mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
00ffe72944
- Based on new (last) translation download from getlocalization.com
- Removed untranslated strings. Getlocalization started including those at some point which is highly annoying, unnecessary and breaks the new Transifex system, since it'll mark all of the English strings as actual translations
- Avoid dots in entities. It confuses the Transifex YML parser
- Removed some locales unknown to Transifex which didn't have any translations anyway
- Removed "lolcat" locale, uses custom notation (en@lolcal) which SilverStripe's i18n system can't handle (needs mapping from SS naming to Zend naming)
- Renamed "Te Reo/Maori" locale from "mi_NZ" to "mi" (Transifex/CLDR notation)
- Namespaced all entities used in templates (deprecated usage)
- Converted dots to underscores where template filenames are used for namespaces, since Transifex YML parsing handles them as separate YML keys otherwise
- Removed whitespace in entity names, SilverStripe i18n can't handle it
- Only allow selection of locales registered through i18n::$all_locales to avoid issues with unknown locales in Zend's CLDR database
37 lines
1.9 KiB
Markdown
# 3.0.6 (Not yet released)

## Overview

* Security: Require ADMIN for `?flush=1` (stop denial of service attacks)
  ([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692))

## Details

### Security: Require ADMIN for ?flush=1

Flushing the various manifests (class, template, config) is performed through a GET
parameter (`flush=1`). Since this action requires more server resources than normal requests,
it can facilitate [denial-of-service attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack).

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

* The [environment](/topics/environment-management) is in "dev mode"
* A user is logged in with ADMIN permissions
* An error occurs during startup

This applies to both `flush=1` and `flush=all` (technically we only check for the existence of any parameter value)
but only through web requests made through main.php - CLI requests, or any other request that goes through
a custom start up script will still process all flush requests as normal.

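To see how often the flush parameter reaches a site over the web, the following added example (not part of the SilverStripe code base) counts flush-bearing requests per client in an access log. It assumes Apache/nginx combined log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format prefix: client, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def has_flush(target):
    """True if the request target carries a `flush` query key, whatever its value."""
    query = urlsplit(target).query
    # Assumption: presence is what matters, so `?flush=` and a bare `?flush`
    # count too. parse_qs also decodes percent-encoded key names.
    return "flush" in parse_qs(query, keep_blank_values=True)

def flush_hits(lines):
    """Count flush-bearing requests per client address."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_flush(m.group(3)):
            hits[m.group(1)] += 1
    return hits

def noisy_clients(lines, threshold=3):
    """Clients with at least `threshold` flush requests (threshold is arbitrary)."""
    return sorted(c for c, n in flush_hits(lines).items() if n >= threshold)

# Constructed sample lines (documentation address ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2013:10:00:01 +0000] "GET /?flush=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2013:10:00:02 +0000] "GET /about-us?flush=all HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Jan/2013:10:00:03 +0000] "GET /?a=1&fl%75sh=1 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2013:10:00:04 +0000] "GET /contact?noflush=1 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2013:10:00:05 +0000] "GET /news?flush HTTP/1.1" 200 3072',
]

if __name__ == "__main__":
    for client, count in flush_hits(SAMPLE_LOG).most_common():
        print(f"{client}\t{count}")
    print("over threshold:", noisy_clients(SAMPLE_LOG))
```

Requests that bypass main.php (custom startup scripts) show up in the same log, so the count is also a quick way to find entry points that still honour the parameter.
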
## Upgrading

* If you have created your own composite database fields, then you should amend the setValue() to allow the passing of
  an object (usually DataObject) as well as an array.
* If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web
  request, you should ensure that you limit use of the flush parameter
* Translation entity namespaces can no longer contain dots, since it conflicts with the YAML format.
* Translation entities defined in templates now use their fully qualified entity name without dots.
  Before: `BackLink_Button.ss.Back`, after `BackLink_Button_ss.Back`. Please fix any custom language
  files or uses of those entities in custom code.
* If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in `admin/myprofile`
  to ensure correct operation (it has changed its locale identifier)