4.4.7

Security patches

This release contains security patches. Some of those patches might require some updates to your project.

CVE-2020-9309 Script execution on protected files

Silverstripe can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents.

Risk factors

If your project already includes the silverstripe/mimevalidator module, it's already protected. CWP projects are already protected.

If your project includes the silverstripe/userforms module or allows anonymous users to upload files, it's at a higher risk because malicious users can create files without requiring a CMS access.

Actions you need to take

If your project already includes the silverstripe/mimevalidator module, you do not need to do anything. To check if the silverstripe/mimevalidator module is installed in your project, run this command from your project root.

composer show silverstripe/mimevalidator

If you get an error, the module is not installed.

Upgrading to silverstripe/recipe-cms 4.4.7 will NOT automatically install silverstripe/mimevalidator. You need to manually install the module silverstripe/mimevalidator. To add silverstripe/mimevalidator to your project, run this command.

composer require silverstripe/mimevalidator

After installing the mimevalidator module, you need to enable it by adding this code snippet to your YML configuration.

SilverStripe\Core\Injector\Injector:
  SilverStripe\Assets\Upload_Validator:
    class: SilverStripe\MimeValidator\MimeUploadValidator

If your project overrides the defaults allowed file types, it's important that you take the time to review your configuration and adjust it as need be to work with silverstripe/mimevalidator.

Read the Allowed file types documentation for more details on controling the type of files that can be stored in your Silverstrip CMS Project.

Special consideration when upgrading Userforms

The silverstripe/userforms module now also includes silverstripe/mimevalidator in its dependencies. Upgrading to the following versions of userforms will automatically install silverstripe/mimevalidator:

  • 5.4.3 or later
  • 5.5.3 or later
  • 5.6.0 or later (requires CMS 4.6.0)

Userforms that include a file upload field will automatically use theMimeUploadValidator. Beware that this will NOT change the default upload validator for other file upload fields in the CMS. You'll need to update your YML configuration for the MimeUploadValidator to be used everywhere.

CVE-2019-19326 Web Cache Poisoning

Silverstripe sites using HTTP cache headers and HTTP caching proxies (e.g. CDNs) can be susceptible to web cache poisoning through the:

  • X-Original-Url HTTP header
  • X-HTTP-Method-Override HTTP header
  • _method POST variable.

In order to remedy this vulnerability, Silverstripe Framework 4.4.7 removes native support for these features. While this is technically a semantic versioning breakage, these features are inherently insecure and date back to a time when browsers didn't natively support the full range of HTTP methods. Sites who still require these features will have highly unusual requirements that are best served by a tailored solution.

Re-enabling the support for removed features

These features are best implemented by defining a Middleware.

The following example illustrates how to implement an HTTPMiddleware that restores support for the X-Original-Url header and the _method POST parameter for requests originating from a trusted proxy.

<?php
use SilverStripe\Control\Middleware\HTTPMiddleware;
use SilverStripe\Control\HTTPRequest;
/**
 * This is meant to illustrate how to implement an HTTPMiddleware. If you blindly
 * copy-paste this in in your code base, you'll simply replicate the vulnerability.
 */
class InsecureHeaderMiddleware implements HTTPMiddleware
{
    public function process(HTTPRequest $request, callable $delegate)
    {
        // Normally, you would validate that the request is coming from a trusted source at this point.
        // View SilverStripe\Control\Middleware\TrustedProxyMiddleware for an example.
        $trustedProxy = true;
        if ($trustedProxy) {
            $originalUrl = $request->getHeader('X-Original-Url');
            if ($originalUrl) {
                $_SERVER['REQUEST_URI'] = $originalUrl;
                $request->setUrl($originalUrl);
            }
            $methodOverride = $request->postVar('_method');
            $validMethods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD'];
            if ($methodOverride && in_array(strtoupper($methodOverride), $validMethods)) {
                $request->setHttpMethod($methodOverride);
            }
        }
        return $delegate($request);
    }
}

To learn more about re-implementing support for the disabled features:

CVE-2020-6164 Information disclosure on /interactive URL path

A specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).

Change Log

Security

  • 2020-05-13 91d30db88 Remove/deprecate unused controllers that can potentially give away some information about the underlying project. (Maxime Rainville) - See cve-2020-6164
  • 2020-05-11 107706c12 Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod() (Maxime Rainville) - See cve-2019-19326

Bugfixes

  • 2020-06-01 3df2222 Prevent react-selectable from interfering with pagination (Maxime Rainville)
  • 2020-05-05 2cc037b Fix merge conflict in Travis configuration (Robbie Averill)
  • 2020-02-24 bba0f2f72 Fixed issue where TimeField_Readonly would only show "(not set)" instead of the value (UndefinedOffset)
  • 2020-02-18 e0de15f Fix broken test when FulltextSearchable is enabled (Maxime Rainville)
  • 2019-09-02 6d8a4bc Make AbsoluteLink work with manipulated images (fixes #322) (Loz Calver)