2.4.8 (2012-10-30)

Overview

  • Security (Moderate Severity): Stricter relative/site URL checks, so that a redirect target stays on the site (related to "BackURL" redirection).
  • Security (Moderate Severity): Ensure the JavaScript content type is sent in form responses. If the content type is HTML and the returned JavaScript contains script tags, the browser will execute that content.
  • Security (Low Severity): Fixed a remote code execution vulnerability in install.php caused by inserting unescaped user data into mysite/_config.php. Not critical, because install.php is required to be removed from a SilverStripe installation anyway.
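To illustrate the kind of relative/site URL check the first item refers to, here is an added example that is not SilverStripe's own code: a conservative validator for a "BackURL"-style redirect target. The function name `is_safe_back_url` and the `$siteHost` parameter are assumptions for this example; it accepts only site-relative paths or absolute http(s) URLs on the site's own host.

```php
<?php
// Added example, not SilverStripe's implementation. Returns true only when
// $url is a site-relative path ("/admin") or an absolute http(s) URL whose
// host is exactly $siteHost; everything else is rejected.
function is_safe_back_url(string $url, string $siteHost): bool
{
    // Control characters and whitespace are parsed inconsistently by browsers.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    // Some browsers treat backslashes as slashes ("/\evil.example" becomes
    // "//evil.example"), so normalise before parsing instead of trusting parse_url.
    $url = str_replace('\\', '/', $url);

    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }

    // No scheme and no host: must be a single-slash site-relative path,
    // not a protocol-relative "//host/path".
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        $path = $parts['path'] ?? '';
        return $path !== '' && $path[0] === '/' && substr($path, 0, 2) !== '//';
    }

    // Absolute URL: only http(s), and only to the site's own host. Comparing
    // the parsed host (not a string prefix) also rejects "https://site@evil/".
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    return isset($parts['host'])
        && strtolower($parts['host']) === strtolower($siteHost);
}

// Constructed sample inputs (site host assumed to be "site.example").
$cases = [
    '/admin/pages'                        => true,
    'https://site.example/admin'          => true,
    '//evil.example/'                     => false,
    '/\\evil.example/'                    => false,
    'https://site.example@evil.example/'  => false,
    'javascript:alert(1)'                 => false,
];
foreach ($cases as $candidate => $expected) {
    $ok = is_safe_back_url($candidate, 'site.example') === $expected ? 'ok' : 'MISMATCH';
    echo str_pad($candidate, 38), ' -> ', var_export($expected, true), " [$ok]\n";
}
```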

Details

API Changes

  • 2012-02-01 bf4476a silverstripe_version file now contains the plain version number, rather than an SVN path (Ingo Schommer)
  • 2012-02-01 4abe136 silverstripe_version file now contains the plain version number, rather than an SVN path (Ingo Schommer)

Features and Enhancements

  • 2012-02-03 921bf9a Ensure that forceSSL and protocol detection respects the X-Forwarded-Protocol header. (Sam Minnee)

Bugfixes

  • 2012-09-14 8ec6312 to prevent unintended results from getComponentsQuery(...) (stozze)
  • 2012-07-09 838ac97 fixing an edge-case bug where a 404-page would get statically published and overwrite the homepage of the site (this would sometimes happen when a RedirectorPage was set to an external URL and still referenced an internal page ID) (Julian Seidenberg)
  • 2012-05-04 392543b Don't set 'Referer' header in FunctionalTest->get()/post() if it's explicitly passed to the method (Ingo Schommer)

Minor changes

  • 2012-08-15 7669871 fixed array to string conversion to avoid PHP 5.4 warnings (Adam Skrzypulec)
  • 2012-05-29 039a372 Fixed phpunit bootstrap relative path (Ingo Schommer)
  • 2012-05-14 b211c38 Manually testing exceptions in SSViewerCacheBlockTest to avoid PHPUnit 3.6 warnings (Ingo Schommer)
  • 2012-03-30 c1d2cd1 Corrected Geoip entries for ex-Yugoslavia ... better late than never (Ingo Schommer)
  • 2012-03-14 44b9d05 Backported bootstrap.php changes from master and custom TeamCity configuration (required to run tests through phpunit binary) (Ingo Schommer)
  • 2011-12-17 af22d07 On PHPUnit 3.6, show the output of tests. (Sam Minnee)
  • 2011-11-08 5956ad8 Amended PHPUnit execution to work with PHPUnit 3.6 (Sam Minnee)

Other

  • 2012-10-05 1c7b7d0 Fixed grammatical error for Form.FIELDISREQUIRED (Will Morgan)
  • 2012-08-08 f6c69d5 Update widget documentation (fixes #706) (Will Rossiter)
  • 2012-05-16 b7c8737 SECURITY Fixed remote code execution vuln in install.php due to inserting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway (fixes #7205) (Ingo Schommer)
  • 2012-05-04 46064f8 SECURITY More solid relative/site URL checks (related to "BackURL" redirection) (Ingo Schommer)
  • 2012-05-03 9bf3ae9 SECURITY: Ensure javascript content type is sent in form responses. If content type is html, and the javascript contains script tags within the content, this content will be executed. (Andrew O'Neil)