mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
720c149aee
See http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/
2.1 KiB
2.1 KiB
3.0.6 (Not yet released)
Overview
- Security: Require ADMIN for
?flush=1
(stop denial of service attacks) (#1692)
Details
Security: Require ADMIN for ?flush=1 (SS-2013-001)
Flushing the various manifests (class, template, config) is performed through a GET
parameter (flush=1
). Since this action requires more server resources than normal requests,
it can facilitate denial-of-service attacks.
To prevent this, main.php now checks and only allows the flush parameter in the following cases:
- The environment is in "dev mode"
- A user is logged in with ADMIN permissions
- An error occurs during startup
This applies to both flush=1
and flush=all
(technically we only check for the existence of any parameter value)
but only through web requests made through main.php - CLI requests, or any other request that goes through
a custom start up script will still process all flush requests as normal.
Security: Privilege escalation through Group hierarchy setting (SS-2013-003)
See announcement
Upgrading
- If you have created your own composite database fields, then you should amend the setValue() to allow the passing of an object (usually DataObject) as well as an array.
- If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web request, you should ensure that you limit use of the flush parameter
- Translation entity namespaces can no longer contain dots, since it conflicts with the YAML format.
- Translation entities defined in templates now use their fully qualified entity name without dots.
Before:
BackLink_Button.ss.Back
, afterBackLink_Button_ss.Back
. Please fix any custom language files or uses of those entities in custom code. - If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in
admin/myprofile
to ensure correct operation (it has changed its locale identifier)