tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity
ede381326b
silverstripe-framework/docs/en/changelogs/3.0.4.md
Ingo Schommer ede381326b BUG Secure composer files from web access (fixes #8011) 
Already applied to root .htaccess, but required for dynamically
generated file from installer as well. Also added upgrade instructions.
2013-02-17 22:33:04 +01:00

2.5 KiB
Raw Blame History

3.0.4

Overview

  • Security: Information leakage through web access on YAML configuration files
  • Security: Information leakage through web access on composer files
  • Security: Require ADMIN permissions for ?showtemplate=1
  • Changed dev/tests/setdb and dev/tests/startsession from session to cookie storage.

Details

Security: Prevent web access to YAML and composer files

Severity: Moderate

Description: YAML files are used to configure the SilverStripe application since its 3.0 release. These files can contain sensitive values such as database and API credentials. By default, the installer still stores database credentials in _config.php files which are safe from web access. So this only concerns configuration values added in your own project, or a third party module.

Resolution: Update your .htaccess file (for Apache), or your web.config file (for IIS) with the new files from the project root, and reapply any customizations you've made. Follow the general upgrade instructions. The nginx installation instructions have also been updated to reflect those changes.

Security: Information exposure through web access on composer files

Severity: Low

Description: Composer is a dependency management tool which can optionally be used to install SilverStripe. The composer.json and composer.lock files are required for its operation, so they are included in the standard release since 3.0.2. These files contain information on the installed versions of core and thirdparty modules, which could be used to target specific versions of SilverStripe.

Resolution: Update your .htaccess file (for Apache), or your web.config file (for IIS) with the new files from the project root, and reapply any customizations you've made. Follow the general upgrade instructions. The nginx installation instructions have also been updated to reflect those changes.

Security: Require ADMIN permissions for ?showtemplate=1

Severity: Low

Description: Avoids information leakage of compiled template data, which might expose some of the internal template logic.

Upgrading

  • If you are using dev/tests/setdb and dev/tests/startsession, you'll need to configure a secure token in order to encrypt the cookie value: Simply run sake dev/generatesecuretoken and add the resulting code to your mysite/_config.php. Note that this functionality now requires the PHP mcrypt extension.