Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Garion Herman
committed
Jul 12, 2020
1 parent
0eb4769
commit 1726cd1
Showing
1 changed file
with
176 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,176 @@ | ||
| # 4.5.3 | ||
|
|
||
| ## Security patches | ||
|
|
||
| This release contains security patches. Some of those patches might require some updates to your project. | ||
|
|
||
| * [CVE-2020-9309 Script execution on protected files](https://www.silverstripe.org/download/security-releases/CVE-2020-9309) | ||
| * [CVE-2019-19326 Web Cache Poisoning](https://www.silverstripe.org/download/security-releases/CVE-2019-19326) | ||
| * [CVE-2020-6164 Information disclosure on /interactive URL path](https://www.silverstripe.org/download/security-releases/CVE-2020-6164) | ||
| * [CVE-2020-6165 Limited queries break CanViewPermissionChecker](https://www.silverstripe.org/download/security-releases/CVE-2020-6165) | ||
|
|
||
|
|
||
| ### CVE-2020-9309 Script execution on protected files {#CVE-2020-9309} | ||
|
|
||
| Silverstripe can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. | ||
|
|
||
| #### Risk factors | ||
|
|
||
| If your project already includes the `silverstripe/mimevalidator` module, it's already protected. CWP projects are already protected. | ||
|
|
||
| If your project includes the `silverstripe/userforms` module or allows anonymous users to upload files, it's at a higher risk because malicious users can create files without requiring a CMS access. | ||
|
|
||
| #### Actions you need to take | ||
|
|
||
| If your project already includes the `silverstripe/mimevalidator` module, you do not need to do anything. To check if the `silverstripe/mimevalidator` module is installed in your project, run this command from your project root. | ||
|
|
||
| ```sh | ||
| composer show silverstripe/mimevalidator | ||
| ``` | ||
|
|
||
| If you get an error, the module is not installed. | ||
|
|
||
| **Upgrading to `silverstripe/recipe-cms` 4.5.3 will NOT automatically install `silverstripe/mimevalidator`**. You need to manually install the module `silverstripe/mimevalidator`. To add `silverstripe/mimevalidator` to your project, run this command. | ||
|
|
||
| ```sh | ||
| composer require silverstripe/mimevalidator | ||
| ``` | ||
|
|
||
| After installing the `mimevalidator` module, you need to enable it by adding this code snippet to your YML configuration. | ||
|
|
||
| ```yml | ||
| SilverStripe\Core\Injector\Injector: | ||
| SilverStripe\Assets\Upload_Validator: | ||
| class: SilverStripe\MimeValidator\MimeUploadValidator | ||
| ``` | ||
|
|
||
| If your project overrides the defaults allowed file types, it's important that you take the time to review your configuration and adjust it as need be to work with `silverstripe/mimevalidator`. | ||
|
|
||
| Read the [Allowed file types](/Developer_Guides/Files/Allowed_file_types) documentation for more details on controling the type of files that can be stored in your Silverstrip CMS Project. | ||
|
|
||
| #### Special consideration when upgrading Userforms | ||
|
|
||
| The `silverstripe/userforms` module now also includes `silverstripe/mimevalidator` in its dependencies. Upgrading to the following versions of userforms will automatically install `silverstripe/mimevalidator`: | ||
|
|
||
| * 5.4.3 or later | ||
| * 5.5.3 or later | ||
| * 5.6.0 or later (requires CMS 4.6.0) | ||
|
|
||
| Userforms that include a file upload field will automatically use the`MimeUploadValidator`. Beware that this will NOT change the default upload validator for other file upload fields in the CMS. You'll need to update your YML configuration for the `MimeUploadValidator` to be used everywhere. | ||
|
|
||
| ### CVE-2019-19326 Web Cache Poisoning {#CVE-2019-19326} | ||
|
|
||
| Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the: | ||
| * `X-Original-Url` HTTP header | ||
| * `X-HTTP-Method-Override` HTTP header | ||
| * `_method` POST variable. | ||
|
|
||
| In order to remedy this vulnerability, Silverstripe Framework 4.5.3 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution. | ||
|
|
||
| ### Re-enabling the support for removed features | ||
|
|
||
| These features are best implemented by defining a `Middleware`. | ||
|
|
||
| The following example illustrates how to implement an `HTTPMiddleware` that restores support for the `X-Original-Url` header and the `_method` POST parameter for requests originating from a trusted proxy. | ||
|
|
||
| ```php | ||
| <?php | ||
| use SilverStripe\Control\Middleware\HTTPMiddleware; | ||
| use SilverStripe\Control\HTTPRequest; | ||
| /** | ||
| * This is meant to illustrate how to implement an HTTPMiddleware. If you blindly | ||
| * copy-paste this in in your code base, you'll simply replicate the vulnerability. | ||
| */ | ||
| class InsecureHeaderMiddleware implements HTTPMiddleware | ||
| { | ||
| public function process(HTTPRequest $request, callable $delegate) | ||
| { | ||
| // Normally, you would validate that the request is coming from a trusted source at this point. | ||
| // View SilverStripe\Control\Middleware\TrustedProxyMiddleware for an example. | ||
| $trustedProxy = true; | ||
| if ($trustedProxy) { | ||
| $originalUrl = $request->getHeader('X-Original-Url'); | ||
| if ($originalUrl) { | ||
| $_SERVER['REQUEST_URI'] = $originalUrl; | ||
| $request->setUrl($originalUrl); | ||
| } | ||
| $methodOverride = $request->postVar('_method'); | ||
| $validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD']; | ||
| if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) { | ||
| $request->setHttpMethod($methodOverride); | ||
| } | ||
| } | ||
| return $delegate($request); | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| To learn more about re-implementing support for the disabled features: | ||
| * read [how to configure trusted proxies](/developer_guides/security/secure_coding/#request-hostname-forgery) on the Silverstripe documentation. | ||
| * read the [documentation about HTTP Middlewares](/developer_guides/controllers/middlewares/). | ||
|
|
||
| ### CVE-2020-6164 Information disclosure on /interactive URL path | ||
|
|
||
| A specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page). | ||
|
|
||
| ### CVE-2020-6165 Limited queries break CanViewPermissionChecker | ||
|
|
||
| The automatic permission checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g. through pagination), resulting in records that should fail the permission check being added to the final result set. | ||
|
|
||
| If your project implements custom GraphQL queries using the `CanViewPermissionChecker`, you should validate that they still work as expected after the upgrade. | ||
|
|
||
| Read [Controlling who can view results in a GraphQL result set](/Developer_Guides/GraphQL/Verifying_CanView_Permission) | ||
| for more information on updating your GraphQL queries. | ||
|
|
||
| <!--- Changes below this line will be automatically regenerated --> | ||
|
|
||
| ## Change Log | ||
|
|
||
| ### Security | ||
|
|
||
| * 2020-05-13 [cce2b1630](https://github.com/silverstripe/silverstripe-framework/commit/cce2b1630937895aa28c2914837651e7cd56d74b) Remove/deprecate unused controllers that can potentially give away some information about the underlying project. (Maxime Rainville) - See [cve-2020-6164](https://www.silverstripe.org/download/security-releases/cve-2020-6164) | ||
| * 2020-05-11 [8518987cb](https://github.com/silverstripe/silverstripe-framework/commit/8518987cbd1eaca71b65dd4a4b35591db941509a) Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod() (Maxime Rainville) - See [cve-2019-19326](https://www.silverstripe.org/download/security-releases/cve-2019-19326) | ||
| * 2020-02-17 [d3968ad](https://github.com/silverstripe/silverstripe-asset-admin/commit/d3968adcbdb759cb20571865af3b6356c8922cde) Move the query resolution after the DataListQuery has been altered (Maxime Rainville) - See [cve-2020-6165](https://www.silverstripe.org/download/security-releases/cve-2020-6165) | ||
| * 2020-02-11 [107e6c9](https://github.com/silverstripe/silverstripe-graphql/commit/107e6c918bb6a6a536dd9e3d8f5c74b4acdfd852) Ensure canView() check is run on items (Steve Boyd) - See [cve-2020-6165](https://www.silverstripe.org/download/security-releases/cve-2020-6165) | ||
|
|
||
| ### API Changes | ||
|
|
||
| * 2020-06-30 [ec83959f2](https://github.com/silverstripe/silverstripe-framework/commit/ec83959f2c3ff7784fdd9503601732b5d006de13) Remove UpgradeBootstrap (not part of our official API) (Maxime Rainville) | ||
|
|
||
| ### Features and Enhancements | ||
|
|
||
| * 2020-04-15 [daa80d8](https://github.com/silverstripe/silverstripe-admin/commit/daa80d8d2c2a5eabf75cfd23bb40d5a4b0fab02a) Add secure icons (Sacha Judd) | ||
|
|
||
| ### Bugfixes | ||
|
|
||
| * 2020-07-09 [b780c4f50](https://github.com/silverstripe/silverstripe-framework/commit/b780c4f504555e5ae2d3861f8772f87ab20e016e) Tweak DBHTMLText::Plain to avoid treating some chinese characters as line breaks. (Maxime Rainville) | ||
| * 2020-06-23 [e033f26](https://github.com/silverstripe/silverstripe-admin/commit/e033f26d16527c04fb09c9ae3c1582367cf1dcaf) Fix external link setting text to `undefined` on text (#1059) (Andre Kiste) | ||
| * 2020-06-01 [3df2222](https://github.com/silverstripe/silverstripe-asset-admin/commit/3df222203ee563fac840e5e0727c75ddfe244886) Prevent react-selectable from interfering with pagination (Maxime Rainville) | ||
| * 2020-05-26 [3e52b1a](https://github.com/silverstripe/silverstripe-admin/commit/3e52b1ae3e5fd45dfde05913fe2fc0edd7309d82) Vertically align form description contents (including icons) (bergice) | ||
| * 2020-05-26 [09d2061](https://github.com/silverstripe/silverstripe-asset-admin/commit/09d20617620571650509b2b250117c295d58d5bb) Asset revision timestamps are no longer underlined in asset admin history tabs (Robbie Averill) | ||
| * 2020-05-19 [b9de9e6](https://github.com/silverstripe/silverstripe-asset-admin/commit/b9de9e6d608aa2b7f6d01e9c609369998d3ab0d8) Remove direct descendant selector to apply correct margins (Sacha Judd) | ||
| * 2020-05-11 [9dcc030](https://github.com/silverstripe/silverstripe-admin/commit/9dcc030aa8c2c3dab4c6a4206f883cb40e6a1458) Resize address-card-warning (Sacha Judd) | ||
| * 2020-05-08 [afc1759](https://github.com/silverstripe/silverstripe-admin/commit/afc1759f6cc74ce58be68bfb167bf52c1e972915) Page search form layout overflow issue (Mojmir Fendek) | ||
| * 2020-05-05 [2cc037b](https://github.com/silverstripe/silverstripe-versioned/commit/2cc037b2d305ed98056a9232587351949e59561f) Fix merge conflict in Travis configuration (Robbie Averill) | ||
| * 2020-05-01 [b1f6e52](https://github.com/silverstripe/silverstripe-asset-admin/commit/b1f6e521aac9bc17ee400593724e4a9290678938) Remove grid view sorting hack to correct initial state (Garion Herman) | ||
| * 2020-05-01 [891f0682](https://github.com/silverstripe/silverstripe-cms/commit/891f068202a3c7926a813c994b2802eacb7847f0) Correct placement of 'Page location' field title (Garion Herman) | ||
| * 2020-04-30 [fff806ca](https://github.com/silverstripe/silverstripe-cms/commit/fff806ca33cf6cdfd17c073f736e0faba42964a3) Prevent Treeview from always reloading (Maxime Rainville) | ||
| * 2020-04-18 [216989165](https://github.com/silverstripe/silverstripe-framework/commit/2169891651aded4defe33a1d08e1b07f79b9f086) Ensure realpath returns a string for stripos (mattclegg) | ||
| * 2020-04-15 [be80813](https://github.com/silverstripe/silverstripe-asset-admin/commit/be80813eaa8f5005b63978a53da2162c88645173) Campaign admin permission fix (Mojmir Fendek) | ||
| * 2020-04-15 [d7c76bdb](https://github.com/silverstripe/silverstripe-cms/commit/d7c76bdbba0af815d61146a1cbfc2529b3b2fe55) Published pages filter correction (missing default filter) (Mojmir Fendek) | ||
| * 2020-04-14 [e2a6281](https://github.com/silverstripe/silverstripe-asset-admin/commit/e2a6281305f23bd43d43a23adaa6807a54263f61) Legacy max upload size setting removal (Mojmir Fendek) | ||
| * 2020-03-23 [5002f514b](https://github.com/silverstripe/silverstripe-framework/commit/5002f514b3fde8e4ef75a72c964d649f46ab31f0) Capitalisation fixes in welcome back message (#9439) (Robbie Averill) | ||
| * 2020-03-23 [e5aa94c](https://github.com/silverstripe/silverstripe-admin/commit/e5aa94cfdd4fadcc87db3eee127f2f4f751ef6a7) "My profile" title in CMS is now vertical centered as other LeftAndMain screens are (Robbie Averill) | ||
| * 2020-03-20 [14fd29a](https://github.com/silverstripe/silverstripe-admin/commit/14fd29ad2c607951eff1bab65921748916a6c72e) Switch incorrect modified and draft state indicator colours (Sacha Judd) | ||
| * 2020-03-17 [7ad5f1bb1](https://github.com/silverstripe/silverstripe-framework/commit/7ad5f1bb14814bd05c6fe97e11b94c9f34936b15) Ensure diff arrays are one-dimensional (Aaron Carlino) | ||
| * 2020-03-08 [b269d8749](https://github.com/silverstripe/silverstripe-framework/commit/b269d874909cd70bb60c1a2974ea5446b43b0436) Register new sub tasks to fix files affected by CVE-2020-9280 and CVE-2019-12245 (Serge Latyntcev) | ||
| * 2020-03-04 [12ea7cd](https://github.com/silverstripe/silverstripe-assets/commit/12ea7cd2037bebcb3196dd5e3aaa72e6dbc7c7b2) Create NormaliseAccessMigrationHelper to fix files affected by CVE-2019-12245 (Maxime Rainville) | ||
| * 2020-02-24 [bba0f2f72](https://github.com/silverstripe/silverstripe-framework/commit/bba0f2f72fa2e631dbf60357a908d5d57d4467ee) Fixed issue where TimeField_Readonly would only show "(not set)" instead of the value (UndefinedOffset) | ||
| * 2020-02-20 [ff417ca](https://github.com/silverstripe/silverstripe-asset-admin/commit/ff417ca53405a4022c4fece82d50638e72940d4f) Fix last file upload showing as errored when uploading multiple files. (bergice) | ||
| * 2020-02-19 [7455d14](https://github.com/silverstripe/silverstripe-asset-admin/commit/7455d141aa6340e33674f72516e0e6b97d6d6232) Handle case where provided $context is null (Garion Herman) | ||
| * 2020-02-19 [8402966](https://github.com/silverstripe/silverstripe-assets/commit/84029664c21ba54d895aac8fa036a9c4277e56a0) Correct deprecated implode syntax for PHP 7.4 compat (Garion Herman) | ||
| * 2020-02-18 [9900d07](https://github.com/silverstripe/silverstripe-asset-admin/commit/9900d07eeb41a9c5c9dac758ee56f9397301bbdb) Tweak UsedOnTableTest ti dynamically switch protocol (Maxime Rainville) | ||
| * 2020-02-05 [c92e3b9d](https://github.com/silverstripe/silverstripe-cms/commit/c92e3b9d7967142ce59c918916441fce796c9fd8) Prioritise same-level pages in OldPageRedirector (Klemen Dolinšek) | ||
| * 2019-10-17 [b62288cc9](https://github.com/silverstripe/silverstripe-framework/commit/b62288cc92bd7e58182e1b02b083eeb474366d52) Disabled the UpgradeBootstrap upgrader doctor task (Maxime Rainville) | ||
| * 2019-09-02 [6d8a4bc](https://github.com/silverstripe/silverstripe-assets/commit/6d8a4bc4f4178c0b56ede1b01f87b162066d550a) Make AbsoluteLink work with manipulated images (fixes #322) (Loz Calver) | ||
| <!--- Changes above this line will be automatically regenerated --> |