DOC Document replacing Path class with Symfony's Path class #586

18 changes: 18 additions & 0 deletions en/08_Changelogs/6.0.0.md
Expand Up @@ -23,6 +23,7 @@ title: 6.0.0 (unreleased)
- [Changes to some extension hook names](#hooks-renamed)
- [Strict typing for `Factory` implementations](#factory-strict-typing)
- [Elemental `TopPage` class names changed](#elemental-top-page)
- [`Path` class removed](#path-removed)
- [General changes](#api-general)
- [Other changes](#other-changes)
- [MySQL 5 no longer supported](#mysql-5-support)
Expand Down Expand Up @@ -367,6 +368,23 @@ The class names for the `TopPage` feature in [`dnadesign/silverstripe-elemental`

If you reference any of these classes in your project or module, most likely in config if you have [`tractorcow/silverstripe-fluent`](https://github.com/tractorcow/silverstripe-fluent) installed, then you will need to update the references to the new class names.

### `Path` class removed {#path-removed}

The `SilverStripe\Core\Path` class has been removed. If you were using this class, use the `Symfony\Component\Filesystem\Path` class from [`symfony/filesystem`](https://github.com/symfony/filesystem) instead.

Both of these classes have been included in recent installations of Silverstripe CMS, leading to confusion about which one to use. The two classes work subtly differently, so while usually the results would be the same, sometimes they would differ. Removing the class in silverstripe/framework removes the confusion about which class to use.

The important differences to note are:

- `SilverStripe\Core\Path::normalise()` would strip trailing (and optionally leading) slashes and white space. The Symfony class does not.
- `SilverStripe\Core\Path::join()` would throw an exception if any of the paths passed in included `..`, which prevented path traversal. The Symfony class allows path traversal.

This means when using `Path::join()` you will need to consider whether the paths you're joining can be trusted, and whether path traversal could lead to a potential vulnerability in that scenario. The upside is that you *can intentionally* use `../` to traverse paths when that's useful for your business logic.

See [Symfony documentation](https://symfony.com/doc/current/components/filesystem.html#path-manipulation-utilities) for documentation on Symfony's `Path` class.

See [the OWASP website](https://owasp.org/www-community/attacks/Path_Traversal) for more information about path traversal vulnerabilities.

### General changes {#api-general}

- [`DataObject::write()`](api:SilverStripe\ORM\DataObject::write()) has a new boolean `$skipValidation` parameter. This can be useful for scenarios where you want to automatically create a new record with no data initially without restricting how developers can set up their validation rules.
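Review bot: The bullet stating that the Symfony class "allows path traversal" and the paragraph after it tell readers to consider trust but give no concrete mitigation; add one sentence recommending that when user-controlled segments are joined, the result be checked against the intended base directory (for example with `Path::isBasePath()`, which `symfony/filesystem` provides alongside `Path::join()`) before it is used. In the third paragraph the bare `Path::join()` is ambiguous right after two bullets that name both classes in full; qualify it as `Symfony\Component\Filesystem\Path::join()`. "Both of these classes have been included in recent installations of Silverstripe CMS" is vague about which releases; naming the version range would help people judging whether their code already relies on one class or the other.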