Merge remote-tracking branch 'security/patch/3.1/ss-2016-006' into 3.1.19

2024-06-27 15:09:30 +02:00 · 2016-05-05 01:01:49 +01:00 · 2016-05-05 01:01:49 +01:00 · 92599727b9
commit 92599727b9
parent 7af7f8dd65 a6bd22ab2f
2 changed files with 37 additions and 5 deletions
--- a/docs/en/04_Changelogs/3.1.19.md
+++ b/docs/en/04_Changelogs/3.1.19.md
@ -0,0 +1,37 @@
+# 3.1.19
+
+## Upgrading
+
+`LoginForm` no longer disables CSRF protection. This may cause regressions on sites that statically publish pages with
+login forms or other changes. To re-enable this, you'll need to use the `Injector` to create a custom login form.
+
+Define a login form:
+
+```php
+class CustomLoginForm extends MemberLoginForm {
+
+	public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true)
+	{
+		parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);
+
+		$this->disableSecurityToken();
+	}
+
+}
+```
+
+Add this to mysite/_config/config.yml
+
+```yaml
+Injector:
+  MemberLoginForm:
+    class: CustomLoginForm
+```
+
+<!--- Changes below this line will be automatically regenerated -->
+
+## Change Log
+
+### Security
+
+### Bugfixes
--- a/security/LoginForm.php
+++ b/security/LoginForm.php
@ -10,11 +10,6 @@
 * @subpackage security
 */
 abstract class LoginForm extends Form {
-	public function __construct($controller, $name, $fields, $actions) {
-		parent::__construct($controller, $name, $fields, $actions);
-		
-		$this->disableSecurityToken();	
-	}

 	/**
 	 * Authenticator class to use with this login form