Commit Graph

3008 Commits

Author SHA1 Message Date
Serge Latyntcev
ad1b00ec7d [CVE-2019-19325] XSS through non-scalar FormField attributes
Silverstripe Forms allow malicious HTML or JavaScript to be inserted
through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting)
on some forms built with user input (Request data). This can lead to phishing attempts
to obtain a user's credentials or other sensitive user input.
There is no known attack vector for extracting user-session information or credentials automatically;
it requires a user to fall for the phishing attempt.
XSS can also be used to modify the presentation of content in malicious ways.
2020-02-17 09:58:29 +13:00
Serge Latyntcev
50a1aa4c4d Merge branch '4.3' into 4.4 2019-09-24 17:28:31 +12:00
Serge Latyntcev
26a4fb38ba Added 4.3.6 changelog 2019-09-24 17:20:48 +12:00
Aaron Carlino
79a89e751d Added 4.4.4 changelog 2019-09-24 17:05:26 +12:00
Aaron Carlino
c1047fac32 DOCS: Add docs for versioned files migration 2019-09-24 16:04:22 +12:00
Aaron Carlino
28057e3a71 DOCS: Add FileShortcodeProvider change to changelog 2019-09-24 16:03:48 +12:00
Aaron Carlino
1f92b21a04 DOCS: Add FileShortcodeProvider change to changelog 2019-09-24 16:03:48 +12:00
Aaron Carlino
8ee5e621fd DOCS: Add docs for versioned files migration 2019-09-24 16:00:51 +12:00
Aaron Carlino
99ab3c6421 DOCS: Add FileShortcodeProvider change to changelog 2019-09-24 16:00:51 +12:00
Guy Marriott
a6614d8a77 Added 4.4.3 changelog 2019-08-19 15:01:22 +12:00
Aaron Carlino
8cfd3f07ba Added 4.4.2 changelog 2019-08-12 16:08:07 +12:00
Robbie Averill
4936d265a2 DOCS Remove statement about a strict error when overloading PDOQuery constructor
Constructors are not bound by method signature match rules in PHP
2019-08-09 09:16:31 +12:00
Robbie Averill
3b96c51688 Merge branch '4.3' into 4.4 2019-08-02 11:24:45 +12:00
Robbie Averill
2d2b0b82f0 DOCS Fix incorrect rendering of note on list item
[ci skip]
2019-07-25 12:03:12 +02:00
Robbie Averill
40f06fafa9 Merge branch '4.3' into 4.4 2019-07-19 10:45:44 +02:00
Robbie Averill
c7b15eaef5 Merge branch '4.2' into 4.3 2019-07-19 10:45:29 +02:00
Serge Latyntcev
d667d64f13 Merge branch '4.3' into 4.4 2019-07-15 09:18:17 +12:00
Serge Latyntsev
2e33456e46 Mention versioned snapshots in the versions documentation (#9057)
* Mention versioned snapshots in the versions documentation

* Add screenshot
2019-06-16 23:52:30 +12:00
Guy Marriott
0294029f92 DOCS Remove confusing API change from changelog
This change was removing a method that was added in 4.4.0 also - this makes it not a breaking change for SemVer
2019-06-13 10:46:48 +12:00
Maxime Rainville
62cdc43e78 DOC Add missing reference to TagToShortcodeTask. 2019-06-11 15:17:25 +12:00
Aaron Carlino
3c92501dc5 DOCS: Add React 16 information 2019-06-11 10:46:21 +12:00
Guy Marriott
dad80f5acd DOCS Adding information about better buttons to the release changelog (#9049) 2019-06-11 08:28:04 +12:00
Aaron Carlino
054dbd6ae5 Added 4.3.4 changelog 2019-06-10 22:49:06 +12:00
Aaron Carlino
960a7bb5ae Added 4.2.5 changelog 2019-06-10 22:48:57 +12:00
Aaron Carlino
c5d3f82576 Added 4.4.1 changelog 2019-06-10 17:37:24 +12:00
Aaron Carlino
c747b1f8d3 Merge branch '4.3' into 4.4 2019-06-10 17:32:07 +12:00
Aaron Carlino
f766555d61 Merge branch '4.2' into 4.3 2019-06-10 17:27:05 +12:00
Serge Latyntcev
ca56e8d78e [CVE-2019-12246] Denial of Service on flush and development URL tools 2019-06-10 17:23:56 +12:00
Ingo Schommer
30496144b9 DOCS More detail on queuedjobs file migrations 2019-06-05 15:10:09 +12:00
Maxime Rainville
5b6d0946f4 API Add extension points to MigrateFileTask (#8994)
* API Add extension points to MigrateFileTask

* Apply suggestions from code review

Co-Authored-By: Guy Marriott <guy@scopey.co.nz>
2019-05-28 09:24:01 +12:00
Aaron Carlino
4a0f62fafd Added 4.4.0-rc1 changelog 2019-05-06 15:01:01 +12:00
Ingo Schommer
1f78e8ae80 NEW Clean up secureassets module artefacts (#8948)
See https://github.com/silverstripe/silverstripe-assets/issues/231
2019-05-02 21:05:19 +12:00
Andre Kiste
48db515fbd NEW Fix folder permissions (#8950)
* Add `FixFilePermissionsHelper` subtask
* Changed name to folder permissions, added more logging
2019-05-02 16:28:57 +12:00
Ingo Schommer
0696045e59 NEW Legacy thumbnail migration task (#8924)
* NEW Legacy thumbnail migration task

See https://github.com/silverstripe/silverstripe-assets/issues/235
Makes a start at https://github.com/silverstripe/silverstripe-assets/issues/219 as well

* API Removed migrate_legacy_file support

For the vast majority of sites, you really don't want to run your file migration as part of dev build.
The step is involved enough to warrant its own task.
I don't think this is an API change, since the setting won't have any effect
for anyone who has already enabled it - they would've already done the one-off migration.

See https://github.com/silverstripeltd/open-sourcerers/issues/91
and https://github.com/silverstripe/silverstripe-assets/issues/235
2019-05-02 09:33:53 +12:00
Andre Kiste
0c6c57f1ef Add getFieldMap method to retrieve a list of all fields for any giv… (#8892)
* Add `getFieldMap` method to retrieve a list of all fields for any given class

* Add `TagsToShortcodeTask` to upgrading guide

Adding after the file migration part as this is where it makes the most sense to run it.

* `getFieldMap` accepts an array

* Move to `DataObjectSchema`

* Add `HTMLVarchar` to documentation
Minor refactoring

* Add test for checking that `subclassesfor` works without the base class
Add test `DataObjectSchema::getFieldMap` returns the correct array

* Remove cms dependency
2019-04-30 10:43:14 +12:00
Adrian Humphreys
e648fd31f9 Docs: Update Dynamic_Default_Fields.md (#8941) 2019-04-30 09:00:09 +12:00
Garion Herman
5c4367f46b Use environment variables in example SMTP config
Currently the email documentation provides an example of how to use the SMTP adapter in SwiftMailer, but this example hardcodes the password in the config file which is a security issue. It is possible to reference environment variables instead, so we should document and encourage this.
2019-04-30 08:59:54 +12:00
Adrian Humphreys
212a99c904 Add info around namespacing with controllers 2019-04-30 08:59:29 +12:00
Ingo Schommer
da91f44c00 DOCS File migration changes for 4.4.0 (#8910)
* DOCS File migration changes for 4.4.0

See https://github.com/silverstripe/silverstripe-versioned/issues/177

* Update docs/en/02_Developer_Guides/14_Files/03_File_Security.md

Co-Authored-By: chillu <ingo@silverstripe.com>

* Corrected statements on archived/versioned files

* Corrected statement on filesystem paths of protected vs. public

* Update docs/en/02_Developer_Guides/14_Files/03_File_Security.md

Co-Authored-By: chillu <ingo@silverstripe.com>

* Clarify redirect behaviour
2019-04-30 08:59:25 +12:00
Matt Peel
a61cb1de99 Fix reference to webconfig.php, an invalid file
The upgrading docs reference webconfig.php, which is incorrect and has never existed. I presume the docs mean to reference web.config, which is the IIS configuration file.

I've also fixed a couple of minor spelling mistakes and mentioned Apache for htaccess and IIS for web.config so people know what they're for.

[ci skip]
2019-04-30 08:55:03 +12:00
Maxime Rainville
e95dde8f1e DOC Update change log to reference updated migration task (#8945)
* DOC Update change log to reference updated migration task

* Update docs/en/04_Changelogs/4.4.0.md
2019-04-30 08:50:33 +12:00
Erlend Mongstad
80b097eb68 Added missing Permission class to example
Following the example will give the following error:

```[Emergency] Uncaught Error: Class {my namespace}\Permission not found```

Added the missing class
2019-04-17 02:36:13 +02:00
Robbie Averill
6b07b2c47c Update docs/en/02_Developer_Guides/01_Templates/How_Tos/03_Disable_Anchor_Links.md
Fix code styling

Co-Authored-By: DorsetDigital <DorsetDigital@users.noreply.github.com>
2019-04-16 22:32:55 +01:00
DorsetDigital
321ef827b8 Update 03_Disable_Anchor_Links.md
Update example code for disabling anchors on a per-instance basis. The previous code was unclear and statically called a non-static method on SSViewer (presumably this was SS3 code)
2019-04-16 21:22:27 +01:00
Christopher Darling
fcef36b7fa DOCS composer autoload examples should be psr-4
currently 'psr4'
2019-04-15 06:55:01 +01:00
Robbie Averill
8a06682e31 Merge branch '4.3' into 4
# Conflicts:
#	src/ORM/Connect/DBSchemaManager.php
2019-04-11 11:24:17 +12:00
Ingo Schommer
fcdc146996 DOCS Limitations of publishall
Fixes https://github.com/silverstripe/silverstripe-cms/issues/2406
2019-04-10 10:42:49 +12:00
Al
9a43952385 Fix formatting
Last code block was not closed
2019-04-10 08:22:51 +12:00
Ingo Schommer
d04ef04999 DOCS Upgrading guide known issues and self-update 2019-04-09 08:24:15 +12:00
Guy Marriott
a9d57f5bfb Merge pull request #8241 from creative-commoners/pulls/4.3/separate-logging
Separate core error logging from standard LoggerInterface
2019-04-05 08:49:09 +13:00