Ingo Schommer
fe3f58511d
Merge pull request #2286 from hafriedlander/fix/flush_24
...
FIX Flush on memory exhaustion and when headers sent
2013-08-06 14:22:25 -07:00
Hamish Friedlander
15406dd559
FIX Constants magic_quotes needs function from Core
2013-08-05 14:58:06 +12:00
Hamish Friedlander
60a95cbe77
FIX Token redirect where in IIS a / needs adding between host & url
2013-08-05 09:14:10 +12:00
Hamish Friedlander
2f9689b8f8
FIX Flush on memory exhaustion and headers sent
2013-08-01 09:42:52 +12:00
Sam Minnee
a150989e6f
FIX: Fixed escaping of date in view of archived site.
2013-07-30 18:30:51 +12:00
Hamish Friedlander
5212ab031a
FIX Nice errors and allows flush on module removal
2013-07-24 09:16:42 +12:00
Hamish Friedlander
09db9a659e
FIX Only suppress fatal errors
2013-07-22 14:48:58 +12:00
Hamish Friedlander
122a9f898e
Split Core.php into Constants.php and Core.php and adjust main.php startup
...
The recent flush filter fix had a problem that you couldn't set a custom
BASE_PATH in _ss_environment because that file didn't get included until
after checking the confirmation token. This patch pulls the part of Core.php
that defines BASE_PATH into a separate file that can be included earlier
in the startup sequence so that ParameterConfirmationToken can access it.
Core.php includes Constants.php with a require_once call, so for startup
scripts that don't pull in Constants.php themselves (like cli-script.php)
no change is needed.
2013-07-22 14:02:37 +12:00
Sam Minnee
e782648b3a
FIX: Fixed TempPath inclusion for phpunit & cli-script
2013-07-19 15:50:44 +12:00
Hamish Friedlander
296b131171
FIX: Actually use argument in getTempFolder
2013-07-19 15:05:12 +12:00
Hamish Friedlander
ec8c4b8569
FIX: Ignore invalid tokens instead of throwing 403
2013-07-19 15:04:50 +12:00
Hamish Friedlander
d42d8d0fc2
FIX: Have ParameterConfirmationToken includes work regardless of include path
2013-07-19 14:30:59 +12:00
Hamish Friedlander
8990788818
FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692)
2013-07-19 12:31:37 +12:00
Hamish Friedlander
31429b7936
Move getTempFolder out of Core.php to own file
2013-07-19 11:01:20 +12:00
Sean Harvey
813749e909
Fixing array to string conversion in dev/build for PHP 5.4
2013-05-12 21:28:17 +12:00
Ingo Schommer
a8a10f8a1a
BUG Transaction stub methods for better cross 2.x and 3.x compat
...
The transactionStart() naming is 3.x, and used by some modules
which are otherwise still 2.x compatible.
Specifically, this was added to avoid branching the payment module
into separate 2.x and 3.x compatible branches.
2013-02-26 13:49:46 +01:00
Ingo Schommer
190e0b8a47
Add ContentController->handleWidget() to $allowed_actions
...
Required by recent $allowed_actions security fix
2013-02-18 00:10:06 +01:00
Ingo Schommer
50995fbecb
BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
...
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.
Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:16:22 +01:00
Ingo Schommer
45c68d6821
API Require ADMIN for ?showtemplate=1
2013-02-12 23:21:13 +01:00
Simon Welsh
f49f1ff5df
API Rename Transliterator to SS_Transliterator to remove conflict with Intl extension
2012-11-29 08:21:05 +13:00
Simon Welsh
4ff8cff262
Minor PHP5.4 fixes
...
Explicitly excludes E_STRICT from live error level and handles arrays in a backtrace
output, rather than trying to convert to string.
2012-10-16 23:37:30 +13:00
Ingo Schommer
46064f8f88
SECURITY More solid relative/site URL checks (related to "BackURL" redirection)
...
Return true for Director::is_absolute_url() checks if they're prefixed with two or more slashes (as browsers interpret this as a valid URL)
More solid URL checks in Director::is_site_url(), using a conservative parse_url() hostname comparison rather than Director::makeRelative(), which is not designed for security purposes
2012-10-16 10:17:07 +02:00
stozze
8ec6312f3f
BUG Fix to prevent unintended results from getComponentsQuery(...)
...
Wrapped $filter inside parentheses to prevent unintended results if $filter contains "OR".
2012-09-14 18:25:29 +03:00
Adam Skrzypulec
766987105d
MINOR fixed array to string conversion to avoid PHP 5.4 warnings
2012-08-15 11:40:40 -05:00
Andrew O'Neil
9bf3ae9a19
SECURITY: Ensure javascript content type is sent in form responses. If content type is html, and the javascript contains script tags within the content, this content will be executed.
2012-05-03 17:08:08 +02:00
Sam Minnee
921bf9a439
ENHANCEMENT: Ensure that forceSSL and protocol detection respects the X-Forwarded-Protocol header.
2012-02-03 09:39:10 +13:00
Ingo Schommer
0085876495
BUGFIX Casting return values on text helper methods in StringField, Text, Varchar
2012-01-31 16:28:47 +01:00
Ingo Schommer
252e187015
SECURITY Escape links for SilverStripeNavigatorItem
2012-01-31 15:55:30 +01:00
Ingo Schommer
5fe7091dff
SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages
2012-01-31 15:54:59 +01:00
Ingo Schommer
96bee47ab8
MINOR Switching 'rewriteHashlinks' sanitization from Convert::raw2att() to strip_tags() to make the resulting PHP more portable when mode is set to 'php'
2011-10-18 10:54:30 +02:00
Ingo Schommer
16c32359c6
BUGFIX Escaping base URLs for anchor links rewritten by SSViewer::process() with the 'rewriteHashlinks' option enabled (which is a framework default, and necessary because of the use of a <base> tag). Also added escaping for base URLs rendered through the 'php' variation of 'rewriteHashlinks'
2011-10-18 10:18:29 +02:00
Ingo Schommer
6d6fdd24d9
ENHANCEMENT Added SSViewer::getOption() as a logical counterpart to SSViewer::setOption()
2011-10-17 18:00:30 +02:00
Sean Harvey
7805e3e6d9
BUGFIX i18n::include_by_locale() assumes a themes directory always exists and causes error if that's not the case. Some projects don't require any themes, like pure applications.
2011-09-28 15:27:51 +13:00
Ingo Schommer
83ad8d48a9
ENHANCEMENT Added File.ShowInSearch flag to mirror the existing SiteTree.ShowInSearch flag - e.g. useful to limit visibility of user-uploaded files. Enforced in MySQLDatabase->searchEngine().
2011-09-15 16:13:02 +02:00
Ingo Schommer
73cca09960
BUGFIX Consistently using Convert::raw2sql() instead of DB::getConn()->addslashes() or PHP's deprecated addslashes() for database escaping
2011-09-15 14:43:34 +02:00
simonwelsh
0f91fb865b
Changes error reporting level to explicitly exclude E_DEPRECATED and E_STRICT, rather than xor.
2011-08-26 16:12:57 +12:00
simonwelsh
9ffa903d50
Adds missing semicolon for PHP5.4 support.
2011-08-26 16:11:06 +12:00
Ingo Schommer
1704e42d51
MINOR Return empty string from SQLQuery->sql() if SELECT is the default value, and no FROM is set (moved logic from DB-specific implementations)
2011-05-20 08:42:31 +12:00
Ingo Schommer
58b44287d3
MINOR Fixed en_US spelling (fixes #6316, thanks sonetseo)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@115461 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:07 +13:00
Sean Harvey
47cae8f81f
BUGFIX Incorrect call to weekday function in Date class (thanks webbower!)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@115443 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:07 +13:00
Sean Harvey
c336545cd7
BUGFIX Checking for existence of draft and live records in SilverStripeNavigatorItem_ArchiveLink->getHTML() (from r115130)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@115442 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:07 +13:00
Sean Harvey
3e8cc481f0
BUGFIX #6291 Remove rollback action from CMSMain allowed_actions and rely on form action_rollback instead which is safer
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@115440 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:06 +13:00
Sean Harvey
b81cae875a
BUGFIX Fixed edge case bug where SilverStripeNavigatorItem would fail if a page was not published, and the navigator archive link was generated
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@115437 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:06 +13:00
Ingo Schommer
2962fb8d13
BUGFIX Checking for existence of FormAction in Form->httpSubmission() to avoid bypassing $allowed_actions definitions in controllers containing this form
...
BUGFIX Checking for $allowed_actions in Form class, through Form->httpSubmission() (from r115182)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@115188 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:06 +13:00
Sean Harvey
521a76b880
BUGFIX #6219 Director::direct() validation fails for doubly nested file fields (thanks ajshort!) (from r114921)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114922 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:06 +13:00
Sean Harvey
f41b5179f6
ENHANCEMENT Allow setting secure session cookies when using SSL. Recent change r114567 made this impossible. (thanks simon_w!) (from r114900)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114901 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:06 +13:00
Ingo Schommer
c639916afb
BUGFIX Removed switch in MySQLDatabase->query() to directly echo queries with 'showqueries' parameter when request is called via ajax (from r114782)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114783 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:06 +13:00
Ingo Schommer
3d2552a453
MINOR Partially reverted r114744
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114745 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:05 +13:00
Ingo Schommer
7280a64d6b
MINOR Reduced VARCHAR length from 1024 to 40 bytes, which fits the sha1 hashes created by RandomGenerator. 1024 bytes caused problems with index lengths on MySQL (from r114743)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114744 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:05 +13:00
Ingo Schommer
f4cc316c8a
ENHANCEMENT 'bypassStaticCache' cookie set in Versioned is limited to httpOnly flag (no access by JS) to improve clientside security (from r114568)
...
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114572 467b73ca-7a2a-4603-9d3b-597d59a354a9
2011-02-02 14:20:04 +13:00