Serge Latyntcev
ad1b00ec7d
[CVE-2019-19325] XSS through non-scalar FormField attributes
Silverstripe Forms allow malicious HTML or JavaScript to be inserted
through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting)
on some forms built with user input (Request data). This can lead to phishing attempts
to obtain a user's credentials or other sensitive user input.
There is no known attack vector for extracting user-session information or credentials automatically;
it requires a user to fall for the phishing attempt.
XSS can also be used to modify the presentation of content in malicious ways.
2020-02-17 09:58:29 +13:00
Serge Latyntcev
8219491705
Merge branch '4.3' into 4.4
2019-11-20 11:08:35 +13:00
Damian Mooyman
e76601e5c8
BUG FormAction title property cannot be set if useButtonTag is false
2019-10-29 17:21:45 +13:00
Serge Latyntcev
0cf5d4cbe2
Merge branch '4.3' into 4.4
2019-10-18 15:58:13 +13:00
Serge Latyntcev
46b9530d88
PSR2 linting fixes
2019-10-18 15:31:39 +13:00
Serge Latyntcev
dcbe6d0310
Merge branch '4.3' into 4.4
2019-10-18 10:57:35 +13:00
Damian Mooyman
d7752b7945
Run PSR2 Lint cleaner
2019-10-04 13:26:31 +13:00
Serge Latyntcev
7db524bd90
FIX DebugViewFriendlyErrorFormatter handling of admin_email
2019-10-04 10:26:54 +13:00
Garion Herman
0d27f32cc9
FIX Add 'legal empty attributes' to allow empty alt values on imgs
In some situations, a caption is used in place of a value in the alt
attribute, and in others an image may be cosmetic and not in need of an
alt attribute value (though the alt attribute must still be rendered in
this case).
2019-09-24 11:44:12 +12:00
Robbie Averill
3cfc21c405
Merge pull request #9241 from open-sausages/pulls/4.4.3/fix-file-permission
Fix administrators not being able to see files that are restricted to groups
2019-09-23 11:13:26 -07:00
bergice
6a1c6ecec6
Fix administrators not being able to see files that are restricted to groups
Resolves https://github.com/silverstripe/silverstripe-asset-admin/issues/777
2019-09-23 16:44:28 +12:00
Robbie Averill
592ab6abc1
Merge branch '4.3' into 4.4
2019-09-13 18:11:34 -07:00
Maxime Rainville
591b88a9bc
BUG Allow infinite loop when calling DataObject::writeComponent() recursively
2019-09-10 14:15:28 +12:00
Maxime Rainville
24015c7767
Merge branch '4.3' into 4.4
2019-09-04 09:42:09 +12:00
Robbie Averill
77ba8391c4
FIX Byte Order Marks (BOM) are now stripped when importing CSV files
2019-08-29 14:54:57 +12:00
Robbie Averill
11a7d6ccb4
Rename test to be clearer about its intent
Co-Authored-By: Guy Marriott <guy@scopey.co.nz>
2019-08-16 09:49:36 +12:00
Robbie Averill
bae7e32680
FIX Member::changePassword() no longer applies password validation rules to the hashed value
2019-08-16 09:06:07 +12:00
Robbie Averill
f354e2018d
FIX Set minimum test scores and password length for Members while running fixtured DataObject tests
2019-08-15 15:23:11 +12:00
Robbie Averill
4b44272367
Merge branch '4.3' into 4.4
2019-08-14 09:30:53 +12:00
Robbie Averill
d63e4b520c
Merge branch '4.2' into 4.3
2019-08-14 09:30:41 +12:00
UndefinedOffset
c1ffc4edfb
Added unit tests for multiple relationship sorting
2019-07-29 10:45:10 -03:00
Serge Latyntcev
d667d64f13
Merge branch '4.3' into 4.4
2019-07-15 09:18:17 +12:00
Serge Latyntcev
fcd7a1e63e
FIX core memory limit test
2019-07-12 16:30:25 +12:00
Serge Latyntsev
7ef13e7ef6
FIX Confirmation components to respect SS_BASE_URL (#9074)
2019-07-05 16:05:41 +12:00
Sam Minnee
96e7914f23
FIX: Fix MySQLQuery::seek() and Query::rewind() to fix repeated iteration
API: Query::seek() and Query::rewind() no longer return a value.
Although breaking an API inside a patch release may seem odd, this in
fact is correcting a long-standing bug in our implementation of
Iterator::rewind(), so I think it’s appropriate.
https://github.com/silverstripe/silverstripe-framework/issues/9097
2019-07-03 09:20:05 +12:00
Aaron Carlino
c747b1f8d3
Merge branch '4.3' into 4.4
2019-06-10 17:32:07 +12:00
Aaron Carlino
f766555d61
Merge branch '4.2' into 4.3
2019-06-10 17:27:05 +12:00
Serge Latyntcev
ca56e8d78e
[CVE-2019-12246] Denial of Service on flush and development URL tools
2019-06-10 17:23:56 +12:00
Robbie Averill
14673ffd0a
Merge branch '4.3' into 4.4
2019-05-30 09:35:26 +12:00
Robbie Averill
188698dcee
Merge branch '4.2' into 4.3
2019-05-30 09:35:17 +12:00
Robbie Averill
3e2fc6aa0b
Automated phpcbf linting
2019-05-30 09:34:34 +12:00
Aaron Carlino
3f1479edbb
BUGFIX: DataQuery overwriting _SortColumn selects (#8974)
* BUGFIX: DataQuery overwriting _SortColumn selects
* FIX DataQuery _SortColumn handling
2019-05-15 11:42:10 +12:00
Maxime Rainville
8ee50d2ba7
API Remove DataObjectSchema::getFieldMap() (#8960)
Introduced as a less public API in https://github.com/silverstripe/silverstripe-assets/pull/227
2019-05-06 12:33:23 +12:00
Guy Marriott
82c8225502
Merge branch '4.3' into 4.4
2019-05-03 09:45:25 +12:00
Serge Latyntcev
3d777cfb8a
Backward compatible behaviour for SQLConditionalExpression::getJoins
2019-05-02 15:39:36 +12:00
Andre Kiste
0c6c57f1ef
Add getFieldMap method to retrieve a list of all fields for any giv… (#8892)
* Add `getFieldMap` method to retrieve a list of all fields for any given class
* Add `TagsToShortcodeTask` to upgrading guide
Adding after the file migration part as this is where it makes the most sense to run it.
* `getFieldMap` accepts an array
* Move to `DataObjectSchema`
* Add `HTMLVarchar` to documentation
Minor refactoring
* Add test for checking that `subclassesfor` works without the base class
Add test `DataObjectSchema::getFieldMap` returns the correct array
* Remove cms dependency
2019-04-30 10:43:14 +12:00
Aaron Carlino
c63eecc3e1
Merge branch '4.3' into 4
2019-04-18 11:57:36 +12:00
Sam Minnée
155a9bb1f9
Merge pull request #8934 from creative-commoners/pulls/4.4/pdostgresql-boolean-consistency
FIX Postgres booleans should return as int for consistency
2019-04-17 15:43:35 +12:00
Guy Marriott
da1af3d8b0
FIX Postgres booleans should return as int for consistency
2019-04-17 15:15:17 +12:00
Guy Marriott
cc1fdf603b
Resolve incorrect empty string assertion in tests
2019-04-17 13:29:54 +12:00
Guy Marriott
9d6b5048a6
FIX Table aliases are retained on base tables in queries built using SQLConditionalExpression (#8918)
* Adding failing test for base table aliases using SQLSelect
* FIX Retain table aliases applied to the base table on queries
* FIX Move the trimmed alias outside of the condition so we can use it within the condition
2019-04-16 15:40:09 +12:00
Ralph Slooten
66c372ce28
Include baseURL with relative setGetVar() links (#8834)
* Return baseURL with setGetVar
* Adjust testSetGetVar tests for base url
2019-04-15 14:50:46 +12:00
Robbie Averill
8a06682e31
Merge branch '4.3' into 4
# Conflicts:
# src/ORM/Connect/DBSchemaManager.php
2019-04-11 11:24:17 +12:00
Sam Minnee
d295888838
MINOR: Improve type testing
2019-04-05 15:11:21 +13:00
Sam Minnee
2625cea5e3
MINOR: Add a test that 0 is falser on int, decimal, currency
Validates that https://github.com/silverstripe/silverstripe-framework/issues/3473 has been fixed
The bug was fixed in #8448
2019-04-05 15:11:21 +13:00
Sam Minnee
4f4153c834
MINOR: Test to validate that multiple GreaterThan filters in a filterAny work.
Confirms https://github.com/silverstripe/silverstripe-framework/issues/3995 isn’t a bug.
2019-04-05 15:05:42 +13:00
Robbie Averill
123d483213
MemberTest and SecurityTest now set the default authenticator to use
2019-04-05 11:26:29 +13:00
Guy Marriott
a9d57f5bfb
Merge pull request #8241 from creative-commoners/pulls/4.3/separate-logging
Separate core error logging from standard LoggerInterface
2019-04-05 08:49:09 +13:00
Aaron Carlino
fc6213c293
Merge branch '4.3' into 4
2019-03-27 13:25:57 +13:00
Johannes Hammersen
e1190e33d2
Fix PDOConnector GeneratedID return type
2019-03-21 09:26:14 +01:00