MINOR Added documentation about the new File.ShowInSearch property

commit 719bb18db88a8e6abf7f9f5927efd007bc6b37bf (1 parent: 880a9ac)
Authored by @chillu
docs/en/changelogs/2.4.6.md (23 changed lines)
@@ -10,6 +10,29 @@
## Upgrading Notes ##
+### Security: User-uploaded files searchable when using FulltextSearchable ###
+
+The FulltextSearchable default configuration includes all file names in the `assets/` folder.
+While this is desired in most cases, it can lead to unexpected public visibility of data,
+e.g. when uploaded through users. For example, CVs uploaded to a recruiting site most likely shouldn't be searchable.
+
+Option 1: Disable file search completely (through `mysite/_config.php`):
+
+ FulltextSearchable::enable(array('SiteTree'));
+
+Option 2: Exclude file search from individual files by setting the `File.ShowInSearch` database property to `0`.
+This property has been added in the 2.4.6 release. You can apply this retroactively to all files with this SQL statement:
+
+ UPDATE `File` SET `ShowInSearch` = 0;
+
+Please note that all these files are still exposed through the webserver if the path is known,
+regardless of the `ShowInSearch` setting. To fully secure uploaded files,
+you can apply protection on a webserver level (e.g. `.htaccess`/`web.config` configuration).
+Alternatively, you can proxy these files through your own permission control system
+rather than exposing them directly through the webserver (e.g. with the ["securefiles" module](http://www.silverstripe.org/secure-files/)).
+
+One common way to allow user-uploaded files is the ["userforms" module](http://www.silverstripe.org/user-forms-module/). This module has been altered to mark all uploaded files with `ShowInSearch`=0 by default.
+
### Security: Cross-site scripting (XSS) on anchor links
Anchor links (`<a href="#">`) are automatically rewritten by the SilverStripe
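Review bot: the `UPDATE \`File\` SET \`ShowInSearch\` = 0;` statement under Option 2 only works once the 2.4.6 schema has been built, because the same paragraph says the property is new in this release; the sentence introducing it should say "after running `dev/build`". Two further gaps in the same note: the statement only touches rows already in the `File` table, so files uploaded afterwards are searchable again unless something sets `ShowInSearch` to 0 for them (the text only promises that for the userforms module), and the Option 1 / Option 2 split does not spell out that Option 2 keeps indexing every file whose flag is left at its default. Finally, "To fully secure uploaded files, you can apply protection on a webserver level" overstates what `.htaccess`/`web.config` rules give you; "to restrict direct access to uploaded files" is what the following sentences actually describe.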
docs/en/tutorials/4-site-search.md (10 changed lines)
@@ -16,17 +16,13 @@ results page.
## Creating the search form
-The Search Form functionality has been altered over time. Please use the section which applies to your SilverStripe
-version.
-
-SilverStripe does not come bundled with the search engine enabled. To enable the search engine you need to include
-the following code in your mysite/_config.php file
+To enable the search engine you need to include the following code in your `mysite/_config.php` file.
+This will enable fulltext search on page content as well as names of all files in the `/assets` folder.
:::php
FulltextSearchable::enable();
-After including that in your _config.php you will need to rebuild the database by visiting http://yoursite.com/dev/build
-in your web browser. This will add the fulltext search columns.
+After including that in your `_config.php` you will need to rebuild the database by visiting `http://yoursite.com/dev/build` in your web browser. This will add the fulltext search columns.
The actual search form code is already provided in FulltextSearchable so when you add the enable line above to your
`_config.php` you can add your form as `$SearchForm`.
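Review bot: the new sentence "This will enable fulltext search on page content as well as names of all files in the `/assets` folder" states the exposure but not how to avoid it, so a reader following the tutorial gets no cue to restrict the search; add the `FulltextSearchable::enable(array('SiteTree'))` form from the 2.4.6 changelog, or a link to its "User-uploaded files searchable when using FulltextSearchable" note, directly after the `:::php` block. Minor: the changelog writes the folder as `assets/` and this file as `/assets`; the two docs should agree.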
search/FulltextSearchable.php (3 changed lines)
@@ -6,6 +6,9 @@
* (if the 'cms' module is available as well).
* (this means you can use $SearchForm in your template without changing your own implementation).
*
+ * CAUTION: Will make all files in your /assets folder searchable by file name
+ * unless "File" is excluded from FulltextSearchable::enable().
+ *
* @see http://doc.silverstripe.org/tutorial:4-site-search
*
* @package sapphire
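Review bot: the CAUTION names the condition ("unless "File" is excluded from FulltextSearchable::enable()") but not the call that does it, and it does not mention the per-file `File.ShowInSearch` property that the same commit documents; a one-line `FulltextSearchable::enable(array('SiteTree'))` example and a pointer to the 2.4.6 changelog note would make the warning actionable from the code itself. The `@see` link already points readers to the tutorial, so the wording of the caveat there and here should match.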