Commit Graph

97 Commits

Author SHA1 Message Date
Maxime Rainville
acd7d94167 Merge branch '4.4' into 4.5 2020-02-17 13:07:26 +13:00
Serge Latyntcev
ad1b00ec7d [CVE-2019-19325] XSS through non-scalar FormField attributes
Silverstripe Forms allow malicious HTML or JavaScript to be inserted
through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting)
on some forms built with user input (Request data). This can lead to phishing attempts
to obtain a user's credentials or other sensitive user input.
There is no known attack vector for extracting user-session information or credentials automatically;
it requires a user to fall for the phishing attempt.
XSS can also be used to modify the presentation of content in malicious ways.
2020-02-17 09:58:29 +13:00
Maxime Rainville
d7f5ed3e65 DOC Substitute old apache syntax for Require 2019-09-25 16:59:48 +12:00
Matt Peel
7083f016c1 Update secure coding standards
As of SS4.0.0 and the introduction of TrustedProxyMiddleware, the default now if no trusted proxies are defined is that nothing is a trusted proxy, whereas in SS3 a missing declaration was treated as everything being allowed.
2019-09-10 12:55:24 +12:00
Robbie Averill
3224c9971b Merge branch '4.4' into 4 2019-08-02 11:24:54 +12:00
Robbie Averill
3b96c51688 Merge branch '4.3' into 4.4 2019-08-02 11:24:45 +12:00
Robbie Averill
2d2b0b82f0 DOCS Fix incorrect rendering of note on list item
[ci skip]
2019-07-25 12:03:12 +02:00
Ingo Schommer
4d93e48b10 DOCS Add silverstripe/login-forms (#9112)
See https://github.com/silverstripe/recipe-cms/issues/26.
Dependent on https://github.com/silverstripe/silverstripe-installer/pull/257.
2019-07-16 10:11:37 +12:00
Erlend Mongstad
80b097eb68 Added missing Permission class to example
Following the example will give the following error:

```
[Emergency] Uncaught Error: Class {my namespace}\Permission not found
```

Added the missing class
2019-04-17 02:36:13 +02:00
Robbie Averill
af8d268cc7 DOCS Update documentation for password validation rule configuration 2018-11-13 10:55:26 +02:00
Ingo Schommer
114b0a5ea7 NEW Option for secure "remember me" cookie
Fixes #8234
2018-07-30 16:41:49 +01:00
Ingo Schommer
259aa06010 DOCS More resilient example domain
myapp.com is owned; example.com is specifically reserved for documentation use cases:
https://en.wikipedia.org/wiki/Example.com

[ci skip]
2018-06-26 10:13:36 +12:00
Ingo Schommer
2e1e8e07b9 DOCS Consistent app/ folder and composer use
- Stronger wording around "use composer"
- Consistent domain and email address naming
- Removed example for publishing non-composer modules (those shouldn't be encouraged)
- Removed instructions for installing modules from archives

[ci skip]
2018-06-25 10:40:19 +12:00
Damian Mooyman
3ea98cdb13 Migrate documentation from 3.x 2018-06-13 14:50:02 +12:00
Robbie Averill
c3e5ab2258 Merge pull request #65 from silverstripe-security/pulls/4.2/ss-2018-009
[SS-2018-009] Allow forced redirects to HTTPS for responses with basic authentication
2018-05-28 18:57:38 +12:00
Ingo Schommer
9097a95de2 Cookie lifetime docs 2018-05-21 11:36:53 +12:00
Ingo Schommer
5445a0d3fc Corrected login data usage docs 2018-05-21 11:36:45 +12:00
Ingo Schommer
78fe189c6d Merge pull request #8003 from open-sausages/pulls/4/docs-personal-data
Docs for personal data usage in core
2018-05-17 17:11:56 +12:00
Kairat Jenishev
b4ba3cbd1f DOCS Fix broken links and headers 2018-05-03 16:42:52 +01:00
Robbie Averill
1505a89a63 Update to include note about auto redirect to HTTPS for basic auth 2018-04-24 16:42:52 +12:00
Ingo Schommer
1b882e802e Docs for personal data usage in core
See https://github.com/silverstripe/silverstripe-framework/issues/7791
2018-04-13 13:23:05 +12:00
Damian Mooyman
625f7b4eee Merge remote-tracking branch 'origin/4.0' into 4.1 2018-03-13 14:26:18 +13:00
cpenny
fdbf4c2134 Updated docs for Rate Limiting. 2018-03-09 08:15:11 +13:00
Gorrie Coe
3ae8838285 Added Name to example 2017-12-12 14:40:34 +13:00
Gorrie Coe
849038a60b Added after priority to replace default authenticator. 2017-12-12 12:52:52 +13:00
Damian Mooyman
cdfb413395 Code block whitespace / formatting cleanup 2017-10-27 15:38:27 +13:00
Aaron Carlino
e7274b0ee4 Add namespaces 2017-10-27 12:45:26 +13:00
Daniel Hensby
c077abf353 DOCS new rate limiting docs 2017-09-27 17:40:04 +01:00
Simon Erkelens
774d44a574 Authentication documentation rewrite 2017-08-28 16:28:30 +12:00
Aaron Carlino
50c8a02bff remove tabs 2017-08-07 15:11:17 +12:00
Aaron Carlino
e4935123d8 Remove a few more references 2017-08-07 14:01:38 +12:00
Aaron Carlino
6c0629f025 Remove more deprecated APIs 2017-08-07 14:01:38 +12:00
Aaron Carlino
e4fba5a7b1 add use statements 2017-08-07 14:01:38 +12:00
Aaron Carlino
84feab5a68 Yeah psr2 functions 2017-08-07 14:01:38 +12:00
Aaron Carlino
4c7a068b28 classes psr2 2017-08-07 14:01:38 +12:00
Aaron Carlino
2414eaeafd Yay, clean arrays 2017-08-07 14:01:38 +12:00
Aaron Carlino
eb1695c03d Replace all legacy ::: syntax with GFMD tags 2017-08-07 14:01:38 +12:00
Saophalkun Ponlu
63ba092765 FIX Add namespaces in markdown docs (#7088)
* FIX Add namespaces in markdown docs

* FIX Convert doc [link] to [link-text](link-uri)
2017-07-03 13:22:12 +12:00
Sam Minnee
ccc86306b6 NEW: Add TrustedProxyMiddleware
API: SS_TRUSTED_PROXY_HOST_HEADER replaced with middleware config
API: SS_TRUSTED_PROXY_PROTOCOL_HEADER replaced with middleware config
API: SS_TRUSTED_PROXY_IP_HEADER replaced with middleware config
API: Front-End-Https = “on” header no longer supported

This middleware replaces the TRUSTED_PROXY setting and shifts its
configuration out of the env vars and bootstrap and into the Director
flow.
2017-06-27 13:32:39 +12:00
Simon Erkelens
2b26cafcff Separate out the log-out handling.
Repairing tests and regressions
Consistently use `Security::getCurrentUser()` and `Security::setCurrentUser()`
Fix for the logout handler to properly log out, some minor wording updates
Remove the login hashes for the member when logging out.
BasicAuth to use `HTTPRequest`
2017-06-07 21:11:58 +12:00
Simon Gow
5f82997690 Secure Coding - Security Headers, Force HTTPS and Cookies
- Amending best practices for secure coding to enforce HTTPS
- Add security headers to enforce HTTPS
- Ensure secure cookies are used.
- Added links for testing, changed documentation as part of peer review.
- Arrange headers to work with HTTP interface.
- fixed Cache-Control case
- Added reference to Secure Sessions.
- Replaced Cardinality with unique
- Fixed inaccurate reference to descendant.
- Consistent spelling
- Databases over DBMSs
2017-04-13 13:59:02 +12:00
Daniel Hensby
6e096f6172 DOCS Updated environment management docs to use .env file 2017-01-31 21:28:51 +00:00
Damian Mooyman
7d67c5b9bd API Allow users to act-as another 2017-01-16 09:04:20 +13:00
Robbie Averill
c620063608 DOCS Update docs to reference PageController without an underscore, implement some PSR-2 2017-01-11 09:59:28 +13:00
Damian Mooyman
bfd9cb1aca Rename SS_ prefixed classes (#5974) 2016-09-09 18:43:05 +12:00
Ingo Schommer
c96e031367 Moved coding conventions docs into contributing folder
Also created a contributing/coding_conventions landing page separately from the PHP ones, since we now need to account for JS and CSS conventions as well
2016-06-13 08:30:44 +12:00
Damian Mooyman
d52db0ba34 Merge 3 into master
# Conflicts:
#	.travis.yml
#	admin/css/ie7.css
#	admin/css/ie7.css.map
#	admin/css/ie8.css.map
#	admin/css/screen.css
#	admin/css/screen.css.map
#	admin/javascript/LeftAndMain.js
#	admin/scss/_style.scss
#	admin/scss/_uitheme.scss
#	control/HTTPRequest.php
#	core/Object.php
#	css/AssetUploadField.css
#	css/AssetUploadField.css.map
#	css/ConfirmedPasswordField.css.map
#	css/Form.css.map
#	css/GridField.css.map
#	css/TreeDropdownField.css.map
#	css/UploadField.css
#	css/UploadField.css.map
#	css/debug.css.map
#	dev/Debug.php
#	docs/en/00_Getting_Started/00_Server_Requirements.md
#	docs/en/02_Developer_Guides/06_Testing/00_Unit_Testing.md
#	docs/en/02_Developer_Guides/06_Testing/index.md
#	docs/en/02_Developer_Guides/14_Files/02_Images.md
#	docs/en/02_Developer_Guides/15_Customising_the_Admin_Interface/How_Tos/Extend_CMS_Interface.md
#	filesystem/File.php
#	filesystem/Folder.php
#	filesystem/GD.php
#	filesystem/Upload.php
#	forms/ToggleField.php
#	forms/Validator.php
#	javascript/lang/en_GB.js
#	javascript/lang/fr.js
#	javascript/lang/src/en.js
#	javascript/lang/src/fr.js
#	model/Image.php
#	model/UnsavedRelationList.php
#	model/Versioned.php
#	model/connect/MySQLDatabase.php
#	model/fieldtypes/DBField.php
#	model/fieldtypes/Enum.php
#	scss/AssetUploadField.scss
#	scss/UploadField.scss
#	templates/email/ChangePasswordEmail.ss
#	templates/forms/DropdownField.ss
#	tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsFormsContext.php
#	tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsUiContext.php
#	tests/forms/EnumFieldTest.php
#	tests/security/MemberTest.php
#	tests/security/MemberTest.yml
#	tests/security/SecurityTest.php
2016-04-29 17:50:55 +12:00
Daniel Hensby
745faebd81 Merge 3.2 into 3.3
Conflicts:
	.travis.yml
2016-04-26 00:17:09 +01:00
Damian Mooyman
b8e7f9a934 Standardise spelling of "customise"
Fixes #3988
2016-03-30 13:17:28 +13:00
Ingo Schommer
f36b110db3 Merge remote-tracking branch 'origin/3.3' 2016-03-04 17:06:04 +13:00