This upgrade includes CMS and Framework version 3.6.3 which includes bugfixes, some minor feature and API enhancements and some security fixes (listed below). Also included are some minor enhancements to the Fulltext Search, Blog and Secure Assets modules.

Upgrade to Recipe 1.8.0 is optional, but is recommended for all CWP sites.

This upgrade can be carried out by any development team familiar with SilverStripe CMS, but if you would like SilverStripe's assistance, please let us know.

Upgrading Instructions

In order to update an existing site to use the new basic recipe the following changes to your composer.json can be made:

"require": {
    "cwp/cwp-recipe-basic": "~1.8.0@stable",
    "cwp/cwp-recipe-blog": "~1.8.0@stable",
    "cwp/starter-theme": "~1.1.0@stable"
"prefer-stable": true

Accepted failing tests

In recipe 1.8.0 these module unit tests cause external errors, but do not represent legitimate issues.


  • UploadFieldTest.testAllowedExtensions — Behaviour intentionally altered by the MimeValidator module
  • UploadFieldTest.testSelect — Behaviour altered by SelectUploadField intentionally
  • UploadTest.testUploadTarGzFileTwiceAppendsNumber — This test is now expected to fail as the new MimeValidator module will no longer allow random content to be uploaded with a mismatched mime and file extension. The original test is attempting to upload a bunch of text as a gzip file.
Expected output modified by the starter theme
  • CheckboxSetFieldTest.testSetDefaultItems
  • EmailFieldTest.testEmailFieldPopulation
  • LookupFieldTest.testNullValueWithNumericArraySource
  • LookupFieldTest.testStringValueWithNumericArraySource
  • LookupFieldTest.testUnknownStringValueWithNumericArraySource
  • LookupFieldTest.testArrayValueWithAssociativeArraySource
  • LookupFieldTest.testArrayValueWithNumericArraySource
  • LookupFieldTest.testArrayValueWithSqlMapSource
  • LookupFieldTest.testWithMultiDimensionalSource
  • OptionsetFieldTest.testSetDisabledItems
  • GridFieldDetailFormTest.testValidator
  • GridFieldSortableHeaderTest.testRenderHeaders


  • QueuedJobsTest.testImmediateQueuedJob - Test self-aborts when detecting lack of available system resources (inconclusive).
  • QueuedJobsTest.testStartJob - Test self-aborts when detecting lack of available system resources (inconclusive).



  • UserDefinedFormControllerTest.testValidation - Test failure affected by global state (starter theme template overrides).
  • UserDefinedFormControllerTest.testRenderingIntoFormTemplate - Test failure affected by global state.
  • UserDefinedFormControllerTest.testRenderingIntoTemplateWithSubstringReplacement - Test failure affected by global state.

Change Log


  • 2017-11-30 6ba00e829 Prevent disclosure of sensitive information via LoginAttempt (Damian Mooyman) - See ss-2017-009
  • 2017-11-30 db54112f3 user agent invalidation on session startup (Damian Mooyman) - See ss-2017-006
  • 2017-11-29 22ccf3e2f Ensure xls formulae are safely sanitised on output (Damian Mooyman) - See ss-2017-007
  • 2017-11-21 0f2049d4d SQL injection in search engine (Daniel Hensby) - See ss-2017-008
  • 2017-09-04 f0262a8fd User enumeration via timing attack mitigated (Daniel Hensby) - See ss-2017-005

Features and Enhancements

  • 2017-11-16 96231bc Update blog to 2.5 (Robbie Averill)
  • 2017-11-16 c038c4e Update fulltextsearch and secureassets (Robbie Averill)
  • 2017-09-08 17b7f5c Add extension to update page request, add Subsites compatibility extension (Robbie Averill)
  • 2017-08-24 fdd501182 Ability to override SS_TemplateManifest via Injector (fixes #7305) (Patrick Nelson)
  • 2017-07-03 d5340a8 config to disable sending spam notifications (Cam Findlay)


  • 2017-12-05 8477de15 Remove unused Behat tests from 3.6 branch (Robbie Averill)
  • 2017-11-30 84d7afb34 Use baseDataClass for allVersions as with other methods (Daniel Hensby)
  • 2017-11-24 09a003bc1 deprecated usage of getMock in unit tests (Daniel Hensby)
  • 2017-11-23 2ad3cc07d Update meber passwordencryption to default on password change (Daniel Hensby)
  • 2017-11-22 ef6d86f2c Allow lowercase and uppercase delcaration of legacy Int class (Daniel Hensby)
  • 2017-11-17 be255c2 Total items count in output respects canView on records (Robbie Averill)
  • 2017-11-17 b3fc680 Return string directly when no body content is provided to put/post methods (Robbie Averill)
  • 2017-11-16 dda14e895 HTTP::get_mime_type with uppercase filenames. (Roman Schmid)
  • 2017-11-16 52f0eadd3 for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class (e.g. in case of using SVG's in <img> tag which may be File instances). (Patrick Nelson)
  • 2017-11-15 ce3fd370f ManyMany link table joined with LEFT JOIN (Daniel Hensby)
  • 2017-11-09 1053de7ec Don't redirect in force_redirect() in CLI (Damian Mooyman)
  • 2017-11-02 c2f5850 Ensure that draft blog posts are always viewable to users with view draft permission (Robbie Averill)
  • 2017-11-02 cb92696 Ensure a Member object is passed to canView etc methods if available (Robbie Averill)
  • 2017-11-02 087c8ca ImmediateQueueHandler needs scheduleJob method to match expected API (Daniel Hensby)
  • 2017-10-25 cbac37559 Helpful warning when phpunit bootstrap appears misconfigured (Daniel Hensby)
  • 2017-10-25 32cef975e Use self::inst() for Injector/Config nest methods (Daniel Hensby)
  • 2017-10-19 a73d5b41 revert to this button after archiving (Christopher Joe)
  • 2017-10-12 fd39faee UploadField overwriteWarning isn't working in AssetAdmin (Jason)
  • 2017-10-09 264cec123 Dont use var_export for cache key generation as it fails on circular references (Daniel Hensby)
  • 2017-10-06 11a5dc7 Ensure SiteConfig defaults are used as fallback options (Robbie Averill)
  • 2017-10-05 4c4a3d4 for broken validation on optionsets (MikeyC)
  • 2017-10-04 24e190ea TreeDropdownField showing broken page icons (fixes silverstripe/silverstripe-framework#7420) (Loz Calver)
  • 2017-09-28 378c7fa Return self for setValue (Daniel Hensby)
  • 2017-09-28 d47648a Archive widget shows months from posts published that day (Robbie Averill)
  • 2017-09-26 ebe1de8d8 ArrayList sort error with old (supported) PHP (Dylan Wagstaff)
  • 2017-09-26 4b8ab26 excludeSiteTreeClassNames (#64) (Ralph Slooten)
  • 2017-09-22 7edc058 Escape dollar signs in UserForm contents before inserting them with regex (Robbie Averill)
  • 2017-09-12 0aac4ddb Default LoginForm generated from default_authenticator (Daniel Hensby)
  • 2017-09-12 091d99f59 Authenticators are more resilient to incomplete configuration (Daniel Hensby)
  • 2017-09-05 e0cca79 ed psr2 issue and removed empty id check condition. (Roopam Jain)
  • 2017-08-28 7b200a2a6 add combinedFiles to clear logic (Christopher Joe)
  • 2017-08-25 57fbfc6 no comma after lisence (Franco Springveldt)
  • 2017-08-18 e196de2 Set SearchUpdateCommitJobProcessor::$dirty_indexes prop type to array, not bool (cpenny)
  • 2017-08-16 eb80a5f9e LastEdited no longer updated on skipped writes (Daniel Hensby)
  • 2017-08-14 b04a1ab41 Truncate Error Issue when using views in a Unittest. (James Pluck)
  • 2017-08-13 2f579b64c Files without extensions (folders) do not have a trailing period added (Robbie Averill)
  • 2017-08-10 ab81117 page rendering with proper subsite locale (Gregory Smirnov)
  • 2017-08-06 59b28f7d5 Fixes #7181 to config system for userland config of node display limits. (Russell Michell)
  • 2017-07-26 31c5eebda Avoid JS errors for HTMLEditorFields in small holders (Daniel Hensby)
  • 2017-07-26 82c0632f4 Use Config API for MemberAuthenticator::$migrate_legacy_hashes (fixes #7208) (Loz Calver)
  • 2017-07-19 292aaf653 Cache IDs grouped by site first (Daniel Hensby)
  • 2017-07-18 b77274c1a Add unique prefix to cache stores to prevent cache leak (Daniel Hensby)
  • 2017-07-17 515a7cb5 Make sure VirtualPage renders correct templates (Daniel Hensby)
  • 2017-07-10 960a0f834 Make File::ini2bytes() compliant with binary prefixes (fixes #7145) (Loz Calver)
  • 2017-07-06 a6db16b22 OS X issue with Convert::html2raw, HTMLText::FirstSentence, HTMLText::Summary and Text::FirstSentence. (Roman Schmid)
  • 2017-07-04 00f1ad5d6 Fixes #7116 Improves server requirements docs viz: OpCaches. (Russell Michell)
  • 2017-06-30 a98e02f , correcting an issue where the module would end up on the wrong path. (Nathan Glasl)
  • 2017-06-30 81b0a15 (composer) Installer path fix (Marcus Nyeholt)
  • 2017-06-29 79a7b1016 add missing $rootCall param from LeftAndMain (Daniel Hensby)
  • 2017-06-20 e2116a70e Text colour in GridField filter headers for dropdown fields (Robbie Averill)
  • 2017-06-14 2afe018dc Ensure HasManyList foreign ID filter includes table name (fixes #7023) (Loz Calver)
  • 2017-06-12 53c84d93d changetracker checkbox bugs (Brian Cairns)
  • 2017-06-12 a5c84b12a Order of conditionals for getting default admin (Daniel Hensby)
  • 2017-06-06 4ad2cae86 Upload_Validator failed to fetch max size from PHP ini values (fixes #6999) (Loz Calver)
  • 2017-06-05 5f5bfa5e7 create temp folder if it does not exist (Christopher Joe)
  • 2017-06-02 4b9d5dceb tinymce image selection issue in newer versions of Chrome (Christopher Joe)
  • 2017-05-09 764fbe4 Remove After: 'mysite/*' in solr.yml (Brett Tasker)
  • 2017-05-09 3dd303679 Ensure GridState_Component is added to GridField config even if we set config with GridField::setConfig (Klemen Dolinsek)
  • 2017-02-21 f647b1c , check whether sortable exists before trying to use it. (Nathan Glasl)
  • 2017-02-06 51749c6 ed Travis URL (Ingo Schommer)
  • 2016-12-20 4fb4255 Fixed crash on older versions of PHP when the file does not exist (UndefinedOffset)
  • 2016-08-15 0fbe9c7 formatting (Jake Ovenden)
  • 2016-08-04 2fa550e typo (Jake Ovenden)
  • 2016-03-20 805c38f10 don't try and switch out of context of the tab system (Stevie Mayhew)

Was this article helpful?