silverstripe-framework/docs/en/04_Changelogs/3.0.6.md

3.0.6

Overview

• Security: Require ADMIN for ?flush=1 (stop denial of service attacks) (#1692)
• API: Disable discontinued Google Spellcheck in TinyMCE. Replaced by browser-based spellchecking if available (Chrome, Firefox)

Details

Security: Require ADMIN for ?flush=1 (SS-2013-001)

See announcement

Security: Privilege escalation through Group hierarchy setting (SS-2013-003)

See announcement

Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)

See announcement

Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)

See announcement

Security: Information disclosure in Versioned.php (SS-2013-006)

See announcement

Security: Privilege escalation through Group hierarchy setting (SS-2013-003)

See announcement

Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)

See announcement

Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)

See announcement

Upgrading

• If you have created your own composite database fields, then you should amend the setValue() to allow the passing of an object (usually DataObject) as well as an array.
• If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web request, you should ensure that you limit use of the flush parameter
• Translation entity namespaces can no longer contain dots, since it conflicts with the YAML format.
• Translation entities defined in templates now use their fully qualified entity name without dots. Before: BackLink_Button.ss.Back, after BackLink_Button_ss.Back. Please fix any custom language files or uses of those entities in custom code.
• If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in admin/myprofile to ensure correct operation (it has changed its locale identifier)