silverstripe-framework/docs/en/04_Changelogs/4.3.5.md
2019-09-24 16:04:22 +12:00

2.1 KiB

4.3.5

Embedding files with shortcodes (FileShortcodeProvider) no longer provides a session grant by default. This is because it has the potential to escalate file access to users who otherwise should not have viewing permissions for the file.

There is a minor performance trade-off for disabling these grants. If you have a page with a lot of images that are in a draft state or have custom viewing permissions, it adds an extra database query for each embedded image. With session grants enabled, the first permission check persists the grant into the session, meaning there is no need to query the database on every single file.

Unless you have a lot of shortcode images embedded with protected or draft status on a single page, this setting is best left to its default value of false.

To revert to the old behaviour:

SilverStripe\Assets\Shortcodes\FileShortcodeProvider:
  allow_session_grant: true

If you were using the versionedfiles on your 3.x site

This release includes a security fix for users who migrated from a 3.x site that used the versionedfiles module. The file migration would have left the _versions folders in your public filesystem as artefacts, leaving all the unpublished versions of your old files publicly accessible under a guessable URL.

To work around this, you can use the VersionedFilesMigrationTask:

$ vendor/bin/sake dev/tasks/migrate-versionedfiles strategy=[delete|protect]

If you choose the delete strategy (default), the task will delete all _versions files for you. Be sure to take a snapshot of your public/assets folder before doing so. If you choose the protect strategy, the task will drop an .htaccess file in your old _versions directories. This method only works if you are using Apache to serve your static files. If you are using another server such as Nginx, these files will remain publicly exposed. It is recommended you use the delete strategy if you are not using Apache.