1859 Commits

Author SHA1 Message Date
Christopher Pitt
bdef4fc7a5 Fixed XSS vulnerability relating to rewrite_hash 2015-03-30 10:59:39 +13:00
Ingo Schommer
1661213e5b FIX Opt-out pf form message escaping (fixes #2796)
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/.
Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability
to pass in HTML and take care of escaping manually.

We pass through HTML to message in core through the CTF system, so this needs to be fixed.
It’s an alternative fix to https://github.com/silverstripe/silverstripe-framework/pull/2803.
2014-08-22 16:59:34 +12:00
Hamish Friedlander
ad27cd5ec9 FIX Folder Title not being exactly the same as Name field
Backport to 3.0 of PR #3086
2014-05-05 14:39:45 +12:00
Hamish Friedlander
f2c4a629a7 FIX: ConfirmedPasswordField used to expose existing hash 2014-04-17 11:57:57 +12:00
Damian Mooyman
15c6b67c29 Docs / Tests for Director::absoluteURL 2014-04-08 09:16:48 +12:00
Damian Mooyman
4415a75d93 BUG Fix issue with versioned dataobjects being cached between stages 2014-03-27 13:17:29 +13:00
Damian Mooyman
6d5d3d8cb7 Rewrote usages of error suppression operator 2014-03-05 14:22:19 +13:00
Sam Minnee
a1c3cf1cf4 Removed use of assertCount() from this test as it causes infinite loops on Travis. 2014-02-14 16:39:36 +13:00
Damian Mooyman
f67b549b77 BUG Fixed cross-platform issues with test cases and file utilities 2013-10-04 13:54:33 +13:00
Ingo Schommer
06b5f142b6 Increased CacheTest time delay, avoid flickering tests
Setting a cache lifetime of half a second seems to be
unreliable on Travis when just waiting a second,
so let's wait a bit longer.
2013-10-02 12:13:22 +02:00
Ingo Schommer
a68e0ba365 Check for jQuery in Behat tests
Identified as one potential cause for flickering tests
on our own Selenium box.
2013-09-30 23:36:46 +02:00
Ingo Schommer
05757efceb FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005)
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
2013-09-12 15:42:43 +02:00
Ingo Schommer
720c149aee FIX Privilege escalation through Group hierarchy setting (SS-2013-003)
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2013-09-12 15:42:42 +02:00
Ingo Schommer
54edc0ddac Fix Behat window switching in chrome
Workaround only, see https://groups.google.com/forum/#!topic/behat/QNhOuGHKEWI
2013-08-22 12:49:38 +02:00
Simon Welsh
c66cc952d2 Correct line length and indentation 2013-08-21 21:27:16 +12:00
Simon Welsh
4cb98f1afd Only have Scrutinizer check PHP files 2013-08-21 21:02:12 +12:00
Hamish Friedlander
4a7aef0e25 FIX Double slashes in ParameterConfirmationToken 2013-08-19 11:35:34 +12:00
Ingo Schommer
00ffe72944 Translations: Switch to Transifex format
- Based on new (last) translation download from getlocalization.com
- Removed untranslated strings. Getlocalization started including those at some point
which is highly annoying, unnecessary and breaks the new transfix system,
since it'll mark all of the english strings as actual translations
- Avoid dots in entities. It confuses the Transifex YML parser
- Removed some locales unknown to Transifex which didn't have any translations anyway
- Removed "lolcat" locale, uses custom notation (en@lolcal)
  which SilverStripe's i18n system can't handle
  (needs mapping from SS naming to Zend naming)
- Renamed "Te Reo/Maori" locale from "mi_NZ" to "mi" (Transifex/CLDR notation)
- Namespaced all entities used in templates (deprecated usage)
- Converted dots to underscores where template filenames are used for namespaces,
since Transifex YML parsing handles them as separate YML keys otherwise
- Removed whitespace in entity names, SilverStripe i18n can't handle it
- Only allow selection of locales registered through i18n::$all_locales to avoid
  issues with unknown locales in Zend's CLDR database
2013-08-07 00:25:16 +02:00
Hamish Friedlander
342058742c FIX Flush on memory exhaustion and headers sent 2013-08-02 09:41:16 +12:00
Hamish Friedlander
a1ea905ca8 FIX Nice errors and allows flush on module removal 2013-07-24 09:57:01 +12:00
Hamish Friedlander
1298d4a5bd FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-19 12:24:32 +12:00
Ingo Schommer
920edf88e7 Test allowedExtensions in UploadField, return correct HTTP status 2013-07-12 13:16:34 +02:00
Damian Mooyman
11f4b2c620 API HTTP::urlRewriter with (string)$code deprecated in 3.1. Fixed regressions and CSS urls.
urlRewriter will expect a callable as a second parameter,
but will work with the current api and simply raise a deprecation error.

HTTP::absoluteURLs now correctly rewrites urls into absolute urls. Resolves introduced in c56a80d6ce

HTTP::absoluteURLs now handles additional cases where urls were not translated.

Test cases for HTTP::absoluteURLs added for both css and attribute links.

Cleaned up replacement expression and improved documentation.
2013-07-05 09:08:58 +12:00
Ingo Schommer
067a94bd93 Postgres compat in MemberCsvBulkLoaderTest and GroupTest 2013-07-04 22:46:23 +02:00
Ingo Schommer
cf20923fd6 Postgres compat in SQLQueryTest 2013-07-04 22:28:13 +02:00
Ingo Schommer
71a5615213 Test $allowed_actions on controllers with template name=action conventions 2013-06-10 12:33:30 +02:00
Ingo Schommer
d3a4161a94 Behat: Backport improved dropdown step handler 2013-06-05 14:59:01 +02:00
Ingo Schommer
1d01347fd3 Behat: Use explicit fixtures 2013-06-05 14:32:42 +02:00
Ingo Schommer
f8b1c08c67 Behat: Copy fixture identifier to "Name" or "Title" by default
This makes fixture setup less verbose, particularly for behat
tests (e.g. with "Given a page 'About Us'")
2013-06-05 14:32:42 +02:00
Ingo Schommer
bb92e494d7 Behat fixture refactoring (shared factory instance) 2013-06-05 14:32:42 +02:00
Ingo Schommer
a9ed6b34cb Behat: Support for TreeDropdownField 2013-06-05 14:32:42 +02:00
Ingo Schommer
a39adb46db Behat: New fixture notation in "manage files" tests 2013-06-05 14:32:41 +02:00
Simon Welsh
b9d5f27194 Add code-sniffs other than line length to scrutinizer 2013-05-23 10:39:01 +12:00
Sam Minnee
b401d39aec NEW: Move temp data into a user-specific subfolder, to stop temp-permission bugs from occurring.
Anyone who has run "sudo -u www-data ./framework/sake dev/build" knows that SilverStripe's temp
folder permissions can be very brittle.  This patch resolves this by making the temp folder
user-specific.

To minimise directory pollution it first creates a chmod 777 parent folder with the same name
as the current folder.  It then creates a subfolder of this with the same name as the current
user.

The positive impact of this change is that sake can be used without fear of messing up file
permissions.  This means, among other things, that we can put a Composer post-update-cmd into
the installer to run dev/build.  Progress!

The negative impact is that you will get two caches if you run sake as a different user.  However,
that is much better than the current situation - which is a bunch of bugs - and if you're concerned
about that, you still have the option of running sake as www-data.
2013-05-15 12:54:55 +02:00
Sam Minnee
9ba26a04c4 Added test for lazy-loading edge-case in Money field. 2013-04-22 11:50:57 +12:00
Ingo Schommer
933fbf8ea4 l10n key to make "yes" and "no" translatable (see #1749) 2013-04-12 01:11:24 +02:00
Sam Minnée
a6929f11b2 Merge pull request #1185 from chillu/pulls/augment-lazy-versioned
Versioned lazy loading fixes (backport from 3.1)
2013-04-08 16:04:50 -07:00
Ingo Schommer
0242686a7a Requirements acces to files with query strings (fixes #7735)
Originally authored by florian.thoma, tests added
by Ingo Schommer. Also removed query params from
file paths before calling mtime() on it.

See https://github.com/silverstripe/sapphire/pull/1023
2013-04-03 16:39:59 +02:00
Ingo Schommer
31f5e00a56 Simplified travis builds (external setup scripts) 2013-03-28 22:24:03 +01:00
Ingo Schommer
dd6f33ab37 FIX Respect tree node limits, fix search result node display
- Renamed $minNodeCount to more accurate $nodeCountThreshold
- The $minNodeCount attribute wasn't properly respected
during actual querying, so SilverStripe would always traverse
the entire tree (and load all objects into memory),
before then marking nodes as "unexpanded", which prevents
them from actually being rendered.
- Fixes nodes on search results to be expanded by default
- Fixes nodes on search results to correctly ajax-expand
2013-03-19 00:05:14 +01:00
Ingo Schommer
e6fffb9ef9 API Remove content-length setting in HTTPResponse
It's not reliable. Started in c69381c33, but only partially reverted.
2013-02-27 10:07:54 +01:00
Ingo Schommer
7c0240cec1 Merge pull request #1238 from ajshort/travis-composer-3.0
Travis Composer Integration (3.0.x)

Conflicts:
	tests/travis/before_script
2013-02-27 10:02:07 +01:00
ajshort
34d524c09f Integrate composer in the Travis build process
Creates a package definition from the framework version being built,
and uses composer to install it into an installer project, as well
as the required modules for testing.
2013-02-27 00:38:40 +11:00
Ingo Schommer
9e2e050f20 Hardcode travis branch on dependencies, otherwise breaks pull request builds
Pull requests are always on a branch, and this branch
typically is not present on the installer.

This changes means we need to be careful when merging into 3.1
and master, but that's a necessary evil.
2013-02-18 14:13:07 +01:00
Hamish Friedlander
9ecea763c3 Merge pull request #1186 from nyeholt/injector_configged_create
FIX issue with Injector::create not passing args
2013-02-17 18:38:24 -08:00
Ingo Schommer
30096ee730 BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This will prevent empty passwords to set the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
2013-02-17 23:30:41 +01:00
Ingo Schommer
f06ba70fc9 BUG Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension
Controller (and subclasses) failed to enforce $allowed_action restrictions
on parent classes if a child class didn't have it explicitly defined.

Controllers which are extended with $allowed_actions (through an Extension)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions definition.
2013-02-17 23:30:36 +01:00
Marcus Nyeholt
428cbe4b03 FIX issue with Injector::create not passing args
If creating an object using Injector::create() and constructor arguments
are passed through, in some cases where the object being created had a yml
configuration set for it, the passed in constructor arguments weren't being
passed through to the instantiation of the object.
2013-02-15 10:24:47 +11:00
Julian Seidenberg
10199f908a API Data corruption on Versioned due to lazy loading
Lazy loading no longer loads fields from the versions table when querying. This could lead to incorrect data being displayed if the data on the object and the version it pointed to did not match.

API methods to allow setting of the context of the query that generated the DataObject on that object (used by the lazy loading mechanism to correctly query the Stage, Live, or Versions tables)

See https://github.com/silverstripe/sapphire/pull/1178 for context.
2013-02-14 14:28:42 +01:00
jean
e2bf9649f3 FIX 7934 When lazy loading fields respect version of the record 2013-02-14 14:27:44 +01:00