Commit Graph

704 Commits

Author SHA1 Message Date
Serge Latyntcev
ad1b00ec7d [CVE-2019-19325] XSS through non-scalar FormField attributes
Silverstripe Forms allow malicious HTML or JavaScript to be inserted
through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting)
on some forms built with user input (Request data). This can lead to phishing attempts
to obtain a user's credentials or other sensitive user input.
There is no known attack vector for extracting user-session information or credentials automatically,
it required a user to fall for the phishing attempt.
XSS can also be used to modify the presentation of content in malicious ways.
2020-02-17 09:58:29 +13:00
Serge Latyntcev
8219491705 Merge branch '4.3' into 4.4 2019-11-20 11:08:35 +13:00
Damian Mooyman
e76601e5c8
BUG FormAction title property cannot be set if useButtonTag is false 2019-10-29 17:21:45 +13:00
Serge Latyntcev
0cf5d4cbe2 Merge branch '4.3' into 4.4 2019-10-18 15:58:13 +13:00
Serge Latyntcev
46b9530d88 PSR2 linting fixes 2019-10-18 15:31:39 +13:00
Serge Latyntcev
dcbe6d0310 Merge branch '4.3' into 4.4 2019-10-18 10:57:35 +13:00
Damian Mooyman
d7752b7945
Run PSR2 Lint cleaner 2019-10-04 13:26:31 +13:00
Serge Latyntcev
7db524bd90 FIX DebugViewFrendlyErrorFormatter handle of admin_email 2019-10-04 10:26:54 +13:00
Garion Herman
0d27f32cc9 FIX Add 'legal empty attributes' to allow empty alt values on imgs
In some situations, a caption is used in place of a value in the alt
attribute, and in others an image may be cosmetic and not in need of an
alt attribute value (though the alt attribute must still be rendered in
this case).
2019-09-24 11:44:12 +12:00
Robbie Averill
3cfc21c405
Merge pull request #9241 from open-sausages/pulls/4.4.3/fix-file-permission
Fix administrators not being able to see files that are restricted to groups
2019-09-23 11:13:26 -07:00
bergice
6a1c6ecec6 Fix administrators not being able to see files that are restricted to groups
Resolves https://github.com/silverstripe/silverstripe-asset-admin/issues/777
2019-09-23 16:44:28 +12:00
Robbie Averill
592ab6abc1 Merge branch '4.3' into 4.4 2019-09-13 18:11:34 -07:00
Maxime Rainville
591b88a9bc BUG Allow infinite loop when calling DataObject::writeComponent() recursively 2019-09-10 14:15:28 +12:00
Maxime Rainville
24015c7767 Merge branch '4.3' into 4.4 2019-09-04 09:42:09 +12:00
Robbie Averill
77ba8391c4 FIX Byte Order Marks (BOM) are now stripped when importing CSV files 2019-08-29 14:54:57 +12:00
Robbie Averill
11a7d6ccb4
Rename test to be clearer about its intent
Co-Authored-By: Guy Marriott <guy@scopey.co.nz>
2019-08-16 09:49:36 +12:00
Robbie Averill
bae7e32680 FIX Member::changePassword() no longer applies password validation rules to the hashed value 2019-08-16 09:06:07 +12:00
Robbie Averill
f354e2018d FIX Set minimum test scores and password length for Members while running fixtured DataObject tests 2019-08-15 15:23:11 +12:00
Robbie Averill
4b44272367 Merge branch '4.3' into 4.4 2019-08-14 09:30:53 +12:00
Robbie Averill
d63e4b520c Merge branch '4.2' into 4.3 2019-08-14 09:30:41 +12:00
UndefinedOffset
c1ffc4edfb Added unit tests for multiple relationship sorting 2019-07-29 10:45:10 -03:00
Serge Latyntcev
d667d64f13 Merge branch '4.3' into 4.4 2019-07-15 09:18:17 +12:00
Serge Latyntcev
fcd7a1e63e FIX core memory limit test 2019-07-12 16:30:25 +12:00
Serge Latyntsev
7ef13e7ef6 FIX Confirmation components to respect SS_BASE_URL (#9074) 2019-07-05 16:05:41 +12:00
Sam Minnee
96e7914f23 FIX: Fix MySQLQuery::seek() and Query::rewind() to fix repeated iteration
API: Query::seek() and Query::rewind() no longer return a value.

Although breaking an API inside a patch release may seem odd, this in
fact is correcting a long-standing bug in our implementation of 
Iterator::rewind(), so I think it’s appropriate.

https://github.com/silverstripe/silverstripe-framework/issues/9097
2019-07-03 09:20:05 +12:00
Aaron Carlino
c747b1f8d3 Merge branch '4.3' into 4.4 2019-06-10 17:32:07 +12:00
Aaron Carlino
f766555d61 Merge branch '4.2' into 4.3 2019-06-10 17:27:05 +12:00
Serge Latyntcev
ca56e8d78e [CVE-2019-12246] Denial of Service on flush and development URL tools 2019-06-10 17:23:56 +12:00
Robbie Averill
14673ffd0a Merge branch '4.3' into 4.4 2019-05-30 09:35:26 +12:00
Robbie Averill
188698dcee Merge branch '4.2' into 4.3 2019-05-30 09:35:17 +12:00
Robbie Averill
3e2fc6aa0b Automated phpcbf linting 2019-05-30 09:34:34 +12:00
Aaron Carlino
3f1479edbb
BUGFIX: DataQuery overwriting _SortColumn selects (#8974)
* BUGFIX: DataQuery overwriting _SortColumn selects

* FIX DataQuery _SortColumn handling
2019-05-15 11:42:10 +12:00
Maxime Rainville
8ee50d2ba7 API Remove DataObjectSchema::getFieldMap() (#8960)
Introduced as a less public API in https://github.com/silverstripe/silverstripe-assets/pull/227
2019-05-06 12:33:23 +12:00
Guy Marriott
82c8225502
Merge branch '4.3' into 4.4 2019-05-03 09:45:25 +12:00
Serge Latyntcev
3d777cfb8a Backward compatible behaviour for SQLConditionalExpression::getJoins 2019-05-02 15:39:36 +12:00
Andre Kiste
0c6c57f1ef Add getFieldMap method to retrieve a list of all fields for any giv… (#8892)
* Add `getFieldMap` method to retrieve a list of all fields for any given class

* Add `TagsToShortcodeTask` to upgrading guide

Adding after the file migration part as this is where it makes the most sense to run it.

* `getFieldMap` accepts an array

* Move to `DataObjectSchema`

* Add `HTMLVarchar` to documentation
Minor refactoring

* Add test for checking that `subclassesfor` works without the base class
Add test `DataObjectSchema::getFieldMap` returns the correct array

* Remove cms dependency
2019-04-30 10:43:14 +12:00
Aaron Carlino
c63eecc3e1 Merge branch '4.3' into 4 2019-04-18 11:57:36 +12:00
Sam Minnée
155a9bb1f9
Merge pull request #8934 from creative-commoners/pulls/4.4/pdostgresql-boolean-consistency
FIX Postgres booleans should return as int for consistency
2019-04-17 15:43:35 +12:00
Guy Marriott
da1af3d8b0
FIX Postgres booleans should return as int for consistency 2019-04-17 15:15:17 +12:00
Guy Marriott
cc1fdf603b
Resolve incorrect empty string assertion in tests 2019-04-17 13:29:54 +12:00
Guy Marriott
9d6b5048a6 FIX Table aliases are retained on base tables in queries built using SQLConditionalExpression (#8918)
* Adding failing test for base table aliases using SQLSelect

* FIX Retain table aliases applied to the base table on queries

* FIX Move the trimmed alias outside of the condition so we can use it within the condition
2019-04-16 15:40:09 +12:00
Ralph Slooten
66c372ce28 Include baseURL with relative setGetVar() links (#8834)
* Return baseURL with setGetVar

* Adjust testSetGetVar tests for base url
2019-04-15 14:50:46 +12:00
Robbie Averill
8a06682e31 Merge branch '4.3' into 4
# Conflicts:
 #	src/ORM/Connect/DBSchemaManager.php
2019-04-11 11:24:17 +12:00
Sam Minnee
d295888838 MINOR: Improve type testing 2019-04-05 15:11:21 +13:00
Sam Minnee
2625cea5e3 MINOR: Add a test that 0 is falser on int, decimal, currency
Validates that https://github.com/silverstripe/silverstripe-framework/issues/3473 has been fixed

The bug was fixed in #8448
2019-04-05 15:11:21 +13:00
Sam Minnee
4f4153c834 MINOR: Test test to validate that multiple GreaterThan filters in a filterAny work.
Confirms https://github.com/silverstripe/silverstripe-framework/issues/3995 isn’t a bug.
2019-04-05 15:05:42 +13:00
Robbie Averill
123d483213 MemberTest and SecurityTest now set the default authenticator to use 2019-04-05 11:26:29 +13:00
Guy Marriott
a9d57f5bfb
Merge pull request #8241 from creative-commoners/pulls/4.3/separate-logging
Separate core error logging from standard LoggerInterface
2019-04-05 08:49:09 +13:00
Aaron Carlino
fc6213c293 Merge branch '4.3' into 4 2019-03-27 13:25:57 +13:00
Johannes Hammersen
e1190e33d2 Fix PDOConnector GeneratedID return type 2019-03-21 09:26:14 +01:00