24 -08:00
Robbie Averill
7c1a0571f7
Merge pull request #9367 from martinduparc/patch-2
...
array_key_exists() on objects is deprecated in PHP 7.4
2020-01-14 09:39:49 -08:00
Martin D
ec6a353543
array_key_exists() on objects is deprecated
...
Ref: https://wiki.php.net/rfc/deprecations_php_7_4#array_key_exists_with_objects
2020-01-14 09:22:49 -08:00
Stevie Mayhew
92acc764f7
Merge pull request #9327 from kinglozzer/9259-session-restart
...
FIX: Session::restart() didn't correctly restart session (fixes #9259 )
2019-11-21 11:52:36 +13:00
Loz Calver
453945da14
FIX: Session::restart() didn't correctly restart session ( fixes #9259 )
2019-11-20 14:21:30 +00:00
Serge Latyntcev
8219491705
Merge branch '4.3' into 4.4
2019-11-20 11:08:35 +13:00
Robbie Averill
bd658ca745
Merge pull request #9305 from tractorcow/pulls/4.3/action-title
...
BUG FormAction title property cannot be set if useButtonTag is false
2019-11-14 09:06:46 -08:00
Guy Marriott
44b9e331f6
Ensure Requirements_Backend respects explicit false for async/d… ( #9309 )
...
Ensure Requirements_Backend respects explicit false for async/defer
2019-10-29 14:37:32 -07:00
Michal Kleiner
4f614423ad
Ensure Requirements_Backend respects explicit false for async/defer
2019-10-30 09:59:57 +13:00
Damian Mooyman
e76601e5c8
BUG FormAction title property cannot be set if useButtonTag is false
2019-10-29 17:21:45 +13:00
Serge Latyntcev
0cf5d4cbe2
Merge branch '4.3' into 4.4
2019-10-18 15:58:13 +13:00
Serge Latyntsev
c7597ad265
Merge pull request #9293 from open-sausages/pulls/4.3/psr2-fix
...
PSR2 linting fixes
2019-10-18 15:52:06 +13:00
Serge Latyntcev
46b9530d88
PSR2 linting fixes
2019-10-18 15:31:39 +13:00
Serge Latyntcev
dcbe6d0310
Merge branch '4.3' into 4.4
2019-10-18 10:57:35 +13:00
Robbie Averill
db2aa38228
Merge pull request #9277 from tractorcow/pulls/4.4/respect-can-create
...
BUG Ensure that canCreate() context matches that respected by GridFieldAddNewButton
2019-10-03 18:21:43 -07:00
Damian Mooyman
d7752b7945
Run PSR2 Lint cleaner
2019-10-04 13:26:31 +13:00
Serge Latyntsev
71f810516c
Merge pull request #9275 from open-sausages/pulls/4.3/obfuscated-email-names
...
FIX DebugViewFrendlyErrorFormatter handle of admin_email
2019-10-04 11:27:17 +13:00
Damian Mooyman
f1594fd991
BUG Ensure that canCreate() context matches that respected by GridFieldAddNewButton
2019-10-04 11:24:34 +13:00
Robbie Averill
1265f09f4f
Merge pull request #9271 from michalkleiner/pulls/4/check-array-props-in-custom-methods
...
FIX Check array keys existence when removing methods in CustomMethods
2019-10-03 14:30:22 -07:00
Serge Latyntcev
7db524bd90
FIX DebugViewFrendlyErrorFormatter handle of admin_email
2019-10-04 10:26:54 +13:00
Michal Kleiner
1a2dbfd3a5
Update conditional logic when checking array keys before removing methods in CustomMethods
2019-09-30 10:17:59 +13:00
Michal Kleiner
52a039f631
Check array keys existence prior to their usage when removing methods in CustomMethods
2019-09-27 14:57:15 +12:00
Serge Latyntcev
50a1aa4c4d
Merge branch '4.3' into 4.4
2019-09-24 17:28:31 +12:00
Aaron Carlino
a0ec2f2811
Update translations
2019-09-24 17:26:37 +12:00
Serge Latyntcev
26a4fb38ba
Added 4.3.6 changelog
2019-09-24 17:20:48 +12:00
Aaron Carlino
79a89e751d
Added 4.4.4 changelog
2019-09-24 17:05:26 +12:00
Aaron Carlino
c1047fac32
DOCS: Add docs for versioned files migration
2019-09-24 16:04:22 +12:00
Aaron Carlino
28057e3a71
DOCS: Add FileShortcodeProvider change to changelog
2019-09-24 16:03:48 +12:00
Serge Latyntcev
8b7063a8e2
[CVE-2019-12617] Fix access escalation for CMS users with limited access through permission cache pollution
2019-09-24 16:03:48 +12:00
Serge Latyntcev
eccfa9b10d
[CVE-2019-12203] Session fixation in "change password" form
...
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:03:48 +12:00
Aaron Carlino
1f92b21a04
DOCS: Add FileShortcodeProvider change to changelog
2019-09-24 16:03:48 +12:00
Aaron Carlino
8ee5e621fd
DOCS: Add docs for versioned files migration
2019-09-24 16:00:51 +12:00
Serge Latyntcev
5af205993d
[CVE-2019-12617] Fix access escalation for CMS users with limited access through permission cache pollution
2019-09-24 16:00:51 +12:00
Serge Latyntcev
569237c0f4
[CVE-2019-12203] Session fixation in "change password" form
...
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:00:51 +12:00
Aaron Carlino
99ab3c6421
DOCS: Add FileShortcodeProvider change to changelog
2019-09-24 16:00:51 +12:00
Guy Marriott
3659f2888d
FIX Add 'legal empty attributes' to allow empty alt values on i… ( #9257 )
...
FIX Add 'legal empty attributes' to allow empty alt values on imgs
2019-09-23 17:03:01 -07:00
Garion Herman
0d27f32cc9
FIX Add 'legal empty attributes' to allow empty alt values on imgs
...
In some situations, a caption is used in place of a value in the alt
attribute, and in others an image may be cosmetic and not in need of an
alt attribute value (though the alt attribute must still be rendered in
this case).
2019-09-24 11:44:12 +12:00
Robbie Averill
3cfc21c405
Merge pull request #9241 from open-sausages/pulls/4.4.3/fix-file-permission
...
Fix administrators not being able to see files that are restricted to groups
2019-09-23 11:13:26 -07:00
Guy Marriott
aa7c057422
FIX: Don't force-add view button to readonly GridField (fixes #… ( #9254 )
...
FIX: Don't force-add view button to readonly GridField (fixes #9249 )
2019-09-23 10:31:25 -07:00
Guy Marriott
190b2f2842
FIX: run member CMS validator when editing via groups (fixes #9… ( #9255 )
...
FIX: run member CMS validator when editing via groups (fixes #9184 )
2019-09-23 10:28:38 -07:00