Commit Graph

831 Commits

Author SHA1 Message Date
Serge Latyntcev
ad1b00ec7d [CVE-2019-19325] XSS through non-scalar FormField attributes
Silverstripe Forms allow malicious HTML or JavaScript to be inserted
through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting)
on some forms built with user input (Request data). This can lead to phishing attempts
to obtain a user's credentials or other sensitive user input.
There is no known attack vector for extracting user-session information or credentials automatically;
it requires a user to fall for the phishing attempt.
XSS can also be used to modify the presentation of content in malicious ways.
2020-02-17 09:58:29 +13:00
Robbie Averill
3b96c51688 Merge branch '4.3' into 4.4 2019-08-02 11:24:45 +12:00
Robbie Averill
2d2b0b82f0 DOCS Fix incorrect rendering of note on list item
[ci skip]
2019-07-25 12:03:12 +02:00
Serge Latyntsev
2e33456e46 Mention versioned snapshots in the versions documentation (#9057)
* Mention versioned snapshots in the versions documentation

* Add screenshot
2019-06-16 23:52:30 +12:00
Aaron Carlino
c747b1f8d3 Merge branch '4.3' into 4.4 2019-06-10 17:32:07 +12:00
Aaron Carlino
f766555d61 Merge branch '4.2' into 4.3 2019-06-10 17:27:05 +12:00
Serge Latyntcev
ca56e8d78e [CVE-2019-12246] Denial of Service on flush and development URL tools 2019-06-10 17:23:56 +12:00
Ingo Schommer
30496144b9 DOCS More detail on queuedjobs file migrations 2019-06-05 15:10:09 +12:00
Maxime Rainville
5b6d0946f4 API Add extension points to MigrateFileTask (#8994)
* API Add extension points to MigrateFileTask

* Apply suggestions from code review

Co-Authored-By: Guy Marriott <guy@scopey.co.nz>
2019-05-28 09:24:01 +12:00
Ingo Schommer
1f78e8ae80 NEW Clean up secureassets module artefacts (#8948)
See https://github.com/silverstripe/silverstripe-assets/issues/231
2019-05-02 21:05:19 +12:00
Andre Kiste
48db515fbd NEW Fix folder permissions (#8950)
* Add `FixFilePermissionsHelper` subtask
* Changed name to folder permissions, added more logging
2019-05-02 16:28:57 +12:00
Ingo Schommer
0696045e59 NEW Legacy thumbnail migration task (#8924)
* NEW Legacy thumbnail migration task

See https://github.com/silverstripe/silverstripe-assets/issues/235
Makes a start at https://github.com/silverstripe/silverstripe-assets/issues/219 as well

* API Removed migrate_legacy_file support

For the vast majority of sites, you really don't want to run your file migration as part of dev build.
The step is involved enough to warrant its own task.
I don't think this is an API change, since the setting won't have an effect
for anyone who has already enabled it - they would've already done the one-off migration.

See https://github.com/silverstripeltd/open-sourcerers/issues/91
and https://github.com/silverstripe/silverstripe-assets/issues/235
2019-05-02 09:33:53 +12:00
Adrian Humphreys
e648fd31f9 Docs: Update Dynamic_Default_Fields.md (#8941) 2019-04-30 09:00:09 +12:00
Garion Herman
5c4367f46b Use environment variables in example SMTP config
Currently the email documentation provides an example of how to use the SMTP adapter in SwiftMailer, but this example hardcodes the password in the config file which is a security issue. It is possible to reference environment variables instead, so we should document and encourage this.
2019-04-30 08:59:54 +12:00
Adrian Humphreys
212a99c904 Add info around namespacing with controllers 2019-04-30 08:59:29 +12:00
Ingo Schommer
da91f44c00 DOCS File migration changes for 4.4.0 (#8910)
* DOCS File migration changes for 4.4.0

See https://github.com/silverstripe/silverstripe-versioned/issues/177

* Update docs/en/02_Developer_Guides/14_Files/03_File_Security.md

Co-Authored-By: chillu <ingo@silverstripe.com>

* Corrected statements on archived/versioned files

* Corrected statement on filesystem paths of protected vs. public

* Update docs/en/02_Developer_Guides/14_Files/03_File_Security.md

Co-Authored-By: chillu <ingo@silverstripe.com>

* Clarify redirect behaviour
2019-04-30 08:59:25 +12:00
Erlend Mongstad
80b097eb68
Added missing Permission class to example
Following the example will give the following error:

```
[Emergency] Uncaught Error: Class {my namespace}\Permission not found
```

Added the missing class
2019-04-17 02:36:13 +02:00
Robbie Averill
6b07b2c47c Update docs/en/02_Developer_Guides/01_Templates/How_Tos/03_Disable_Anchor_Links.md
Fix code styling

Co-Authored-By: DorsetDigital <DorsetDigital@users.noreply.github.com>
2019-04-16 22:32:55 +01:00
DorsetDigital
321ef827b8
Update 03_Disable_Anchor_Links.md
Update example code for disabling anchors on a per-instance basis. The previous code was unclear and statically called a non-static method on SSViewer (presumably this was SS3 code).
2019-04-16 21:22:27 +01:00
Robbie Averill
8a06682e31 Merge branch '4.3' into 4
# Conflicts:
 #	src/ORM/Connect/DBSchemaManager.php
2019-04-11 11:24:17 +12:00
Ingo Schommer
fcdc146996 DOCS Limitations of publishall
Fixes https://github.com/silverstripe/silverstripe-cms/issues/2406
2019-04-10 10:42:49 +12:00
Al
9a43952385
Fix formatting
Last code block was not closed
2019-04-10 08:22:51 +12:00
Guy Marriott
a9d57f5bfb
Merge pull request #8241 from creative-commoners/pulls/4.3/separate-logging
Separate core error logging from standard LoggerInterface
2019-04-05 08:49:09 +13:00
Hayden Shaw
30775aa428
DOCS HistoryViewerField updates
* Add missing rollback operation in scaffolding example
* Update block_id references to id to allow the query to run successfully in conjunction with HistoryViewerField
2019-04-02 16:59:52 +13:00
Anton Smith
167881cc38 Update path 2019-04-02 12:46:19 +13:00
Andre Kiste
f3535972e4 DOC Add more clear instructions on handling upgrade conflicts (#8836)
* Add more clear instructions on handling upgrade conflicts

* More module upgrading info

* Make it make sense

* Tweak sentence
2019-03-26 16:20:53 +13:00
DorsetDigital
abe76e9b29
Update 02_RSSFeed.md
Change file name to PageController to match code.
Change example code to use parameter in `Link()` method rather than using concatenation
2019-03-23 13:22:37 +00:00
Joe Chenevey
af34fab461
Update 00_CSV_Import.md
Fix reference in `$model_importers` to use `Player::class` for namespaced model reference.
2019-03-18 10:55:41 -04:00
Ingo Schommer
71c32fea20 DOCS Clarify legacy_filenames=true tradeoffs 2019-02-28 08:56:53 +13:00
Ingo Schommer
1f08ed3765 DOCS Note about replaced files on keep_archived_files flag 2019-02-28 08:27:29 +13:00
Ingo Schommer
b4b2f576f0 DOCS Clarify file migration and mention known bug 2019-02-26 09:44:32 +13:00
Scott Hutchinson
57184c245c
DOCS Update HTTP Cache headers docs to include note about testing in dev mode [ci skip] 2019-02-22 10:16:11 +13:00
Robbie Averill
3e90fdf42f Merge branch '4.3' into 4 2019-02-19 08:41:05 +07:00
Robbie Averill
ed74549c4f Merge branch '4.2' into 4.3 2019-02-19 08:39:59 +07:00
Maxime Rainville
5a4a36a79e
Merge pull request #8791 from open-sausages/pulls/4/file-migration-estimates
Add file migration system requirements
2019-02-18 11:56:19 +13:00
Maxime Rainville
5c5d8639c6
DOCS Encourage people to contact the CWP/SSP helpdesk if they need to run the migration from the CLI 2019-02-14 15:38:00 +13:00
Maxime Rainville
62e3a2f582
"Approximate" makes it clearer the expected memory usage may vary
Co-Authored-By: bergice <bergice@users.noreply.github.com>
2019-02-13 15:01:04 +01:00
Maxime Rainville
2e84e9a18f
Round up expected memory usage
Co-Authored-By: bergice <bergice@users.noreply.github.com>
2019-02-13 15:00:08 +01:00
Robbie Averill
95b44d840d DOCS Add example for disabling emails in dev mode via configuration
[ci skip]
2019-02-13 15:37:55 +07:00
bergice
a245d0c98f Add file migration system requirements.
See https://github.com/silverstripeltd/open-sourcerers/issues/45 for more information on how these estimates were obtained.
2019-02-09 05:19:25 +01:00
Jonathon Menz
0cbc02add1 DOCS Added 'Modifying Meta Tags' entry 2019-02-01 09:33:20 -08:00
Andre Kiste
2378d75bc1
Merge pull request #8746 from open-sausages/pulls/4/doc-file-migration-for-big-files
DOCS Add more info about migrating a huge number of files
2019-01-30 09:26:00 +13:00
wernerkrauss
2d257ae3df explain resource url usage for add_i18n_javascript (#8761)
see #8748
2019-01-29 09:00:04 +02:00
Andre Kiste
6f180574a5
Update 05_File_Migration.md
Fixed typos.
2019-01-29 18:58:58 +13:00
Maxime Rainville
c4bf06f600 NEW Add new execmetric debug URL parameter to print out execution time and peak memory usage 2019-01-29 17:28:28 +13:00
Loz Calver
568be8e29b FIX: Misconfiguration for versioned cache segmentation (fixes #8754) 2019-01-25 09:33:21 +00:00
DorsetDigital
17b55fea5e Update 03_Form_Templates.md - form template locations (#8751)
Update guidance on form template location. They don't necessarily have to be placed in /app/templates and will work in the theme directory too. The current text also seems to suggest that they can be placed in the core directory - something which I don't believe should be advised.
2019-01-24 14:55:52 +02:00
DorsetDigital
8ae9c7c07c
Update 03_Form_Templates.md
Add default location of default form template to help people who wish to copy it.
2019-01-24 10:27:38 +00:00
Maxime Rainville
6ad780e217 DOCS Add more info about migrating a huge number of files 2019-01-23 19:29:03 +13:00
Robbie Averill
50c074964d
Merge pull request #8730 from sachajudd/docs/page-icons
DOCS Add how to customise page icons in the site tree
2019-01-16 10:00:08 +01:00