From 3e88c98ca513880e2b43ed7f27ade17fef5d9170 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Wed, 8 May 2013 10:22:52 +0200
Subject: [PATCH] API Restrict MemberLoginForm to POST requests for increased security

CVE-2013-2653 - Thanks to Fara Rustein of Deloitte Argentina for reporting.
---
 security/MemberLoginForm.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/MemberLoginForm.php b/security/MemberLoginForm.php
index 1e5e2bceb..cb584539c 100644
--- a/security/MemberLoginForm.php
+++ b/security/MemberLoginForm.php
@@ -89,6 +89,9 @@ class MemberLoginForm extends LoginForm {
 			$fields->push(new HiddenField('BackURL', 'BackURL', $backURL));
 		}
 
+		// Reduce attack surface by enforcing POST requests
+		$this->setFormMethod('POST', true);
+
 		parent::__construct($controller, $name, $fields, $actions);
 
 		// Focus on the email input when the page is loaded
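Review bot: The added comment does not say what the second argument of `setFormMethod('POST', true)` does, and a bare `true` at the call site is easy to misread as "just render the form tag with method=POST" when it is the strict check that actually makes the fix effective; GET submissions must be rejected server-side or the CVE-2013-2653 mitigation is cosmetic. Suggest replacing the comment with `// Reduce attack surface: render as POST and, via the strict flag, reject any login submission that arrives by GET so credentials never land in URLs, Referer headers or access logs`. It is also worth confirming that the strict check is applied before the form's own validation, since the call is placed ahead of `parent::__construct`, and that a GET submission now yields a clear error rather than a silent no-op. The enclosing constructor starts before and ends after this hunk.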