Damian Mooyman
052f11a427
Remove merge artifact
2017-12-08 11:52:48 +13:00
Damian Mooyman
d6a93f5215
Merge remote-tracking branch 'silverstripe-security/3.5' into 3.6
...
# Conflicts:
# security/Member.php
2017-12-06 17:26:45 +13:00
Damian Mooyman
91cf85087b
Merge remote-tracking branch 'origin/3.5' into 3.6
2017-12-06 17:21:09 +13:00
Damian Mooyman
6ba00e829a
[ss-2017-009] Prevent disclosure of sensitive information via LoginAttempt
2017-11-30 15:53:50 +13:00
Daniel Hensby
2ad3cc07d5
FIX Update member passwordencryption to default on password change
2017-11-23 21:17:31 +00:00
Daniel Hensby
bd7abc73de
Merge branch '3.5.5' into 3.6.2
2017-09-20 16:26:30 +01:00
Daniel Hensby
72702dbd50
Merge pull request #43 from silverstripe-security/pulls/3.5/member-enumeration-timing-attack
...
[SS-2017-005] User enumeration via timing attack mitigated
2017-09-20 11:39:39 +01:00
Daniel Hensby
f0262a8fd9
[SS-2017-005] User enumeration via timing attack mitigated
2017-09-20 11:33:22 +01:00
Daniel Hensby
091d99f599
FIX Authenticators are more resilient to incomplete configuration
2017-09-12 15:57:03 +01:00
Daniel Hensby
a3b72c500d
Merge branch '3.5' into 3.6
2017-08-14 12:55:09 +01:00
Loz Calver
82c0632f46
Fix: Use Config API for MemberAuthenticator::$migrate_legacy_hashes (fixes #7208)
2017-07-26 09:54:29 +01:00
Daniel Hensby
1e5592a3d9
Merge branch '3.5' into 3.6
2017-06-27 13:14:39 +01:00
Daniel Hensby
a5c84b12ab
FIX Order of conditionals for getting default admin
2017-06-12 11:54:05 +01:00
Daniel Hensby
cda7e8dc39
Merge remote-tracking branch 'security/3.5.4' into 3.6.0
2017-05-29 01:29:05 +01:00
Daniel Hensby
24166700e8
Merge remote-tracking branch 'security/3.4.6' into 3.5.4
2017-05-29 01:02:35 +01:00
Daniel Hensby
447ce0f84f
[SS-2017-002] FIX Lock out users who don't exist in the DB
2017-05-25 16:14:52 +01:00
Loz Calver
05a737c5fc
Allow RandomGenerator to use random_bytes() in PHP 7
2017-04-05 11:05:28 +10:00
Joe Harvey
0d0d18612d
Adding extension hooks to Member isLockedOut() and registerSuccessfulLogin()
2017-03-30 11:07:51 +01:00
Robbie Averill
2f6f5b5eff
Do not send the header if it is not defined
2017-01-11 08:26:04 +13:00
Robbie Averill
cb2dcc75f1
Add X-Robots-Tag noindex,nofollow header from Security controller to prevent indexing
2017-01-09 16:13:39 +13:00
Daniel Hensby
69974d940a
Merge branch '3.3' into 3.4
2016-11-18 11:33:39 +00:00
Daniel Hensby
0ae4b57754
Merge branch '3.2' into 3.3
2016-11-18 11:32:36 +00:00
Daniel Hensby
5df077f24d
Merge branch '3.1' into 3.2
2016-11-18 11:29:19 +00:00
Daniel Hensby
8e5f786b8d
Merge branch '3.4' into 3.5.0
2016-11-15 11:43:16 +00:00
Daniel Hensby
3f4445641d
Merge branch '3.3' into 3.4
2016-11-15 11:35:38 +00:00
Daniel Hensby
c7778a1e9a
Merge branch '3.2' into 3.3
2016-11-15 11:19:27 +00:00
Daniel Hensby
06d0210233
Merge branch '3.1' into 3.2
2016-11-15 11:18:46 +00:00
Daniel Hensby
17097a4d11
[SS-2016-016] FIX Properly escape backURL for template injection
2016-11-10 17:00:03 +00:00
Daniel Hensby
5a7cde0e10
Merge branch '3.4' into 3.5.0
2016-11-09 16:14:40 +00:00
Loz Calver
6bf36fbd30
FIX: Correct return type for Member::currentUser()
2016-11-09 14:20:44 +00:00
Daniel Hensby
beeed8155a
Merge branch '3.4' into 3
2016-09-16 11:56:01 +01:00
Thomas Portelange
995d07756d
cache currentUser query (#6007)
...
* cache currentUser query
Various modules can call Member::currentUser() a lot of times. We can avoid querying the database multiple times. Cache is implemented as a static array inside the method and stores the data by ID, in case the currentUserID changes within the same request (not very likely, but...)
2016-09-15 15:45:40 +01:00
Daniel Hensby
3fd9fe3aa0
Merge branch '3.4' into 3
2016-09-07 09:22:06 +01:00
Daniel Hensby
060bf6b327
Merge branch '3.3' into 3.4
2016-08-22 16:22:37 +01:00
Daniel Hensby
088d88e978
Merge branch '3.2' into 3.3
2016-08-22 16:22:02 +01:00
Daniel Hensby
229a2b9217
Merge pull request #4133 from nimeso/patch-1
2016-08-22 11:52:47 +01:00
Damian Mooyman
d88516203c
Merge 3.4 into 3
2016-08-15 19:05:20 +12:00
Daniel Hensby
d1163d87b7
[SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled
2016-08-15 15:52:10 +12:00
Daniel Hensby
8bbf1caae6
[SS-2016-013] FIX Uncasted member name
2016-08-15 15:52:04 +12:00
Daniel Hensby
782c18fd13
[SS-2016-011] ChangePasswordForm does not check $member->canLogin before login
2016-08-15 15:51:53 +12:00
Daniel Hensby
08384bb4d6
[SS-2016-008] Reset Member::Salt on password change
2016-08-15 15:50:56 +12:00
Daniel Hensby
fa7f5af861
[SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled
2016-08-15 15:02:53 +12:00
Daniel Hensby
83e3302c04
[SS-2016-013] FIX Uncasted member name
2016-08-15 15:02:47 +12:00
Daniel Hensby
6d41db77fa
[SS-2016-011] ChangePasswordForm does not check $member->canLogin before login
...
This could be used as a way to circumvent login restrictions by using the change password feature to log users in that are unable to log in for reasons other than too many password attempts
2016-08-15 15:02:41 +12:00
Daniel Hensby
f85dea2e6d
[SS-2016-008] Reset Member::Salt on password change
2016-08-15 15:02:36 +12:00
Daniel Hensby
b1f449762b
[SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled
2016-08-15 14:07:57 +12:00
Daniel Hensby
281b0de571
[SS-2016-013] FIX Uncasted member name
2016-08-15 14:07:51 +12:00
Daniel Hensby
2b30ade44d
[SS-2016-011] ChangePasswordForm does not check $member->canLogin before login
...
This could be used as a way to circumvent login restrictions by using the change password feature to log users in that are unable to log in for reasons other than too many password attempts
2016-08-15 14:07:40 +12:00
Daniel Hensby
dc47f7ec9a
[SS-2016-008] Reset Member::Salt on password change
2016-08-15 14:07:24 +12:00
Daniel Hensby
1c7d5de51b
[SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled
2016-08-15 13:24:06 +12:00