MINOR Added documentation about the new File.ShowInSearch property

silverstripe · Dec 3, 2011 · 719bb18 · 719bb18
1 parent 880a9ac
commit 719bb18
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 7 deletions.
diff --git a/docs/en/changelogs/2.4.6.md b/docs/en/changelogs/2.4.6.md
@@ -10,6 +10,29 @@
 
 ## Upgrading Notes ##
 
+### Security: User-uploaded files searchable when using FulltextSearchable ###
+
+The FulltextSearchable default configuration includes all file names in the `assets/` folder.
+While this is desired in most cases, it can lead to unexpected public visibility of data,
+e.g. when uploaded through users. For example, CVs uploaded to a recruiting site most likely shouldn't be searchable.
+
+Option 1: Disable file search completely (through `mysite/_config.php`):
+
+	FulltextSearchable::enable(array('SiteTree'));
+
+Option 2: Exclude file search from individual files by setting the `File.ShowInSearch` database property to `0`.
+This property has been added in the 2.4.6 release. You can apply this retroactively to all files with this SQL statement:
+
+	UPDATE `File` SET `ShowInSearch` = 0;
+
+Please note that all these files are still exposed through the webserver if the path is known,
+regardless of the `ShowInSearch` setting. To fully secure uploaded files, 
+you can apply protection on a webserver level (e.g. `.htaccess`/`web.config` configuration).
+Alternatively, you can proxy these files through your own permission control system
+rather than exposing them directly through the webserver (e.g. with the ["securefiles" module](http://www.silverstripe.org/secure-files/)).
+
+One common way to allow user-uploaded files is the ["userforms" module](http://www.silverstripe.org/user-forms-module/). This module has been altered to mark all uploaded files with `ShowInSearch`=0 by default.
+
 ### Security: Cross-site scripting (XSS) on anchor links
 
 Anchor links (`<a href="#">`) are automatically rewritten by the SilverStripe

diff --git a/docs/en/tutorials/4-site-search.md b/docs/en/tutorials/4-site-search.md
@@ -16,17 +16,13 @@ results page.
 
 ## Creating the search form
 
-The Search Form functionality has been altered over time. Please use the section which applies to your SilverStripe
-version.
-
-SilverStripe does not come bundled with the search engine enabled. To enable the search engine you need to include
-the following code in your mysite/_config.php file
+To enable the search engine you need to include the following code in your `mysite/_config.php` file. 
+This will enable fulltext search on page content as well as names of all files in the `/assets` folder.
 
 	:::php
 	FulltextSearchable::enable();
 
-After including that in your _config.php you will need to rebuild the database by visiting http://yoursite.com/dev/build
-in your web browser. This will add the fulltext search columns.
+After including that in your `_config.php` you will need to rebuild the database by visiting `http://yoursite.com/dev/build` in your web browser. This will add the fulltext search columns.
 
 The actual search form code is already provided in FulltextSearchable so when you add the enable line above to your
 `_config.php` you can add your form as `$SearchForm`.

diff --git a/search/FulltextSearchable.php b/search/FulltextSearchable.php
@@ -6,6 +6,9 @@
  * (if the 'cms' module is available as well).
  * (this means you can use $SearchForm in your template without changing your own implementation).
  * 
+ * CAUTION: Will make all files in your /assets folder searchable by file name
+ * unless "File" is excluded from FulltextSearchable::enable().
+ * 
  * @see http://doc.silverstripe.org/tutorial:4-site-search
  *
  * @package sapphire