tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity
bc9e384fe1
silverstripe-framework/docs/en/04_Changelogs/3.7.5.md
Maxime Rainville f2b8946407 Added 3.7.5 changelog
2020-07-14 13:39:39 +12:00

96 lines
5.5 KiB
Markdown
Raw Blame History

# 3.7.5
* [CVE-2019-19326 Web Cache Poisoning](#CVE-2019-19326)
* [CVE-2020-9311 Malicious user profile information can cause login form XSS](#CVE-2020-9311)
## CVE-2019-19326 Web Cache Poisoning {#CVE-2019-19326}
Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the:
* `X-Original-Url` HTTP header
* `X-HTTP-Method-Override` HTTP header
* `_method` POST variable.
In order to remedy this vulnerability, Silverstripe Framework 3.7.5 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution.
### Re-enabling the support for removed features
These features are best implemented by defining a `RequestFilter`. Request Filters are similar to the more modern concept of "middleware" as defined by the PSR-15 standard and supported by Silverstripe 4.
The following example illustrate how to implement a `RequestFilter` that restore support for the `X-Original-Url` header and the `_method` POST parameter for request originating from a trusted proxy.
```php
<?php
/**
* This is meant to illustrate how to implement a RequestFilter. It assumes your
* trusted proxy will strip the insecure data from any requests. If you blindly
* copy-paste this in in your code base, you'll simply replicate the vulnerability.
*/
class InsecureRequestProcessor implements RequestFilter
{
public function preRequest(SS_HTTPRequest $request, Session $session, DataModel $model)
{
if (TRUSTED_PROXY) {
$originalUrl = $request->getHeader('X-Original-Url');
if ($originalUrl) {
$request->setUrl($originalUrl);
$_SERVER['REQUEST_URI'] = $originalUrl;
}
$methodOverride = $request->postVar('_method');
$validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD'];
if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) {
$request->setMethod($methodOverride);
}
}
return true;
}
public function postRequest(SS_HTTPRequest $request, SS_HTTPResponse $response, DataModel $model)
{
return true;
}
}
```
To learn more about re-implementing support for the disabled features:
* read [How to implement a Request Filter](/developer_guides/controllers/requestfilters) on the Silverstripe documentation
* read [how to configure trusted proxies](/developer_guides/security/secure_coding/#request-hostname-forgery) on the Silverstripe documentation
* review [api:RequestFilter] interface
To learn more about middleware:
* read the [PSR-15: HTTP Server Request Handlers](https://www.php-fig.org/psr/psr-15/) standard
* read the [Silverstripe 4 documentation about HTTP Middlewares](https://docs.silverstripe.org/en/4/developer_guides/controllers/middlewares/) standard.
[Review the CVE-2019-19326 public disclosure](https://www.silverstripe.org/download/security-releases/cve-2019-19326)
## CVE-2020-9311 Malicious user profile information can cause login form XSS {#CVE-2020-9311}
Malicious users with a valid Silverstripe login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.
[Review the CVE-2020-9311 public disclosure](https://www.silverstripe.org/download/security-releases/cve-2020-9311)
<!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
* 2020-07-09 [c96e9d2fe](https://github.com/silverstripe/silverstripe-framework/commit/c96e9d2fe5e0fbea1da4059264e4da269889f55d) Add public disclosure statement to changelog (Maxime Rainville) - See [cve-2020-9311](https://www.silverstripe.org/download/security-releases/cve-2020-9311)
* 2020-05-04 [074b28cf9](https://github.com/silverstripe/silverstripe-framework/commit/074b28cf937821a0d5627d3f19836ede1d662395) Add changelog for CVE-2019-19326 (Maxime Rainville) - See [cve-2019-19326](https://www.silverstripe.org/download/security-releases/cve-2019-19326)
* 2020-04-28 [98926e4e6](https://github.com/silverstripe/silverstripe-framework/commit/98926e4e6c26d1d43bb1faf516d15bdb2739556e) Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod(). (Maxime Rainville) - See [cve-2019-19326](https://www.silverstripe.org/download/security-releases/cve-2019-19326)
* 2020-04-23 [d3b23e702](https://github.com/silverstripe/silverstripe-framework/commit/d3b23e7024add23de1cb643a44e30d249c2b7cd6) Escape First Name when displaying re-login screen (Maxime Rainville) - See [cve-2020-9311](https://www.silverstripe.org/download/security-releases/cve-2020-9311)
### Features and Enhancements
* 2019-11-18 [54e7223d9](https://github.com/silverstripe/silverstripe-framework/commit/54e7223d981eee7f00244ad9a79187ee3f2f063a) Docs rebuild for compliance with Gatsby (#9316) (Aaron Carlino)
### Bugfixes
* 2020-04-01 [6c8dc0fd9](https://github.com/silverstripe/silverstripe-framework/commit/6c8dc0fd9957d0f497ccc3c700c0d805aff1269e) Fix deprecated php syntax (Dan Hensby)
* 2019-11-19 [42ab51230](https://github.com/silverstripe/silverstripe-framework/commit/42ab512306196d1010808adbe728f1fe179519aa) Fix broken callout tags (Aaron Carlino)
<!--- Changes above this line will be automatically regenerated -->
Reference in New Issue View Git Blame Copy Permalink