4.4.7
Security patches
This release contains security patches. Some of those patches might require some updates to your project.
- CVE-2020-9309 Script execution on protected files
- CVE-2019-19326 Web Cache Poisoning
- CVE-2020-6164 Information disclosure on /interactive URL path
CVE-2020-9309 Script execution on protected files
Silverstripe can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents.
Risk factors
If your project already includes the silverstripe/mimevalidator module, it's already protected. CWP projects are already protected.
If your project includes the silverstripe/userforms module or allows anonymous users to upload files, it's at a higher risk because malicious users can create files without requiring CMS access.
Actions you need to take
If your project already includes the silverstripe/mimevalidator module, you do not need to do anything. To check if the silverstripe/mimevalidator module is installed in your project, run this command from your project root.

```sh
composer show silverstripe/mimevalidator
```

If you get an error, the module is not installed.
Upgrading to silverstripe/recipe-cms 4.4.7 will NOT automatically install silverstripe/mimevalidator. You need to manually install the silverstripe/mimevalidator module. To add silverstripe/mimevalidator to your project, run this command.

```sh
composer require silverstripe/mimevalidator
```
After installing the mimevalidator module, you need to enable it by adding this code snippet to your YML configuration.

```yaml
SilverStripe\Core\Injector\Injector:
  SilverStripe\Assets\Upload_Validator:
    class: SilverStripe\MimeValidator\MimeUploadValidator
```
If your project overrides the default allowed file types, it's important that you take the time to review your configuration and adjust it as needed to work with silverstripe/mimevalidator.
Read the Allowed file types documentation for more details on controlling the type of files that can be stored in your Silverstripe CMS project.
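The following is an added illustration of the kind of check a MIME validator performs; it is not the silverstripe/mimevalidator module's own code. It sniffs the content type from the bytes with PHP's finfo and rejects a file whose content does not match what its extension allows, such as the "HTML code in a TXT file" case described above. The allowlist and sample files are constructed for this example.

```php
<?php
// Detect the MIME type from the bytes themselves, not from the file name.
function detectedMimeType(string $bytes): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->buffer($bytes) ?: 'application/octet-stream';
}

// Hypothetical allowlist: extension => MIME types its content may legitimately have.
const ALLOWED_MIME_BY_EXTENSION = [
    'txt' => ['text/plain'],
    'png' => ['image/png'],
    'pdf' => ['application/pdf'],
];

// Accept only when the extension is allowed AND the sniffed content type matches it.
function uploadContentMatchesExtension(string $filename, string $bytes): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_MIME_BY_EXTENSION[$ext])) {
        return false; // extension not on the allowlist at all
    }
    return in_array(detectedMimeType($bytes), ALLOWED_MIME_BY_EXTENSION[$ext], true);
}

// Constructed samples: a genuine text note, and an HTML document stored under a .txt name.
$samples = [
    'notes.txt'     => "Meeting notes\n- review upload settings\n",
    'not-notes.txt' => "<!DOCTYPE html><html><body><p>not plain text</p></body></html>\n",
];

foreach ($samples as $name => $bytes) {
    printf(
        "%-15s sniffed=%-10s %s\n",
        $name,
        detectedMimeType($bytes),
        uploadContentMatchesExtension($name, $bytes) ? 'accept' : 'reject'
    );
}
```

With the allowlist above the first sample is accepted as text/plain and the second is rejected because finfo reports it as text/html, which is the mismatch the validator is there to catch.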
Special consideration when upgrading Userforms
The silverstripe/userforms module now also includes silverstripe/mimevalidator in its dependencies. Upgrading to the following versions of userforms will automatically install silverstripe/mimevalidator:
- 5.4.3 or later
- 5.5.3 or later
- 5.6.0 or later (requires CMS 4.6.0)
Userforms that include a file upload field will automatically use the MimeUploadValidator. Beware that this will NOT change the default upload validator for other file upload fields in the CMS. You'll need to update your YML configuration for the MimeUploadValidator to be used everywhere.
CVE-2019-19326 Web Cache Poisoning
Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the:
- X-Original-Url HTTP header
- X-HTTP-Method-Override HTTP header
- _method POST variable.
In order to remedy this vulnerability, Silverstripe Framework 4.4.7 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites that still require these features will have highly unusual requirements that are best served by a tailored solution.
Re-enabling the support for removed features
These features are best implemented by defining a Middleware.
The following example illustrates how to implement an HTTPMiddleware that restores support for the X-Original-Url header and the _method POST parameter for requests originating from a trusted proxy.
```php
<?php
use SilverStripe\Control\Middleware\HTTPMiddleware;
use SilverStripe\Control\HTTPRequest;

/**
 * This is meant to illustrate how to implement an HTTPMiddleware. If you blindly
 * copy-paste this into your code base, you'll simply replicate the vulnerability.
 */
class InsecureHeaderMiddleware implements HTTPMiddleware
{
    public function process(HTTPRequest $request, callable $delegate)
    {
        // Normally, you would validate that the request is coming from a trusted source at this point.
        // View SilverStripe\Control\Middleware\TrustedProxyMiddleware for an example.
        $trustedProxy = true;

        if ($trustedProxy) {
            $originalUrl = $request->getHeader('X-Original-Url');
            if ($originalUrl) {
                $_SERVER['REQUEST_URI'] = $originalUrl;
                $request->setUrl($originalUrl);
            }

            $methodOverride = $request->postVar('_method');
            $validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD'];
            if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) {
                $request->setHttpMethod($methodOverride);
            }
        }

        return $delegate($request);
    }
}
```
To learn more about re-implementing support for the disabled features:
- read how to configure trusted proxies on the Silverstripe documentation.
- read the documentation about HTTP Middlewares.
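As an added example (not framework code), the middleware below fills in the trust check that the illustration above leaves as a placeholder: it only honours the overrides when the immediate TCP peer is one of a configured list of proxy addresses, and it only accepts an X-Original-Url that is a path on this host. The constructor argument and the isLocalPath helper are assumptions of this example; the proxy itself must set X-Original-Url rather than forward a client-supplied value, otherwise the cache can still be poisoned through the proxy.

```php
<?php
use SilverStripe\Control\Middleware\HTTPMiddleware;
use SilverStripe\Control\HTTPRequest;

class TrustedProxyOverrideMiddleware implements HTTPMiddleware
{
    /** @var string[] Exact proxy addresses (hypothetical list, supplied by your configuration). */
    private $trustedProxyIps;

    public function __construct(array $trustedProxyIps)
    {
        $this->trustedProxyIps = $trustedProxyIps;
    }

    public function process(HTTPRequest $request, callable $delegate)
    {
        // REMOTE_ADDR is the TCP peer (the proxy itself); unlike X-Forwarded-For,
        // an anonymous client cannot set it.
        $peer = $_SERVER['REMOTE_ADDR'] ?? '';
        if (!in_array($peer, $this->trustedProxyIps, true)) {
            return $delegate($request); // untrusted peer: ignore both overrides
        }

        $originalUrl = $request->getHeader('X-Original-Url');
        if ($originalUrl && self::isLocalPath($originalUrl)) {
            $_SERVER['REQUEST_URI'] = $originalUrl;
            $request->setUrl($originalUrl);
        }

        $methodOverride = strtoupper((string) $request->postVar('_method'));
        if (in_array($methodOverride, ['GET', 'POST', 'PUT', 'DELETE', 'HEAD'], true)) {
            $request->setHttpMethod($methodOverride);
        }

        return $delegate($request);
    }

    /** Accept only an absolute path on this host: no scheme, no host, no '//' prefix. */
    public static function isLocalPath(string $url): bool
    {
        if ($url === '' || $url[0] !== '/' || substr($url, 0, 2) === '//') {
            return false;
        }
        $parts = parse_url($url);
        return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
    }
}
```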
CVE-2020-6164 Information disclosure on /interactive URL path
A specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).
Change Log
Security
- 2020-05-13 91d30db88 Remove/deprecate unused controllers that can potentially give away some information about the underlying project. (Maxime Rainville) - See cve-2020-6164
- 2020-05-11 107706c12 Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod() (Maxime Rainville) - See cve-2019-19326
Bugfixes
- 2020-06-01 3df2222 Prevent react-selectable from interfering with pagination (Maxime Rainville)
- 2020-05-05 2cc037b Fix merge conflict in Travis configuration (Robbie Averill)
- 2020-02-24 bba0f2f72 Fixed issue where TimeField_Readonly would only show "(not set)" instead of the value (UndefinedOffset)
- 2020-02-18 e0de15f Fix broken test when FulltextSearchable is enabled (Maxime Rainville)
- 2019-09-02 6d8a4bc Make AbsoluteLink work with manipulated images (fixes #322) (Loz Calver)