Commits on Mar 19, 2013
  1. BUG SQL Injection in CsvBulkLoader (fixes #6227)

    Diff should speak for itself, looks like this will have to be implemented in all supported branches. 
    ss23 committed with chillu Mar 19, 2013
Commits on Feb 1, 2012
  1. API CHANGE silverstripe_version file now contains the plain version number, rather than an SVN path
    chillu committed Feb 1, 2012
Commits on Jan 31, 2012
  1. BUGFIX: Don't break CMS tree if HTML gets into MenuTitle

    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@77826 467b73ca-7a2a-4603-9d3b-597d59a354a9
    sminnee committed with chillu May 26, 2009
  2. SECURITY Sanitize messages passed to generated JS calls in FormResponse::status_message(), e.g. to avoid XSS on 'Successfully published <page title>' messages
    chillu committed Jan 31, 2012
Commits on Oct 18, 2011
  1. MINOR Switching 'rewriteHashlinks' sanitization from Convert::raw2att() to strip_tags() to make the resulting PHP more portable when mode is set to 'php'
    chillu committed Oct 18, 2011
  2. ENHANCEMENT Added SSViewer::getOption() as a logical counterpart to SSViewer::setOption()
    chillu committed Oct 17, 2011
  3. BUGFIX Escaping base URLs for anchor links rewritten by SSViewer::process() with the 'rewriteHashlinks' option enabled (which is a framework default, and necessary because of the use of a <base> tag). Also added escaping for base URLs rendered through the 'php' variation of 'rewriteHashlinks'
    chillu committed Oct 17, 2011
  4. BUGFIX Avoid privilege escalation from EDIT_PERMISSIONS to ADMIN through TreeMultiselectField (in Member->getCMSFields()) by checking for admin groups in Member->onChangeGroups()
    chillu committed Mar 9, 2011
Commits on Sep 15, 2011
  1. BUGFIX Consistently using Convert::raw2sql() instead of DB::getConn()->addslashes() or PHP's deprecated addslashes() for database escaping
    chillu committed Sep 15, 2011
  2. SECURITY Backporting MySQLDatabase->addslashes() to use mysql_real_escape_string() instead of the non-multibyte-safe addslashes() PHP function, and using it in Convert::raw2sql()
    chillu committed Sep 15, 2011
Commits on Feb 21, 2011
  1. MINOR Added deprecated SapphireTest->assertType() in order to support PHPUnit 3.5 or newer, but stay backwards compatible to PHPUnit 3.4
    
    Conflicts:
    
    	dev/SapphireTest.php
    chillu committed Feb 21, 2011
Commits on Feb 7, 2011
Commits on Feb 2, 2011
  1. BUGFIX #6291 Remove rollback action from CMSMain allowed_actions and rely on form action_rollback instead which is safer (from r115440)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@115919 467b73ca-7a2a-4603-9d3b-597d59a354a9
    halkyon committed with sminnee Jan 31, 2011
  2. BUGFIX Checking for existence of FormAction in Form->httpSubmission() to avoid bypassing $allowed_actions definitions in controllers containing this form
    
    BUGFIX Checking for $allowed_actions in Form class, through Form->httpSubmission() (from r115182)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@115191 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Dec 20, 2010
  3. BUGFIX Disallow web access to sapphire/silverstripe_version to avoid information leakage (from r114773)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114776 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Dec 9, 2010
  4. BUGFIX Avoid potential referer leaking in Security->changepassword() form by storing Member->AutoLoginHash in session instead of 'h' GET parameter (from r114758)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114763 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Dec 9, 2010
  5. BUGFIX: Fixed CSRF warning in image form after selecting a folder. (from r80237)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114741 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Dec 9, 2010
  6. BUGFIX Escaping $locale values in Translatable->augmentSQL() in addition to the i18n::validate_locale() input validation (from r114515) (from r114516)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114517 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Dec 5, 2010
  7. BUGFIX Limiting usage of mcrypt_create_iv() in RandomGenerator->generateEntropy() to *nix platforms to avoid fatal errors (specifically in IIS) (from r114510) (from r114512)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114513 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Dec 5, 2010
  8. BUGFIX Using RandomGenerator class in Member->logIn(), Member->autoLogin() and Member->generateAutologinHash() for better randomization of tokens. Increased VARCHAR length of 'RememberLoginToken' and 'AutoLoginHash' fields to 1024 characters to support longer token strings. (from r114504) (from r114507)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114509 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Dec 5, 2010
  9. BUGFIX Using RandomGenerator class in SecurityToken->generate() for more random tokens (from r114500)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114502 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Dec 5, 2010
  10. ENHANCEMENT Added RandomGenerator for more secure CSRF tokens etc. (from r114497) (from r114499)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114501 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Dec 5, 2010
  11. BUGFIX Removing quotes from test data in RestfulServiceTest, it gives different results depending on magic_quotes_gpc setting on PHP configuration (merged from r80132).
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114266 467b73ca-7a2a-4603-9d3b-597d59a354a9
    Rainer Spittel committed with sminnee Nov 29, 2010
  12. API CHANGE Using Controller::join_links() to construct links in ComplexTableField and TableListField (partially merged from r88495, r96775)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113321 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Nov 1, 2010
  13. BUGFIX: Fixed Controller::join_links() handling of fragment identifiers (merged from r104580)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113319 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Nov 1, 2010
  14. MINOR Using SecurityToken in ViewableData->getSecurityID() (from r113274)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113312 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Nov 1, 2010
  15. ENHANCEMENT Added Form->enableSecurityToken() as a counterpart to the existing disableSecurityToken() (from r113284)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113305 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Nov 1, 2010
  16. MINOR Reverted commented out code (regression from r113293)

    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113303 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Nov 1, 2010
  17. BUGFIX Clear static marking caches on Hierarchy->flushCache() (from r113277)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113302 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Nov 1, 2010
  18. BUGFIX Fixed ComplexTableField and TableListField GET actions against CSRF attacks (with Form_SecurityToken->checkRequest()) (from r113276)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113301 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Nov 1, 2010
  19. MINOR Fixed HTTPRequest class usage (regression from r113293)

    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113298 467b73ca-7a2a-4603-9d3b-597d59a354a9
    chillu committed with sminnee Nov 1, 2010