mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
e9d88dd8ee
Rebased on 3.1
9.0 KiB
9.0 KiB
3.0.6-rc1 (2013-08-08)
Overview
- Security: Require ADMIN for
?flush=1
(stop denial of service attacks) (#1692)
Details
Security: Require ADMIN for ?flush=1
Flushing the various manifests (class, template, config) is performed through a GET
parameter (flush=1
). Since this action requires more server resources than normal requests,
it can facilitate denial-of-service attacks.
To prevent this, main.php now checks and only allows the flush parameter in the following cases:
- The environment is in "dev mode"
- A user is logged in with ADMIN permissions
- An error occurs during startup
This applies to both flush=1
and flush=all
(technically we only check for the existence of any parameter value)
but only through web requests made through main.php - CLI requests, or any other request that goes through
a custom start up script will still process all flush requests as normal.
Thanks to Christopher Tombleson for reporting.
Upgrading
- If you have created your own composite database fields, then you should amend the setValue() to allow the passing of an object (usually DataObject) as well as an array.
- If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web request, you should ensure that you limit use of the flush parameter
- Translation entity namespaces can no longer contain dots, since it conflicts with the YAML format.
- Translation entities defined in templates now use their fully qualified entity name without dots.
Before:
BackLink_Button.ss.Back
, afterBackLink_Button_ss.Back
. Please fix any custom language files or uses of those entities in custom code. - If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in
admin/myprofile
to ensure correct operation (it has changed its locale identifier)
Changelog
API Changes
- 2013-03-08 b81f39a Handle uncaught ValidationException on CMS controller execution (Ingo Schommer)
- 2013-02-27 e6fffb9 Remove content-length setting in HTTPResponse (Ingo Schommer)
- 2013-02-27 600d9cf Make Object::config use late static binding (Hamish Friedlander)
- 2013-02-12 10199f9 Data corruption on Versioned due to lazy loading (Julian Seidenberg)
- 2013-01-24 11f4b2c HTTP::urlRewriter with (string)$code deprecated in 3.1. Fixed regressions and CSS urls. (Damian Mooyman)
Features and Enhancements
- 2013-04-21 eb583c5 Added DataObject::getQueriedDatabaseFields() as faster alternative to toMap() API: CompositeDBField::setValue() may be passed an object as its second argument, in addition to array. (Sam Minnee)
- 2013-03-18 b401d39 Move temp data into a user-specific subfolder, to stop temp-permission bugs from occurring. (Sam Minnee)
- 2013-02-22 de641dd updated the reference index on doc.silverstripe.com 3.0 - There were lots of broken and missing links (Jeremy Bridson)
Bugfixes
- 2013-08-05 5f9387c Constants magic_quotes handling needs function from Core (Hamish Friedlander)
- 2013-08-05 041466f Token redirect where in IIS a / needs adding between host & url (Hamish Friedlander)
- 2013-08-02 a685a8d Include flushtoken when install redirects to successfullyinstalled (Hamish Friedlander)
- 2013-08-01 3420587 Flush on memory exhaustion and headers sent (Hamish Friedlander)
- 2013-07-23 a1ea905 Nice errors and allows flush on module removal (Hamish Friedlander)
- 2013-07-22 84011aa Only suppress fatal errors (Hamish Friedlander)
- 2013-07-19 a312cd0 Ignore invalid tokens instead of throwing 403 (Hamish Friedlander)
- 2013-07-19 036c36a Have ParameterConfirmationToken work regardless of include path (Hamish Friedlander)
- 2013-07-18 1298d4a Prevent DOS by checking for env and admin on ?flush=1 (#1692) (Hamish Friedlander)
- 2013-07-15 999fd39 preg_replace_callback in emailer was broken (Stephen Shkardoon)
- 2013-06-13 3b40711 Resize infinite loops in IE8 (fixes #575) (Ingo Schommer)
- 2013-05-27 c7f1412 #651 Broken redirection after creating new folder in assets (Mike Parkhill)
- 2013-05-23 c85c495 GridFieldFilterHeader works without non-filterable cols (Ingo Schommer)
- 2013-05-08 00b8ffd File class typo (Tony Air)
- 2013-04-26 b211f22 JSONDataFormatter wrong relation identifiers (fixes #1795) (Ingo Schommer)
- 2013-04-20 41c0f80 Only block root vendor folder (colymba)
- 2013-04-01 df4d742 Saving of custom meta tags (fixes #8288) (Joseph Madden)
- 2013-03-29 3aced11 GridFieldFilterHeader only filters on last filter (Stig Lindqvist)
- 2013-03-27 19a8545 update deprecated 'live' jquery to 'on' (Naomi Guyer)
- 2013-03-25 0ebd525 Unset "underneath page" title when switching to "top" in "add page" (Ingo Schommer)
- 2013-03-25 3f2b6a5 Don't silently unset ParentID in "add page" dialog (Ingo Schommer)
- 2013-03-25 0a283ea Unset internal metadata on TreeDropdownField setValue() (Ingo Schommer)
- 2013-03-20 2787d36 "Insert Link" and other TinyMCE loading bugs (fixes #8327) (Ingo Schommer)
- 2013-03-20 143317c SQL Injection in CsvBulkLoader (fixes #6227) (Stephen Shkardoon)
- 2013-03-19 9ac104b $_COOKIES is not un-magic_quotes'd (Stephen Shkardoon)
- 2013-03-18 5c933b4 SilverStripeNavigator shows wrong message. (uniun)
- 2013-03-12 dd6f33a Respect tree node limits, fix search result node display (Ingo Schommer)
- 2013-02-26 a8a10f8 Transaction stub methods for better cross 2.x and 3.x compat (Ingo Schommer)
- 2013-02-17 c7b0666 Escape page titles in CommentAdmin table listing (Ingo Schommer)
- 2013-02-15 428cbe4 issue with Injector::create not passing args (Marcus Nyeholt)
- 2013-01-30 b24a0a5 Remove extraneous </div> breaking IE8 image embedding (os#8218) (Mateusz Uzdowski)
- 2013-01-15 50995fb Undefined
$allowed_actions
overrides parent definitions, stricter handling of $allowed_actions on Extension (Ingo Schommer) - 2013-01-06 eecd348 Keep Member.PasswordEncryption setting on empty passwords (Ingo Schommer)
- 2012-10-26 d8b106e TestRunner was not cleaning up DB on failure (Craig Weber)
- 2012-10-10 e2bf964 7934 When lazy loading fields respect version of the record (jean)
- 2012-10-05 1ffbb8f Exclude framework/dev from text collection (fixes #4754) (Ingo Schommer)
- 2012-09-10 17bd873 7853 Flush the content of drop down fields when closing html editor linker (links and images) (jean)