This document contains information for an outdated version and may not be maintained any more. If some of your projects still use this version, consider upgrading as soon as possible.



Features and Enhancements

  • [rev:114572] 'bypassStaticCache' cookie set in Versioned is limited to httpOnly flag (no access by JS) to improve clientside security (from r114568)
  • [rev:114571] Session::start() forces PHPSESSID cookies to be httpOnly (no access by JS) to improve clientside security (from r114567)
  • [rev:114499] Added !RandomGenerator for more secure CRSF tokens etc. (from r114497)
  • [rev:114467] PHP requirements in installer now check for date.timezone correctly being set for PHP 5.3.0+. This option is required to be set starting with 5.3.0 and will cause an error during installation if not
  • [rev:114083] Added SS_HTTPResponse->setStatusDescription() as equivalent to setStatusCode(). Added documentation.
  • [rev:113963] Split temp directory check and writability into two checks
  • [rev:113961] #6206 Installer additional checks for module existence by checking _config.php exists, in addition to the directory
  • [rev:113919] Allowing i18nTextCollector to discover entities in templates stored in themes/ directory (thanks nlou) (from r113918)
  • [rev:113871] Update Asset's left and right panels with filders and files after 'Look for new files' was triggered (open #5543)

API Changes

  • [rev:114474] Using i18n::validate_locale() in various Translatable methods to ensure the locale exists (as defined through i18n::$allowed_locales) (from r114470)


  • [rev:114783] Removed switch in !MySQLDatabase->query() to directly echo queries with 'showqueries' parameter when request is called via ajax (from r114782)
  • [rev:114774] Disallow web access to sapphire/silverstripe_version to avoid information leakage (from r114773)
  • [rev:114771] Disallow web access to cms/silverstripe_version to avoid information leakage (from r114770)
  • [rev:114760] Avoid potential referer leaking in Security->changepassword() form by storing Member->!AutoLoginHash in session instead of 'h' GET parameter (from r114758)
  • [rev:114719] Fallback text for "Password" in !ConfirmedPasswordField when no translation found
  • [rev:114683] Populates the page with fake data in order to pass subsequent unit tests
  • [rev:114654] Test if form is the right class (if a class decorates the content controller, this test would break ie sphinx)
  • [rev:114516] Escaping $locale values in Translatable->augmentSQL() in addition to the i18n::validate_locale() input validation (from r114515)
  • [rev:114512] Limiting usage of mcrypt_create_iv() in !RandomGenerator->generateEntropy() to *nix platforms to avoid fatal errors (specically in IIS) (from r114510)
  • [rev:114507] Using !RandomGenerator class in Member->logIn(), Member->autoLogin() and Member->generateAutologinHash() for better randomization of tokens. Increased VARCHAR length of '!RememberLoginToken' and '!AutoLoginHash' fields to 1024 characters to support longer token strings. (from r114504)
  • [rev:114506] Using !RandomGenerator class in !PasswordEncryptor->salt() (from r114503)
  • [rev:114500] Using !RandomGenerator class in !SecurityToken->generate() for more random tokens
  • [rev:114473] Check for valid locale in i18n::set_locale()/set_default_locale()/include_locale_file()/include_by_locale() (as defined in i18n::$allowed_locales). Implicitly sanitizes the data for usage in controllers. (from r114469)
  • [rev:114445] Don't allow HTML formatting in !RequestHandler->httpError() by sending "Content-Type: text/plain" response headers. (from r114444)
  • [rev:114208] Including template /lang folders in i18n::include_by_locale() (implementation started in r113919)
  • [rev:114195] Added !SecurityToken to !PageCommentInterface->!DeleteAllLink() (fixes #6223, thanks Pigeon)
  • [rev:114083] Strip newlines and carriage returns from SS_HTTPResponse->getStatusDescription() (fixes #6222, thanks mattclegg) (from r114082)
  • [rev:114081] Removed double quoting of $where parameter in Translatable::get_existing_content_languages() (fixes #6203, thanks cloph) (from r114080)
  • [rev:114036] Fixed case where !AssetAdmin would throw an error if $links was not an object in !AssetAdmin::getCustomFieldsFor()
  • [rev:113976] #6201 Use of set_include_path() did not always include sapphire paths in some environments
  • [rev:113962] Installer now checks temporary directory is writable, in addition to it being available.
  • [rev:113809] #6197 simon_w: Fixed Internal Server Error when accessing assets on Apache without mod_php.
  • [rev:113692] Avoid reloading CMS form twice after certain saving actions (fixes #5451, thanks muzdowski)

Minor changes

  • [rev:114751] Setting Content-Type to text/plain in various error responses for !RestfulServer (from r114750)
  • [rev:114749] Reverting Member "!AutoLoginHash", "!RememberLoginToken" and "Salt" to their original VARCHAR length to avoid problems with invalidated hashes due to shorter field length (from r114748)
  • [rev:114745] Partially reverted r114744
  • [rev:114744] Reduced VARCHAR length from 1024 to 40 bytes, which fits the sha1 hashes created by !RandomGenerator. 1024 bytes caused problems with index lengths on MySQL (from r114743)
  • [rev:114720] Code formatting change in !ConfirmedPasswordField::__construct()
  • [rev:114454] Added exception handling if !ClassName is null in search results
  • [rev:114334] Checking for class_exists() before !SapphireTest::is_running_tests() to avoid including the whole testing framework, and triggering PHPUnit to run a performance-intensive directory traversal for coverage file blacklists (from r114332)
  • [rev:114079] Reverted r108515
  • [rev:114078] Documentation for Aggregate caching (from r114077)
  • [rev:114062] fixed visual glitch in CMS access tab for IE
  • [rev:114036] Defined $backlinks as an array before adding entries to it
  • [rev:114016] Fixed php tag in !SecurityTokenTest, should be "<?php" not "<?"
  • [rev:113984] Installer now writes "!SetEnv HTTP_MOD_REWRITE On" in .htaccess to be consistent with the original .htaccess file that comes with the phpinstaller project
  • [rev:113968] Fixed PHP strict standard where non-variables cannot be passed by reference
  • [rev:113967] Fixed undefined variable $groupList
  • [rev:113964] Re-use variable instead of check temp folder again
  • [rev:113956] Make sure that Translatable creates a translated parent of !SiteTree only when the parent is not translated (from r113955)
  • [rev:113937] don't trigger notice but Debug::show it
  • [rev:113936] don't trigger notice but Debug::show it
  • [rev:113933] test doesn't fail anymore due to time differences between db and php. The test now issues notices, warnings and errors depending on the severity of the offset
  • [rev:113924] Fixed spaces with tabs in Core
  • [rev:113923] Fixed spaces with tabs for Core::getTempFolder()
  • [rev:113696] call jquery-ui from thirdparty folder instead google api (see ticket 5915) (from r113656)
  • [rev:113695] Typo in !AssetAdmin (fixes #6191, thanks Juanitou)
  • [rev:113690] Updated cs_CZ and sk_SK translations in sapphire/javascript (fixes #6085, thanks Pike)
  • [rev:113689] Making some !JavaScript strings in cms/javascript translatable, and updated their cs_CZ and sk_SK translations (fixes #6085, thanks Pike)


  • [rev:114464] FIX: Revert last commit
  • [rev:114463] FIX: Revert last commit

Was this article helpful?