From 81045f46c2393c21270089cfac0aa25bf89d1282 Mon Sep 17 00:00:00 2001
From: Damian Mooyman
Date: Mon, 5 Feb 2018 17:15:37 +1300
Subject: [PATCH 1/3] Update development dependencies

---
 composer.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/composer.json b/composer.json
index 3edefbc..acdbb14 100644
--- a/composer.json
+++ b/composer.json
@@ -5,7 +5,7 @@
 "require": {
 "php": ">=5.6.0",
 "silverstripe/recipe-plugin": "^1",
- "silverstripe/recipe-cms": "1.0.x-dev",
+ "silverstripe/recipe-cms": "1.0.3@stable",
 "silverstripe-themes/simple": "~3.2.0"
 },
 "require-dev": {
@@ -24,4 +24,4 @@
 },
 "prefer-stable": true,
 "minimum-stability": "dev"
-}
+}
\ No newline at end of file

From f9c03fa623dc7237005901efd863256b7d356db7 Mon Sep 17 00:00:00 2001
From: Damian Mooyman
Date: Tue, 24 Apr 2018 11:32:05 +1200
Subject: [PATCH 2/3] [ss-2018-012] Prevent php code execution in assets folder

---
 assets/.htaccess | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/assets/.htaccess b/assets/.htaccess
index eebdb1d..fc7b16e 100644
--- a/assets/.htaccess
+++ b/assets/.htaccess
@@ -4,6 +4,15 @@
 # See AssetAdapter::renderTemplate() for reference.
 #
+# We disable PHP via several methods
+# Replace the handler with the default plaintext handler
+AddHandler default-handler php phtml php3 php4 php5 inc
+
+
+ # Turn the PHP engine off
+ php_flag engine off
+
+
 SetEnv HTTP_MOD_REWRITE On
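Review bot: The added `php_flag engine off` is honoured only by mod_php, so on PHP-FPM/FastCGI hosts that line is inert and the block relies on `AddHandler default-handler …` plus the extension whitelist in the next hunk; the apparent IfModule wrapper around the flag (its tag did not survive this rendering) does not change that. The `AddHandler` line is itself not guaranteed to win: Apache merges per-directory/.htaccess sections before `<Files>`/`<FilesMatch>`, so on hosts that attach PHP through a server-level `<FilesMatch … SetHandler …>` the handler override is shadowed and only the rewrite whitelist remains. Both directives also need the vhost to grant `AllowOverride` (FileInfo for AddHandler, Options for php_flag), which this file cannot verify, so hosts that ignore .htaccess need the same rules in the server configuration. I would record the layering inline, e.g. `# Three independent layers: handler override (needs AllowOverride FileInfo), php_flag (mod_php only), and the extension whitelist in the rewrite rules below - keep all three`.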
@@ -11,16 +20,12 @@ RewriteEngine On
- # Disable PHP handler
- RewriteCond %{REQUEST_URI} .(?i:php|phtml|php3|php4|php5|inc)$
- RewriteRule .* - [F]
-
 # Allow error pages
 RewriteCond %{REQUEST_FILENAME} -f
 RewriteRule error[^\\/]*\.html$ - [L]
 # Block invalid file extensions
- RewriteCond %{REQUEST_URI} !\.(?i:ace|arc|arj|asf|au|avi|bmp|bz2|cab|cda|css|csv|dmg|doc|docx|dotx|dotm|flv|gif|gpx|gz|hqx|ico|jar|jpeg|jpg|js|kml|m4a|m4v|mid|midi|mkv|mov|mp3|mp4|mpa|mpeg|mpg|ogg|ogv|pages|pcx|pdf|png|pps|ppt|pptx|potx|potm|ra|ram|rm|rtf|sit|sitx|tar|tgz|tif|tiff|txt|wav|webm|wma|wmv|xls|xlsx|xltx|xltm|zip|zipx)$
+ RewriteCond %{REQUEST_URI} !^[^.]*\.(?i:ace|arc|arj|asf|au|avi|bmp|bz2|cab|cda|css|csv|dmg|doc|docx|dotx|dotm|flv|gif|gpx|gz|hqx|ico|jar|jpeg|jpg|js|kml|m4a|m4v|mid|midi|mkv|mov|mp3|mp4|mpa|mpeg|mpg|ogg|ogv|pages|pcx|pdf|png|pps|ppt|pptx|potx|potm|ra|ram|rm|rtf|sit|sitx|tar|tgz|tif|tiff|txt|wav|webm|wma|wmv|xls|xlsx|xltx|xltm|zip|zipx)$
 RewriteRule .* - [F]
 # Non existant files passed to requesthandler

From be96858e85272ca62f6f0ff3e24a44aa0248ac4d Mon Sep 17 00:00:00 2001
From: Robbie Averill
Date: Thu, 26 Apr 2018 09:00:49 +1200
Subject: [PATCH 3/3] [SS-2018-014] Remove jar, dotm, potm, xltm from file extension whitelist, hard-code CSS and JS for TinyMCE support

---
 assets/.htaccess | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/assets/.htaccess b/assets/.htaccess
index fc7b16e..8c3eefb 100644
--- a/assets/.htaccess
+++ b/assets/.htaccess
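Review bot: The new `RewriteCond %{REQUEST_URI} !^[^.]*\.(?i:…)$` rejects any request whose path contains more than one dot, not only double-extension file names: a dotted directory such as `/assets/v1.2/` or legitimate names like `jquery.min.js` or `backup.tar.gz` now get a 403 even though their final extension is whitelisted. If the intent is to defeat Apache's multiple-extension handler lookup (a name like `file.php.jpg`), that deserves saying in the comment above the rule, and the upload-side name sanitisation should be checked to match so editors do not hit unexplained 403s; I cannot see that code from here. Suggested comment: `# Block invalid file extensions; also reject any path with more than one dot so multi-extension names can never reach a PHP handler`. The rewrite block these rules live in (`RewriteEngine On` in the hunk header) starts before the hunk and its trailing rules continue after it.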
@@ -25,7 +25,7 @@ AddHandler default-handler php phtml php3 php4 php5 inc
 RewriteRule error[^\\/]*\.html$ - [L]
 # Block invalid file extensions
- RewriteCond %{REQUEST_URI} !^[^.]*\.(?i:ace|arc|arj|asf|au|avi|bmp|bz2|cab|cda|css|csv|dmg|doc|docx|dotx|dotm|flv|gif|gpx|gz|hqx|ico|jar|jpeg|jpg|js|kml|m4a|m4v|mid|midi|mkv|mov|mp3|mp4|mpa|mpeg|mpg|ogg|ogv|pages|pcx|pdf|png|pps|ppt|pptx|potx|potm|ra|ram|rm|rtf|sit|sitx|tar|tgz|tif|tiff|txt|wav|webm|wma|wmv|xls|xlsx|xltx|xltm|zip|zipx)$
+ RewriteCond %{REQUEST_URI} !^[^.]*\.(?i:css|js|ace|arc|arj|asf|au|avi|bmp|bz2|cab|cda|csv|dmg|doc|docx|dotx|flv|gif|gpx|gz|hqx|ico|jpeg|jpg|kml|m4a|m4v|mid|midi|mkv|mov|mp3|mp4|mpa|mpeg|mpg|ogg|ogv|pages|pcx|pdf|png|pps|ppt|pptx|potx|ra|ram|rm|rtf|sit|sitx|tar|tgz|tif|tiff|txt|wav|webm|wma|wmv|xls|xlsx|xltx|zip|zipx)$
 RewriteRule .* - [F]
 # Non existant files passed to requesthandler
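Review bot: The whitelist edit leaves no trace in the file of why `css` and `js` are kept (TinyMCE, per the subject) or why `jar`, `dotm`, `potm` and `xltm` went away, so a later tidy-up can silently reintroduce macro-enabled Office or jar files, which the commit message says is the point of SS-2018-014. Moving `css|js` to the front of the alternation changes nothing about matching (the pattern is anchored with `$` and only match/no-match matters for a negated condition), so the "hard-code" intent exists only as a comment. This is also a second hand-maintained copy of the extension list (the file header points at `AssetAdapter::renderTemplate()` as the reference), and the two drifting apart is the likeliest way for an entry to come back. Suggested comment above the rule: `# Must match the upload allowlist (see AssetAdapter::renderTemplate()); css/js stay for TinyMCE, macro-enabled Office (dotm/potm/xltm) and jar are deliberately excluded (SS-2018-014)`.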