mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
43 lines
2.1 KiB
Markdown
43 lines
2.1 KiB
Markdown
# 4.3.5
|
|
|
|
Embedding files with shortcodes (`FileShortcodeProvider`) no longer provides a session grant
|
|
by default. This is because it has the potential to escalate file access
|
|
to users who otherwise should not have viewing permissions for the file.
|
|
|
|
There is a minor performance trade-off for disabling these grants. If you have a page with a lot of
|
|
images that are in a draft state or have custom viewing permissions, it adds an extra database
|
|
query for each embedded image. With session grants enabled, the first permission check persists
|
|
the grant into the session, meaning there is no need to query the database on every single file.
|
|
|
|
Unless you have a lot of shortcode images embedded with protected or draft status on a single page,
|
|
this setting is best left to its default value of `false`.
|
|
|
|
To revert to the old behaviour:
|
|
|
|
```
|
|
SilverStripe\Assets\Shortcodes\FileShortcodeProvider:
|
|
allow_session_grant: true
|
|
```
|
|
|
|
## If you were using the versionedfiles on your 3.x site
|
|
|
|
This release includes a security fix for users who migrated from a 3.x site that used
|
|
the [versionedfiles](https://github.com/symbiote/silverstripe-versionedfiles) module.
|
|
The file migration would have left the `_versions` folders in your public filesystem
|
|
as artefacts, leaving all the unpublished versions of your old files publicly accessible
|
|
under a guessable URL.
|
|
|
|
To work around this, you can use the `VersionedFilesMigrationTask`:
|
|
|
|
`$ vendor/bin/sake dev/tasks/migrate-versionedfiles strategy=[delete|protect]`
|
|
|
|
If you choose the `delete` strategy (default), the task will delete all `_versions`
|
|
files for you. Be sure to take a snapshot of your `public/assets` folder before
|
|
doing so. If you choose the `protect` strategy, the task will drop an `.htaccess` file
|
|
in your old `_versions` directories. **This method only works if you are using Apache
|
|
to serve your static files**. If you are using another server such as Nginx, these files
|
|
will remain publicly exposed. It is recommended you use the `delete` strategy if you are
|
|
not using Apache.
|
|
|
|
<!--- Changes below this line will be automatically regenerated -->
|