Sylius v1.5.9

« Changelog History

Sylius v1.5.9 Release Notes

• CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments

  ⚡️ Please refer to the original security advisory for the most updated information.

  Impact:

  This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

  🔧 However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.

  Patches:

  Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

  ↪ Workarounds:

  🔧 Unsupported versions could be patched by adding the following configuration to run in production:

  sylius\_channel: debug: false
  

  Details

  • #9050 Added LazyCustomerLoader for OrderType of SyliusAdminApiBundle (@jdeveloper, @lchrusciel)
  • #9844 Fix ShippingPercentageDiscountPromotionActionCommand.php (@cosyz2010, @Zales0123)
  • #10863 [SyliusUserBundle] Improve output of Promote/DemoteUserCommand (@markbeazley)
  • #10901 Fix missing colon (@reyostallenberg)
  • 🛠 #10909 [Taxation] [Shipping] Fixed issue with shipping zones available to select in tax rate form (and the other way) (@plewandowski)
  • 📚 #10916 [Docs] Improve platform.sh documentation for deployment (@Tomanhez)
  • #10922 fix: api URI for getting single product detail (@hsharghi)
  • ⚡️ #10923 [Maintenance] Update PR template with supported versions (@lchrusciel)
  • 👕 #10926 Add lint:container command to the build & fix errors reported by it (@pamil)
  • 📄 #10935 [Docs] Platform.sh cookbook refinement (@CoderMaggie)
  • #10938 [Payum][Paypal] Use full price instead of discounted one (@Prometee)
  • #10943 Yaml standards (@sspooky13, @pamil)
  • 0️⃣ #10947 [Channel] Prevent from adding default tax zone of a channel in a different scope than tax or all (@GSadee)
  • 🚧 #10961 [Maintenance] Remove shipping bundle from spec namespace config (@lchrusciel)
  • #10963 Fix phpspec also on 1.5 (@Zales0123, @pamil)
  • #10964 [Behat] Disallow w3c in Behat Selenium session (@Zales0123)
  • 🔌 #10979 [Installation] Inform about BitBagCommerce/SyliusCmsPlugin after installing Sylius (@AdamKasp)
  • 🚚 #10995 Move Taxation core service from TaxationBundle to CoreBundle (@hmonglee)
  • 🔒 #11005 SyliusGridBundle downgrade lock (@Tomanhez, @lchrusciel)
  • 🛠 #11006 [API] Fixed OrderController save action issue in not html requests (@pfazzi)
  • #11013 Fix typo in PromotionCouponFactoryInterface (@pamil)
  • 📚 #11019 [Documentation] Add hint about disabling autowire when extending a controller (@adrianmarte)
  • 🚀 #11022 Clarify release process regarding PHP versions + update the table (@pamil)
  • #11024 Replace unbound behat/mink dependency with tagged friends-of-behat/mink fork (@pamil)

• All Versions
• Previous v1.5.8
• Next v1.6.0-ALPHA.1
• Latest Version