Version 4 supported
This version of Silverstripe CMS is still supported though will not receive any additional features. Go to documentation for the most recent stable version.


This security release removes the following file extensions from the default whitelist of accepted types for uploaded files: dotm, potm, jar, css, js and xltm.

If you require the ability to upload these file types in your projects, you will need to add them back in again. For more information, see "Configuring: File types".

Change log


  • 2018-04-26 299131ed2 File security documentation (Damian Mooyman) - See ss-2018-012
  • 2018-04-25 be96858 Remove jar, dotm, potm, xltm from file extension whitelist, hard-code CSS and JS for TinyMCE support (Robbie Averill) - See ss-2018-014
  • 2018-04-24 f847f186b Remove password text from session data on failed submission (Aaron Carlino) - See ss-2018-013
  • 2018-04-23 aa365e0 Remove dotm, potm, jar, css, js, xltm from default File.allowed_extensions (Robbie Averill) - See ss-2018-014
  • 2018-04-23 f9c03fa Prevent php code execution in assets folder (Damian Mooyman) - See ss-2018-012
  • 2018-04-23 1e27835 Prevent php code execution in assets folder (Damian Mooyman) - See ss-2018-012
  • 2018-04-22 beec0c0d4 regression of SS-2017-002 (Robbie Averill) - See ss-2018-010
  • 2018-04-11 e409d6f67 Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See ss-2018-001
  • 2018-04-10 9053014a7 Validate against malformed urls (Damian Mooyman) - See ss-2018-008
  • 2018-04-10 2e13ae746 Prevent code execution in template value resolution (Damian Mooyman) - See ss-2018-006
  • 2018-04-09 db04ed9 Remove on* events as allowed properties (Damian Mooyman) - See ss-2018-004
  • 2018-04-08 d935140a9 Prevent unauthenticated isDev / isTest being allowed (Damian Mooyman) - See ss-2018-005


  • 2018-05-23 e7e32d13a Add namespace and encryptor to tests that expect blowfish to be available (Robbie Averill)
  • 2018-02-13 c6095cf word boundary issue with pathname matching (Christopher Joe)
  • 2018-02-06 5bff64b47 Fix Director::test() not persisting removed session keys on teardown (Damian Mooyman)