tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-09-17 23:16:04 +02:00
Code Issues Projects Releases Wiki Activity
97e6108fa9
silverstripe-framework/docs/en/changelogs/3.0.6.md

1.4 KiB
Raw Blame History

3.0.6 (Not yet released)

Overview

  • Security: Require ADMIN for ?flush=1 (stop denial of service attacks) (#1692)

Details

Security: Require ADMIN for ?flush=1

Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than normal requests, it can facilitate denial-of-service attacks.

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

  • The environment is in "dev mode"
  • A user is logged in with ADMIN permissions
  • An error occurs during startup

This applies to both flush=1 and flush=all (technically we only check for the existence of any parameter value) but only through web requests made through main.php - CLI requests, or any other request that goes through a custom start up script will still process all flush requests as normal.

Upgrading

  • If you have created your own composite database fields, then you should amend the setValue() to allow the passing of an object (usually DataObject) as well as an array.

  • If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web request, you should ensure that you limit use of the flush parameter