From 9e008e634137959c0e656070654f01ed8bf1cc5c Mon Sep 17 00:00:00 2001
From: Maxime Rainville
Date: Mon, 11 May 2020 13:55:33 +1200
Subject: [PATCH 1/3] [CVE-2020-9309] Require MimeUploadValidator on userformis' File Upload field
---
 _config/mimevalidator.yml | 6 ++++++
 code/Model/EditableFormField/EditableFileField.php | 7 ++++++-
 composer.json | 3 ++-
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 _config/mimevalidator.yml
diff --git a/_config/mimevalidator.yml b/_config/mimevalidator.yml
new file mode 100644
index 0000000..75e2e22
--- /dev/null
+++ b/_config/mimevalidator.yml
@@ -0,0 +1,6 @@
+---
+Name: mimeuploadvalidator-userforms
+---
+SilverStripe\Core\Injector\Injector:
+ SilverStripe\Assets\Upload_Validator.userforms:
+ class: SilverStripe\MimeValidator\MimeUploadValidator
diff --git a/code/Model/EditableFormField/EditableFileField.php b/code/Model/EditableFormField/EditableFileField.php
index cd4a725..a91e36b 100755
--- a/code/Model/EditableFormField/EditableFileField.php
+++ b/code/Model/EditableFormField/EditableFileField.php
@@ -4,7 +4,9 @@ namespace SilverStripe\UserForms\Model\EditableFormField;
 use SilverStripe\Assets\File;
 use SilverStripe\Assets\Folder;
+use SilverStripe\Assets\Upload_Validator;
 use SilverStripe\Core\Config\Config;
+use SilverStripe\Core\Injector\Injector;
 use SilverStripe\Forms\FileField;
 use SilverStripe\Forms\LiteralField;
 use SilverStripe\Forms\NumericField;
@@ -95,11 +97,14 @@ class EditableFileField extends EditableFormField
 return $result;
 }
+
+
 public function getFormField()
 {
 $field = FileField::create($this->Name, $this->Title ?: false)
 ->setFieldHolderTemplate(EditableFormField::class . '_holder')
- ->setTemplate(__CLASS__);
+ ->setTemplate(__CLASS__)
+ ->setValidator(Injector::inst()->get(Upload_Validator::class . '.userforms'));
 $field->setFieldHolderTemplate(EditableFormField::class . '_holder')
 ->setTemplate(__CLASS__);
diff --git a/composer.json b/composer.json
index b4344a9..e2fc7fc 100644
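Review bot: The new `->setValidator(Injector::inst()->get(Upload_Validator::class . '.userforms'))` line resolves the validator as a shared singleton, because `_config/mimevalidator.yml` registers the service with `class:` only and no `type: prototype`, so every EditableFileField built in a request receives the same MimeUploadValidator instance. If the rest of getFormField (the method continues past the hunk) applies per-field limits through the field's validator — allowed extensions or a maximum size — those settings would carry over from one field to the next. Resolving a fresh instance per field avoids that: `->setValidator(Injector::inst()->create(Upload_Validator::class . '.userforms'))`, or equivalently declare `type: prototype` under the service in the yml. Because the mapping lives in module config, a project-level yml can re-point `SilverStripe\Assets\Upload_Validator.userforms` to another class; a short comment in the yml noting that this service carries the CVE-2020-9309 fix would make an accidental override easier to spot in review. The identical hunk in PATCH 2/3 has the same issue.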
--- a/composer.json
+++ b/composer.json
@@ -33,7 +33,8 @@
 "silverstripe/cms": "^4.0",
 "symbiote/silverstripe-gridfieldextensions": "^3.1",
 "silverstripe/segment-field": "^2.0",
- "silverstripe/versioned": "^1.0"
+ "silverstripe/versioned": "^1.0",
+ "silverstripe/mimevalidator": "^2.0"
 },
 "require-dev": {
 "phpunit/phpunit": "^5.7",
From 27228d12af8a458d0edcb3e8f2154d9731e7c303 Mon Sep 17 00:00:00 2001
From: Maxime Rainville
Date: Mon, 11 May 2020 13:55:33 +1200
Subject: [PATCH 2/3] [CVE-2020-9309] Require MimeUploadValidator on userformis' File Upload field
---
 _config/mimevalidator.yml | 6 ++++++
 code/Model/EditableFormField/EditableFileField.php | 7 ++++++-
 composer.json | 3 ++-
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 _config/mimevalidator.yml
diff --git a/_config/mimevalidator.yml b/_config/mimevalidator.yml
new file mode 100644
index 0000000..75e2e22
--- /dev/null
+++ b/_config/mimevalidator.yml
@@ -0,0 +1,6 @@
+---
+Name: mimeuploadvalidator-userforms
+---
+SilverStripe\Core\Injector\Injector:
+ SilverStripe\Assets\Upload_Validator.userforms:
+ class: SilverStripe\MimeValidator\MimeUploadValidator
diff --git a/code/Model/EditableFormField/EditableFileField.php b/code/Model/EditableFormField/EditableFileField.php
index 76f5aa7..ea4b430 100755
--- a/code/Model/EditableFormField/EditableFileField.php
+++ b/code/Model/EditableFormField/EditableFileField.php
@@ -4,7 +4,9 @@ namespace SilverStripe\UserForms\Model\EditableFormField;
 use SilverStripe\Assets\File;
 use SilverStripe\Assets\Folder;
+use SilverStripe\Assets\Upload_Validator;
 use SilverStripe\Core\Config\Config;
+use SilverStripe\Core\Injector\Injector;
 use SilverStripe\Forms\FileField;
 use SilverStripe\Forms\LiteralField;
 use SilverStripe\Forms\NumericField;
@@ -96,11 +98,14 @@ class EditableFileField extends EditableFormField
 return $result;
 }
+
+
 public function getFormField()
 {
 $field = FileField::create($this->Name, $this->Title ?: false)
 ->setFieldHolderTemplate(EditableFormField::class . '_holder')
- ->setTemplate(__CLASS__);
+ ->setTemplate(__CLASS__)
+ ->setValidator(Injector::inst()->get(Upload_Validator::class . '.userforms'));
 $field->setFieldHolderTemplate(EditableFormField::class . '_holder')
 ->setTemplate(__CLASS__);
diff --git a/composer.json b/composer.json
index 8cb0299..d5af2e1 100644
--- a/composer.json
+++ b/composer.json
@@ -33,7 +33,8 @@
 "silverstripe/cms": "^4.0",
 "symbiote/silverstripe-gridfieldextensions": "^3.1",
 "silverstripe/segment-field": "^2.0",
- "silverstripe/versioned": "^1.0"
+ "silverstripe/versioned": "^1.0",
+ "silverstripe/mimevalidator": "^2.0"
 },
 "require-dev": {
 "phpunit/phpunit": "^5.7",
From d2bf27c847655e7841c407d830d6a487caeaf02e Mon Sep 17 00:00:00 2001
From: Maxime Rainville
Date: Thu, 22 Oct 2020 15:47:17 +1300
Subject: [PATCH 3/3] MNT Fix broken merged up (#1013)
---
 code/Model/EditableFormField/EditableFileField.php | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/code/Model/EditableFormField/EditableFileField.php b/code/Model/EditableFormField/EditableFileField.php
index 0224adf..4c13f84 100755
--- a/code/Model/EditableFormField/EditableFileField.php
+++ b/code/Model/EditableFormField/EditableFileField.php
@@ -6,12 +6,9 @@ use SilverStripe\Assets\File;
 use SilverStripe\Assets\Folder;
 use SilverStripe\Assets\Upload_Validator;
 use SilverStripe\Core\Config\Config;
-<<<<<<< HEAD
 use SilverStripe\Core\Convert;
 use SilverStripe\Forms\FieldList;
-=======
 use SilverStripe\Core\Injector\Injector;
->>>>>>> 5.5
 use SilverStripe\Forms\FileField;
 use SilverStripe\Forms\LiteralField;
 use SilverStripe\Forms\NumericField;