Commit Graph

2376 Commits

Author SHA1 Message Date
Guy Sartorelli
1a5bb4cbec
[CVE-2023-22729] Escaped double slash is absolute URL 2023-04-26 09:49:59 +12:00
Guy Sartorelli
fd5d8217e8
[CVE-2023-22728] Check canView before printing from GridField 2023-04-26 09:45:34 +12:00
Steve Boyd
3d03a93b8f Merge branch '4.12' into 4.13 2023-04-11 10:55:17 +12:00
Dylan Wagstaff
92061a3ba6
FIX stabilise typed APIs (#10740)
Since 4.12 the use of typehints and return types has caused issues with
values fetched directly from config without validation. This has lead to
upgrade woes in a minor version (#10721) with no immediate recourse
other than manual system intervention.

To use types, we should ensure types, leaving a stable API that won't
error on a bad value - or should give a thoughtful and directive error
message if so.

Issue #10721 summary:
SessionMiddleware runs before FlushMiddleware
SessionMiddleware causes a PHP fatal error passing `null` to a `string`
parameter.
`null` comes from config, because default string value doesn't exist. We
need flush for this - but system execution never makes it that far.
2023-04-11 10:52:41 +12:00
Florian Thoma
cd946b6c80
Group visibility for SITETREE_GRANT_ACCESS permissions
Make groups visible if member has SITETREE_GRANT_ACCESS permissions, otherwise the dropdown for selecting the group is empty
2023-04-05 16:33:41 +10:00
Steve Boyd
0f40cc38ec FIX Respect searchable_fields 2023-03-23 10:57:03 +13:00
Steve Boyd
41bb35f3f3 FIX Reduce array method calls 2023-03-22 11:06:23 +13:00
zemiacsik
d60af9d16e
FIX property_exists() parameters mixup
ensure that property parameter is a string
2023-03-14 08:42:22 +01:00
zemiacsik
5b8d61b55b
FIX property_exists() parameters mixup
property_exists() has first parameter "object_or_class" and second is a property to check
2023-03-13 13:51:48 +01:00
Guy Sartorelli
a4929a171e
Merge pull request #10697 from creative-commoners/pulls/4/nicer-deprecations
ENH Improve deprecation logging
2023-03-09 14:39:51 +13:00
Guy Sartorelli
046befc4ba
ENH Improve deprecation logging 2023-03-06 13:25:44 +13:00
Guy Sartorelli
128b327c6d
API Add method to check if env var is set 2023-03-06 11:49:22 +13:00
Steve Boyd
8b148bf293 Merge branch '4.12' into 4 2023-03-02 15:37:03 +13:00
Guy Sartorelli
66561ccb49
FIX Correctly deprecation Sources.module_priority (#10711)
This config was deprecated back in #7154 and hasn't been used since
2023-03-02 11:05:35 +13:00
Maxime Rainville
403f924d22
BUG Update RelatedDataService to properly escape ClassName in Polymorphic relations (#10713) 2023-03-02 09:56:40 +13:00
Florian Thoma
6585d499f5 FIX Convert slashes in paths when getting list of classes for file/folder
This is to support the mechanism working on all operating systems where Windows may produce a mix of forward and backward slashes in some paths.
For working with the files it may not be a problem, but for exact string comparison the path delimiters need to be unified.
2023-03-01 20:32:19 +13:00
Guy Sartorelli
277e97a84f
Merge pull request #10709 from creative-commoners/pulls/4/deprecated-args
ENH Updated deprecation warning message
2023-03-01 14:19:18 +13:00
Guy Sartorelli
58ca426f11
Merge branch '4.12' into 4 2023-03-01 12:54:30 +13:00
Sabina Talipova
05674adf51 ENH Updated deprecation warning message 2023-03-01 12:39:42 +13:00
Guy Sartorelli
5295ba6c16
API Throw deprecation warnings for bad configuration (#10702) 2023-03-01 11:36:08 +13:00
Guy Sartorelli
6669d54f59
FIX Wrap deprecated config with no replacement (#10704) 2023-02-27 18:13:31 +13:00
Guy Sartorelli
652281507f
FIX Correctly identify deprecated API in withNoReplacement (#10706) 2023-02-27 15:25:27 +13:00
Guy Sartorelli
ab566b0a15
API Add new deprecation notices. (#10691)
These are removed in CMS 5.
2023-02-15 13:26:36 +13:00
Florian Thoma
54fc4ee9d2
fix directory separator in i18nTextCollector on Windows (#10681)
* fix directory separator in i18nTextCollector for Windows

* fix typo
2023-02-09 19:09:48 +13:00
Sabina Talipova
1f7adab62e
Merge pull request #10677 from creative-commoners/pulls/4/deprecate-diff
API Deprecate Diff in favour of CMS5's HtmlDiff
2023-02-08 16:36:58 +13:00
Guy Sartorelli
3a14aafc7f
API Deprecate Diff in favour of CMS5's HtmlDiff 2023-02-08 11:15:28 +13:00
Steve Boyd
4e9c74243d API Deprecate code 2023-02-07 11:56:04 +13:00
Steve Boyd
23efed1802 Merge branch '4.12' into 4 2023-02-02 16:20:00 +13:00
Thomas Portelange
3e5d99dedc
Prevent backslash in class name
since the default code is using get_called_class, you can end up with \ in the class name which is an escape character for css selectors
this update convert for example

even valCMS_ACCESS_SilverStripe\VersionedAdmin\ArchiveAdmin
to
even valCMS_ACCESS_SilverStripe-VersionedAdmin-ArchiveAdmin

ArchiveAdmin class should probably implement     private static $required_permission_codes = 'CMS_ACCESS_ArchiveAdmin '; also
2023-01-30 10:26:22 +01:00
Steve Boyd
b973c88648 API Deprecate HTML4Value 2023-01-16 15:28:23 +13:00
Mojmir Fendek
2c105cffc9
ENH: saveInto() new extension points. (#10636)
* ENH: saveInto() new extension points.
2023-01-13 09:43:22 +13:00
Florian Thoma
bb8e3b8386
fix: optional return value for paginator state
`$state->getData()->getData('GridFieldPaginator')' (line 598) returns null by default.
2023-01-02 15:32:16 +11:00
Shiva Kerdel
4a1eb0c158
ISSUE-10615: Respect SS_BASE_URL scheme in CLI environment.
Additionally set _SERVER variables for HTTPS and SSL to respect SS_BASE_URL scheme when executing builds and tasks through CLI.
This should solve base tags not being provided with the correct HTTP scheme. This is important to resolve mixed content issues and insecure requests.
2022-12-20 11:13:02 +13:00
Guy Sartorelli
0d662ba95f
Merge branch '4.12' into 4 2022-12-19 01:38:09 +00:00
Sabina Talipova
4e1b99b8c7
Merge pull request #10588 from creative-commoners/pulls/4/stop-using-depr
API Stop using deprecated API
2022-12-05 16:35:09 +13:00
Guy Sartorelli
8bb712a461
Merge branch '4.11' into 4.12-release 2022-11-30 10:54:02 +13:00
Michal Kleiner
b107622400
FIX Improve rounding logic for storing of long decimal numbers (#10593)
Co-authored-by: Michal Kleiner <michal.kleiner@cub3.com>
2022-11-29 15:07:56 +13:00
Steve Boyd
b5533e4680 API Stop using deprecated API 2022-11-28 19:16:31 +13:00
Michal Kleiner
da06a2d0cf
Merge pull request #10577 from creative-commoners/pulls/4/textcollector-class-notation 2022-11-25 10:27:59 +13:00
Will Rossiter
1354edf054
fix misleading error message with test class 2022-11-25 09:13:08 +13:00
Chris Penny
31d5aef520 Bugfix: SSViewer check object exists before calling prop or method 2022-11-24 13:18:56 +13:00
Steve Boyd
20582936d8 Merge branch '4.12' into 4 2022-11-23 16:42:25 +13:00
Steve Boyd
cb76f312a4 Merge branch '4.11' into 4.12-release 2022-11-21 13:44:23 +13:00
Steve Boyd
dc98cad48a Merge branch '4.10' into 4.11 2022-11-21 13:43:59 +13:00
Steve Boyd
fe13856769 [CVE-2022-37429] Sanitise XSS 2022-11-21 13:06:40 +13:00
Guy Sartorelli
17f1c7ceed
Merge pull request #10585 from creative-commoners/pulls/4.11/cve-2022-37430
Sanitise mixed case javascript
2022-11-21 13:03:30 +13:00
Guy Sartorelli
e5b81109de
Merge pull request #10584 from creative-commoners/pulls/4.11/cve-2022-38462
Don't allow CRLF in header values
2022-11-21 13:02:25 +13:00
Steve Boyd
4308a93cc8 [CVE-2022-38148] Validate SortColumn exists 2022-11-21 13:01:32 +13:00
Guy Sartorelli
b17b29eea1
Merge pull request #10583 from creative-commoners/pulls/4.11/cve-2022-38724-embed-shortcode
Restrict embed shortcode attributes
2022-11-21 13:01:23 +13:00
Sabina Talipova
ad116c63e6
Merge pull request #10565 from creative-commoners/pulls/4/stop-depr
API Stop using deprecated API
2022-11-16 14:26:18 +13:00
Steve Boyd
137ebcebec API Stop using deprecated API 2022-11-15 18:20:54 +13:00
Daniel Hensby
c49abf0fcc
Merge remote-tracking branch 'upstream/4.11' into 4.12 2022-11-11 13:25:54 +00:00
Guy Sartorelli
521c8179b1
ENH Correctly parse SomeClass::class syntax in textcollection 2022-11-11 11:37:53 +13:00
Lee Bradley
78b661dcf6
Prevent infinite loop when getting table name for ComponentID
If the field isn't in the first 2 classes then would just continue to loop
Fix means it will continue going to parent classes

Can be seen in the UsedOnTable in `admin` module if you have injected a new `Image` class that extends the built in one
2022-11-10 14:00:29 +00:00
Guy Sartorelli
ed63beeeee
Merge branch '4.11' into 4 2022-11-09 10:53:09 +13:00
Loz Calver
7f8f5afc91 Ensure forms/fields overridden by onBeforeRender() can override templates 2022-11-02 11:57:57 +00:00
Loz Calver
e2cb683f14 FIX: Stop FormField onBeforeRenderHolder extension result being overridden 2022-11-02 10:06:23 +00:00
Loz Calver
c925fae180 NEW: Add onBeforeRender extension hook to Form 2022-11-02 10:05:02 +00:00
Steve Boyd
9091d64652 API Deprecate Member::create_new_password() 2022-11-02 10:08:27 +13:00
Steve Boyd
b1dc861aac NEW Record deprecated config 2022-10-31 19:00:59 +13:00
Steve Boyd
a3c1cb0ddf
ENH Set PasswordEncryption on default admin 2022-10-27 13:57:27 +13:00
Guy Sartorelli
168ca00555
[CVE-2022-38724] Restrict embed shortcode attributes 2022-10-26 09:31:12 +13:00
Steve Boyd
59b980edd7 Merge branch '4.11' into 4 2022-10-21 11:46:39 +13:00
Steve Boyd
897f9906f9 FIX Handle calling Deprecation::notice() before manifests are available 2022-10-21 10:08:31 +13:00
Steve Boyd
bd2eb15c72 FIX Ensure Deprecation works with 1.x branches 2022-10-20 13:14:58 +13:00
Steve Boyd
e3a6cad8a8 FIX Allow passing objects to InjectionCreator::create()
Co-authored-by: Nate Devereux <nate@daveclark.co.nz>
2022-10-19 18:04:48 +13:00
Phillip King
c4b3d5304d Update tinymce links in comments 2022-10-14 16:11:58 +13:00
Steve Boyd
9c453abf89 API Update deprecations 2022-10-13 14:49:15 +13:00
Steve Boyd
33b6a00f49 ENH Update deprecation messages 2022-10-13 14:48:40 +13:00
Steve Boyd
e6aa183eb4 API Update deprecations for SapphireTest and FunctionalTest 2022-10-13 14:05:49 +13:00
Steve Boyd
2991901660 ENH Update deprecation messages 2022-10-13 14:05:49 +13:00
Steve Boyd
7b87926428 ENH Update deprecation messages 2022-10-13 14:05:49 +13:00
Steve Boyd
9f541b9a04 MNT Remove deprecation from private method 2022-10-13 14:05:49 +13:00
Steve Boyd
cc49036616 ENH Standardise deprecation messages 2022-10-13 14:05:49 +13:00
Steve Boyd
0852f504fb API Update deprecations for SapphireTest and FunctionalTest 2022-10-13 14:05:49 +13:00
Steve Boyd
1ee0aff1d1 FIX Prevent infinite loops in Deprecation::notice() 2022-10-13 13:37:29 +13:00
Steve Boyd
906cd0e76d
API Deprecate render() (#10527) 2022-10-07 14:44:02 +13:00
Guy Sartorelli
8419984b36
Merge pull request #10517 from creative-commoners/pulls/4/deprecate-swiftmailer
API Deprecate swiftmailer
2022-10-07 09:37:11 +13:00
Steve Boyd
96a931d24f API Deprecate swiftmailer 2022-10-06 09:52:06 +13:00
Christian Bünte
e24fb3f86c
Fix i18nTextCollector produces corrupt output / namespaces when running under PHP8.0 (#10228)
* FIX i18nTextCollector produces corrupt output / namespaces when running under PHP8.0
2022-09-29 13:40:40 +13:00
Guy Sartorelli
421864d111
Merge branch '4.11' into 4 2022-09-29 09:41:06 +13:00
Thomas Portelange
54892fa267
request may not have a session
see https://github.com/silverstripe/silverstripe-framework/pull/10512
2022-09-28 10:44:13 +02:00
Guy Sartorelli
4a598ded51
FIX Allow removing named extensions in yaml config 2022-09-27 13:15:28 +13:00
Bram de Leeuw
f78c3ee5bb
Member updateName extension hook
Allow updating the Member name from an extension
2022-09-26 16:57:39 +02:00
Steve Boyd
5111b56ac9 ENH Add PHP 8.1 safe null-coalescing operators to peg file 2022-09-15 12:59:05 +12:00
Guy Sartorelli
c4eadcd074
Merge branch '4.11' into 4 2022-09-09 16:47:49 +12:00
Guy Sartorelli
d3c28579b7
[CVE-2022-38462] Don't allow CRLF in header values 2022-09-07 11:22:07 +12:00
Guy Sartorelli
6d885ab894
FIX Normalise casing before casting fields 2022-08-25 17:36:06 +12:00
Viktor Szépe
94d1ac8d99
ENH Various changes via static analysis tooling 2022-08-24 12:14:32 +12:00
Steve Boyd
2b5420ee7d [CVE-2022-37430] Sanitise mixed case javascript 2022-08-23 15:36:48 +12:00
Guy Sartorelli
a75317343e
Merge pull request #10439 from creative-commoners/pulls/4/better-button-keep-state
ENH Update page number in the state on reaching the first or the last…
2022-08-22 13:47:47 +12:00
Sabina Talipova
c0b38fc411 ENH Update page number in the state on reaching the first or the last element in a list 2022-08-22 12:44:11 +12:00
Guy Sartorelli
10ef46a5ec
ENH Make DataObject::exists() an alias of DataObject::isInDB() (#10407) 2022-08-16 09:43:54 +12:00
Guy Sartorelli
a7461a8ffa
API Deprecate PHPUnit 5.7 compatability hacks 2022-08-10 16:21:05 +12:00
Sergey Shevchenko
4994844729 refactor: variable naming in Requirements_Backend::resolveCSSReferences() 2022-08-05 21:27:36 +12:00
Sergey Shevchenko
ebb1601d5d fix: misc suggested changes
* disable resolve_relative_css_refs by default
* variable naming
* using proper path joiner
* test comment typo
2022-08-05 15:35:26 +12:00
Sergey Shevchenko
bc9a323418 fix: more tests, improved paths detection, readability 2022-08-05 15:35:26 +12:00
Sergey Shevchenko
9854e48cfc Update Requirements_Backend.php 2022-08-05 15:35:26 +12:00
Sergey Shevchenko
a2906cd02c ENH Requirements_Backend::resolveCSSReferences(): Tests, config, doc, safety.
* Changed to ignore absolute paths altogether
* Improve tests
* Added config flag
* Changed docs
2022-08-05 15:35:26 +12:00
Sergey Shevchenko
c5e68dd2c0 ENH: resolve relative references in CSS files when combining 2022-08-05 15:35:26 +12:00