Versions:

3.1.13

Overview

This release includes several security fixes to prevent HTTP Hostname injection, as well as a fix for flush or isDev querystring parameters to be set via unauthenticated requests.

Users upgrading from 3.1.12 or below should read the security documentation on securing their site.

Security

  • 2015-05-22 a978b89 Fix handling of empty parameter token (Damian Mooyman) - See ss-2015-014
  • 2015-05-25 75137db Ensure only trusted proxy servers have control over certain HTTP headers (Damian Mooyman) - See ss-2015-013
  • 2015-05-25 22a35e4 Fix malformed urls redirecting to external sites (Damian Mooyman) - See ss-2015-012
  • 2015-05-22 79cfa2b Bug fix sqlquery select (Damian Mooyman) - See ss-2015-011

Bugfixes

  • 2015-04-24 242de4e Added Youtube's short URL. (Michael Strong)
  • 2015-05-28 9c8fa51 Allow users to specify allowed hosts (Marcus Nyeholt)
  • 2015-05-07 828ad6e Modifications to GridFieldExportButton to allow ArrayList use in SS_Report (Will Rossiter)
  • 2015-04-30 be10d90 count breaks when having clause defined (Aram Balakjian)
  • 2015-04-27 120b983 X-Reload & X-ControllerURL didn't support absolute URLs (fixes #4119) (Loz Calver)
  • 2015-04-25 bfd8b66 for #4104, minor revision of error messages in ListboxField (more intuitive). (Patrick Nelson)
  • 2015-04-23 5ae0ca1 #4100 Setup the ability to overload the ShortcodeParser class and ensuring its methods/properties are extensible via the "static" keyword. (Patrick Nelson)
  • 2015-04-23 c2fd18e use config for Security::$login_url (Daniel Hensby)
  • 2015-04-23 19423e9 Fix tinymce errors crashing CMS When removing a tinymce field, internal third party errors should be caught and ignored gracefully rather than breaking the whole CMS. (Damian Mooyman)
  • 2015-04-20 8e24511 Fix users with all cms section access not able to edit files Fixes #4078 (Damian Mooyman)
  • 2015-04-14 8caaae6 Fix accordion sometimes displaying scrollbars (Damian Mooyman)
  • 2015-03-31 a71f5f9 Use SearchForm::create to instantiate SearchForm (Daniel Hensby)
  • 2015-03-26 636cddb export and print buttons outside button row (Naomi Guyer)
  • 2015-03-26 a7d3f89 Check for existence of HTTP_USER_AGENT to avoid E_NOTICE error. (Sean Harvey)
  • 2015-03-25 8d6cd15 Fix some database errors during dev/build where an auth token exists for the current user Fixes #3660 (Damian Mooyman)
  • 2015-03-23 aba0b70 GridFieldDetailForm::setItemEditFormCalback broke chaining (Daniel Hensby)
  • 2015-03-23 72bb9a2 Debug::text no longer incorrecty returns "ViewableData_debugger" (Daniel Hensby)
  • 2015-03-16 f2b1fa9 broken link in docs to how_tos/extend_cms_interface (Jeremy Shipman)
  • 2015-02-24 6c92a86 Fix CMSMainTest attempting to render page on Security permission error (Damian Mooyman)

Was this article helpful?