This document contains information for an outdated version (3.0) and may not be maintained any more.

If some of your projects still use this version, consider upgrading as soon as possible.

2.3.12 (2011-10-17)

Overview

  • Security: Cross-site scripting on anchor links
  • Security: Possible SQL injection for MySQL when using far east character encodings
  • Security: SQL injection in Folder::findOrMake() parameter (used mostly in author-only CMS through Upload::load())
  • Security: Privilege escalation from EDIT_PERMISSIONS to ADMIN for users with access to the CMS (through Member->getCMSFields() and TreeMultiselectField)

Upgrading Notes

See the upgrading notes for 2.4.6.

Changelog

Features and Enhancements

Bugfixes

  • 2011-10-18 bdd6391 Respecting SSViewer::$options["rewriteHashlinks"] in SSViewer::process() (Ingo Schommer)
  • 2011-10-17 52a895f Escaping base URLs for anchor links rewritten by SSViewer::process() with the 'rewriteHashlinks' option enabled (which is a framework default, and necessary because of the use of a <base> tag). Also added escaping for base URLs rendered through the 'php' variation of 'rewriteHashlinks' (Ingo Schommer)
  • 2011-09-15 07dc3e9 Consistently using Convert::raw2sql() instead of DB::getConn()->addslashes() or PHP's deprecated addslashes() for database escaping (Ingo Schommer)
  • 2011-09-15 6d6c294 Consistently using Convert::raw2sql() instead of DB::getConn()->addslashes() or PHP's deprecated addslashes() for database escaping (Ingo Schommer)
  • 2011-03-09 5bc0d00 Avoid privilege escalation from EDIT_PERMISSIONS to ADMIN through TreeMultiselectField (in Member->getCMSFields()) by checking for admin groups in Member->onChangeGroups() (Ingo Schommer)

Minor changes

  • 2011-02-21 b37836f Added deprecated SapphireTest->assertType() in order to support PHPUnit 3.5 or newer, but stay backwards compatible to PHPUnit 3.4 (Ingo Schommer)
  • 2011-02-07 e527e54 Fixing image links in docs/en/tutorials/ (Ingo Schommer)

Other

  • 2011-10-18 fbe8b7b MINOR Switching 'rewriteHashlinks' sanitization from Convert::raw2att() to strip_tags() to make the resulting PHP more portable when mode is set to 'php' (Ingo Schommer)
  • 2011-09-15 ca78784 SECURITY Backporting MySQLDatabase->addslashes() to use mysql_real_escape_string() instead of the non-multibyte-safe addslashes() PHP function, and using it in Convert::raw2sql() (Ingo Schommer)
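The far-east-encoding SQL injection above comes from escaping byte by byte without knowing the connection charset. The following added example (not SilverStripe code) models PHP's addslashes() against a charset-aware escape of the kind mysql_real_escape_string() provides, and shows the check a reviewer can apply; the input bytes and the function names are constructed for the demonstration.

```python
# Added illustration, not SilverStripe code: why a byte-wise addslashes()-style
# escape is unsafe under a multibyte MySQL connection charset such as GBK, and
# how a charset-aware escape (the role mysql_real_escape_string() plays in the
# backported MySQLDatabase->addslashes()) behaves instead.

def addslashes(data: bytes) -> bytes:
    """Model of PHP's addslashes(): escapes byte by byte, unaware of the charset."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out += b"\\"
        out.append(b)
    return bytes(out)


def quote_is_escaped(escaped: bytes, charset: str) -> bool:
    """Decode the way the server would and check that every ' is preceded by a
    backslash *character*; a backslash byte swallowed into a multibyte lead byte
    no longer counts as escaping."""
    text = escaped.decode(charset, errors="replace")
    return all(i > 0 and text[i - 1] == "\\"
               for i, ch in enumerate(text) if ch == "'")


def escape_for_charset(data: bytes, charset: str) -> bytes:
    """Charset-aware escape: decode strictly, escape per character, re-encode.
    Invalid byte sequences are rejected rather than passed through to SQL."""
    try:
        text = data.decode(charset)  # strict: a stray lead byte is an error
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc}") from None
    escaped = "".join("\\" + ch if ch in "'\"\\" else ch for ch in text)
    return escaped.encode(charset)


if __name__ == "__main__":
    tainted = b"\xbf'"  # constructed: a GBK lead byte directly followed by a quote
    print(quote_is_escaped(addslashes(tainted), "latin-1"))  # True (single-byte charset)
    print(quote_is_escaped(addslashes(tainted), "gbk"))      # False: 0xBF 0x5C is one GBK char
    print(escape_for_charset("O'Neil".encode("gbk"), "gbk"))  # b"O\\'Neil"
```

Under GBK the inserted backslash byte (0x5C) merges with the preceding lead byte into a single character, so the quote that follows reaches the server unescaped; decoding with the connection charset before escaping, or using parameterised queries, closes the gap.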
