Commit Graph

221 Commits

Author SHA1 Message Date
Serge Latyntcev
7873efde9c Merge branch '4.4' into 4 2019-10-18 10:58:19 +13:00
Serge Latyntcev
dcbe6d0310 Merge branch '4.3' into 4.4 2019-10-18 10:57:35 +13:00
Damian Mooyman
d7752b7945
Run PSR2 Lint cleaner 2019-10-04 13:26:31 +13:00
Serge Latyntcev
7db524bd90 FIX DebugViewFrendlyErrorFormatter handle of admin_email 2019-10-04 10:26:54 +13:00
Aaron Carlino
b002ef1171 Merge branch '4.4' into 4 2019-09-24 17:26:50 +12:00
Serge Latyntcev
eccfa9b10d [CVE-2019-12203] Session fixation in "change password" form
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:03:48 +12:00
Serge Latyntcev
569237c0f4 [CVE-2019-12203] Session fixation in "change password" form
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 16:00:51 +12:00
Robbie Averill
aa6b244db9 Merge branch '4.4' into 4 2019-09-13 18:11:46 -07:00
Damian Mooyman
6759af3767
Escape strings a bit safer for doc generation 2019-09-03 19:38:19 +12:00
Damian Mooyman
f649657182
Clarify Director::absoluteURL behaviour
Fixes #9111
2019-09-03 19:34:16 +12:00
Maxime Rainville
4380d7d155 API Add option to disable user-agent header session validation 2019-08-06 22:00:01 +12:00
Robbie Averill
0672f8b76b NEW HTTPRequest now has hasSession() to determine whether a session exists for it 2019-08-02 11:29:23 +12:00
Guy Marriott
0abfed3e06
FIX Skip md5-ing the whole contents of a stream for etags 2019-07-30 08:25:03 +12:00
Robbie Averill
d1c927ff23 FIX Remove curly brace access to string offsets, deprecated in PHP 7.4 2019-07-24 12:17:49 +02:00
Serge Latyntsev
7ef13e7ef6 FIX Confirmation components to respect SS_BASE_URL (#9074) 2019-07-05 16:05:41 +12:00
Loz Calver
8e87264864 FIX: Email::render() generating object instead of string for plaintext part (fixes #9069) 2019-06-14 11:39:47 +01:00
Aaron Carlino
c747b1f8d3 Merge branch '4.3' into 4.4 2019-06-10 17:32:07 +12:00
Aaron Carlino
f766555d61 Merge branch '4.2' into 4.3 2019-06-10 17:27:05 +12:00
Serge Latyntcev
ca56e8d78e [CVE-2019-12246] Denial of Service on flush and development URL tools 2019-06-10 17:23:56 +12:00
Ralph Slooten
66c372ce28 Include baseURL with relative setGetVar() links (#8834)
* Return baseURL with setGetVar

* Adjust testSetGetVar tests for base url
2019-04-15 14:50:46 +12:00
Loz Calver
ca781c684d FIX: RequestHandler::__construct() should run after middlewares (fixes #8848) 2019-03-11 11:08:03 +00:00
Dan Hensby
765d1568ab
Merge branch '4.3' into 4 2019-03-06 11:04:50 +00:00
Dan Hensby
a8605b04e0
Merge branch '4.2' into 4.3 2019-03-06 11:04:14 +00:00
Dan Hensby
7e34167ddf
Merge branch '4.1' into 4.2 2019-03-06 11:01:17 +00:00
Dan Hensby
625e6d5f54
Merge branch '4.0' into 4.1 2019-03-06 11:00:41 +00:00
Daniel Hensby
7416ce275b
FIX doInit comparison should be lowercased 2019-03-05 19:01:12 +00:00
Maxime Rainville
8ec9c50c58 DOCS Correct documentation for ExecMetricMiddleware 2019-01-30 13:58:09 +13:00
Maxime Rainville
c4bf06f600 NEW Add new execmetric debug URL parameter to print out exection time and peak memory usage 2019-01-29 17:28:28 +13:00
Robbie Averill
d8cd085190 Merge branch '4.3' into 4 2019-01-24 17:14:09 +02:00
Simon Gow
c28670ebed #8724 - Session timeout regression
Only emit the session refresh cookie if the session timeout is set.
2019-01-18 10:07:53 +13:00
Simon Gow
af08328e8e Existing sessions need to set a new cookie on each request, if the
session exists, otherwise our expiry is never updated and sessions
can't roll on every request.
2019-01-17 17:37:35 +13:00
Maxime Rainville
1e01deea39 NEW Make resources dir configurable (#8519)
* NEW Make resources dir configurable.

* Removing reference to old `resources` and updating doc #8519

* Rrtarget to 4.4 release.

* DOC Reference SS_RESOURCES_DIR in Environment doc.

* API Add a Resources method to SilverStripe\Core\Manifest\Module to read the resources-dir from composer.json

* Clean up reference to SS_RESOURCES_DIR env var

* Set default resources-dir

* Update test to use RESOURCES_DIR const in expected resource url method

* Correcting typos

Co-Authored-By: maxime-rainville <maxime@rainville.me>

* MINOR Correctubg minor typos

* DOCS Document the intricacies of exposing static assets.
2019-01-09 15:35:45 +13:00
Robbie Averill
7c96feef37 Merge branch '4.3' into 4 2019-01-08 12:27:48 +01:00
Simon Gow
d01585cc98 #8543 Resolve Duplicate Headers
- fix linting
2018-12-19 12:39:32 +13:00
Simon Gow
1edfa4d956 #8543 Resolve Duplicate Headers
- Replace session name lookup with function to also check secure cookies
- Added timeout which defaults to 0 (same as PHP)
- Removed php7 style of session_start from PR
- moved session_start into headers sent block to prevent warnings.
2018-12-19 12:39:32 +13:00
Simon Gow
4eb6669c08 #8543 Resolve Duplicate Headers
Put cookie_lifetime back into the session parameters.
2018-12-19 12:39:32 +13:00
Simon Gow
2deb8f4176 Resolve Duplicate Headers
Ensure only a single Set-Cookie header is returned from Session once
we have data to save. Include backwards compatibility for PHP56
2018-12-19 12:39:32 +13:00
Maxime Rainville
7f6b80f87d Correct session doc typo 2018-12-14 13:01:22 +13:00
Guy Marriott
87b74b9cc1
Correcting Max's eggrigious typos
Co-Authored-By: maxime-rainville <maxime@rainville.me>
2018-12-13 13:50:35 +13:00
Maxime Rainville
6e214e2e8b DOCS Updating Session doc to reflect that you need to operation on an instance. 2018-12-13 11:05:49 +13:00
Guy Marriott
b2dd22fb50
Merge pull request #8506 from creative-commoners/pulls/4.3/all-the-unit-tests
NEW Adding a stack more unit tests for logging and some form fields
2018-11-11 10:31:24 +13:00
Aaron Carlino
76936d863d Merge branch '4.3' into 4 2018-11-07 23:20:44 +13:00
Loz Calver
8d7c2dafab [SS-2018-019] Add confirmation token to dev/build 2018-11-07 11:33:24 +13:00
Loz Calver
af000bea9b [SS-2018-019] Add confirmation token to dev/build 2018-11-07 11:32:55 +13:00
Loz Calver
0610f76da0 [SS-2018-019] Add confirmation token to dev/build 2018-11-07 11:31:33 +13:00
Loz Calver
3dbb10625c [SS-2018-019] Add confirmation token to dev/build 2018-11-07 11:24:51 +13:00
Robbie Averill
b02a6fa02d FIX Replace usage of Convert JSON methods with json_encode 2018-10-28 21:15:29 +00:00
Robbie Averill
e211e27470 Add more unit tests for DebugViewFriendlyErrorFormatter, tidy up Director::is_ajax() return 2018-10-20 14:27:57 +02:00
Robbie Averill
ee24413c30 Merge branch '4.2' into 4 2018-10-03 15:28:05 +02:00
Robbie Averill
4d14e9b6b1
Merge pull request #8421 from creative-commoners/pulls/4.3/psr-5-deprecations
Update deprecation PHPDocs to be PSR-5 compliant
2018-09-28 14:18:54 +02:00