4.3.6

Embedding files with shortcodes (FileShortcodeProvider) no longer provides a session grant by default. This is because it has the potential to escalate file access to users who otherwise should not have viewing permissions for the file.

There is a minor performance trade-off for disabling these grants. If you have a page with a lot of images that are in a draft state or have custom viewing permissions, it adds an extra database query for each embedded image. With session grants enabled, the first permission check persists the grant into the session, meaning there is no need to query the database on every single file.

Unless you have a lot of shortcode images embedded with protected or draft status on a single page, this setting is best left to its default value of false.

To revert to the old behaviour:

SilverStripe\Assets\Shortcodes\FileShortcodeProvider:
  allow_session_grant: true

If you were using the versionedfiles module on your 3.x site

This release includes a security fix for users who migrated from a 3.x site that used the versionedfiles module. The file migration would have left the _versions folders in your public filesystem as artefacts, leaving all the unpublished versions of your old files publicly accessible under a guessable URL.

To work around this, you can use the VersionedFilesMigrationTask:

$ vendor/bin/sake dev/tasks/migrate-versionedfiles strategy=[delete|protect]

If you choose the delete strategy (default), the task will delete all _versions files for you. Be sure to take a snapshot of your public/assets folder before doing so. If you choose the protect strategy, the task will drop an .htaccess file in your old _versions directories. This method only works if you are using Apache to serve your static files. If you are using another server such as Nginx, these files will remain publicly exposed. It is recommended you use the delete strategy if you are not using Apache.
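Before and after running the task it is worth confirming what is actually left under public/assets. The following audit script is an added example, not part of the release notes or of VersionedFilesMigrationTask; it assumes the assets root is passed as an argument (defaulting to public/assets) and treats a _versions directory as "protected" only in the sense that the .htaccess file the protect strategy drops in is present, which, as noted above, only has effect when Apache serves the files.

```shell
#!/bin/sh
# Added example: audit the _versions directories a versionedfiles
# migration can leave under the public assets folder.
#
# count_versions_dirs ROOT  -> number of _versions directories under ROOT
# count_unprotected ROOT    -> number of those with no .htaccess inside
# list_exposed_files ROOT   -> every file under an unprotected _versions dir
# audit_versions_dirs ROOT  -> summary; exits non-zero while any remain

count_versions_dirs() {
  find "$1" -type d -name '_versions' | wc -l | tr -d ' '
}

# A directory is unprotected when it has no .htaccess of its own.
# The test runs through sh -c so it stays portable to non-GNU find.
count_unprotected() {
  find "$1" -type d -name '_versions' \
    ! -exec sh -c 'test -f "$1/.htaccess"' _ {} \; -print | wc -l | tr -d ' '
}

list_exposed_files() {
  find "$1" -type d -name '_versions' \
    ! -exec sh -c 'test -f "$1/.htaccess"' _ {} \; -print |
    while IFS= read -r dir; do
      find "$dir" -type f
    done
}

# Prints a one-line summary followed by the still-exposed files, and
# returns non-zero if any _versions directory is unprotected, so it can
# gate a deployment step until the migration task has been run.
audit_versions_dirs() {
  root="${1:-public/assets}"
  total=$(count_versions_dirs "$root")
  exposed=$(count_unprotected "$root")
  printf '%s _versions directories, %s without .htaccess\n' "$total" "$exposed"
  list_exposed_files "$root"
  [ "$exposed" -eq 0 ]
}
```

On Nginx or any non-Apache server an .htaccess file does nothing, so there the only count that matters is the total: it should be zero after the delete strategy has run.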

Change Log

Security

  • 2019-09-23 5af205993 Fix access escalation for CMS users with limited access through permission cache pollution (Serge Latyntcev) - See cve-2019-12617
  • 2019-09-16 569237c0f Session fixation in "change password" form (Serge Latyntcev) - See cve-2019-12203
  • 2019-08-20 f98a59de install.php warning does not account for public dir (Aaron Carlino) - See cve-2019-12204
  • 2019-08-17 fddf889 Broken access control on files due to session grant (Aaron Carlino) - See cve-2019-14273
  • 2019-05-21 73e0cc6 Fix incorrect access control vulnerability with unwritten files in protected folders (Robbie Averill) - See cve-2019-12245

Features and Enhancements

  • 2019-09-18 1308911 Add task to remove/protect _versions folders (Aaron Carlino)
  • 2019-06-16 06beff7 Allow export of injected GraphQL AST alongside HOC (#889) (Aaron Carlino)

Bugfixes

  • 2019-09-23 aa7c05742 Don't force-add view button to readonly GridField (fixes #… (#9254) (Guy Marriott)
  • 2019-09-23 190b2f284 run member CMS validator when editing via groups (fixes #9… (#9255) (Guy Marriott)
  • 2019-09-23 efdb9cc71 run member CMS validator when editing via groups (fixes #9184) (Loz Calver)
  • 2019-09-23 d85ff3bc4 Don't force-add view button to readonly GridField (fixes #9249) (Loz Calver)
  • 2019-09-23 fc536fa Update Apache .htaccess for new access directives (Dylan Wagstaff)
  • 2019-09-20 ea363fc Correctly process all non-insert form actions normally in the media dialog (#1005) (Damian Mooyman)
  • 2019-09-10 591b88a9b Allow infinite loop when calling DataObject::writeComponent() recursively (Maxime Rainville)
  • 2019-09-03 b0a6973 Remove Default DropzoneJS Timeout of 30s (#985) (Joe Harvey)
  • 2019-08-29 77ba8391c Byte Order Marks (BOM) are now stripped when importing CSV files (Robbie Averill)
  • 2019-08-28 73f43c6f4 Remove placeholder text on new group form (Maxime Rainville)
  • 2019-08-26 314a906 Fix the jstree styles so that the selected states are more visible (bergice)
  • 2019-08-23 5845ac6 Prevent breadcrumb item styles from bleeding into non-react (Maxime Rainville)
  • 2019-08-23 94d6c80 enter to submit form not working on Add new page (bergice)
  • 2019-08-14 9889015 Display breadcrumb element from left to right (#925) (Guy Marriott)
  • 2019-08-13 1c548cb jstree state when saving a page by retaining the open/closed state and selected node state. (bergice)
  • 2019-08-09 a2e98dc Display breadcrumb element from left to right (Maxime Rainville)
  • 2019-08-09 3d989a6ea Use content generated by DataColumns component for print and csv export (Guy Marriott)
  • 2019-07-29 5c794dfcd Prevent setting session value when no session exists yet (Robbie Averill)
  • 2019-07-25 40cd66852 Fixed issue where multiple relationship sort order columns would be lost in favor of only the last relationship column in the sort order (UndefinedOffset)
  • 2019-07-17 ef25468 Inline toolbar placement now works in HTMLEditorFields with less than 6 rows (Robbie Averill)
  • 2019-07-12 fcd7a1e63 core memory limit test (Serge Latyntcev)
  • 2019-06-27 183371b Update CSS for sitetree new page columns to use new classna… (#899) (Guy Marriott)
  • 2019-06-27 b9dcf070 Change sitetree new page column class naming to avoid conf… (#2449) (Guy Marriott)
  • 2019-06-26 b01dc580e Protect against undefined index when using nullifyEmpty opt… (#9090) (Guy Marriott)
  • 2019-06-25 c76d3a5db Protect against undefined index when using nullifyEmpty option (Robbie Averill)
  • 2019-06-19 260c89fd5 Fix of delimiter not used bug (Mario Sommereder)
  • 2019-06-19 4df7c21 Update CSS for sitetree new page columns to use new classname, fix item placement within (Mikaela Young)
  • 2019-06-19 73f4e8c8 Change sitetree new page column class naming to avoid conflicts with bootstrap (Mikaela Young)
  • 2019-06-13 562a8a5 Add FolderNameFilter class: folder names no longer allow dots, and are replaced with dashes (Robbie Averill)
  • 2019-06-05 bcc55e2 Update modal designs to match design pattern library (Guy Marriott)
  • 2019-04-12 7592db91 VirtualPage missing methods from target page (fixes #2408) (Loz Calver)
