tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

[SS-2016-006] FIX dont disable XSS for login forms

Browse Source
This commit is contained in:
Daniel Hensby 2016-04-18 17:50:31 +01:00
parent 1f820b0b1c
commit a6bd22ab2f
No known key found for this signature in database
GPG Key ID: E38EC566FE29EB66
2 changed files with 37 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
docs/en/04_Changelogs/3.1.19.md Normal file
View File

@ -0,0 +1,37 @@
# 3.1.19
## Upgrading
`LoginForm` no longer disables CSRF protection. This may cause regressions on sites that statically publish pages with
login forms or other changes. To re-enable this, you'll need to use the `Injector` to create a custom login form.
Define a login form:
```php
class CustomLoginForm extends MemberLoginForm {
public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true)
{
parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);
$this->disableSecurityToken();
}
}
```
Add this to mysite/_config/config.yml
```yaml
Injector:
MemberLoginForm:
class: CustomLoginForm
```
<!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
### Bugfixes

5
security/LoginForm.php
View File

@ -10,11 +10,6 @@
* @subpackage security
*/
abstract class LoginForm extends Form {
public function __construct($controller, $name, $fields, $actions) {
parent::__construct($controller, $name, $fields, $actions);
$this->disableSecurityToken();
}
/**
* Authenticator class to use with this login form