Commit Graph

4773 Commits

Author SHA1 Message Date
Simon Welsh
c504fe0beb Merge pull request #2451 from chillu/pulls/escape-2.4
Escaping 2.4
2013-09-24 12:41:00 -07:00
Ingo Schommer
f69161efef FIX Auto-escape titles in TreeDropdownField
Related to SS-2013-009. While the default "TreeTitle" was escaped
within the SiteTree->TreeTitle() getter, other properties like SiteTree->Title
weren't escaped. The new logic uses the underlying casting helpers
on the processed objects.
2013-09-24 14:28:28 +02:00
Ingo Schommer
81ccb8d78e API Escape form validation messages (SS-2013-008) 2013-09-24 14:28:11 +02:00
Ingo Schommer
02ede1e811 Added 2.4.12 changelog 2013-09-24 14:28:11 +02:00
Stig Lindqvist
ac284eeff1 Merge pull request #2421 from ss23/patch-1
Failed login message translation fallback
2013-09-15 20:44:30 -07:00
Stephen Shkardoon
4f52f25d46 Failed login message translation fallback
Without this, if you use a locale with no translation for this (e.g. en_NZ), users will never see a "failed login" message.
2013-09-16 15:33:42 +12:00
Ingo Schommer
d98c1db3a2 Retain 5.2 compatibility in DirectorTest
parse_url() doesn't support schema-less URLs in 5.2
2013-09-12 15:59:18 +02:00
Ingo Schommer
a914dee6d9 FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:38:59 +02:00
Ingo Schommer
ec8e8261f2 FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:38:59 +02:00
Ingo Schommer
797951595b FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:38:56 +02:00
Ingo Schommer
84a8b21936 Update 2.4.11 changelog 2013-08-07 20:27:18 +02:00
Ingo Schommer
a6a7b01afc Added 2.4 changelog 2013-08-07 15:23:46 +02:00
Ingo Schommer
83a9f35398 Removed composer dependency on CMS, workaround for composer/installers
The installer dependency gets included too late for 2.4,
so framework ends up in the wrong path. That's a bug with composer,
see https://github.com/composer/composer/issues/1147
Until it's fixed, we remove the explicit dependency which seems
to trigger this path in the dependency resolver (works for 3.x)
2013-08-07 14:51:45 +02:00
Ingo Schommer
ff9e4b3b10 composer/installers dep workaround
Moved to end of requirements, to work around a bug in composer - see https://github.com/composer/composer/issues/1147. This caused the dependencies to be installed in the wrong folder because the custom 'silverstripe-module' instructions hadn't been loaded at the time the core modules were installed via composer.
2013-08-07 14:36:26 +02:00
Ingo Schommer
fe3f58511d Merge pull request #2286 from hafriedlander/fix/flush_24
FIX Flush on memory exhaustion and when headers sent
2013-08-06 14:22:25 -07:00
Hamish Friedlander
15406dd559 FIX Constants magic_quotes needs function from Core 2013-08-05 14:58:06 +12:00
Hamish Friedlander
60a95cbe77 FIX Token redirect where in IIS a / needs adding between host & url 2013-08-05 09:14:10 +12:00
Hamish Friedlander
2f9689b8f8 FIX Flush on memory exhaustion and headers sent 2013-08-01 09:42:52 +12:00
Sam Minnee
a150989e6f FIX: Fixed escaping of date in view of archived site. 2013-07-30 18:30:51 +12:00
Sam Minnée
a787dddeab Merge pull request #2262 from hafriedlander/fix/flush_24
FIX Nice errors and allows flush on module removal
2013-07-23 16:44:36 -07:00
Hamish Friedlander
5212ab031a FIX Nice errors and allows flush on module removal 2013-07-24 09:16:42 +12:00
Sam Minnée
e993a0defe Merge pull request #2254 from hafriedlander/fix/flush_24
Split Core.php into Constants.php and Core.php and adjust main.php startup
2013-07-22 15:33:50 -07:00
Hamish Friedlander
09db9a659e FIX Only suppress fatal errors 2013-07-22 14:48:58 +12:00
Hamish Friedlander
122a9f898e Split Core.php into Constants.php and Core.php and adjust main.php startup
The recent flush filter fix had a problem that you couldn't set a custom
BASE_PATH in _ss_environment because that file didn't get included until
after checking the confirmation token. This patch pulls the part of Core.php
that defines BASE_PATH into a separate file that can be included earlier
in the startup sequence so that ParameterConfirmationToken can access it.

Core.php includes Constants.php with a require_once call, so for startup
scripts that don't pull in Constants.php themselves (like cli-script.php)
no change is needed.
2013-07-22 14:02:37 +12:00
Sam Minnee
e782648b3a FIX: Fixed TempPath inclusion for phpunit & cli-script 2013-07-19 15:50:44 +12:00
Sam Minnée
7fe183ab20 Merge pull request #2247 from hafriedlander/fix/flush_24
FIX: Have ParameterConfirmationToken work regardless of include path
2013-07-18 20:46:47 -07:00
Hamish Friedlander
296b131171 FIX: Actually use argument in getTempFolder 2013-07-19 15:05:12 +12:00
Hamish Friedlander
ec8c4b8569 FIX: Ignore invalid tokens instead of throwing 403 2013-07-19 15:04:50 +12:00
Hamish Friedlander
d42d8d0fc2 FIX: Have ParameterConfirmationToken includes work regardless of include path 2013-07-19 14:30:59 +12:00
Sam Minnée
b774db43fb Merge pull request #2246 from hafriedlander/fix/flush_24
FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) in 2.4
2013-07-18 17:39:19 -07:00
Hamish Friedlander
8990788818 FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-19 12:31:37 +12:00
Hamish Friedlander
31429b7936 Move getTempFolder out of Core.php to own file 2013-07-19 11:01:20 +12:00
Ingo Schommer
5796ed225e Updated github path 2013-05-17 00:35:28 +02:00
Sean Harvey
813749e909 Fixing array to string conversion in dev/build for PHP 5.4 2013-05-12 21:28:17 +12:00
Ingo Schommer
a2394331af composer/installer dep workaround
Moved to end of requirements, to work around a bug in composer - see https://github.com/composer/composer/issues/1147. This caused the dependencies to be installed in the wrong folder because the custom 'silverstripe-module' instructions hadn't been loaded at the time the core modules were installed via composer.
2013-04-30 19:08:50 +03:00
Ingo Schommer
ff63d7ae26 Merge pull request #1821 from oddnoc/csvbulkloader-findexisting-2.4
Use the correct variable as the key into $record
2013-04-30 06:48:54 -07:00
Fred Condo
433b883c6b Use the correct variable as the key into $record
It was using $fieldName, which is the CSV field name, not the database
field name. This prevents duplicate detection from working. It now
properly uses $SQL_fieldName
2013-04-29 17:27:27 -07:00
Ingo Schommer
c26b83ebfb Less trademark-encumbered doc icons (fixed #1787)
Thanks to http://p.yusukekamiyamane.com/
2013-04-30 00:41:58 +02:00
Ingo Schommer
43d4224286 Require cms in 2.4 composer.json (which is used in travis) 2013-03-28 22:18:08 +01:00
Ingo Schommer
05d1305497 Simplified travis builds (external setup scripts) 2013-03-28 22:10:35 +01:00
Ingo Schommer
5cad7fe9e3 Merge pull request #1308 from ss23/patch-10
BUG SQL Injection in CsvBulkLoader (fixes #6227)
2013-03-19 05:03:56 -07:00
Stephen Shkardoon
143317cc86 BUG SQL Injection in CsvBulkLoader (fixes #6227)
Diff should speak for itself, looks like this will have to be implemented in all supported branches.
2013-03-20 00:45:05 +13:00
Ingo Schommer
a8a10f8a1a BUG Transaction stub methods for better cross 2.x and 3.x compat
The transactionStart() naming is 3.x, and used by some modules
which are otherwise still 2.x compatible.

Specifically, this was added to avoid branching the payment module
into separate 2.x and 3.x compatible branches.
2013-02-26 13:49:46 +01:00
Ingo Schommer
56ad1d027e Updated changelog 2013-02-18 01:03:57 +01:00
Ingo Schommer
190e0b8a47 Add ContentController->handleWidget() to $allowed_actions
Required by recent $allowed_actions security fix
2013-02-18 00:10:06 +01:00
Ingo Schommer
eecd34868f BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This will prevent empty passwords from setting the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproducible e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:16:25 +01:00
Ingo Schommer
3e27d27f7a Improved docs on $allowed_actions
Added section to "Controllers" and "Form" topics,
added $allowed_actions definitions to all controller examples
2013-02-17 23:16:25 +01:00
Ingo Schommer
50995fbecb BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:16:22 +01:00
Ingo Schommer
5d3ed12e20 Nginx docs for denying composer file access (fixes #8011) 2013-02-15 19:22:21 +01:00
Sean Harvey
9337902fdd Merge pull request #1181 from chillu/pulls/showtemplate-admin
API Require ADMIN for ?showtemplate=1 (2.4)
2013-02-12 15:07:13 -08:00