Overview

This upgrade brings SilverStripe CMS and Framework to version 3.5.0, which contains bugfixes and some minor feature and API enhancements.

Upgrading to Recipe 1.5.0 is optional but recommended for all CWP sites, as this recipe includes an enhanced auditor module for improved security logging.

This upgrade can be carried out by any development team familiar with SilverStripe CMS, but if you would like SilverStripe's assistance, please let us know.

Details of security issues

This release includes fixes for the following minor security issues:

  • SS-2016-010 ReadOnly transformation for formfields exploitable: Read-only form fields are vulnerable to reflected XSS. Values submitted through these fields are not filtered out of the form's session data and may be shown back to the user, depending on how the form behaves. SilverStripe forms automatically load values from request data, which may contain malicious HTML injected into the request, such as links to external sites. Read-only and disabled form fields are already filtered out in Form->saveInto(), so maliciously submitted data for these fields does not reach the database unless your saving logic reads form values directly.
  • SS-2016-016 XSS in CMSSecurity BackURL: A follow-up to SS-2016-001; one remaining case of an incorrectly encoded BackURL in CMSSecurity has been fixed.
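
The following is an added illustration and not SilverStripe's own code. It models the behaviour SS-2016-010 describes: a form repopulates its fields from the request, so a read-only field that accepts submitted data reflects attacker-controlled HTML when the form is rendered again. The two fixes shown (skipping fields that cannot accept a submitted value, and treating field values as text so they are escaped on output) correspond to the Form@httpSubmission and FormField text-casting changes in the change log below; the Field and Form classes, canSubmitValue(), and the request data are hypothetical and constructed for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not SilverStripe's own code. Field, Form and
// canSubmitValue() are hypothetical stand-ins for the real framework classes.

final class Field
{
    public function __construct(
        public string $name,
        public string $value = '',
        public bool $isReadonly = false,
        public bool $isDisabled = false
    ) {
    }

    // A field the user cannot edit must not accept a submitted value.
    public function canSubmitValue(): bool
    {
        return !$this->isReadonly && !$this->isDisabled;
    }

    // Vulnerable rendering: the value is emitted as raw HTML.
    public function renderRaw(): string
    {
        return sprintf('<input name="%s" value="%s">', $this->name, $this->value);
    }

    // Hardened rendering: the value is treated as text and escaped on output.
    public function renderEscaped(): string
    {
        $safe = htmlspecialchars($this->value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return sprintf('<input name="%s" value="%s">', $this->name, $safe);
    }
}

final class Form
{
    /** @var Field[] */
    private array $fields;

    public function __construct(Field ...$fields)
    {
        $this->fields = $fields;
    }

    // Vulnerable loading: every submitted key is copied into its field,
    // read-only and disabled fields included.
    public function loadDataFromRequestUnsafe(array $request): void
    {
        foreach ($this->fields as $field) {
            if (array_key_exists($field->name, $request)) {
                $field->value = (string) $request[$field->name];
            }
        }
    }

    // Hardened loading: fields that cannot be submitted keep their server-side value.
    public function loadDataFromRequest(array $request): void
    {
        foreach ($this->fields as $field) {
            if ($field->canSubmitValue() && array_key_exists($field->name, $request)) {
                $field->value = (string) $request[$field->name];
            }
        }
    }

    public function render(bool $escape): string
    {
        $out = [];
        foreach ($this->fields as $field) {
            $out[] = $escape ? $field->renderEscaped() : $field->renderRaw();
        }
        return implode("\n", $out);
    }
}

// Constructed request: the attacker controls the read-only field's value,
// for example through a crafted link that pre-fills the form.
$request = [
    'Email'    => 'alice@example.com',
    'MemberID' => '"><script>alert(1)</script>',
];

$form = new Form(new Field('Email'), new Field('MemberID', '42', true));
$form->loadDataFromRequestUnsafe($request);
echo "Before the fix:\n", $form->render(false), "\n\n";
// The MemberID input is closed early and the injected script tag is emitted verbatim.

$form = new Form(new Field('Email'), new Field('MemberID', '42', true));
$form->loadDataFromRequest($request);
echo "After the fix:\n", $form->render(true), "\n";
// MemberID keeps its server-side value 42, and the Email value is escaped on output.
```

Both layers matter: refusing to load request data into read-only and disabled fields removes the injection point, and casting values as text guards the cases where a value is still loaded (for example by custom saving logic that reads form values directly, as the advisory notes).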

New Features

This release also includes the new silverstripe/auditor module, which is installed and configured by default on upgrade. The module is mandatory and cannot be removed from the core installation. It provides better and more complete system logging on all CWP sites.

See the Centralised logging documentation for more information. Note that if your application uses SS_SysLogWriter, there are additional upgrading steps.

Upgrading Instructions

To update an existing site to the new basic recipe, make the following changes to your composer.json:

"require": {
    "cwp/cwp-recipe-basic": "~1.5.0@stable",
    "cwp/cwp-recipe-blog": "~1.5.0@stable",
    "cwp-themes/default": "~1.3.0@stable"
},
"prefer-stable": true

Details

Bugfixes

  • [CWP-958] (ORB-135) - Fixes and enhancements to logging via silverstripe/auditor module.

Known issues

Recipe 1.5.0 has the following known issues, visible as failing tests:

framework

Accepted failing tests

In recipe 1.4.1 the following module unit tests fail due to external errors and do not represent legitimate issues.

framework

  • UploadFieldTest.testAllowedExtensions — Behaviour intentionally altered by the MimeValidator module
  • UploadFieldTest.testSelect — Behaviour altered by SelectUploadField intentionally
  • UploadTest.testUploadTarGzFileTwiceAppendsNumber — This test is now expected to fail as the new MimeValidator module will no longer allow random content to be uploaded with a mismatched mime and file extension. The original test is attempting to upload a bunch of text as a gzip file.

queuedjobs

  • QueuedJobsTest.testImmediateQueuedJob - Test self-aborts when detecting lack of available system resources (inconclusive).
  • QueuedJobsTest.testStartJob - Test self-aborts when detecting lack of available system resources (inconclusive).

translatable

Change Log

Security

  • 2016-11-11 4440b88 Form@httpSubmission will no longer load submitted data to disabled or readonly fields (Daniel Hensby) - See ss-2016-010
  • 2016-11-11 61e4055 Cast FormField values as Text to prevent readonly fields embedding rogue HTML (Daniel Hensby) - See ss-2016-010
  • 2016-10-27 17097a4 Properly escape backURL for template injection (Daniel Hensby) - See ss-2016-016
  • 2016-08-02 049cdef value / title escaping in CheckboxSetField and OptionsetField (Damian Mooyman) - See ss-2016-015
  • 2016-08-02 62a2421 value / title escaping in CheckboxSetField and OptionsetField (Damian Mooyman) - See ss-2016-015
  • 2016-08-02 12a6b35 value / title escaping in CheckboxSetField and OptionsetField (Damian Mooyman) - See ss-2016-015
  • 2016-07-25 b1f4497 Autologin cookies are ignored if autologin is disabled (Daniel Hensby) - See ss-2016-014
  • 2016-07-25 fa7f5af Autologin cookies are ignored if autologin is disabled (Daniel Hensby) - See ss-2016-014
  • 2016-07-25 1c7d5de Autologin cookies are ignored if autologin is disabled (Daniel Hensby) - See ss-2016-014
  • 2016-07-22 6817c57 Uncasted member name (Daniel Hensby) - See ss-2016-013
  • 2016-07-22 83e3302 Uncasted member name (Daniel Hensby) - See ss-2016-013
  • 2016-07-22 281b0de Uncasted member name (Daniel Hensby) - See ss-2016-013
  • 2016-07-15 f85dea2 Reset Member::Salt on password change (Daniel Hensby) - See ss-2016-008
  • 2016-07-15 dc47f7e Reset Member::Salt on password change (Daniel Hensby) - See ss-2016-008
  • 2016-07-15 298f615 Reset Member::Salt on password change (Daniel Hensby) - See ss-2016-008
  • 2016-07-14 2b30ade ChangePasswordForm does not check $member->canLogin before login (Daniel Hensby) - See ss-2016-011
  • 2016-07-14 6606d98 ChangePasswordForm does not check $member->canLogin before login (Daniel Hensby) - See ss-2016-011
  • 2016-07-14 6d41db7 ChangePasswordForm does not check $member->canLogin before login (Daniel Hensby) - See ss-2016-011
  • 2016-07-14 ca526b0 Missing ACL check on ReportAdmin (Daniel Hensby) - See ss-2016-012
  • 2016-07-14 efa20d2 Missing ACL check on ReportAdmin (Daniel Hensby) - See ss-2016-012
  • 2016-07-14 cff2ea9 Missing ACL check on ReportAdmin (Daniel Hensby) - See ss-2016-012
  • 2016-07-14 04b4453 Missing ACL check on ReportAdmin (Daniel Hensby) - See ss-2016-012
  • 2016-07-14 5f73d34 Missing ACL check on ReportAdmin (Daniel Hensby) - See ss-2016-012
  • 2016-05-03 3fa84cf Encode user supplied URL for embedding into page (Daniel Hensby) - See ss-2016-007

API Changes

  • 2016-11-15 f43a91a Add FormField::canSubmitValue() (Damian Mooyman)
  • 2016-11-07 ffd9938 ShortcodeParser getter and extension points (Jonathon Menz)
  • 2016-10-03 9c60c38 Add cow metadata (Damian Mooyman)
  • 2016-10-03 537e4a9 add cow metadata (Damian Mooyman)
  • 2016-09-15 b87c668 support dblib (#5996) (Damian Mooyman)
  • 2016-09-05 c6457c5 Allow has_many fixtures to be declared with array format as well as many_many (#5944) (Damian Mooyman)
  • 2016-07-15 d08ab6a Allow X-Frame-Options to be configured (Damian Mooyman)
  • 2016-06-20 e810a99 Add optimistic_connect to SS_Database (Damian Mooyman)

Features and Enhancements

  • 2016-10-14 10d4fa8 Introduced Assignee keyword for mail templates (Marcus Nyeholt)
  • 2016-08-11 b701b25 add customisable file upload size limit (muskie9)
  • 2016-06-10 19b9413 Use injector for MemberLoginForm fields (Daniel Hensby)
  • 2016-05-15 c401d9d added hide_from_cms_tree and hide_from_hierarchy (John Milmine)
  • 2015-02-11 dae2295 Allow the paddedresize to take another hex value to specify a transparency on the padded color (Nick)

Bugfixes

  • 2016-11-28 1d6024f upgrading notes for auditor module (Damian Mooyman)
  • 2016-11-16 40a1ce4 invalid composer.json (Damian Mooyman)
  • 2016-11-16 e85feff (Damian Mooyman)
  • 2016-11-11 ae6badf copying child pages to subsite (David Craig)
  • 2016-11-09 ebae480 Fix regression in aggregate column lookup from #6199 (Damian Mooyman)
  • 2016-11-09 6bf36fb Correct return type for Member::currentUser() (Loz Calver)
  • 2016-11-04 1f3adae for Silverstripe 3.3 downloading resampled assets (Ruud Arentsen)
  • 2016-11-03 135a647 Ensure that builds use the 3.4 dependencies. (Sam Minnee)
  • 2016-11-03 edfe514 Ensure that builds use the 3.4 dependencies. (Sam Minnee)
  • 2016-11-01 c61d61d default_records are no longer inherited to child classes (Daniel Hensby)
  • 2016-10-30 747bd4c filterAny error message now refers to correct method name (Daniel Hensby)
  • 2016-10-22 bec5adf Versioned sort by ID (Jonathon Menz)
  • 2016-10-19 b0445f7 Ambiguous column SQL error (Jonathon Menz)
  • 2016-10-16 fe81607 Make simplexml_load_file work on shared php-fpm (Nicola Fontana)
  • 2016-10-13 1a5d5ea incorrect method name (Nic Horstmeier)
  • 2016-10-11 7368dec Fix issue with SS_List as datasource for dropdown field (Damian Mooyman)
  • 2016-10-07 ae83b7b History controller now shows right comparison versions (Daniel Hensby)
  • 2016-10-04 797be6a Revert natural sort (Jonathon Menz)
  • 2016-10-04 6dde5ce Absolute alternate_base_url no longer breaks session cookies (Daniel Hensby)
  • 2016-10-03 98d95cd Sort order for duplicated child pages is now retained (Daniel Hensby)
  • 2016-09-29 ae4108b Content-Disposition header breaks in Firefox (#4087) (Anton Smith)
  • 2016-09-26 1ddfaf2 Add silverstripe/auditor, silverstripe/contentreview, silverstripe/reports, silverstripe/siteconfig and silverstripe/sitewidecontent-report into gitignore so people don't accidentally commit changes that don't get reflected when deploying (madmatt)
  • 2016-09-21 7648318 EditableFormHeading doesn't properly handle numeric values (Nic Horstmeier)
  • 2016-09-19 32d1856 Debug::caller() will now handle errors from outside function calls (#6029) (Daniel Hensby)
  • 2016-09-19 d2d770c Frontend UploadField wouldn't call ssdialog (Cristian Torres)
  • 2016-09-14 cd8904e ing button destroy bug (3Dgoo)
  • 2016-09-12 a14df0b Force line endings to LF on sake file (Daniel Hensby)
  • 2016-09-11 266a2ff Handle folders separately in the File Type column (Robbie Averill)
  • 2016-09-11 5d9abdc Use localised Page class name (Robbie Averill)
  • 2016-09-08 ffab2df Excerpt should be casted as HTMLText (Daniel Hensby)
  • 2016-09-06 e7ecf6c Bad strpos call in HTTP::register_etag() (Daniel Hensby)
  • 2016-09-01 f2ed59e Empty dmyfields on DateField now validate as true (Daniel Hensby)
  • 2016-08-27 91abe1f Cast Date method on BlogPost (Daniel Hensby)
  • 2016-08-23 0e61dfc Prevent translatable / subdirs interfering with test state (Damian Mooyman)
  • 2016-08-22 59be597 #1052 (Daniel Hensby)
  • 2016-08-22 4998b80 ArrayList sorting now caseinsensitive (Daniel Hensby)
  • 2016-08-16 d021372 (WorkflowInstance): Fix bug where using WorkflowInstance with frontend had inconsistencies between "index" and listing pages. Since the intent of the code points to it mainly being used for the canView(), I've moved the code there as it makes sense for a user to be able to view the WorkflowInstance of a Target() record they've written to. (Jake Bentvelzen)
  • 2016-08-15 5ad8157 Fix regression in FormField casting (Damian Mooyman)
  • 2016-08-15 a6a9cd7 Fix regression in FormField casting (Damian Mooyman)
  • 2016-08-15 95c640a Fix regression in FormField casting (Damian Mooyman)
  • 2016-08-11 d4114b3 include related fields on canFilter() check (Jonathon Menz)
  • 2016-08-09 63fc4db Fix extra border in page settings (Damian Mooyman)
  • 2016-08-07 86add3e Use create syntax for CMSMemberLoginForm remember me form (Daniel Hensby)
  • 2016-08-04 5fcdf8c don't look in node_modules (Michael Strong)
  • 2016-08-03 a84a1b7 es issue #32 (Access tab JS) (Colin Tucker)
  • 2016-07-28 56f0b72 ETag header now properly quoted (Daniel Hensby)
  • 2016-07-15 9282662 ing bad syntax from PR (Daniel Hensby)
  • 2016-07-15 3662240 Allow caching of false config values (Fixes #4755) (#4762) (Sam Minnée)
  • 2016-07-08 74c555e for #5784: Added ->setReplyTo(), deprecated ->replyTo() for API consistency. Revamping, fixing, and enhancing internal Email API documentation. Simplified code and brought up-to-date with latest standards. (Patrick Nelson)
  • 2016-07-05 9afd602 calling $record->write() breaks other 3rd party fields that write to an UnsavedRelationList. (Jake Bentvelzen)
  • 2016-07-04 637167f Fix missing icons (Damian Mooyman)
  • 2016-06-09 3bb32eb Tests need the DB (Daniel Hensby)
  • 2016-06-09 68c4040 No longer hardcoding admin links (Daniel Hensby)
  • 2016-06-03 429ce55 ViewableData::setFailover() didn't remove cached methods (Loz Calver)
  • 2016-06-01 8a58041 Remove default from address for error emails (Sam Minnee)
  • 2016-05-27 11aad47 invalid syntax in TinyMCE config (#5593) (Loz Calver)
  • 2016-05-19 b1df9dc check that we have a token and a UID before attempting a member auto login (Stevie Mayhew)
