This documentation applies to an outdated version of CWP Recipe supported code and may not be maintained any more. If some of your projects still use this version, consider upgrading as soon as possible.
This recipe includes a new minor release of CMS and Framework, version 3.4.0.
Please see the changelogs below for these releases for the list of core changes since recipe 1.3.0.
This upgrade is not mandatory, although it fixes several security flaws. SilverStripe has determined
that the severity and breadth of applicability of the flaws does not constitute a need for a CWP-wide
Because it includes security fixes, all Agencies using Recipe 1.3.0 or below should strongly consider
upgrading to Recipe 1.4.0. Agencies should make their own determination on whether these issues present
sufficient threat to their site to require an upgrade. If you are unsure, it is safest to upgrade.
If you would like SilverStripe to carry out this upgrade for you, please let us know and we will
arrange this with you.
This upgrade includes CMS and Framework version 3.4.0, which introduces general API improvements
and enhancements. However, these changes are much less significant than those introduced in version
3.3.0, and the risk of regressions in this upgrade is minimal.
The recipe includes two enhancements funded by the CWP co-fund pool:
- Better CMS password protection when resetting password
- Increased encryption strength on Active Directory module to 256 bits
Other enhancements include:
- Improvement to ArrayList API
- Improved permission checking
- Improvements to Image manipulation API
- Improved support for versioned and subsite content in fulltextsearch
- Improvements in spam protection for userforms module
Details of security issues
This release includes fixes for the following issues:
- SS-2016-006: LoginForm calls disableSecurityToken(), which causes a "shared host domain" vulnerability: http://stackoverflow.com/a/15350123.
- SS-2016-005: Default Administrator accounts were not subject to the same brute force protection afforded to other Member accounts. Failed login counts were not logged for default admins, resulting in unlimited attempts on the default admin username and password.
- SS-2016-004: Due to a lack of parameter sanitisation, a carefully crafted URL could be used to inject arbitrary HTML into the CMS Edit page. An attacker could create a URL and share it with a site administrator to perform an attack.
- SS-2016-001: An XSS risk exists in the returnURL parameter passed to CMSSecurity/success. An unvalidated URL could cause the user to be redirected to an unverified third-party URL outside of the site.
- SS-2015-029: The savetreenode action does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites. The resolution for this issue is to ensure that a security token is sent with the request and validated on the server side.
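As an added illustration, not code from the recipe or the framework itself, the two server-side checks that address the SS-2016-001 (unvalidated returnURL) and SS-2015-029 (action without CSRF token validation) classes of issue above, written against the SilverStripe 3 API. The controller class and its action names are hypothetical; Director::is_site_url(), SecurityToken::inst()->checkRequest() and Controller::httpError() are the framework calls the fixes rely on.

```php
<?php
// Added example (hypothetical controller, SilverStripe 3.x API): shows the
// server-side checks behind the SS-2016-001 and SS-2015-029 fixes above.
class ExampleAdminController extends Controller
{
    private static $allowed_actions = array('success', 'savetreenode');

    // SS-2016-001 class of issue: only ever redirect to a URL on this site.
    public function success(SS_HTTPRequest $request)
    {
        $returnURL = $request->getVar('returnURL');
        // Director::is_site_url() accepts relative paths and absolute URLs on
        // this site's host only; anything else falls back to the site root.
        if (!$returnURL || !Director::is_site_url($returnURL)) {
            $returnURL = Director::absoluteBaseURL();
        }
        return $this->redirect($returnURL);
    }

    // SS-2015-029 class of issue: a state-changing action must carry a valid
    // SecurityID (the client obtains it from SecurityToken::inst()->getValue()
    // and posts it with the request). Missing or stale tokens are refused
    // before any data is touched, rather than being silently accepted.
    public function savetreenode(SS_HTTPRequest $request)
    {
        if (!$request->isPOST() || !SecurityToken::inst()->checkRequest($request)) {
            return $this->httpError(400, 'Missing or invalid security token');
        }
        // ... apply the tree change here ...
        return 'ok';
    }
}
```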
Note on issues on sites supporting large numbers of files
Additional documentation on how to improve performance in the asset admin has been added under "Supporting large numbers of files".
In order to update an existing site to use the new basic recipe, the following changes to your composer.json can be made:
Note that the default theme has not been modified since recipe 1.2.0, and can be left unchanged.
- [CWP-815] - CMS: Best Practice Password Changing
- [CWP-814] - Active Directory: Security upgrade of CWP AD integration module
- [OSS-1849] - Framework: Raw PHP errors to return HTTP Error code
- [CWP-837] - Content Review: Dependent pages' status changes to ‘modified’ when you update another dependent page
- [CWP-817] - Userforms: submissions with more than ~1500 records cannot be exported
- [CWP-782] - Userforms: Checkbox Group Field does not allow selecting multiple options if it is a required field
- [OSS-1737] - Fulltext Search: SearchVariantSubsites alterDefinition issue
- [CWP-651] - Subsites: Home page url changes to home-2
In recipe 1.4.0 the following known issues show up as failing tests:
Accepted failing tests
In recipe 1.4.0 these module unit tests cause external errors, but do not represent legitimate issues.
- UploadFieldTest.testAllowedExtensions — Behaviour intentionally altered by the MimeValidator module
- UploadFieldTest.testSelect — Behaviour altered by SelectUploadField intentionally
- UploadTest.testUploadTarGzFileTwiceAppendsNumber — This test is now expected to fail as the new MimeValidator module will no longer allow random content to be uploaded with a mismatched mime type and file extension. The original test is attempting to upload a bunch of text as a gzip file.
- QueuedJobsTest.testImmediateQueuedJob - Test self-aborts when detecting lack of available system
- QueuedJobsTest.testStartJob - Test self-aborts when detecting lack of available system