Commit Graph

205 Commits

Author SHA1 Message Date
Sam Minnée
ecf8f273c0 Merge pull request #2201 from hafriedlander/fix/session
Fixes to session, primarily around cookie_secure
2013-07-06 18:59:07 -07:00
Hamish Friedlander
d629d9422f FIX Session::$cookie_secure so Sessions still work via HTTP
Session::$cookie_secure adds the secure property to the session Set-Cookie
command, so that the browser wouldnt send it to the server over an unencrypted
link. However the server would still send the cookie to the browser
unencrypted. Also Sessions would stop working properly in HTTP,
but SilverStripe needs them for several things, such as form validation

This patch effectively causes HTTP and HTTPS requests to each have
their own session when cookie_secure is true. The two sessions are
independant from each other, so information set in the session via
HTTPS is safe from attacks on the session via HTTP, but parts
of the site that use HTTP and the session will still work
2013-07-07 09:12:10 +12:00
Hamish Friedlander
2886f6ee14 FIX Session was started every time, even if no data set
Session tracks the user agent in the session, to add some detection of
stolen session IDs. However this was causing a session to always be
created, even if this request didnt store any data in the session.
2013-07-07 09:12:10 +12:00
Hamish Friedlander
c6b4d993cc FIX Director::forceSSL and forceWWW not setting Vary header
If you have a Varnish box in front of a SilverStripe install, and
you call forceSSL, the Vary header wouldnt get sent. As a result
Varnish would respond with the same redirect reponse after the
redirect, leading to an infinite loop
2013-07-06 15:24:01 +12:00
Sean Harvey
7349682d44 Merge pull request #2145 from tractorcow/3.1-controller-redirect
Controller::redirect now returns the resulting SS_HTTPResponse
2013-06-24 14:16:18 -07:00
Ingo Schommer
fb784af738 API Enforce $allowed_actions in RequestHandler->checkAccessAction()
See discussion at https://groups.google.com/forum/?fromgroups#!topic/silverstripe-dev/Dodomh9QZjk

Fixes an access issue where all public methods on FormField were allowed,
and not checked for $allowed_actions. Before this patch you could e.g.
call FormField->Value() on the first field by using action_Value.

Removes the following assertion because it only worked due to RequestHandlingTest_AllowedControllerExtension
*not* having $allowed_extensions declared: "Actions on magic methods are only accessible if explicitly allowed on the controller."
2013-06-24 14:50:40 +02:00
Damian Mooyman
7340da03a7 Controller::redirect now returns the resulting SS_HTTPResponse, allowing the function to better support chaining 2013-06-24 13:39:05 +12:00
Mateusz Uzdowski
53a2dbd207 Add a note on the unit of the Session.timeout. 2013-06-21 10:56:00 +12:00
Kirk Mayo
dff5447cbc BUG: Fix for Cookie expiry timeout being passed as a large number on 64 bit machines 2013-06-20 12:30:48 +12:00
Sam Minnee
526b40414a FIX: Ensure that actions inferred from templates with the "_action" suffix also respect allowed_actions.
FIX: Ensure SSViewer::hasTemplate() is aware of themes.

To do this, RequestHandler::definingClassForAction() has been created, splitting out the code that looks up the class that defines a given action into its own method.  This is then overridden in Controller to look at templates.
2013-06-19 20:11:50 +12:00
Ingo Schommer
4ef83a2895 Using Cookie class in Session::destroy()
It allows us to suppress "headers sent" errors, which is particularly
important in phpunit test runs.
2013-06-18 23:06:22 +02:00
Sam Minnee
a6bd8f8f43 Ensure Cookie::get() will immediately return results.
Without this change, a call to Cookie::get() immediately after Cookie::set()
won't return the value provided.  This creates some unintuitive edge-cases,
although to date it looks like they have been worked around.

The patch doesn't have a test because our testing framework doesn't deal
with cookies well.
2013-06-07 11:27:15 +12:00
Sam Minnee
f2c918dc45 FIX: Make session timeout inactive-time only.
By default, the Session.timeout configuration option specifies the total
session time, regardless of the amount of activity.  This change means
that the timeout specifies how long without any further dynamic requests
before the session cookie expires.

The way it does this is to re-set the session cookie expiry with a
subsequent Set-Cookie command each time a request that necessitates
a session is called.

Strictly speaking, it's a change in session timeout semantics, but I think
it's a good one, because total-session-time-regardless-of-activity is a
stupid timeout to include, and has more to do with the mechanics of the
internet than with application security requirements.
2013-05-31 16:26:04 +12:00
Stephen Shkardoon
d6c2c2e07f Fixes #1892 - Stop session hijacking with UA check 2013-05-25 19:29:08 +12:00
Sam Minnée
83be513f91 Merge pull request #1816 from silverstripe-rebelalliance/bug/emptyrules
FIX Allow Director::$rules like //$Action
2013-05-24 20:38:43 -07:00
Mateusz Uzdowski
2f7fd967b2 BUG Clean up the logOut and session destructon routines. 2013-05-23 13:27:41 +12:00
Will Rossiter
ddcfcf7bed Update @package, @subpackage labels
Cleanup of framework's use of @package and @subpackage labels and additional of labels for classes missing packages.

Moved all GridField related components to the one name.

Countless spelling fixes, grammar for other comments.

Link ClassName references in file headers.
2013-05-21 22:24:41 +12:00
Jeremy Shipman
b1ba8bd05b FIX: Updated protocol check to become more stringent. 2013-05-20 12:46:44 +12:00
Jeremy Shipman
d21fd1f0bb FIX: Don't rewrite urls to be absolute, if they are a URI with a protocol.
This is determined in this fix by the existence of a colon ':', to show the uri has a protocol.
2013-05-20 11:59:04 +12:00
g4b0
6d7b938b7a Bugfix: Added private static $defaultFormat in order to choose default via config. Permit WCAG validation of XHTML. 2013-05-13 11:34:35 +02:00
Will Rossiter
1325d736a0 API: Add Director::is_https() 2013-05-10 22:31:38 +12:00
Will Rossiter
07b9bd8527 PHPDoc + coding conventions 2013-05-10 21:59:20 +12:00
Fred Condo
f5c6285240 Anchor regex in Director#is_absolute_url()
- Anchor the regex to the beginning of the string
- Change the regex delimiter to reduce the amount of \ clutter
2013-05-03 16:07:25 -07:00
Hamish Friedlander
0ae3050e9e FIX Allow Director::$rules like //$Action
In 3.0, doing $Action => SomeController would redirect all action requests
to that default controller. In 3.1, you need to do //$Action => SomeController
but it didnt work - those initial slashes broke matching
2013-04-29 16:13:37 +12:00
Damian Mooyman
b6fc1d314e BUG HTTP will now correctly pass over mailto: links when converting relative links to absolute (e.g. in Emails) 2013-04-18 14:25:51 +12:00
Loz Calver
58de19e01f Fix: RequestHandler not managing 404/403 errors correctly (fixes #1696) 2013-04-09 15:43:50 +01:00
Ingo Schommer
7121fc3f85 FIX Config isolation in Director::test() 2013-04-07 23:59:10 +02:00
Andrew Short
1fc780ce2b API: Return a 404 error when no director rule is matched 2013-04-06 18:19:03 +11:00
Sean Harvey
6eda25a090 NEW Allow specifying the secure domain to Director::forceSSL() 2013-04-03 17:47:36 +13:00
Ingo Schommer
07d99a5136 FIX Fallback for Session.cookie_path
Regression introduced by Config API static changes.
Effectively meant that you can no longer log in to the CMS
since the cookie path is set for each URL individually...
2013-03-25 23:03:34 +01:00
Ingo Schommer
3334eafcb1 API Marked statics private, use Config API instead (#8317)
See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details.
2013-03-24 17:20:53 +01:00
Ingo Schommer
183396a8ab Disable RequestHandler->handleAction() deprecation until we have fixed LeftAndMain usage 2013-03-24 17:20:36 +01:00
Ingo Schommer
0a13d29e4a Merge pull request #1214 from silverstripe-rebelalliance/feature/request_handling
FIX handleAction methods should be protected now
2013-03-20 13:52:45 +01:00
Hamish Friedlander
743a186c32 API Make SSViewer#process return HTMLText not string
This means that you dont have to worry about casting it
as HTMLText again when using the result in a template or other context

However in some situations code might be assuming it can
check with is_string, in which case you now need to use instanceof HTMLText
2013-03-14 12:49:03 +13:00
g4b0
d32cd5be16 Added some more XHTML replacement and relative unit test. Content_type comfigurable. 2013-03-12 16:06:59 +01:00
Ingo Schommer
2419d1aa46 XHTML formatting <hr> (fixes #8297) 2013-03-08 10:42:32 +01:00
Ingo Schommer
b8e5ebb9e3 Merge pull request #1242 from dhensby/request-patch
API Adding setURL to HTTPRequest object
2013-03-07 11:18:04 -08:00
g4b0
13b7386a2f BUGFIX: Removed XHTML XML declaration requirement 2013-03-07 11:35:24 +01:00
Daniel Hensby
9258485aeb API Adding setURL to HTTPRequest object
The current RootURLController needs to be able to change the url of a
request, so I've added it.
2013-02-28 08:50:53 +00:00
Ingo Schommer
39789529d7 Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	tests/control/HTTPResponseTest.php
	tests/travis/before_script
2013-02-27 10:27:22 +01:00
Ingo Schommer
e6fffb9ef9 API Remove content-length setting in HTTPResponse
It's not reliable. Started in c69381c33, but only partially reverted.
2013-02-27 10:07:54 +01:00
Ingo Schommer
bea1b9002d Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	control/HTTP.php
2013-02-26 13:28:35 +01:00
Sam Minnee
b2dfa77056 FIX: Ensure that Director::test() doesn't return a string 2013-02-25 16:27:44 +13:00
Hamish Friedlander
a193666df1 FIX handleAction methods should be protected now 2013-02-20 11:47:29 +13:00
Ingo Schommer
0c6ac1960e Fixed whitespace usage 2013-02-18 15:43:52 +01:00
Ingo Schommer
92458d9f43 Fixed line lengths 2013-02-18 14:41:49 +01:00
Ingo Schommer
a86e4ee00c Merge remote-tracking branch 'origin/3.0' into 3.1
Conflicts:
	tests/injector/InjectorTest.php
	tests/travis/before_script
2013-02-18 14:15:42 +01:00
Hamish Friedlander
9ecea763c3 Merge pull request #1186 from nyeholt/injector_configged_create
FIX issue with Injector::create not passing args
2013-02-17 18:38:24 -08:00
Hamish Friedlander
4b54383d68 API change request handling to be more orthogonal
RequestHandler#handleAction now exists. It takes the request, and
the action to call on itself. All calls from handleRequest to call an action
will go through this method

Controller#handleAction has had it's signature changed to
match new RequestHandler#handleAction

RequestHandler#findAction has been added, which extracts the
"match URL to rules to find action" portion of RequestHandler#handleRequest
into a separate, overrideable function

GridField#handleAction has beeen renamed to handleAlterAction and
CMSBatchActionHandler#handleAction has been renamed to handleBatchAction to
avoid name clash with new RequestHandler#handleAction

Reason for change: The exact behaviour of request handling depended heavily
on whether you inherited from RequestHandler or Controller, and whether the
rule extracted it's action directly (like "foo/$ID" => 'foo') or dynamically
(like "$Action/$ID" => "handleAction"). This cleans up behaviour so
all calls follow the same path through handleRequest and handleAction, and
the additional behaviour that Controller adds is clear.
2013-02-18 14:56:04 +13:00
Hamish Friedlander
5fd55a50f2 API Tighten up allowed_actions
allowed_actions is now only allowed to reference public methods defined
on the same Controller as the allowed_actions static, and
the wildcard "*" has been deprecated
2013-02-18 14:53:33 +13:00