Sylius v1.6.5 Release Notes
Release Date: 2020-01-27
CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments
Please refer to the original security advisory for the most updated information.
Impact:
This vulnerability gives the ability to switch channels via the `_channel_code` GET parameter in production environments. This was meant to be enabled only when `%kernel.debug%` is set to true. However, if no `sylius_channel.debug` is set explicitly in the configuration, the default value, which is `%kernel.debug%`, is not resolved and is cast to boolean, enabling this debug feature even if that parameter is set to false.
Patches:
A patch has been provided for Sylius 1.3.x and newer: 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.
Workarounds:
Unsupported versions can be patched by adding the following configuration to run in production:

```yaml
sylius_channel:
    debug: false
```
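The root cause described above is a configuration default that was never resolved: the literal string `%kernel.debug%` was cast to boolean, and any non-empty string casts to `true` in PHP. The following stand-alone script is an added example, not Sylius or Symfony code; it models that defect with a minimal placeholder resolver (`resolvePlaceholder`, `CONTAINER_PARAMETERS`, `pickChannel` and the hostname-based fallback are all assumptions made for the illustration) and shows why the `sylius_channel: debug: false` workaround closes the gap.

```php
<?php
declare(strict_types=1);

// Added example (not Sylius code): a simplified model of how an unresolved
// "%kernel.debug%" default becomes `true` once cast to boolean.

/** Stand-in for the container parameter bag; values are constructed for the example. */
const CONTAINER_PARAMETERS = ['kernel.debug' => false];

/** Resolve a "%name%" placeholder the way a container would; unknown names stay as-is. */
function resolvePlaceholder($value)
{
    if (is_string($value) && preg_match('/^%([^%]+)%$/', $value, $m)) {
        return CONTAINER_PARAMETERS[$m[1]] ?? $value;
    }
    return $value;
}

/**
 * Vulnerable behaviour: when sylius_channel.debug is absent, the default is the
 * literal string "%kernel.debug%". (bool) of a non-empty string is true, so the
 * debug feature is on even though kernel.debug is false.
 */
function channelDebugEnabledVulnerable(array $config): bool
{
    $debug = $config['sylius_channel']['debug'] ?? '%kernel.debug%';
    return (bool) $debug;
}

/** Fixed behaviour: resolve the placeholder against the container before casting. */
function channelDebugEnabledFixed(array $config): bool
{
    $debug = $config['sylius_channel']['debug'] ?? '%kernel.debug%';
    return (bool) resolvePlaceholder($debug);
}

/**
 * Request-level consequence (assumed simplification): the _channel_code GET
 * parameter is honoured only while the debug flag is on; otherwise the channel
 * resolved from the request hostname is used.
 */
function pickChannel(array $query, string $hostChannel, bool $debugEnabled): string
{
    if ($debugEnabled && isset($query['_channel_code'])) {
        return (string) $query['_channel_code'];
    }
    return $hostChannel;
}

// Constructed inputs: a production config with no explicit sylius_channel.debug,
// the same config with the advisory's workaround applied, and a request query
// string carrying _channel_code.
$prodConfigNoOverride = [];
$prodConfigWorkaround = ['sylius_channel' => ['debug' => false]];
$query = ['_channel_code' => 'OTHER_CHANNEL'];

var_dump(channelDebugEnabledVulnerable($prodConfigNoOverride));
var_dump(channelDebugEnabledFixed($prodConfigNoOverride));
var_dump(channelDebugEnabledVulnerable($prodConfigWorkaround));

echo pickChannel($query, 'WEB_US', channelDebugEnabledVulnerable($prodConfigNoOverride)), PHP_EOL;
echo pickChannel($query, 'WEB_US', channelDebugEnabledFixed($prodConfigNoOverride)), PHP_EOL;
```

Run with `php example.php`. With no override, the vulnerable path reports the debug feature as enabled and `pickChannel` returns the channel named in the query string; the fixed path resolves `kernel.debug` to `false` first and keeps the hostname-derived channel. Setting `sylius_channel.debug` to an explicit boolean, as the workaround does, makes the vulnerable path safe too because there is no placeholder string left to cast.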
Details
- #10296 Product show page (@kulczy, @AdamKasp)
- #10342 [Fixture] Togglable default locale loading (@lchrusciel)
- #10355 Adding a coupon generator command (@mamazu)
- #10361 Change master branch to v1.6.0-DEV (@pamil)
- #10382 [Admin][Shipment] Add filtering shipments by a channel (@Tomanhez, @GSadee)
- #10383 [Behat] Make feature filenames consistent with others (@GSadee)
- #10388 Fix product show page margins (@kulczy)
- #10391 [Admin][Product] Show page fixes (@AdamKasp)
- #10392 improved code quality (@oallain)
- #10393 [Docs] Describe available configuration options for locale fixture (@lchrusciel)
- #10396 [Admin] Avoid javascript in saving positions (@Zales0123)
- #10399 Add info into install command about need of setting the locale in symfony config ()
- #10400 Add discounts and totals in the cart (@kulczy, @bartoszpietrzak1994)
- #10406 [Fixtures] Added random generated order complete date (@AdamKasp)
- #10409 Create SECURITY.md (@gabiudrescu, @pamil)
- #10417 [Admin] Order summary UI + discounts and taxes viewing logic (@kulczy, @AdamKasp)
- #10419 Add prices and discounts to the order summary box (@kulczy)
- #10420 Change order summary table (@kulczy, @AdamKasp)
- #10429 Add admin user avatar placeholder (@kulczy)
- #10438 Keep all prices in the same currency in checkout (@pamil)
- #10441 [Inventory][Product] Move inventory to new tab (@AdamKasp)
- #10442 Add an alert about unsaved changes (@kulczy)
- #10443 Unify shipping row on the order summary table (@kulczy)
- #10444 Change dashboard view (@kulczy, @pamil)
- #10449 Administrator's avatar (@Tomanhez, @Zales0123)
- #10451 [Admin] Add possibility to configure custom index route in routing (@GSadee)
- #10453 Fix deprecation notice (@loevgaard)
- #10455 Improve admin product show page UI (@kulczy, @AdamKasp, @GSadee)
- #10456 Make image uploader easier to customize (@Zales0123, @pamil)
- #10460 AvatarImage Doctrine mapping fix (@bartoszpietrzak1994)
- #10461 Fix product show page elements (@kulczy)
- #10467 Drop support for Symfony 4.1 and 4.2 (@pamil)
- #10471 Add footer with Sylius version to the admin panel (@kulczy)
- #10472 [Admin] Index of payments (@Tomanhez)
- #10477 Improve bulk actions (@kulczy, @AdamKasp)
- #10482 [Promotion] Fix Action creation doc (@pierre-H)
- #10483 [Admin] Admin choose channel in product show page (@Tomanhez)
- #10484 [Admin] Minor fixes payment shipment (@Tomanhez)
- #10485 [Promotion] Coupon prefix and suffix (@Zales0123)
- #10491 [Admin] Form validation error (@Tomanhez)
- #10497 Minor Fixes - Admin choose channel in product show page (@Tomanhez)
- #10499 [Admin] Fix css file (@GSadee)
- #10510 Add avatar preview (@kulczy)
- #10514 [Admin] In sections: edit variant and edit product add button product show page in shop (@Tomanhez)
- #10516 Fix Psalm false-positives (@pamil)
- #10518 [Admin] Unify order link in Orders, Payments, Shipments (@Tomanhez)
- #10520 [Admin] Unify payment and shipment labels (@GSadee)
- #10521 [Admin][Product] Disable show in shop button when product is disabled (@GSadee)
- #10522 Fix 'disabled' label (@kulczy)
- #10529 [Fixtures] Improve fixtures. (@AdamKasp)
- #10531 Improve filters UI (@kulczy)
- #10534 [Fixtures] Variant name now is concatenated options value. (@AdamKasp)
- #10536 [Docs] Make Plugins and Plugin Development Guide more visible (@CoderMaggie)
- #10539 [Fixtures] Add tax category to product. (@AdamKasp)
- #10541 Update README.md (@AdamKasp)
- #10542 [Fixtures] Product fixtures in yaml. (@AdamKasp)
- #10546 Improve filters (@kulczy)
- #10547 [Admin] Remove avatar (@Tomanhez)
- #10552 [Order] Change OrderItemController methods to protected (@Zales0123)
- #10555 [Admin][AdminUser] Improvements for removing an avatar (@GSadee)
- #10560 [Behat][AdminUser] Fix filename typo (@GSadee)
- #10562 Avoid js when removing product from cart (@Zales0123)
- #10570 [Fixtures] Added 'tracked' field to product fixture configuration (@AdamKasp)
- #10572 [Fixtures] Minor fixes. (@AdamKasp)
- #10576 [Fixtures] Jeans attributes names fix (@CoderMaggie)
- #10580 [Admin][Order] Change item to unit discount on summary page (@GSadee)
- #10587 Avoid BC break in ProductExampleFactory (@Zales0123)
- #10588 [AdminBundle] Payments & Shipments index pages sortable by date (@Tomanhez)
- #10594 [CoreBundle] Fixtures creating SimpleProduct, remove options from caps (@Tomanhez)
- #10595 Use {{ limit }} to allow min/max value update (@Prometee)
- #10596 [Documentation][Contribution] Improve doc contribution guide (@lchrusciel)
- #10597 [AdminBundle] Extract logo to separate twig file (@Tomanhez)
- #10606 [Admin][Payment] Not displaying payments in cart state on the list (@GSadee)
- #10614 [AdminBundle] Uncoupled AdminBundle with ShopBundle (@Tomanhez)
- #10615 [HOTFIX] [Behat] Fix tax extraction (@lchrusciel)
- #10616 [Fixture] Make order fixture more flexible (@TiMESPLiNTER, @AdamKasp)
- #10617 Provide an upgrade guide for v1.6.0 (@pamil)
- #10619 Sending email after ship shipment on grid (@AdamKasp)
- #10620 Fix bug after rebase (@AdamKasp)
- #10621 Fix email after complete payment via grid (@AdamKasp)
- #10627 Use fallback locale as default for the new administrators (@pamil)
- #10628 Fix OrderExampleFactory (@Zales0123)
- #10630 [HotFix] Proper order of arguments (@lchrusciel)
- #10631 [Core] Improved fixture example factory (@lchrusciel)
- #10636 [Admin] Proper tests for shipment mailing (@lchrusciel)
- #10639 [Admin] Fix sorting on customer orders list (@lchrusciel)
- #10640 Revert "[Admin][Shipment] Add filtering shipments by a channel" (@lchrusciel)
- #10642 [Admin][Shipment] Add filtering shipments by a channel (@Tomanhez, @GSadee)
- #10695 [Admin][Product] Fix displayed stocks on product show page (@GSadee)
- #10700 [Promotion] Remove coupling to core (@lchrusciel)
- #10716 Minor fixtures fixes (@AdamKasp)
- #10733 Fix 10719 infinite order fixture loading (@igormukhingmailcom)
- #10744 [Documentation][Book] Invoices (@CoderMaggie)
- #10747 Remove flashing from the bulk button (@kulczy)
- #10760 Add JQuery Dirtyforms in UPGRADE-1.6.md (@maximehuran)
- #10784 [Docs] Installation guide update (@lchrusciel)
- #10837 Remove unused templating engine from RemoveAvatarAction (@pamil)
- #10842 [Docs] Update core team (@lchrusciel)
- #10844 Clarify BC promise for final controllers (@pamil)
- #10853 [Behat][Admin][Order] Fix scenarios for displaying promotions on 1.6 after upmerge (@GSadee)
- #10865 [Admin][Promotion] Fix the prevention of generating too many coupons (@GSadee)
- #10884 [Plugins][Docs] Plugin technical requirements changes (@Zales0123)
- #10889 [Fixtures] Update product names (@CoderMaggie)
- #10890 Fix build - remove redundant validation message part (@Zales0123)
- #11046 [Docs] Update sensio.sphinx (@Tomanhez)
- #11060 Fixed typo in services comment (@codreanulaurentiu)
- #11061 [Documentation] Backport of #11054 to 1.6 (@lchrusciel)