Commit Graph

1184 Commits

Author SHA1 Message Date
Maxime Rainville
d3b23e7024 [CVE-2020-9311] Escape First Name when displaying re-login screen 2020-07-14 13:24:12 +12:00
Serge Latyntcev
e7469dadb0 Merge branch '3.6' into 3.7 2019-09-24 14:26:53 +12:00
Serge Latyntcev
a86093fee6 [CVE-2019-12203] Session fixation in "change password" form
A potential account hijacking may happen if an attacker has physical access to the victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 10:57:40 +12:00
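The race the commit message describes, as an added example in Python (not SilverStripe's PHP and not the code from this commit): an attacker plants a session ID in the victim's browser, the victim opens the emailed reset link with that session, and the attacker posts the change-password form first. The user "alice", the in-memory session store and the reset flow are constructed for the example; the mitigation shown, rotating the session ID at the moment the session gains the reset authorisation and making the token single use, is a generic session-fixation defence, not a claim about what this commit changed.

```python
"""Session fixation against a change-password form, and a session-rotation fix.

Added illustration, not SilverStripe's code. It models the scenario in the
commit message: the attacker plants a session ID in the victim's browser
(physical access or XSS), waits for the victim to click the emailed reset
link, then posts the change-password form first from the same session.
"""
import hashlib
import secrets


class SessionStore:
    """In-memory session store keyed by session ID (the cookie value)."""

    def __init__(self):
        self._sessions = {}

    def create(self, data=None):
        sid = secrets.token_hex(16)
        self._sessions[sid] = dict(data or {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        """Move the session data to a fresh ID and forget the old one."""
        data = self._sessions.pop(old_sid, {})
        return self.create(data)


class ChangePasswordFlow:
    """Hypothetical reset flow; `rotate_session` switches the mitigation on."""

    def __init__(self, rotate_session):
        self.rotate_session = rotate_session
        self.sessions = SessionStore()
        # Constructed user record: current password and pending reset-token hash.
        self.users = {"alice": {"password": "old-password", "reset_hash": None}}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username):
        """'Lost password' step: returns the token that would go in the email."""
        token = secrets.token_urlsafe(24)
        self.users[username]["reset_hash"] = self._hash(token)
        return token

    def open_reset_link(self, sid, username, token):
        """Victim clicks the emailed link. Returns the session ID the browser
        should use from now on, or None if the link is rejected."""
        session = self.sessions.get(sid)
        user = self.users.get(username)
        if session is None or user is None or user["reset_hash"] is None:
            return None
        if not secrets.compare_digest(user["reset_hash"], self._hash(token)):
            return None
        user["reset_hash"] = None          # token is single use
        session["reset_user"] = username   # form is now authorised for this session
        if self.rotate_session:
            # Fix: the session carrying the reset authorisation gets a new ID,
            # so anyone holding the pre-planted ID loses access to it.
            return self.sessions.regenerate(sid)
        return sid

    def submit_change_password(self, sid, new_password):
        """POST of the change-password form. Returns True if the password changed."""
        session = self.sessions.get(sid)
        if not session or "reset_user" not in session:
            return False
        username = session.pop("reset_user")
        self.users[username]["password"] = new_password
        return True


def simulate(rotate_session):
    """Runs the race; returns (final password, whether the attacker's POST won)."""
    flow = ChangePasswordFlow(rotate_session)
    # 1. Attacker obtains a session ID and plants it in the victim's browser.
    fixed_sid = flow.sessions.create()
    # 2. Victim requests a reset and opens the emailed link with the planted ID.
    token = flow.request_reset("alice")
    victim_sid = flow.open_reset_link(fixed_sid, "alice", token)
    # 3. Attacker, still holding fixed_sid, submits the form before the victim.
    attacker_won = flow.submit_change_password(fixed_sid, "attacker-chosen")
    # 4. Victim submits their own choice.
    flow.submit_change_password(victim_sid, "victim-chosen")
    return flow.users["alice"]["password"], attacker_won


if __name__ == "__main__":
    print("vulnerable:", simulate(rotate_session=False))  # ('attacker-chosen', True)
    print("hardened:  ", simulate(rotate_session=True))   # ('victim-chosen', False)
```

Without rotation the attacker's pre-planted ID is the same session the victim just authorised, so whoever posts first wins. With rotation the authorisation moves to an ID only the victim's browser has received. A server that refuses to adopt session IDs it never issued closes the same hole from the other side, and rotating on login is the usual companion to rotating here.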
Robbie Averill
d8014d3110 DOCS Update PHPdoc on Authenticator::set_default_authenticator() to show param name 2019-07-01 11:58:30 +12:00
Daniel Hensby
362c2f3b64 Make sure that CMS requests disable caching 2018-08-13 14:39:55 +01:00
Daniel Hensby
2b4954035f NEW Add better HTTP cache-control manipulation (#8086) 2018-06-08 11:56:31 +12:00
Daniel Hensby
801a51d0f7 Merge branch '3.5' into 3.6 2018-06-05 16:30:20 +01:00
Robbie Averill
1cbf27e0f4 FIX PHP 5.3 compat for referencing $this in closure, and make method public for same reason
sdf
2018-06-04 16:05:49 +01:00
Robbie Averill
7b23a548aa FIX PHP 5.3 compat for referencing $this in closure, and make method public for same reason
sdf
2018-05-29 14:55:21 +12:00
Robbie Averill
4a9e991edb Merge branch '3.6' into 3 2018-05-28 17:44:48 +12:00
Robbie Averill
dae8fefb1e Merge remote-tracking branch 'origin/3.5' into 3.6 2018-05-28 17:43:55 +12:00
Damian Mooyman
5771388821 [ss-2018-001] Restrict non-admins from being assigned to admin groups 2018-05-09 15:12:40 +12:00
Damian Mooyman
47a9cdfd49 ENHANCEMENT Backport of querystring work to 3.x (#8026)
* WIP Backport of querystring work to 3.x

* Remove dataextension requirement

* Fix up bootstrapping

* more backporting

* Bug fix some tests

* Fix up some tests

* Fix support for custom stages
Don't set empty stage

* Better cache typehint

* Make sure useDraftSite(false) re-enables secure site

* Remove unnecessary guard around controller property
2018-05-08 10:04:44 +12:00
Daniel Hensby
c31251911c Merge branch '3.6' into 3 2018-04-18 13:14:46 +01:00
Robbie Averill
51d4d2c11e Update some phpdocs that had typos, missing parts or incorrect formats 2018-04-11 20:12:38 +12:00
Damian Mooyman
f4b13fb2c4 Merge remote-tracking branch 'origin/3.6' into 3
# Conflicts:
#	model/DataQuery.php
2018-02-05 16:53:15 +13:00
Damian Mooyman
4da99efd5d Merge remote-tracking branch 'origin/3.5' into 3.6 2018-01-31 16:03:42 +13:00
Daniel Hensby
9103816333 NEW Add php 7.2 support 2018-01-30 16:50:32 +00:00
Damian Mooyman
cf69d04866 BUG Fix ping including requirements
Fixes #7802
2018-01-26 10:26:18 +13:00
Damian Mooyman
72e2326731 Merge pull request #7798 from kinglozzer/member-groupset-delete
FIX: Fix Member_GroupSet::removeAll() (fixes #3948)
2018-01-25 09:20:30 +13:00
Loz Calver
c2cd6b3832 FIX: Fix Member_GroupSet::removeAll() (fixes #3948) 2018-01-24 17:17:20 +00:00
Steve Boyd
f214cd52e0 Ensure currentUserID() returns an int
Cast $id returned from Session as an int to ensure it's never returned as a string
2018-01-23 13:37:06 +13:00
Damian Mooyman
3346b37ef0 Merge branch '3.6' into 3 2017-12-08 11:53:49 +13:00
Damian Mooyman
052f11a427 Remove merge artifact 2017-12-08 11:52:48 +13:00
Damian Mooyman
50aa1f22a6 Merge branch '3.6' into 3 2017-12-07 13:20:58 +13:00
Damian Mooyman
d6a93f5215 Merge remote-tracking branch 'silverstripe-security/3.5' into 3.6
# Conflicts:
#	security/Member.php
2017-12-06 17:26:45 +13:00
Damian Mooyman
91cf85087b Merge remote-tracking branch 'origin/3.5' into 3.6 2017-12-06 17:21:09 +13:00
Damian Mooyman
6ba00e829a [ss-2017-009] Prevent disclosure of sensitive information via LoginAttempt 2017-11-30 15:53:50 +13:00
Daniel Hensby
2ad3cc07d5 FIX Update member password encryption to default on password change 2017-11-23 21:17:31 +00:00
Daniel Hensby
b49d1d7fbd Merge branch '3.6' into 3 2017-09-28 17:17:19 +01:00
Daniel Hensby
bd7abc73de Merge branch '3.5.5' into 3.6.2 2017-09-20 16:26:30 +01:00
Daniel Hensby
72702dbd50 Merge pull request #43 from silverstripe-security/pulls/3.5/member-enumeration-timing-attack
[SS-2017-005] User enumeration via timing attack mitigated
2017-09-20 11:39:39 +01:00
Daniel Hensby
f0262a8fd9 [SS-2017-005] User enumeration via timing attack mitigated 2017-09-20 11:33:22 +01:00
Daniel Hensby
091d99f599 FIX Authenticators are more resilient to incomplete configuration 2017-09-12 15:57:03 +01:00
Daniel Hensby
23a726f385 Merge branch '3.6' into 3 2017-08-14 13:43:28 +01:00
Daniel Hensby
a3b72c500d Merge branch '3.5' into 3.6 2017-08-14 12:55:09 +01:00
Loz Calver
82c0632f46 Fix: Use Config API for MemberAuthenticator::$migrate_legacy_hashes (fixes #7208) 2017-07-26 09:54:29 +01:00
Daniel Hensby
1e5592a3d9 Merge branch '3.5' into 3.6 2017-06-27 13:14:39 +01:00
Daniel Hensby
6f2b08b962 Merge branch '3.6' into 3 2017-06-14 12:02:27 +01:00
Daniel Hensby
ecc88b2cbe Merge branch '3.5' into 3.6 2017-06-14 12:02:06 +01:00
Daniel Hensby
a5c84b12ab FIX Order of conditionals for getting default admin 2017-06-12 11:54:05 +01:00
Daniel Hensby
21d2e5cad1 Merge branch '3.6' into 3 2017-05-31 00:12:14 +01:00
Daniel Hensby
cda7e8dc39 Merge remote-tracking branch 'security/3.5.4' into 3.6.0 2017-05-29 01:29:05 +01:00
Daniel Hensby
24166700e8 Merge remote-tracking branch 'security/3.4.6' into 3.5.4 2017-05-29 01:02:35 +01:00
Daniel Hensby
447ce0f84f [SS-2017-002] FIX Lock out users who don't exist in the DB 2017-05-25 16:14:52 +01:00
Damian Mooyman
f16d7e1838 API Deprecate unused / undesirable create_new_password implementation 2017-05-08 17:41:37 +12:00
Loz Calver
05a737c5fc Allow RandomGenerator to use random_bytes() in PHP 7 2017-04-05 11:05:28 +10:00
Joe Harvey
0d0d18612d Adding extension hooks to Member isLockedOut() and registerSuccessfulLogin() 2017-03-30 11:07:51 +01:00
Robbie Averill
2f6f5b5eff Do not send the header if it is not defined 2017-01-11 08:26:04 +13:00
Robbie Averill
cb2dcc75f1 Add X-Robots-Tag noindex,nofollow header from Security controller to prevent indexing 2017-01-09 16:13:39 +13:00