mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 12:05:37 +00:00
50 lines
2.6 KiB
Markdown
50 lines
2.6 KiB
Markdown
# 2.4.11 (2013-08-08)
|
|
|
|
## Overview
|
|
|
|
* Security: Require ADMIN for `?flush=1` (stop denial of service attacks)
|
|
([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692))
|
|
* Security: SQL injection in Versioned.php
|
|
|
|
## Details
|
|
|
|
### Security: Require ADMIN for ?flush=1 and ?flush=all
|
|
|
|
Flushing the various manifests (class, template, config) is performed through a GET
|
|
parameter (`flush=1`). Since this action requires more server resources than normal requests,
|
|
it can facilitate [denial-of-service attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack).
|
|
|
|
To prevent this, main.php now checks and only allows the flush parameter in the following cases:
|
|
|
|
* The [environment](/topics/environment-management) is in "dev mode"
|
|
* A user is logged in with ADMIN permissions
|
|
* An error occurs during startup
|
|
|
|
This applies to both `flush=1` and `flush=all`but only through web requests made through main.php - CLI requests,
|
|
or any other request that goes through a custom start up script will still process all flush requests as normal.
|
|
|
|
Thanks to Christopher Tombleson for reporting.
|
|
|
|
### Security: SQL injection in Versioned.php
|
|
|
|
The `archiveDate` parameter wasn't correctly escaping user input through URL parameters ([download patch](https://github.com/silverstripe/silverstripe-framework/commit/a150989e6fb8b0ad41d9ad2af54948de33c721f0.patch))
|
|
|
|
Thanks to Dean Jerkovich of NCC Group for reporting.
|
|
|
|
## Changelog
|
|
|
|
### Bugfixes
|
|
|
|
* 2013-08-05 [15406dd] Constants magic_quotes needs function from Core (Hamish Friedlander)
|
|
* 2013-08-05 [60a95cb] Token redirect where in IIS a / needs adding between host & url (Hamish Friedlander)
|
|
* 2013-08-01 [2f9689b] Flush on memory exhaustion and headers sent (Hamish Friedlander)
|
|
* 2013-07-30 [a150989] Fixed escaping of date in view of archived site. (Sam Minnee)
|
|
* 2013-07-24 [5212ab0] Nice errors and allows flush on module removal (Hamish Friedlander)
|
|
* 2013-07-22 [09db9a6] Only suppress fatal errors (Hamish Friedlander)
|
|
* 2013-07-19 [e782648] Fixed TempPath inclusion for phpunit & cli-script (Sam Minnee)
|
|
* 2013-07-19 [296b131] Actually use argument in getTempFolder (Hamish Friedlander)
|
|
* 2013-07-19 [ec8c4b8] Ignore invalid tokens instead of throwing 403 (Hamish Friedlander)
|
|
* 2013-07-19 [d42d8d0] Have ParameterConfirmationToken includes work regardless of include path (Hamish Friedlander)
|
|
* 2013-07-19 [8990788] Prevent DOS by checking for env and admin on ?flush=1 (#1692) (Hamish Friedlander)
|
|
* 2013-03-20 [143317c] SQL Injection in CsvBulkLoader (fixes #6227) (Stephen Shkardoon)
|
|
* 2013-02-26 [a8a10f8] Transaction stub methods for better cross 2.x and 3.x compat (Ingo Schommer) |