CVE-2020-26138

Name of the Vulnerable Software and Affected Versions: SilverStripe versions prior to 4.6.0-rc1

Description: The issue arises when a FormField with square brackets in the field name is used, causing it to skip validation. Specifically, the FileField class, commonly used for file upload, can be coerced into allowing multiple files by adding square brackets to the field name, which is not a supported feature. As a result, validation such as limiting allowed extensions is not applied, and the FileField->saveInto() behaviour is not triggered. This can lead to security issues if custom controller logic relies on validation provided by the Form system.

Recommendations: For SilverStripe versions prior to 4.6.0-rc1, consider disabling the use of square brackets in field names to prevent skipping validation until a patch is available. Restrict access to the FileField class to minimize the risk of exploitation. Avoid using the array notation in field names for file uploads until the issue is resolved.