[CVE-2020-9309] Require MimeUploadValidator on userforms' File Upload field

Maxime Rainville 2020-05-11 13:55:33 +12:00 committed by Garion Herman
parent 6f04f9537d
commit 9e008e6341
3 changed files with 14 additions and 2 deletions


@ -0,0 +1,6 @@
---
Name: mimeuploadvalidator-userforms
---
SilverStripe\Core\Injector\Injector:
SilverStripe\Assets\Upload_Validator.userforms:
class: SilverStripe\MimeValidator\MimeUploadValidator
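Review bot: The new `Upload_Validator.userforms` Injector entry has no comment marking it as a security control, so a project-level config that points the service back at the plain `Upload_Validator` would drop the MIME check with nothing in this file to warn against it. A comment above the `class:` line would cover that, for example `# CVE-2020-9309: this service must resolve to a validator that checks uploaded content against the file extension`. The module's upgrade notes could carry the same sentence, since sites that already override upload validation are the ones most likely to replace this entry.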


@ -4,7 +4,9 @@ namespace SilverStripe\UserForms\Model\EditableFormField;
use SilverStripe\Assets\File; use SilverStripe\Assets\File;
use SilverStripe\Assets\Folder; use SilverStripe\Assets\Folder;
use SilverStripe\Assets\Upload_Validator;
use SilverStripe\Core\Config\Config; use SilverStripe\Core\Config\Config;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\Forms\FileField; use SilverStripe\Forms\FileField;
use SilverStripe\Forms\LiteralField; use SilverStripe\Forms\LiteralField;
use SilverStripe\Forms\NumericField; use SilverStripe\Forms\NumericField;
@ -95,11 +97,14 @@ class EditableFileField extends EditableFormField
return $result; return $result;
} }
public function getFormField() public function getFormField()
{ {
$field = FileField::create($this->Name, $this->Title ?: false) $field = FileField::create($this->Name, $this->Title ?: false)
->setFieldHolderTemplate(EditableFormField::class . '_holder') ->setFieldHolderTemplate(EditableFormField::class . '_holder')
->setTemplate(__CLASS__); ->setTemplate(__CLASS__)
->setValidator(Injector::inst()->get(Upload_Validator::class . '.userforms'));
$field->setFieldHolderTemplate(EditableFormField::class . '_holder') $field->setFieldHolderTemplate(EditableFormField::class . '_holder')
->setTemplate(__CLASS__); ->setTemplate(__CLASS__);
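Review bot: `Injector::inst()->get()` returns a shared singleton unless its second argument is `false`, so the `setValidator()` call added in getFormField() gives every file field the same validator object. getFormField() continues past this hunk; if the rest of it sets allowed extensions or a size limit through `$field->getValidator()`, those settings would land on the shared object and the field configured last would decide the limits for all the others. Requesting a fresh instance per field avoids that: `->setValidator(Injector::inst()->get(Upload_Validator::class . '.userforms', false));`. A test with two file fields that allow different extensions would pin the behaviour.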


@ -33,7 +33,8 @@
"silverstripe/cms": "^4.0", "silverstripe/cms": "^4.0",
"symbiote/silverstripe-gridfieldextensions": "^3.1", "symbiote/silverstripe-gridfieldextensions": "^3.1",
"silverstripe/segment-field": "^2.0", "silverstripe/segment-field": "^2.0",
"silverstripe/versioned": "^1.0" "silverstripe/versioned": "^1.0",
"silverstripe/mimevalidator": "^2.0"
}, },
"require-dev": { "require-dev": {
"phpunit/phpunit": "^5.7", "phpunit/phpunit": "^5.7",