3.0.6-rc1 (2013-08-08)


  • Security: Require ADMIN for ?flush=1 (stop denial of service attacks) (#1692)


Security: Require ADMIN for ?flush=1

Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than normal requests, it can facilitate denial-of-service attacks.

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

  • The environment is in "dev mode"
  • A user is logged in with ADMIN permissions
  • An error occurs during startup

This applies to both flush=1 and flush=all (technically we only check for the existence of any parameter value) but only through web requests made through main.php - CLI requests, or any other request that goes through a custom start up script will still process all flush requests as normal.

Thanks to Christopher Tombleson for reporting.


  • If you have created your own composite database fields, then you should amend the setValue() to allow the passing of an object (usually DataObject) as well as an array.
  • If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web request, you should ensure that you limit use of the flush parameter
  • Translation entity namespaces can no longer contain dots, since it conflicts with the YAML format.
  • Translation entities defined in templates now use their fully qualified entity name without dots. Before:, after BackLink_Button_ss.Back. Please fix any custom language files or uses of those entities in custom code.
  • If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in admin/myprofile to ensure correct operation (it has changed its locale identifier)


API Changes

  • 2013-03-08 b81f39a Handle uncaught ValidationException on CMS controller execution (Ingo Schommer)
  • 2013-02-27 e6fffb9 Remove content-length setting in HTTPResponse (Ingo Schommer)
  • 2013-02-27 600d9cf Make Object::config use late static binding (Hamish Friedlander)
  • 2013-02-12 10199f9 Data corruption on Versioned due to lazy loading (Julian Seidenberg)
  • 2013-01-24 11f4b2c HTTP::urlRewriter with (string)$code deprecated in 3.1. Fixed regressions and CSS urls. (Damian Mooyman)

Features and Enhancements

  • 2013-04-21 eb583c5 Added DataObject::getQueriedDatabaseFields() as faster alternative to toMap() API: CompositeDBField::setValue() may be passed an object as its second argument, in addition to array. (Sam Minnee)
  • 2013-03-18 b401d39 Move temp data into a user-specific subfolder, to stop temp-permission bugs from occurring. (Sam Minnee)
  • 2013-02-22 de641dd updated the reference index on 3.0 - There were lots of broken and missing links (Jeremy Bridson)


  • 2013-08-05 5f9387c Constants magic_quotes handling needs function from Core (Hamish Friedlander)
  • 2013-08-05 041466f Token redirect where in IIS a / needs adding between host & url (Hamish Friedlander)
  • 2013-08-02 a685a8d Include flushtoken when install redirects to successfullyinstalled (Hamish Friedlander)
  • 2013-08-01 3420587 Flush on memory exhaustion and headers sent (Hamish Friedlander)
  • 2013-07-23 a1ea905 Nice errors and allows flush on module removal (Hamish Friedlander)
  • 2013-07-22 84011aa Only suppress fatal errors (Hamish Friedlander)
  • 2013-07-19 a312cd0 Ignore invalid tokens instead of throwing 403 (Hamish Friedlander)
  • 2013-07-19 036c36a Have ParameterConfirmationToken work regardless of include path (Hamish Friedlander)
  • 2013-07-18 1298d4a Prevent DOS by checking for env and admin on ?flush=1 (#1692) (Hamish Friedlander)
  • 2013-07-15 999fd39 preg_replace_callback in emailer was broken (Stephen Shkardoon)
  • 2013-06-13 3b40711 Resize infinite loops in IE8 (fixes #575) (Ingo Schommer)
  • 2013-05-27 c7f1412 #651 Broken redirection after creating new folder in assets (Mike Parkhill)
  • 2013-05-23 c85c495 GridFieldFilterHeader works without non-filterable cols (Ingo Schommer)
  • 2013-05-08 00b8ffd File class typo (Tony Air)
  • 2013-04-26 b211f22 JSONDataFormatter wrong relation identifiers (fixes #1795) (Ingo Schommer)
  • 2013-04-20 41c0f80 Only block root vendor folder (colymba)
  • 2013-04-01 df4d742 Saving of custom meta tags (fixes #8288) (Joseph Madden)
  • 2013-03-29 3aced11 GridFieldFilterHeader only filters on last filter (Stig Lindqvist)
  • 2013-03-27 19a8545 update deprecated 'live' jquery to 'on' (Naomi Guyer)
  • 2013-03-25 0ebd525 Unset "underneath page" title when switching to "top" in "add page" (Ingo Schommer)
  • 2013-03-25 3f2b6a5 Don't silently unset ParentID in "add page" dialog (Ingo Schommer)
  • 2013-03-25 0a283ea Unset internal metadata on TreeDropdownField setValue() (Ingo Schommer)
  • 2013-03-20 2787d36 "Insert Link" and other TinyMCE loading bugs (fixes #8327) (Ingo Schommer)
  • 2013-03-20 143317c SQL Injection in CsvBulkLoader (fixes #6227) (Stephen Shkardoon)
  • 2013-03-19 9ac104b $_COOKIES is not un-magic_quotes'd (Stephen Shkardoon)
  • 2013-03-18 5c933b4 SilverStripeNavigator shows wrong message. (uniun)
  • 2013-03-12 dd6f33a Respect tree node limits, fix search result node display (Ingo Schommer)
  • 2013-02-26 a8a10f8 Transaction stub methods for better cross 2.x and 3.x compat (Ingo Schommer)
  • 2013-02-17 c7b0666 Escape page titles in CommentAdmin table listing (Ingo Schommer)
  • 2013-02-15 428cbe4 issue with Injector::create not passing args (Marcus Nyeholt)
  • 2013-01-30 b24a0a5 Remove extraneous </div> breaking IE8 image embedding (os#8218) (Mateusz Uzdowski)
  • 2013-01-15 50995fb Undefined $allowed_actions overrides parent definitions, stricter handling of $allowed_actions on Extension (Ingo Schommer)
  • 2013-01-06 eecd348 Keep Member.PasswordEncryption setting on empty passwords (Ingo Schommer)
  • 2012-10-26 d8b106e TestRunner was not cleaning up DB on failure (Craig Weber)
  • 2012-10-10 e2bf964 7934 When lazy loading fields respect version of the record (jean)
  • 2012-10-05 1ffbb8f Exclude framework/dev from text collection (fixes #4754) (Ingo Schommer)
  • 2012-09-10 17bd873 7853 Flush the content of drop down fields when closing html editor linker (links and images) (jean)