Commit Graph

220 Commits

Author SHA1 Message Date
Maxime Rainville
acd7d94167 Merge branch '4.4' into 4.5 2020-02-17 13:07:26 +13:00
Serge Latyntcev
ad1b00ec7d [CVE-2019-19325] XSS through non-scalar FormField attributes
Silverstripe Forms allow malicious HTML or JavaScript to be inserted
through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting)
on some forms built with user input (Request data). This can lead to phishing attempts
to obtain a user's credentials or other sensitive user input.
There is no known attack vector for extracting user-session information or credentials automatically,
it required a user to fall for the phishing attempt.
XSS can also be used to modify the presentation of content in malicious ways.
2020-02-17 09:58:29 +13:00
Mojmir Fendek
e2bea6b41f API Add withConfig method (#9011)
* With config functionality added.
* Update docs/en/02_Developer_Guides/04_Configuration/00_Configuration.md
2019-10-31 16:12:04 +13:00
Serge Latyntcev
33a28394d6 Merge branch '4.4' into 4 2019-10-18 15:59:28 +13:00
Serge Latyntcev
0cf5d4cbe2 Merge branch '4.3' into 4.4 2019-10-18 15:58:13 +13:00
Serge Latyntcev
46b9530d88 PSR2 linting fixes 2019-10-18 15:31:39 +13:00
Serge Latyntcev
7873efde9c Merge branch '4.4' into 4 2019-10-18 10:58:19 +13:00
Michal Kleiner
1a2dbfd3a5
Update conditional logic when checking array keys before removing methods in CustomMethods 2019-09-30 10:17:59 +13:00
Michal Kleiner
52a039f631 Check array keys existence prior to their usage when removing methods in CustomMethods 2019-09-27 14:57:15 +12:00
UndefinedOffset
571a4d9ace NEW: Added support for config condition if PHP extension is loaded 2019-07-02 14:55:36 -03:00
Aaron Carlino
c747b1f8d3 Merge branch '4.3' into 4.4 2019-06-10 17:32:07 +12:00
Aaron Carlino
f766555d61 Merge branch '4.2' into 4.3 2019-06-10 17:27:05 +12:00
Serge Latyntcev
ca56e8d78e [CVE-2019-12246] Denial of Service on flush and development URL tools 2019-06-10 17:23:56 +12:00
Ingo Schommer
8324235eda API Opt-out of in-memory caching factory
In-memory caches are typically more resource constrained (number of items and storage space).
Give cache consumers an opt-out if they are expecting to create large caches with long lifetimes.
Use case: https://github.com/silverstripe/silverstripe-assets/pull/282
2019-06-07 12:21:10 +12:00
Andre Kiste
0c6c57f1ef Add getFieldMap method to retrieve a list of all fields for any giv… (#8892)
* Add `getFieldMap` method to retrieve a list of all fields for any given class

* Add `TagsToShortcodeTask` to upgrading guide

Adding after the file migration part as this is where it makes the most sense to run it.

* `getFieldMap` accepts an array

* Move to `DataObjectSchema`

* Add `HTMLVarchar` to documentation
Minor refactoring

* Add test for checking that `subclassesfor` works without the base class
Add test `DataObjectSchema::getFieldMap` returns the correct array

* Remove cms dependency
2019-04-30 10:43:14 +12:00
Rafael Marins de Sousa
68337bd8be Including is_array validation to getEnv method. When SS website is deployed to FortRabbit .env file is read as string what causes the website to crash, due to the lack of type check at getEnv method. 2019-04-04 15:41:13 +13:00
Aaron Carlino
fc6213c293 Merge branch '4.3' into 4 2019-03-27 13:25:57 +13:00
Aaron Carlino
9eac374b13 Use strcasecmp 2019-03-27 12:40:56 +13:00
Aaron Carlino
aa491d9294 Fix tests 2019-03-20 12:33:00 +13:00
Aaron Carlino
39a29fa2f6 ENHANCEMENT: has_extension() should allow injector overrides 2019-03-20 12:33:00 +13:00
Aaron Carlino
ab5bbda88c Merge branch '4.3' into 4 2019-01-10 12:31:27 +13:00
Maxime Rainville
1e01deea39 NEW Make resources dir configurable (#8519)
* NEW Make resources dir configurable.

* Removing reference to old `resources` and updating doc #8519

* Rrtarget to 4.4 release.

* DOC Reference SS_RESOURCES_DIR in Environment doc.

* API Add a Resources method to SilverStripe\Core\Manifest\Module to read the resources-dir from composer.json

* Clean up reference to SS_RESOURCES_DIR env var

* Set default resources-dir

* Update test to use RESOURCES_DIR const in expected resource url method

* Correcting typos

Co-Authored-By: maxime-rainville <maxime@rainville.me>

* MINOR Correctubg minor typos

* DOCS Document the intricacies of exposing static assets.
2019-01-09 15:35:45 +13:00
Robbie Averill
068c240d38
Update src/Core/CustomMethods.php
Co-Authored-By: jchenevey <jchenevey@users.noreply.github.com>
2019-01-08 15:27:38 -05:00
Joe Chenevey
3730d84d18
Update CustomMethods.php
Switch to an early `continue` rather than wrapping contents of `foreach` in an `if` and indenting.
2019-01-08 15:24:21 -05:00
Joe Chenevey
afceccb9a6
CustomMethods->removeMethodsFrom Warnings
Check to ensure `self::$extra_methods[$class][$method]` exists before trying to retrieve its value. Silences warnings generated by updating a controller's failover.
2019-01-08 15:14:23 -05:00
Sam Minnee
0c17ffc944 FIX: Manifest should ignore vendor folders within packages contained in vendor
Without this change vendor/silverstripe/framework/vendor/silverstripe/config
will be pick up by the manifest, which is inappropriate.

Although this doesn’t happen often, it can occur if you have run
“composer install” within vendor/silverstripe/framework, which can be
done either accidentally or (in my case) as part of running the
framework tests isolated from the rest of your project (which is closer
to the execution model on Travis)

Note that the presence of the ‘nestedvendor.txt’ file tests that this
works without any explicit changes to the PHP of the tests, since it’s
merely confirming that such a file is *not* picked up.
2018-11-30 13:52:25 +13:00
Robbie Averill
1f1c344272 Merge branch '4.3' into 4
# Conflicts:
 #	tests/php/Forms/ConfirmedPasswordFieldTest.php
2018-11-26 12:15:17 +01:00
Robbie Averill
41dc9229bf FIX Reverting ExtensionTestState and Extensible extra methods modifications to prevent PHP 5.6 segfault (#8581)
* API Revert addition of Extensible::flush_extra_methods_cache() and change to ExtensionTestState

This reverts the changes from #8465 and #8505 that relate to ExtensionTestState and the
tracking of extra methods between unit tests. The existing test from #8465 testing
overloaded Extensions after extra_methods are populated has been updated to show that you
must re-add the extension to flush the extra_methods cache if you need this behaviour.

* Revert change to InjectorTest::testExtendedExtensions

* Revert "Add failing test to show that overloaded extensions are broken in Extensible"

This reverts commit 55e79ffdfd.

* DOCS Add docs for extending extensions, and upgrade guide note to 4.3 to avoid using PHP config to do so
2018-11-26 12:00:02 +13:00
Robbie Averill
3b1e91eb59 Merge branch '4.2' into 4.3 2018-11-15 13:41:23 +02:00
Robbie Averill
ef0f9dff8a Merge branch '4.1' into 4.2 2018-11-15 13:41:00 +02:00
Robbie Averill
c6e3a398c7 Merge branch '4.0' into 4.1 2018-11-15 13:40:08 +02:00
Loz Calver
b5bae137bd FIX: Redirect loop with multiple confirmation tokens present (fixes #8607) 2018-11-15 10:59:42 +00:00
Robbie Averill
24d6527845 Merge branch '4.3' into 4 2018-11-09 11:39:27 +02:00
Robbie Averill
10f502f0c7 Merge branch '4.2' into 4.3 2018-11-09 11:39:05 +02:00
Robbie Averill
5b7723df7f Merge branch '4.1' into 4.2
# Conflicts:
 #	lang/fi.yml
 #	lang/nl.yml
2018-11-09 11:38:04 +02:00
Robbie Averill
df4d2bd838 Merge branch '4.0' into 4.1
# Conflicts:
 #	lang/da.yml
 #	lang/eo.yml
 #	lang/fi.yml
 #	lang/it.yml
 #	lang/nl.yml
 #	lang/sv.yml
2018-11-09 11:36:34 +02:00
Werner M. Krauß
bc0f17fb09 Cleanup Convert
* remove unneeded parenthesis and double quotes
* simplify flow / remove unneeded else
2018-11-07 17:45:01 +01:00
Werner M. Krauß
3f321f935a Convert::memstring2bytes should return integer value
bytes are by nature an integer

fixes #8572
2018-11-07 17:01:36 +01:00
Aaron Carlino
76936d863d Merge branch '4.3' into 4 2018-11-07 23:20:44 +13:00
Loz Calver
11fe5b3adf Implement ConfirmationTokenChain to handle multiple tokens at once 2018-11-07 11:33:24 +13:00
Loz Calver
8d7c2dafab [SS-2018-019] Add confirmation token to dev/build 2018-11-07 11:33:24 +13:00
Loz Calver
02ad0f44aa Implement ConfirmationTokenChain to handle multiple tokens at once 2018-11-07 11:32:55 +13:00
Loz Calver
af000bea9b [SS-2018-019] Add confirmation token to dev/build 2018-11-07 11:32:55 +13:00
Loz Calver
5563537cc8 Implement ConfirmationTokenChain to handle multiple tokens at once 2018-11-07 11:31:33 +13:00
Loz Calver
0610f76da0 [SS-2018-019] Add confirmation token to dev/build 2018-11-07 11:31:33 +13:00
Loz Calver
0877442c64 Implement ConfirmationTokenChain to handle multiple tokens at once 2018-11-07 11:24:51 +13:00
Loz Calver
3dbb10625c [SS-2018-019] Add confirmation token to dev/build 2018-11-07 11:24:51 +13:00
Robbie Averill
64c2938c96 Merge branch '4.3' into 4 2018-11-06 11:05:22 +01:00
Robbie Averill
3c58ae009e Merge branch '4.2' into 4.3 2018-11-06 11:05:08 +01:00
Robbie Averill
22c7fa2bc9 Merge branch '4.1' into 4.2 2018-11-06 11:04:43 +01:00