Commits on Oct 18, 2011
  1. MINOR Switching 'rewriteHashlinks' sanitization from Convert::raw2att() to strip_tags() to make the resulting PHP more portable when mode is set to 'php'

    chillu committed Oct 18, 2011
  2. ENHANCEMENT Added SSViewer::getOption() as a logical counterpart to SSViewer::setOption()

    chillu committed Oct 17, 2011
  3. BUGFIX Escaping base URLs for anchor links rewritten by SSViewer::process() with the 'rewriteHashlinks' option enabled (which is a framework default, and necessary because of the use of a <base> tag). Also added escaping for base URLs rendered through the 'php' variation of 'rewriteHashlinks'

    chillu committed Oct 17, 2011
  4. BUGFIX Avoid privilege escalation from EDIT_PERMISSIONS to ADMIN through TreeMultiselectField (in Member->getCMSFields()) by checking for admin groups in Member->onChangeGroups()

    chillu committed Mar 9, 2011
Commits on Sep 15, 2011
  1. BUGFIX Consistently using Convert::raw2sql() instead of DB::getConn()->addslashes() or PHP's deprecated addslashes() for database escaping

    chillu committed Sep 15, 2011
  2. SECURITY Backporting MySQLDatabase->addslashes() to use mysql_real_escape_string() instead of the non-multibyte-safe addslashes() PHP function, and using it in Convert::raw2sql()

    chillu committed Sep 15, 2011
Commits on Feb 21, 2011
  1. MINOR Added deprecated SapphireTest->assertType() in order to support PHPUnit 3.5 or newer, but stay backwards compatible to PHPUnit 3.4

    chillu committed Feb 21, 2011
    
    Conflicts:
    
    	dev/SapphireTest.php
Commits on Feb 7, 2011
Commits on Feb 2, 2011
  1. BUGFIX #6291 Remove rollback action from CMSMain allowed_actions and rely on form action_rollback instead which is safer (from r115440)

    halkyon authored and sminnee committed Jan 31, 2011
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@115919 467b73ca-7a2a-4603-9d3b-597d59a354a9
  2. BUGFIX Checking for existence of FormAction in Form->httpSubmission() to avoid bypassing $allowed_actions definitions in controllers containing this form

    chillu authored and sminnee committed Dec 20, 2010
    
    BUGFIX Checking for $allowed_actions in Form class, through Form->httpSubmission() (from r115182)
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@115191 467b73ca-7a2a-4603-9d3b-597d59a354a9
  3. BUGFIX Disallow web access to sapphire/silverstripe_version to avoid information leakage (from r114773)

    chillu authored and sminnee committed Dec 9, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114776 467b73ca-7a2a-4603-9d3b-597d59a354a9
  4. BUGFIX Avoid potential referer leaking in Security->changepassword() form by storing Member->AutoLoginHash in session instead of 'h' GET parameter (from r114758)

    chillu authored and sminnee committed Dec 9, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114763 467b73ca-7a2a-4603-9d3b-597d59a354a9
  5. BUGFIX: Fixed CSRF warning in image form after selecting a folder. (from r80237)

    chillu authored and sminnee committed Dec 9, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114741 467b73ca-7a2a-4603-9d3b-597d59a354a9
  6. BUGFIX Escaping $locale values in Translatable->augmentSQL() in addition to the i18n::validate_locale() input validation (from r114515) (from r114516)

    chillu authored and sminnee committed Dec 5, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114517 467b73ca-7a2a-4603-9d3b-597d59a354a9
  7. BUGFIX Limiting usage of mcrypt_create_iv() in RandomGenerator->generateEntropy() to *nix platforms to avoid fatal errors (specifically in IIS) (from r114510) (from r114512)

    chillu authored and sminnee committed Dec 5, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114513 467b73ca-7a2a-4603-9d3b-597d59a354a9
  8. BUGFIX Using RandomGenerator class in Member->logIn(), Member->autoLogin() and Member->generateAutologinHash() for better randomization of tokens. Increased VARCHAR length of 'RememberLoginToken' and 'AutoLoginHash' fields to 1024 characters to support longer token strings. (from r114504) (from r114507)

    chillu authored and sminnee committed Dec 5, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114509 467b73ca-7a2a-4603-9d3b-597d59a354a9
  9. BUGFIX Using RandomGenerator class in SecurityToken->generate() for more random tokens (from r114500)

    chillu authored and sminnee committed Dec 5, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114502 467b73ca-7a2a-4603-9d3b-597d59a354a9
  10. ENHANCEMENT Added RandomGenerator for more secure CSRF tokens etc. (from r114497) (from r114499)

    chillu authored and sminnee committed Dec 5, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114501 467b73ca-7a2a-4603-9d3b-597d59a354a9
  11. BUGFIX Removing quotes from test data in RestfulServiceTest, it gives different results depending on magic_quotes_gpc setting on PHP configuration (merged from r80132).

    Rainer Spittel authored and sminnee committed Nov 29, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114266 467b73ca-7a2a-4603-9d3b-597d59a354a9
  12. API CHANGE Using Controller::join_links() to construct links in ComplexTableField and TableListField (partially merged from r88495, r96775)

    chillu authored and sminnee committed Nov 1, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113321 467b73ca-7a2a-4603-9d3b-597d59a354a9
  13. BUGFIX: Fixed Controller::join_links() handling of fragment identifiers (merged from r104580)

    chillu authored and sminnee committed Nov 1, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113319 467b73ca-7a2a-4603-9d3b-597d59a354a9
  14. MINOR Using SecurityToken in ViewableData->getSecurityID() (from r113274)

    chillu authored and sminnee committed Nov 1, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113312 467b73ca-7a2a-4603-9d3b-597d59a354a9
  15. ENHANCEMENT Added Form->enableSecurityToken() as a counterpart to the existing disableSecurityToken() (from r113284)

    chillu authored and sminnee committed Nov 1, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113305 467b73ca-7a2a-4603-9d3b-597d59a354a9
  16. MINOR Reverted commented out code (regression from r113293)

    chillu authored and sminnee committed Nov 1, 2010
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113303 467b73ca-7a2a-4603-9d3b-597d59a354a9
  17. BUGFIX Clear static marking caches on Hierarchy->flushCache() (from r113277)

    chillu authored and sminnee committed Nov 1, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113302 467b73ca-7a2a-4603-9d3b-597d59a354a9
  18. BUGFIX Fixed ComplexTableField and TableListField GET actions against CSRF attacks (with Form_SecurityToken->checkRequest()) (from r113276)

    chillu authored and sminnee committed Nov 1, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113301 467b73ca-7a2a-4603-9d3b-597d59a354a9
  19. MINOR Fixed HTTPRequest class usage (regression from r113293)

    chillu authored and sminnee committed Nov 1, 2010
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113298 467b73ca-7a2a-4603-9d3b-597d59a354a9
  20. API CHANGE Added security token to TableListField->Link() in order to include it in all URL actions automatically. This ensures that field actions bypassing Form->httpSubmission() still get CSRF protection (from r113275)

    chillu authored and sminnee committed Nov 1, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113297 467b73ca-7a2a-4603-9d3b-597d59a354a9
  21. BUGFIX Using current controller for MemberTableField constructor in Group->getCMSFields() instead of passing in a wrong instance (Group) (from r113273)

    chillu authored and sminnee committed Nov 1, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113294 467b73ca-7a2a-4603-9d3b-597d59a354a9
  22. ENHANCEMENT Added SecurityToken to wrap CSRF protection via "SecurityID" request parameter (from r113272)

    chillu authored and sminnee committed Nov 1, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113293 467b73ca-7a2a-4603-9d3b-597d59a354a9
  23. BUGFIX Add PHPUnit includes to SapphireTest class (can be loaded outside of TestRunner for static calls, in which case the PHPUnit autoloaders/includes aren't in place yet) (merged from r113156)

    chillu authored and sminnee committed Oct 27, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113158 467b73ca-7a2a-4603-9d3b-597d59a354a9
  24. BUGFIX Using mock controller in RestfulServiceTest to avoid problems with missing require() calls for PHPUnit/Framework.php (performed in recently merged PHPUnitWrapper::init() which is never called for "nested" true HTTP calls within unit tests). Mostly merged from branches/2.4.

    chillu authored and sminnee committed Oct 8, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@111837 467b73ca-7a2a-4603-9d3b-597d59a354a9
  25. BUGFIX Renamed PHPUnit wrappers not to use underscores in classnames, as this confuses ManifestBuilder prior to the 2.4 release

    chillu authored and sminnee committed Oct 8, 2010
    
    git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@111836 467b73ca-7a2a-4603-9d3b-597d59a354a9