This release includes SilverStripe 3.6.7, which contains a critical security fix for CVE-2019-5715 (SS-2018-021). See the related blog post for details.

This recipe supersedes CWP recipe 1.6.1, which contains a conflict between packages silverstripe/multivaluefield and symbiote/silverstripe-gridfieldextensions resulting in the package being installed twice. silverstripe/multivaluefield was renamed to symbiote/silverstripe-gridfieldextensions, but must remain as the former in CWP 1.6. This problem does not affect CWP recipes newer than 1.6.

We recommend upgrading to use the latest version of CWP if possible.

The changelog below contains all changes from CWP 1.6.1 as well as 1.6.2.

Change Log

Security

  • 2019-01-10 c44f06cdf Patch SQL Injection vulnerability when arrays are assigned to DataObject Fields (Aaron Carlino) - See ss-2018-021
  • 2018-12-06 bbd1a51 Adjust MultiValueField to work with the new scalarValueOnly method (Maxime Rainville) - See ss-2018-021
  • 2018-09-26 598edd913 Add confirmation token to dev/build (Loz Calver) - See ss-2018-019
  • 2018-05-08 19fdebfa2 Remove dotm, potm, jar, css, js, xltm from default File.allowed_extensions (Robbie Averill) - See ss-2018-014
  • 2018-04-11 577138882 Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See ss-2018-001
  • 2017-11-30 6ba00e829 Prevent disclosure of sensitive information via LoginAttempt (Damian Mooyman) - See ss-2017-009
  • 2017-11-30 db54112f3 Fix user agent invalidation on session startup (Damian Mooyman) - See ss-2017-006
  • 2017-11-29 22ccf3e2f Ensure xls formulae are safely sanitised on output (Damian Mooyman) - See ss-2017-007
  • 2017-11-21 0f2049d4d Fix SQL injection in search engine (Daniel Hensby) - See ss-2017-008
  • 2017-09-04 f0262a8fd User enumeration via timing attack mitigated (Daniel Hensby) - See ss-2017-005
  • 2017-05-25 25b77a2ff SVG uploads disabled by default (Daniel Hensby) - See ss-2017-017

Features and Enhancements

  • 2017-08-24 fdd501182 Ability to override SS_TemplateManifest via Injector (fixes #7305) (Patrick Nelson)

Bugfixes

  • 2019-02-20 4d15355 Fix userforms to 4.3.1 (Robbie Averill)
  • 2019-01-23 746c0679a Injector may instantiate prototypes as if they're singletons (fixes #8567) (Loz Calver)
  • 2018-11-15 86701b8cd Redirect loop with multiple URL tokens (fixes #8607) (Loz Calver)
  • 2018-06-04 41e601a03 Regression from #8009 (Daniel Hensby)
  • 2018-06-01 ce1db58 Fix broken link (#92) (Raissa North)
  • 2018-06-01 1012ccb Fix broken link (Raissa North)
  • 2018-06-01 af89140 Fix broken link in developer docs (#91) (Raissa North)
  • 2018-06-01 60a98be Fix broken links in developer docs (Raissa North)
  • 2018-05-29 1cbf27e0f PHP 5.3 compat for referencing $this in closure, and make method public for same reason (Robbie Averill)
  • 2018-05-18 c7ab8df Fix broken links (Raissa North)
  • 2018-04-22 dca8ae5 fix regex issue in performance docs (Tomas Cantwell)
  • 2018-04-17 af3a9f3ec Duplicating many_many relationships loses the extra fields (fixes #7973) (UndefinedOffset)
  • 2018-03-15 d17d93f7 Remove SearchForm results() function from allowed_actions (Steve Dixon)
  • 2018-02-16 86addea1d Split HTML manipulation to onadd, so elements are not accidentally duplicated (Christopher Joe)
  • 2018-02-13 c767e472d DataObject singleton creation (Jonathon Menz)
  • 2018-01-26 416915b08 tableName is blank in CompositeDBField->addToQuery (Dominik Beerbohm)
  • 2018-01-25 cf69d0486 Fix ping including requirements (Damian Mooyman)
  • 2018-01-24 c2cd6b383 Fix Member_GroupSet::removeAll() (fixes #3948) (Loz Calver)
  • 2018-01-24 f2b4c192e Fix UploadField cuts off “Save” button (closes #2862) (Loz Calver)
  • 2018-01-23 7384e3fc2 Gridfields with dropdowns having lots of overflow (Scott Hutchinson)
  • 2018-01-09 2ef4a2d4e , adding a missing return statement. (Nathan)
  • 2017-12-21 44930f211 Allow HTML 5 input tags in FunctionalTest form submissions (Daniel Hensby)
  • 2017-12-14 81150c592 Use PHP 5.3 array syntax (Daniel Hensby)
  • 2017-12-05 8477de15 Remove unused Behat tests from 3.6 branch (Robbie Averill)
  • 2017-11-30 84d7afb34 Use baseDataClass for allVersions as with other methods (Daniel Hensby)
  • 2017-11-24 09a003bc1 Fix deprecated usage of getMock in unit tests (Daniel Hensby)
  • 2017-11-23 2ad3cc07d Update member passwordencryption to default on password change (Daniel Hensby)
  • 2017-11-22 ef6d86f2c Allow lowercase and uppercase declaration of legacy Int class (Daniel Hensby)
  • 2017-11-22 ec8ad45 fix: added missing image for private modules (Tomas Cantwell)
  • 2017-11-16 dda14e895 Fix HTTP::get_mime_type with uppercase filenames. (Roman Schmid)
  • 2017-11-16 52f0eadd3 for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class (e.g. in case of using SVG's in <img> tag which may be File instances). (Patrick Nelson)
  • 2017-11-15 ce3fd370f ManyMany link table joined with LEFT JOIN (Daniel Hensby)
  • 2017-11-09 1053de7ec Don't redirect in force_redirect() in CLI (Damian Mooyman)
  • 2017-10-25 cbac37559 Helpful warning when phpunit bootstrap appears misconfigured (Daniel Hensby)
  • 2017-10-25 32cef975e Use self::inst() for Injector/Config nest methods (Daniel Hensby)
  • 2017-10-19 a73d5b41 revert to this button after archiving (Christopher Joe)
  • 2017-10-12 fd39faee UploadField overwriteWarning isn't working in AssetAdmin (Jason)
  • 2017-10-09 264cec123 Don't use var_export for cache key generation as it fails on circular references (Daniel Hensby)
  • 2017-10-04 24e190ea Fix: TreeDropdownField showing broken page icons (fixes silverstripe/silverstripe-framework#7420) (Loz Calver)
  • 2017-09-28 378c7fa Return self for setValue (Daniel Hensby)
  • 2017-09-26 ebe1de8d8 Fix ArrayList sort error with old (supported) PHP (Dylan Wagstaff)
  • 2017-09-12 0aac4ddb Default LoginForm generated from default_authenticator (Daniel Hensby)
  • 2017-09-12 091d99f59 Authenticators are more resilient to incomplete configuration (Daniel Hensby)
  • 2017-08-28 7b200a2a6 Fix add combinedFiles to clear logic (Christopher Joe)
  • 2017-08-16 eb80a5f9e LastEdited no longer updated on skipped writes (Daniel Hensby)
  • 2017-08-14 b04a1ab41 Fix Truncate Error Issue when using views in a Unittest. (James Pluck)
  • 2017-08-13 2f579b64c Files without extensions (folders) do not have a trailing period added (Robbie Averill)
  • 2017-08-06 59b28f7d5 Fixes #7181 to config system for userland config of node display limits. (Russell Michell)
  • 2017-07-26 31c5eebda Avoid JS errors for HTMLEditorFields in small holders (Daniel Hensby)
  • 2017-07-26 82c0632f4 Fix: Use Config API for MemberAuthenticator::$migrate_legacy_hashes (fixes #7208) (Loz Calver)
  • 2017-07-19 292aaf653 Cache IDs grouped by site first (Daniel Hensby)
  • 2017-07-18 b77274c1a Add unique prefix to cache stores to prevent cache leak (Daniel Hensby)
  • 2017-07-17 515a7cb5 Make sure VirtualPage renders correct templates (Daniel Hensby)
  • 2017-07-10 960a0f834 Fix: Make File::ini2bytes() compliant with binary prefixes (fixes #7145) (Loz Calver)
  • 2017-07-09 8f2aaf5 Fixed link formats in performance guide docs (Ingo Schommer)
  • 2017-07-06 a6db16b22 Fix OS X issue with Convert::html2raw, HTMLText::FirstSentence, HTMLText::Summary and Text::FirstSentence. (Roman Schmid)
  • 2017-07-06 a8860d9 Fix formatting errors (Glen Peek)
  • 2017-07-06 3572328 Fix getBaseStyles examples (Glen Peek)
  • 2017-07-04 00f1ad5d6 Fixes #7116 Improves server requirements docs viz: OpCaches. (Russell Michell)
  • 2017-06-29 79a7b1016 add missing $rootCall param from LeftAndMain (Daniel Hensby)
  • 2017-06-20 e2116a70e Text colour in GridField filter headers for dropdown fields (Robbie Averill)
  • 2017-06-14 b33a16a Fix ADFS docs to account for DR instances (John)
  • 2017-06-14 2afe018dc Ensure HasManyList foreign ID filter includes table name (fixes #7023) (Loz Calver)
  • 2017-06-14 1073eca2f Bugfix: Complex (curly) syntax (Marcz Hermo)
  • 2017-06-14 fd57bd910 Update help link from 3.5 to 3.6 (Robbie Averill)
  • 2017-06-12 53c84d93d Fix changetracker checkbox bugs (Brian Cairns)
  • 2017-06-12 f0c00bfb7 Fixing language typo in docs (3Dgoo)
  • 2017-06-12 a5c84b12a Order of conditionals for getting default admin (Daniel Hensby)
  • 2017-06-06 4ad2cae86 Upload_Validator failed to fetch max size from PHP ini values (fixes #6999) (Loz Calver)
  • 2017-06-05 5f5bfa5e7 Fix create temp folder if it does not exist (Christopher Joe)
  • 2017-06-02 a52ed03b4 Upgrade old style constructors that were missed (Daniel Hensby)
  • 2017-06-02 4b9d5dceb Fix tinymce image selection issue in newer versions of Chrome (Christopher Joe)
  • 2017-05-29 b4368196d Use plural name for ModelAdmin tab name (Robbie Averill)
  • 2017-05-09 3dd303679 Ensure GridState_Component is added to GridField config even if we set config with GridField::setConfig (Klemen Dolinsek)
  • 2016-10-21 8e5bb6fbd Fix: relObject() should return null if one of the nodes is null (Jason)
  • 2016-08-15 0fbe9c7 fix formatting (Jake Ovenden)
  • 2016-08-04 2fa550e fix typo (Jake Ovenden)
  • 2016-03-20 805c38f10 don't try and switch out of context of the tab system (Stevie Mayhew)
  • 2016-03-15 22b3a71ec fixing val reference to url in https hotlink (Denise Rivera)
  • 2015-04-22 1f63637b9 for #4095, TinyMCE not able to modify props of embed media (bug 1) and invalid HTML inserted (bug 2) (Patrick Nelson)
