4.0.2
Fixed a regression caused by silverstripe/[email protected], which introduced safeguards around web-based administrative tasks triggered through URL paths and parameters. See CVE-2019-12246: Denial of Service on flush and development URL tools.
When using this framework release and triggering administrative actions such as `?flush=1`, `dev/build`, or `dev/tasks/*`, the confirmation token required for CSRF protection could not be set in the session. This prevented the task from passing the new confirmation step. The regression occurs when the silverstripe/dynamodb module is installed and activated through environment constants (which is the default configuration in SilverStripe Platform for stacks with multiple server environments).
The fix (#32) can be applied to existing SilverStripe environments whose session data is already managed through the module. It should not cause users to lose session data or be logged out of the CMS. On the next write to an existing session, its data is automatically converted to a binary-safe persistence format. New sessions are written in the correct format by default.