mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-09-18 15:36:30 +02:00

Ingo Schommer 0e7231ff60 API Disable discontinued Google Spellcheck in TinyMCE

Replaced by browser-based spellchecking if available (Chrome, Firefox),
with instructions on how to use PSpell as an alternative.

2013-08-03 16:16:45 +02:00

1.5 KiB

Raw Blame History

3.0.6 (Not yet released)

Overview

Security: Require ADMIN for ?flush=1 (stop denial of service attacks) (#1692)
API: Disable discontinued Google Spellcheck in TinyMCE. Replaced by browser-based spellchecking if available (Chrome, Firefox)

Details

Security: Require ADMIN for ?flush=1

Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than normal requests, it can facilitate denial-of-service attacks.

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

The environment is in "dev mode"
A user is logged in with ADMIN permissions
An error occurs during startup

This applies to both flush=1 and flush=all (technically we only check for the existence of any parameter value) but only through web requests made through main.php - CLI requests, or any other request that goes through a custom start up script will still process all flush requests as normal.

Upgrading

If you have created your own composite database fields, then you should amend the setValue() to allow the passing of an object (usually DataObject) as well as an array.
If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web request, you should ensure that you limit use of the flush parameter

1.5 KiB Raw Blame History