2.4.8-rc1

Overview

  • Security (Moderate Severity): More solid relative/site URL checks (related to "BackURL" redirection).
  • Security (Moderate Severity): Ensure javascript content type is sent in form responses. If content type is html, and the javascript contains script tags within the content, this content will be executed.
  • Security (Low Severity): Fixed a remote code execution vulnerability in install.php caused by inserting unescaped user data into mysite/_config.php. Not critical, because install.php is required to be removed from a SilverStripe installation anyway.
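
The "relative/site URL" check behind the first item, as an added PHP example that is not SilverStripe's own Director code: it accepts a BackURL only when it is a single-slash site-relative path or an absolute http(s) URL on the site's own host, and rejects the protocol-relative ("//host"), backslash and userinfo forms that a naive "starts with /" test lets through. The function name, the $siteHost parameter and the sample values are assumptions.

```php
<?php
// Added example, not SilverStripe's own Director::is_site_url(): decide whether
// a BackURL value may be used as a redirect target. $siteHost is an assumption
// (the host this application is served on); everything else is self-contained.
function is_safe_back_url(string $url, string $siteHost): bool
{
    // Control characters and whitespace are rejected outright: browsers strip
    // some of them, so "/\t/evil.example" can turn into "//evil.example".
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    // Backslashes are rejected: some browsers normalise "/\evil.example" to "//evil.example".
    if (strpos($url, '\\') !== false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute or protocol-relative ("//host/...") URL: allow only http(s)
        // on this site's own host, with no userinfo ("https://site@evil.example").
        $scheme = strtolower($parts['scheme'] ?? '');
        return in_array($scheme, ['http', 'https'], true)
            && strcasecmp($parts['host'] ?? '', $siteHost) === 0
            && !isset($parts['user']) && !isset($parts['pass']);
    }
    // Relative URL: require exactly one leading slash so it stays on this site.
    $path = $parts['path'] ?? '';
    return $path !== '' && $path[0] === '/' && substr($path, 0, 2) !== '//';
}

// Constructed sample values with the expected verdict for site host www.example.org.
$cases = [
    '/admin/'                               => true,
    '/Security/login?BackURL=/'             => true,
    'https://www.example.org/path'          => true,
    '//evil.example/phish'                  => false, // protocol-relative, leaves the site
    'http://evil.example/'                  => false,
    'https://www.example.org@evil.example/' => false, // userinfo trick, real host is evil.example
    'javascript:alert(1)'                   => false,
    '/\\evil.example'                       => false,
];
foreach ($cases as $url => $expected) {
    $verdict = is_safe_back_url($url, 'www.example.org');
    printf("%-40s %s\n", $url, $verdict === $expected ? 'ok' : 'MISMATCH');
}
```

Every line of the sample run should print "ok"; a "MISMATCH" means the check disagrees with the constructed expectation for that input.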

Details

API Changes

  • 2012-02-01 bf4476a silverstripe_version file now contains the plain version number, rather than an SVN path (Ingo Schommer)
  • 2012-02-01 4abe136 silverstripe_version file now contains the plain version number, rather than an SVN path (Ingo Schommer)

Features and Enhancements

  • 2012-02-03 921bf9a Ensure that forceSSL and protocol detection respects the X-Forwarded-Protocol header. (Sam Minnee)

Bugfixes

  • 2012-09-14 8ec6312 to prevent unintended results from getComponentsQuery(...) (stozze)
  • 2012-07-09 838ac97 fixing an edge-case bug where a 404-page would get statically published and overwrite the homepage of the site (this would sometimes happen when a RedirectorPage was set to an external URL and still referenced an internal page ID) (Julian Seidenberg)
  • 2012-05-04 392543b Don't set 'Referer' header in FunctionalTest->get()/post() if it's explicitly passed to the method (Ingo Schommer)

Minor changes

  • 2012-08-15 7669871 fixed array to string conversion to avoid PHP 5.4 warnings (Adam Skrzypulec)
  • 2012-05-29 039a372 Fixed phpunit bootstrap relative path (Ingo Schommer)
  • 2012-05-14 b211c38 Manually testing exceptions in SSViewerCacheBlockTest to avoid PHPUnit 3.6 warnings (Ingo Schommer)
  • 2012-03-30 c1d2cd1 Corrected Geoip entries for ex-Yugoslavia ... better late than never (Ingo Schommer)
  • 2012-03-14 44b9d05 Backported bootstrap.php changes from master and custom TeamCity configuration (required to run tests through phpunit binary) (Ingo Schommer)
  • 2011-12-17 af22d07 On PHPUnit 3.6, show the output of tests. (Sam Minnee)
  • 2011-11-08 5956ad8 Amended PHPUnit execution to work with PHPUnit 3.6 (Sam Minnee)

Other

  • 2012-10-05 1c7b7d0 Fixed grammatical error for Form.FIELDISREQUIRED (Will Morgan)
  • 2012-08-08 f6c69d5 Update widget documentation (fixes #706) (Will Rossiter)
  • 2012-05-16 b7c8737 SECURITY Fixed remote code execution vuln in install.php due to inserting unescaped user data into mysite/_config.php. Not critical because install.php is required to be removed on a SilverStripe installation anyway (fixes #7205) (Ingo Schommer)
  • 2012-05-04 46064f8 SECURITY More solid relative/site URL checks (related to "BackURL" redirection) (Ingo Schommer)
  • 2012-05-03 9bf3ae9 SECURITY: Ensure javascript content type is sent in form responses. If content type is html, and the javascript contains script tags within the content, this content will be executed. (Andrew O'Neil)
