Commit Graph

18624 Commits

Author SHA1 Message Date
Damian Mooyman
8c0ced311f Merge pull request #6998 from AntonyThorpe/StrictFormMethodCheck
Updated Form.php & 04_Form_Security.md  - strictFormMethodCheck to true
2017-06-06 23:06:11 +12:00
Damian Mooyman
057bfdae79 Merge pull request #6991 from jacobbuck/feature/3.6/extend-file-get-url
NEW Add 'updateURL' extension hook to File::getURL()
2017-06-06 21:28:16 +12:00
Antony Thorpe
6348f2e3e8 Updated Form.php & 04_Form_Security.md
Changed the `strictFormMethodCheck` protected property from false to true to step out on the front foot with this security setting.  In the documentation under the title [Cross-Site Request Forgery](https://github.com/silverstripe/silverstripe-framework/blob/master/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md#cross-site-request-forgery-csrf) it states, "it is also recommended to limit form submissions to the intended HTTP verb (mostly GET or POST) through [api:Form::setStrictFormMethodCheck()]."  The same advice is noted in [Form Security](c2292a4cc1/docs/en/02_Developer_Guides/03_Forms/04_Form_Security.md (strict-form-submission)).

Why not make this the default behaviour?  Is there a scenario where this would cause a problem?  Have manually tested in the CMS (alpha7) and is working fine.

Note: Original commit that established the API Form::setStrictFormMethodCheck is 14c59be8.
2017-06-06 21:10:49 +12:00
Damian Mooyman
ba44c4c30d Merge pull request #6988 from open-sausages/pulls/4.0/print-with-gotink
Fixes printing from crashing
2017-06-06 18:33:11 +12:00
Damian Mooyman
058ba813e6 Merge pull request #6986 from open-sausages/pulls/3.0/but-its-so-tinymce
Fix tinymce image selection issue in newer versions of Chrome
2017-06-06 17:24:31 +12:00
Saophalkun Ponlu
e267d29b9a BUG Consistent return values for first and last methods 2017-06-06 17:22:55 +12:00
Jacob
92b7341200 Call $this->extend('updateURL', $url); before returning $url 2017-06-06 13:38:11 +12:00
Christopher Joe
d12c986dd5
Fixes printing from crashing 2017-06-06 13:31:37 +12:00
Damian Mooyman
9b965ed5fa
Add in missing changelog notes 2017-06-06 11:08:05 +12:00
Christopher Joe
5f5bfa5e70 Fix create temp folder if it does not exist 2017-06-06 09:58:51 +12:00
Jacob Buck
2305255699 Add updateURL extension hook to File::getURL 2017-06-05 15:17:37 +12:00
Loz Calver
035a9b049e Merge pull request #6990 from dhensby/pulls/3.6/constructor-fixes
FIX Upgrade old style constructors that were missed
2017-06-02 12:47:21 +01:00
Daniel Hensby
a52ed03b49
FIX Upgrade old style constructors that were missed 2017-06-02 12:22:33 +01:00
Christopher Joe
4b9d5dceb8 Fix tinymce image selection issue in newer versions of Chrome 2017-06-02 15:06:16 +12:00
Ingo Schommer
b137e91998 Internal security process docs 2017-06-02 11:30:12 +12:00
Daniel Hensby
9a0e01d4a0
NEW DB Driver defaults to PDO 2017-06-01 11:00:35 +01:00
Daniel Hensby
bf8d4252e3 Merge pull request #6983 from JustinTBrown/patch-1
Update to 00_CSV_Import.md
2017-05-31 19:17:33 +01:00
Justin Brown
ac08e16720 Update to 00_CSV_Import.md
Adding further explanation for using a custom CsvBulkLoader in ModelAdmin instead of the default one. I think some people might be able to guess at this, but others (like me) might benefit from making things a bit more explicit. This is a follow up from my [question on StackOverflow](https://stackoverflow.com/questions/44271755/adding-custom-csvbulkuploader-to-modeladmin-in-silverstripe).
2017-05-31 09:05:05 -06:00
Chris Joe
44f27645bd Merge pull request #6981 from edlinklater/patch-1
Docs: Correct Stevie's name on committers page
2017-05-31 13:40:31 +12:00
Ed Linklater
f007fca51f Docs: Correct Stevie's name on committers page 2017-05-31 12:27:06 +12:00
Daniel Hensby
21d2e5cad1
Merge branch '3.6' into 3 2017-05-31 00:12:14 +01:00
Daniel Hensby
becb769167
Merge branch '3.5' into 3.6 2017-05-31 00:11:48 +01:00
Daniel Hensby
653c891f38
Merge tag '3.6.0' into 3.6
Release 3.6.0
2017-05-31 00:11:47 +01:00
Daniel Hensby
294df1320f
Merge branch '3.4' into 3.5 2017-05-31 00:11:18 +01:00
Daniel Hensby
ff0bbce326
Merge tag '3.5.4' into 3.5
Release 3.5.4
2017-05-31 00:11:18 +01:00
Daniel Hensby
cf8f781238
Merge tag '3.4.6' into 3.4
Release 3.4.6
2017-05-31 00:10:48 +01:00
Daniel Hensby
143c4a63cf
Added 3.6.0 changelog 2017-05-30 22:11:03 +00:00
Daniel Hensby
90c2a7de11 Merge pull request #6979 from dhensby/pulls/bracket-test-only
FIX Bracket should implement TestOnly
2017-05-30 23:10:16 +01:00
Daniel Hensby
2f7f761a9c
Added 3.5.4 changelog 2017-05-30 22:03:17 +00:00
Daniel Hensby
deca99a5fe
Added 3.4.6 changelog 2017-05-30 21:58:52 +00:00
Daniel Hensby
13ee3148d9
FIX Bracket should implement TestOnly 2017-05-30 22:44:24 +01:00
Daniel Hensby
11de4abe0a Merge pull request #6977 from andrewandante/FIX/move_dotenv_higher
move TRUSTED_PROXY below .env loader
2017-05-30 12:41:09 +01:00
Andrew Aitken-Fincham
8f44b8f0ba move trusted_proxy_ips below .env loader 2017-05-30 12:18:47 +01:00
Damian Mooyman
b27ef810d4 Merge pull request #6974 from colintucker/fix-csv-bulk-loader
Fixes a bug with split file names during CSV import
2017-05-30 16:18:06 +12:00
Chris Joe
8efaa180a4 Merge pull request #6969 from open-sausages/pulls/4.0/insert-page-link
API Remove legacy HTMLEditor classes
2017-05-30 11:42:08 +12:00
Damian Mooyman
e7d87add9f API Remove legacy HTMLEditor classes 2017-05-30 11:01:28 +12:00
Damian Mooyman
36e3a43bdb Merge pull request #6976 from nfauchelle/patch-5
Update 05_Dataobject_Relationship_Management.md
2017-05-30 10:05:27 +12:00
Damian Mooyman
f2fbabec17 Merge pull request #6975 from nfauchelle/patch-4
Fix $class variable from being clobbered
2017-05-30 10:04:29 +12:00
Nick
318b0248b7 Update 05_Dataobject_Relationship_Management.md
Correct a naffed up code block and a typo
2017-05-29 20:54:50 +12:00
Nick
acb74a8577 Fix $class variable from being clobbered
The $class variable gets overwritten in the function.

This causes error messages to be less helpful. For example if you set up a has_many but forget the has_one on the other side the error will look something like

`[Emergency] Uncaught Exception: No has_one found on class 'SomeObject', the has_many relation from 'SilverStripe\View\ViewableData' to 'SomeObject' requires a has_one on 'SomeObject'`

fixing this gives a more useful error, like

`[Emergency] Uncaught Exception: No has_one found on class 'SomeObject', the has_many relation from 'Page' to 'SomeObject' requires a has_one on 'SomeObject'`
2017-05-29 20:31:09 +12:00
Colin Tucker
db59e51c4a Fixes a bug with split file names during CSV import 2017-05-29 16:08:23 +10:00
Damian Mooyman
a017422817 Merge pull request #6972 from creative-commoners/pulls/3.5/plural-modeladmin-name
FIX Use plural name for ModelAdmin tab name
2017-05-29 15:05:24 +12:00
Robbie Averill
b4368196d1 FIX Use plural name for ModelAdmin tab name 2017-05-29 14:02:58 +12:00
Daniel Hensby
659053a256
Added 3.6.0-rc1 changelog 2017-05-29 00:36:04 +00:00
Daniel Hensby
cda7e8dc39
Merge remote-tracking branch 'security/3.5.4' into 3.6.0 2017-05-29 01:29:05 +01:00
Daniel Hensby
9a38bedd18
Added 3.5.4-rc1 changelog 2017-05-29 00:08:27 +00:00
Daniel Hensby
24166700e8
Merge remote-tracking branch 'security/3.4.6' into 3.5.4 2017-05-29 01:02:35 +01:00
Daniel Hensby
b5ad4bdcc6
Added 3.4.6-rc2 changelog 2017-05-28 23:49:04 +00:00
Daniel Hensby
2b72c0f73b Merge pull request #42 from silverstripe-security/patch/3.4/ss-2017-004
[SS-2017-004] FIX DataDifferencer doesn't correctly cast data
2017-05-29 00:41:59 +01:00
Daniel Hensby
16a74bc8a9
FIX DataDifferencer needs to explicitly cast HTMLText values 2017-05-29 00:10:32 +01:00