# 2.4.4-rc1 ## Changelog ### Features and Enhancements * [rev:114572] 'bypassStaticCache' cookie set in Versioned is limited to httpOnly flag (no access by JS) to improve clientside security (from r114568) * [rev:114571] Session::start() forces PHPSESSID cookies to be httpOnly (no access by JS) to improve clientside security (from r114567) * [rev:114499] Added !RandomGenerator for more secure CRSF tokens etc. (from r114497) * [rev:114467] PHP requirements in installer now check for date.timezone correctly being set for PHP 5.3.0+. This option is *required* to be set starting with 5.3.0 and will cause an error during installation if not * [rev:114083] Added SS_HTTPResponse->setStatusDescription() as equivalent to setStatusCode(). Added documentation. * [rev:113963] Split temp directory check and writability into two checks * [rev:113961] #6206 Installer additional checks for module existence by checking _config.php exists, in addition to the directory * [rev:113919] Allowing i18nTextCollector to discover entities in templates stored in themes/ directory (thanks nlou) (from r113918) * [rev:113871] Update Asset's left and right panels with filders and files after 'Look for new files' was triggered (open #5543) ### API Changes * [rev:114474] Using i18n::validate_locale() in various Translatable methods to ensure the locale exists (as defined through i18n::$allowed_locales) (from r114470) ### Bugfixes * [rev:114783] Removed switch in !MySQLDatabase->query() to directly echo queries with 'showqueries' parameter when request is called via ajax (from r114782) * [rev:114774] Disallow web access to sapphire/silverstripe_version to avoid information leakage (from r114773) * [rev:114771] Disallow web access to cms/silverstripe_version to avoid information leakage (from r114770) * [rev:114760] Avoid potential referer leaking in Security->changepassword() form by storing Member->!AutoLoginHash in session instead of 'h' GET parameter (from r114758) * [rev:114719] Fallback text for "Password" in !ConfirmedPasswordField when no translation found * [rev:114683] Populates the page with fake data in order to pass subsequent unit tests * [rev:114654] Test if form is the right class (if a class decorates the content controller, this test would break ie sphinx) * [rev:114516] Escaping $locale values in Translatable->augmentSQL() in addition to the i18n::validate_locale() input validation (from r114515) * [rev:114512] Limiting usage of mcrypt_create_iv() in !RandomGenerator->generateEntropy() to *nix platforms to avoid fatal errors (specically in IIS) (from r114510) * [rev:114507] Using !RandomGenerator class in Member->logIn(), Member->autoLogin() and Member->generateAutologinHash() for better randomization of tokens. Increased VARCHAR length of '!RememberLoginToken' and '!AutoLoginHash' fields to 1024 characters to support longer token strings. (from r114504) * [rev:114506] Using !RandomGenerator class in !PasswordEncryptor->salt() (from r114503) * [rev:114500] Using !RandomGenerator class in !SecurityToken->generate() for more random tokens * [rev:114473] Check for valid locale in i18n::set_locale()/set_default_locale()/include_locale_file()/include_by_locale() (as defined in i18n::$allowed_locales). Implicitly sanitizes the data for usage in controllers. (from r114469) * [rev:114445] Don't allow HTML formatting in !RequestHandler->httpError() by sending "Content-Type: text/plain" response headers. (from r114444) * [rev:114208] Including template /lang folders in i18n::include_by_locale() (implementation started in r113919) * [rev:114195] Added !SecurityToken to !PageCommentInterface->!DeleteAllLink() (fixes #6223, thanks Pigeon) * [rev:114083] Strip newlines and carriage returns from SS_HTTPResponse->getStatusDescription() (fixes #6222, thanks mattclegg) (from r114082) * [rev:114081] Removed double quoting of $where parameter in Translatable::get_existing_content_languages() (fixes #6203, thanks cloph) (from r114080) * [rev:114036] Fixed case where !AssetAdmin would throw an error if $links was not an object in !AssetAdmin::getCustomFieldsFor() * [rev:113976] #6201 Use of set_include_path() did not always include sapphire paths in some environments * [rev:113962] Installer now checks temporary directory is writable, in addition to it being available. * [rev:113809] #6197 simon_w: Fixed Internal Server Error when accessing assets on Apache without mod_php. * [rev:113692] Avoid reloading CMS form twice after certain saving actions (fixes #5451, thanks muzdowski) ### Minor changes * [rev:114751] Setting Content-Type to text/plain in various error responses for !RestfulServer (from r114750) * [rev:114749] Reverting Member "!AutoLoginHash", "!RememberLoginToken" and "Salt" to their original VARCHAR length to avoid problems with invalidated hashes due to shorter field length (from r114748) * [rev:114745] Partially reverted r114744 * [rev:114744] Reduced VARCHAR length from 1024 to 40 bytes, which fits the sha1 hashes created by !RandomGenerator. 1024 bytes caused problems with index lengths on MySQL (from r114743) * [rev:114720] Code formatting change in !ConfirmedPasswordField::__construct() * [rev:114454] Added exception handling if !ClassName is null in search results * [rev:114334] Checking for class_exists() before !SapphireTest::is_running_tests() to avoid including the whole testing framework, and triggering PHPUnit to run a performance-intensive directory traversal for coverage file blacklists (from r114332) * [rev:114079] Reverted r108515 * [rev:114078] Documentation for Aggregate caching (from r114077) * [rev:114062] fixed visual glitch in CMS access tab for IE * [rev:114036] Defined $backlinks as an array before adding entries to it * [rev:114016] Fixed php tag in !SecurityTokenTest, should be "