Merge pull request #444 from creative-commoners/pulls/5/security-patc…

…h-docs DOC Update changelog for security patches
silverstripe · Jan 22, 2024 · 6be7510 · 6be7510
2 parents 1b19d5c + 137bdaa
commit 6be7510
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 6 deletions.
diff --git a/en/02_Developer_Guides/11_Integration/00_CSV_Import.md b/en/02_Developer_Guides/11_Integration/00_CSV_Import.md
@@ -52,9 +52,13 @@ $result = $loader->load('<my-file-path>');
 By the way, you can import [Member](api:SilverStripe\Security\Member) and [Group](api:SilverStripe\Security\Group) data through `https://www.example.com/admin/security`
 interface out of the box.
 
+### Permission checks
+
+`CsvBulkLoader` does *not* respect permissions by default. If you want the permissions of the current user to be respected (i.e. if the bulk loader is being used as part of user interaction), you will need to pass `true` to the [`CsvBulkLoader::setCheckPermissions()`](api:SilverStripe\Dev\CsvBulkLoader::setCheckPermissions()) method.
+
 ## Import through `ModelAdmin`
 
-The simplest way to use [CsvBulkLoader](api:SilverStripe\Dev\CsvBulkLoader) is through a [ModelAdmin](api:SilverStripe\Admin\ModelAdmin) interface - you get an upload form out of the box.
+The simplest way to use [CsvBulkLoader](api:SilverStripe\Dev\CsvBulkLoader) is through a [ModelAdmin](api:SilverStripe\Admin\ModelAdmin) interface - you get a secured upload form out of the box.
 
 ```php
 namespace App\Admin;
@@ -87,6 +91,10 @@ Let's create a simple upload form (which is used for `MyDataObject` instances).
 You'll need to add a route to your controller to make it accessible via URL
 (see [Routing](../../controllers/routing/)).
 
+[warning]
+Don't forget to perform [permission checks](#permission-checks) if the data is provided by users.
+[/warning]
+
 ```php
 namespace App\Control;
 
@@ -151,9 +159,6 @@ class MyController extends Controller
 }
 ```
 
-Note: This interface is not secured, consider using [Permission::check()](api:SilverStripe\Security\Permission::check()) to limit the controller to users
-with certain access rights.
-
 ## Column mapping and relation import
 
 We're going to use our knowledge from the previous example to import a more sophisticated CSV file.

diff --git a/en/02_Developer_Guides/11_Integration/How_Tos/Import_CSV_through_a_Controller.md b/en/02_Developer_Guides/11_Integration/How_Tos/Import_CSV_through_a_Controller.md
@@ -82,6 +82,5 @@ class MyController extends Controller
 ```
 
 [alert]
-This interface is not secured, consider using [Permission::check()](api:SilverStripe\Security\Permission::check()) to limit the controller to users with certain
-access rights.
+If the file you're loading data from is uploaded by a user, you should pass `true` to the [`CsvBulkLoader::setCheckPermissions()`](api:SilverStripe\Dev\CsvBulkLoader::setCheckPermissions()) method. Otherwise, permissions will not be respected and the user may alter data in ways they would otherwise not be permitted to.
 [/alert]
diff --git a/en/04_Changelogs/5.2.0.md b/en/04_Changelogs/5.2.0.md
@@ -6,6 +6,7 @@ title: 5.2.0 (unreleased)
 
 ## Overview
 
+- [Security considerations](#security-considerations)
 - [Features and enhancements](#features-and-enhancements)
   - [New ORM features](#new-orm-features)
   - [GridField components now work with arbitrary data](#gridfield-arbitrary-data)
@@ -19,6 +20,17 @@ title: 5.2.0 (unreleased)
 - [API changes](#api-changes)
 - [Bug fixes](#bug-fixes)
 
+## Security considerations {#security-considerations}
+
+This release includes several security fixes. Review the individual vulnerability disclosure for more detailed descriptions of each security fix. We highly encourage upgrading your project to include the latest security patches.
+
+We have provided a severity rating of the vulnerabilities below based on the CVSS score. Note that the impact of each vulnerability could vary based on the specifics of each project. You can [read the severity rating definitions in the Silverstripe CMS release process](/contributing/release_process/#severity-rating).
+
+- [CVE-2023-49783 - No permission checks for editing or deleting records with CSV import form](https://www.silverstripe.org/download/security-releases/cve-2023-49783) Severity: Medium
+  - If you implement a custom subclass of [`BulkLoader`](api:SilverStripe\Dev\BulkLoader) or you're using a `BulkLoader` directly in your code, there may be additional actions you need to take to secure your project.
+- [CVE-2023-48714 - Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter](https://www.silverstripe.org/download/security-releases/cve-2023-48714) Severity: Medium
+- [CVE-2023-44401 - View permissions are bypassed for paginated lists of ORM data in GraphQL queries](https://www.silverstripe.org/download/security-releases/cve-2023-44401) Severity: Medium
+
 ## Features and enhancements
 
 ### New ORM features {#new-orm-features}