tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity
silverstripe-framework/docs/en/changelogs/2.4.11.md
Ingo Schommer 84a8b21936 Update 2.4.11 changelog
2013-08-07 20:27:18 +02:00

2.6 KiB
Raw Blame History

2.4.11 (2013-08-08)

Overview

  • Security: Require ADMIN for ?flush=1 (stop denial of service attacks) (#1692)
  • Security: SQL injection in Versioned.php

Details

Security: Require ADMIN for ?flush=1 and ?flush=all

Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than normal requests, it can facilitate denial-of-service attacks.

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

  • The environment is in "dev mode"
  • A user is logged in with ADMIN permissions
  • An error occurs during startup

This applies to both flush=1 and flush=allbut only through web requests made through main.php - CLI requests, or any other request that goes through a custom start up script will still process all flush requests as normal.

Thanks to Christopher Tombleson for reporting.

Security: SQL injection in Versioned.php

The archiveDate parameter wasn't correctly escaping user input through URL parameters (download patch)

Thanks to Dean Jerkovich of NCC Group for reporting.

Changelog

Bugfixes

  • 2013-08-05 [15406dd] Constants magic_quotes needs function from Core (Hamish Friedlander)
  • 2013-08-05 [60a95cb] Token redirect where in IIS a / needs adding between host & url (Hamish Friedlander)
  • 2013-08-01 [2f9689b] Flush on memory exhaustion and headers sent (Hamish Friedlander)
  • 2013-07-30 [a150989] Fixed escaping of date in view of archived site. (Sam Minnee)
  • 2013-07-24 [5212ab0] Nice errors and allows flush on module removal (Hamish Friedlander)
  • 2013-07-22 [09db9a6] Only suppress fatal errors (Hamish Friedlander)
  • 2013-07-19 [e782648] Fixed TempPath inclusion for phpunit & cli-script (Sam Minnee)
  • 2013-07-19 [296b131] Actually use argument in getTempFolder (Hamish Friedlander)
  • 2013-07-19 [ec8c4b8] Ignore invalid tokens instead of throwing 403 (Hamish Friedlander)
  • 2013-07-19 [d42d8d0] Have ParameterConfirmationToken includes work regardless of include path (Hamish Friedlander)
  • 2013-07-19 [8990788] Prevent DOS by checking for env and admin on ?flush=1 (#1692) (Hamish Friedlander)
  • 2013-03-20 [143317c] SQL Injection in CsvBulkLoader (fixes #6227) (Stephen Shkardoon)
  • 2013-02-26 [a8a10f8] Transaction stub methods for better cross 2.x and 3.x compat (Ingo Schommer)