mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
90 lines
10 KiB
Markdown
90 lines
10 KiB
Markdown
# 4.3.6
|
|
|
|
Embedding files with shortcodes (`FileShortcodeProvider`) no longer provides a session grant
|
|
by default. This is because it has the potential to escalate file access
|
|
to users who otherwise should not have viewing permissions for the file.
|
|
|
|
There is a minor performance trade-off for disabling these grants. If you have a page with a lot of
|
|
images that are in a draft state or have custom viewing permissions, it adds an extra database
|
|
query for each embedded image. With session grants enabled, the first permission check persists
|
|
the grant into the session, meaning there is no need to query the database on every single file.
|
|
|
|
Unless you have a lot of shortcode images embedded with protected or draft status on a single page,
|
|
this setting is best left to its default value of `false`.
|
|
|
|
To revert to the old behaviour:
|
|
|
|
```
|
|
SilverStripe\Assets\Shortcodes\FileShortcodeProvider:
|
|
allow_session_grant: true
|
|
```
|
|
|
|
## If you were using the versionedfiles on your 3.x site
|
|
|
|
This release includes a security fix for users who migrated from a 3.x site that used
|
|
the [versionedfiles](https://github.com/symbiote/silverstripe-versionedfiles) module.
|
|
The file migration would have left the `_versions` folders in your public filesystem
|
|
as artefacts, leaving all the unpublished versions of your old files publicly accessible
|
|
under a guessable URL.
|
|
|
|
To work around this, you can use the `VersionedFilesMigrationTask`:
|
|
|
|
`$ vendor/bin/sake dev/tasks/migrate-versionedfiles strategy=[delete|protect]`
|
|
|
|
If you choose the `delete` strategy (default), the task will delete all `_versions`
|
|
files for you. Be sure to take a snapshot of your `public/assets` folder before
|
|
doing so. If you choose the `protect` strategy, the task will drop an `.htaccess` file
|
|
in your old `_versions` directories. **This method only works if you are using Apache
|
|
to serve your static files**. If you are using another server such as Nginx, these files
|
|
will remain publicly exposed. It is recommended you use the `delete` strategy if you are
|
|
not using Apache.
|
|
|
|
## Change Log
|
|
|
|
### Security
|
|
|
|
* 2019-09-23 [5af205993](https://github.com/silverstripe/silverstripe-framework/commit/5af205993d24b4bafc00dea94efc2c31305bca83) Fix access escalation for CMS users with limited access through permission cache pollution (Serge Latyntcev) - See [cve-2019-12617](https://www.silverstripe.org/download/security-releases/cve-2019-12617)
|
|
* 2019-09-16 [569237c0f](https://github.com/silverstripe/silverstripe-framework/commit/569237c0f4d16ac6f927aeb0ed8c9b8787490080) Session fixation in "change password" form (Serge Latyntcev) - See [cve-2019-12203](https://www.silverstripe.org/download/security-releases/cve-2019-12203)
|
|
* 2019-08-20 [f98a59de](https://github.com/silverstripe/silverstripe-cms/commit/f98a59deb58d3c9c739f5b32de16472f6ef4a69c) install.php warning does not account for public dir (Aaron Carlino) - See [cve-2019-12204](https://www.silverstripe.org/download/security-releases/cve-2019-12204)
|
|
* 2019-08-17 [fddf889](https://github.com/silverstripe/silverstripe-assets/commit/fddf889917c4e58d32a3e6f476bddaf3fa595e41) Broken access control on files due to session grant (Aaron Carlino) - See [cve-2019-14273](https://www.silverstripe.org/download/security-releases/cve-2019-14273)
|
|
* 2019-05-21 [73e0cc6](https://github.com/silverstripe/silverstripe-assets/commit/73e0cc69dc499c24aa706af9eddd8a2db2ac93e0) Fix incorrect access control vulnerability with unwritten files in protected folders (Robbie Averill) - See [cve-2019-12245](https://www.silverstripe.org/download/security-releases/cve-2019-12245)
|
|
|
|
### Features and Enhancements
|
|
|
|
* 2019-09-18 [1308911](https://github.com/silverstripe/silverstripe-assets/commit/13089110e7b3feea2196198fd3beda21244ceb20) Add task to remove/protect _versions folders (Aaron Carlino)
|
|
* 2019-06-16 [06beff7](https://github.com/silverstripe/silverstripe-admin/commit/06beff71a45bca0f42c88ea931f142d8bc10d008) Allow export of injected GraphQL AST alongside HOC (#889) (Aaron Carlino)
|
|
|
|
### Bugfixes
|
|
|
|
* 2019-09-23 [aa7c05742](https://github.com/silverstripe/silverstripe-framework/commit/aa7c05742242f8e2ec77f97b52839e0365ec7e1a) Don't force-add view button to readonly GridField (fixes #… (#9254) (Guy Marriott)
|
|
* 2019-09-23 [190b2f284](https://github.com/silverstripe/silverstripe-framework/commit/190b2f28429cd870c791f689def055061665ee58) run member CMS validator when editing via groups (fixes #9… (#9255) (Guy Marriott)
|
|
* 2019-09-23 [efdb9cc71](https://github.com/silverstripe/silverstripe-framework/commit/efdb9cc718517c09800a47bb53374bff787b54fa) run member CMS validator when editing via groups (fixes #9184) (Loz Calver)
|
|
* 2019-09-23 [d85ff3bc4](https://github.com/silverstripe/silverstripe-framework/commit/d85ff3bc4463d47edd6b662b34569162e3861a88) Don't force-add view button to readonly GridField (fixes #9249) (Loz Calver)
|
|
* 2019-09-23 [fc536fa](https://github.com/silverstripe/silverstripe-assets/commit/fc536faf2413683549d6b8e77400dc85e37b3a30) Update Apache .htaccess for new access directives (Dylan Wagstaff)
|
|
* 2019-09-20 [ea363fc](https://github.com/silverstripe/silverstripe-asset-admin/commit/ea363fcabd9af8d7607bac9b431171b6b94583f1) Correctly process all non-insert form actions normally in the media dialog (#1005) (Damian Mooyman)
|
|
* 2019-09-10 [591b88a9b](https://github.com/silverstripe/silverstripe-framework/commit/591b88a9bc05b40a7ce3604283b9b7cb684f88cc) Allow infinite loop when calling DataObject::writeComponent() recursively (Maxime Rainville)
|
|
* 2019-09-03 [b0a6973](https://github.com/silverstripe/silverstripe-asset-admin/commit/b0a6973052e73652a9092e7ed9d5dd5d89e5dd42) Remove Default DropzoneJS Timeout of 30s (#985) (Joe Harvey)
|
|
* 2019-08-29 [77ba8391c](https://github.com/silverstripe/silverstripe-framework/commit/77ba8391c40278930873301d50ee3c1168da4cef) Byte Order Marks (BOM) are now stripped when importing CSV files (Robbie Averill)
|
|
* 2019-08-28 [73f43c6f4](https://github.com/silverstripe/silverstripe-framework/commit/73f43c6f428dc92ee2c9a5f932c63ed8a04c8230) Remove placeholder text on new group form (Maxime Rainville)
|
|
* 2019-08-26 [314a906](https://github.com/silverstripe/silverstripe-admin/commit/314a9068e5a3a1a71dfc99021d6acec9b0ab5b77) Fix the jstree styles so that the selected states are more visible (bergice)
|
|
* 2019-08-23 [5845ac6](https://github.com/silverstripe/silverstripe-admin/commit/5845ac685851f8841af8d96ef6313a2cff153ba4) Prevent breadcrumb item styles from bleeding into non-react (Maxime Rainville)
|
|
* 2019-08-23 [94d6c80](https://github.com/silverstripe/silverstripe-admin/commit/94d6c80780430acb4e9d8786a5080a800f777792) enter to submit form not working on `Add new page` (bergice)
|
|
* 2019-08-14 [9889015](https://github.com/silverstripe/silverstripe-admin/commit/9889015eccd05c099e3d8b3d3ce52f179b5b9933) Display breadcrumb element from left to right (#925) (Guy Marriott)
|
|
* 2019-08-13 [1c548cb](https://github.com/silverstripe/silverstripe-admin/commit/1c548cb599563997687cd1062ff2a0985c43197e) jstree state when saving a page by retaining the open/closed state and selected node state. (bergice)
|
|
* 2019-08-09 [a2e98dc](https://github.com/silverstripe/silverstripe-admin/commit/a2e98dcf71353951055cb0f2da286a0455a66ebe) Display breadcrumb element from left to right (Maxime Rainville)
|
|
* 2019-08-09 [3d989a6ea](https://github.com/silverstripe/silverstripe-framework/commit/3d989a6eae979f2671889376179dfdc7085658ac) Use content generated by DataColumns component for print and csv export (Guy Marriott)
|
|
* 2019-07-29 [5c794dfcd](https://github.com/silverstripe/silverstripe-framework/commit/5c794dfcdd42b319325c867f4a807429ad93a553) Prevent setting session value when no session exists yet (Robbie Averill)
|
|
* 2019-07-25 [40cd66852](https://github.com/silverstripe/silverstripe-framework/commit/40cd66852e8d3a5d56c56b9d279cb89a98e3c16d) Fixed issue where multiple relationship sort order columns would be lost in favor of only the last relationship column in the sort order (UndefinedOffset)
|
|
* 2019-07-17 [ef25468](https://github.com/silverstripe/silverstripe-admin/commit/ef2546889ff35c2a6cf74aa956d818cae72898e0) Inline toolbar placement now works in HTMLEditorFields with less than 6 rows (Robbie Averill)
|
|
* 2019-07-12 [fcd7a1e63](https://github.com/silverstripe/silverstripe-framework/commit/fcd7a1e63e7013a9f36100a05bf723ed68382d8a) core memory limit test (Serge Latyntcev)
|
|
* 2019-06-27 [183371b](https://github.com/silverstripe/silverstripe-admin/commit/183371b28a9a1496f2a39284eb0d7d667d4b49bb) Update CSS for sitetree new page columns to use new classna… (#899) (Guy Marriott)
|
|
* 2019-06-27 [b9dcf070](https://github.com/silverstripe/silverstripe-cms/commit/b9dcf070406644f14ab9ae0eb9c22d0f3d1d10cd) Change sitetree new page column class naming to avoid conf… (#2449) (Guy Marriott)
|
|
* 2019-06-26 [b01dc580e](https://github.com/silverstripe/silverstripe-framework/commit/b01dc580e1f9b62c7b8a3a62157ad10930a80342) Protect against undefined index when using nullifyEmpty opt… (#9090) (Guy Marriott)
|
|
* 2019-06-25 [c76d3a5db](https://github.com/silverstripe/silverstripe-framework/commit/c76d3a5db10f9a56a31684354fcd89c1a88de8d4) Protect against undefined index when using nullifyEmpty option (Robbie Averill)
|
|
* 2019-06-19 [260c89fd5](https://github.com/silverstripe/silverstripe-framework/commit/260c89fd54e1c1ed68e5597ccc4592473a53e983) Fix of delimiter not used bug (Mario Sommereder)
|
|
* 2019-06-19 [4df7c21](https://github.com/silverstripe/silverstripe-admin/commit/4df7c21f3fa0ee96cc62876abe9be20720bbc0dc) Update CSS for sitetree new page columns to use new classname, fix item placement within (Mikaela Young)
|
|
* 2019-06-19 [73f4e8c8](https://github.com/silverstripe/silverstripe-cms/commit/73f4e8c8605ea28a2283a1ef96723188c0266706) Change sitetree new page column class naming to avoid conflicts with bootstrap (Mikaela Young)
|
|
* 2019-06-13 [562a8a5](https://github.com/silverstripe/silverstripe-assets/commit/562a8a523b9a50a5a7d4e40c4b4c799a66869ec8) Add FolderNameFilter class: folder names no longer allow dots, and are replaced with dashes (Robbie Averill)
|
|
* 2019-06-05 [bcc55e2](https://github.com/silverstripe/silverstripe-admin/commit/bcc55e212384cdc36728224730dbf6db320acb10) Update modal designs to match design pattern library (Guy Marriott)
|
|
* 2019-04-12 [7592db91](https://github.com/silverstripe/silverstripe-cms/commit/7592db918f269db2fd5c33d9c1259df86f15e12b) VirtualPage missing methods from target page (fixes #2408) (Loz Calver)
|