Serge Latyntcev
e7469dadb0
Merge branch '3.6' into 3.7
2019-09-24 14:26:53 +12:00
Serge Latyntcev
a86093fee6
[CVE-2019-12203] Session fixation in "change password" form
...
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 10:57:40 +12:00
Robbie Averill
d8014d3110
DOCS Update PHPdoc on Authenticator::set_default_authenticator() to show param name
2019-07-01 11:58:30 +12:00
Daniel Hensby
362c2f3b64
Make sure that CMS requests disable caching
2018-08-13 14:39:55 +01:00
Daniel Hensby
2b4954035f
NEW Add better HTTP cache-control manipulation ( #8086 )
2018-06-08 11:56:31 +12:00
Daniel Hensby
801a51d0f7
Merge branch '3.5' into 3.6
2018-06-05 16:30:20 +01:00
Robbie Averill
1cbf27e0f4
FIX PHP 5.3 compat for referencing $this in closure, and make method public for same reason
...
sdf
2018-06-04 16:05:49 +01:00
Robbie Averill
7b23a548aa
FIX PHP 5.3 compat for referencing $this in closure, and make method public for same reason
...
sdf
2018-05-29 14:55:21 +12:00
Robbie Averill
4a9e991edb
Merge branch '3.6' into 3
2018-05-28 17:44:48 +12:00
Robbie Averill
dae8fefb1e
Merge remote-tracking branch 'origin/3.5' into 3.6
2018-05-28 17:43:55 +12:00
Damian Mooyman
5771388821
[ss-2018-001] Restrict non-admins from being assigned to admin groups
2018-05-09 15:12:40 +12:00
Damian Mooyman
47a9cdfd49
ENHANCEMENT Backport of querystring work to 3.x ( #8026 )
...
* WIP Backport of querystring work to 3.x
* Remove dataextension requirement
* Fix up bootstrapping
* more backporting
* Bug fix some tests
* Fix up some tests
* Fix support for custom stages
Don't set empty stage
* Better cache typehint
* Make sure useDraftSite(false) re-enables secure site
* Remove unnecessary guard around controller property
2018-05-08 10:04:44 +12:00
Daniel Hensby
c31251911c
Merge branch '3.6' into 3
2018-04-18 13:14:46 +01:00
Robbie Averill
51d4d2c11e
Update some phpdocs that had typos, missing parts or incorrect formats
2018-04-11 20:12:38 +12:00
Damian Mooyman
f4b13fb2c4
Merge remote-tracking branch 'origin/3.6' into 3
...
# Conflicts:
# model/DataQuery.php
2018-02-05 16:53:15 +13:00
Damian Mooyman
4da99efd5d
Merge remote-tracking branch 'origin/3.5' into 3.6
2018-01-31 16:03:42 +13:00
Daniel Hensby
9103816333
NEW Add php 7.2 support
2018-01-30 16:50:32 +00:00
Damian Mooyman
cf69d04866
BUG Fix ping including requirements
...
Fixes #7802
2018-01-26 10:26:18 +13:00
Damian Mooyman
72e2326731
Merge pull request #7798 from kinglozzer/member-groupset-delete
...
FIX: Fix Member_GroupSet::removeAll() (fixes #3948 )
2018-01-25 09:20:30 +13:00
Loz Calver
c2cd6b3832
FIX: Fix Member_GroupSet::removeAll() ( fixes #3948 )
2018-01-24 17:17:20 +00:00
Steve Boyd
f214cd52e0
Ensure currentUserID() returns an int
...
Cast $id returned from Session as an int to ensure it's never returned as a string
2018-01-23 13:37:06 +13:00
Damian Mooyman
3346b37ef0
Merge branch '3.6' into 3
2017-12-08 11:53:49 +13:00
Damian Mooyman
052f11a427
Remove merge artifact
2017-12-08 11:52:48 +13:00
Damian Mooyman
50aa1f22a6
Merge branch '3.6' into 3
2017-12-07 13:20:58 +13:00
Damian Mooyman
d6a93f5215
Merge remote-tracking branch 'silverstripe-security/3.5' into 3.6
...
# Conflicts:
# security/Member.php
2017-12-06 17:26:45 +13:00
Damian Mooyman
91cf85087b
Merge remote-tracking branch 'origin/3.5' into 3.6
2017-12-06 17:21:09 +13:00
Damian Mooyman
6ba00e829a
[ss-2017-009] Prevent disclosure of sensitive information via LoginAttempt
2017-11-30 15:53:50 +13:00
Daniel Hensby
2ad3cc07d5
FIX Update meber passwordencryption to default on password change
2017-11-23 21:17:31 +00:00
Daniel Hensby
b49d1d7fbd
Merge branch '3.6' into 3
2017-09-28 17:17:19 +01:00
Daniel Hensby
bd7abc73de
Merge branch '3.5.5' into 3.6.2
2017-09-20 16:26:30 +01:00
Daniel Hensby
72702dbd50
Merge pull request #43 from silverstripe-security/pulls/3.5/member-enumeration-timing-attack
...
[SS-2017-005] User enumeration via timing attack mitigated
2017-09-20 11:39:39 +01:00
Daniel Hensby
f0262a8fd9
[SS-2017-005] User enumeration via timing attack mitigated
2017-09-20 11:33:22 +01:00
Daniel Hensby
091d99f599
FIX Authenticators are more resilient to incomplete configuration
2017-09-12 15:57:03 +01:00
Daniel Hensby
23a726f385
Merge branch '3.6' into 3
2017-08-14 13:43:28 +01:00
Daniel Hensby
a3b72c500d
Merge branch '3.5' into 3.6
2017-08-14 12:55:09 +01:00
Loz Calver
82c0632f46
Fix: Use Config API for MemberAuthenticator::$migrate_legacy_hashes ( fixes #7208 )
2017-07-26 09:54:29 +01:00
Daniel Hensby
1e5592a3d9
Merge branch '3.5' into 3.6
2017-06-27 13:14:39 +01:00
Daniel Hensby
6f2b08b962
Merge branch '3.6' into 3
2017-06-14 12:02:27 +01:00
Daniel Hensby
ecc88b2cbe
Merge branch '3.5' into 3.6
2017-06-14 12:02:06 +01:00
Daniel Hensby
a5c84b12ab
FIX Order of conditionals for getting default admin
2017-06-12 11:54:05 +01:00
Daniel Hensby
21d2e5cad1
Merge branch '3.6' into 3
2017-05-31 00:12:14 +01:00
Daniel Hensby
cda7e8dc39
Merge remote-tracking branch 'security/3.5.4' into 3.6.0
2017-05-29 01:29:05 +01:00
Daniel Hensby
24166700e8
Merge remote-tracking branch 'security/3.4.6' into 3.5.4
2017-05-29 01:02:35 +01:00
Daniel Hensby
447ce0f84f
[SS-2017-002] FIX Lock out users who dont exist in the DB
2017-05-25 16:14:52 +01:00
Damian Mooyman
f16d7e1838
API Deprecate unused / undesirable create_new_password implementation
2017-05-08 17:41:37 +12:00
Loz Calver
05a737c5fc
Allow RandomGenerator to use random_bytes() in PHP 7
2017-04-05 11:05:28 +10:00
Joe Harvey
0d0d18612d
Adding extension hooks to Member isLockedOut() and registerSuccessfulLogin()
2017-03-30 11:07:51 +01:00
Robbie Averill
2f6f5b5eff
Do not send the header if it is not defined
2017-01-11 08:26:04 +13:00
Robbie Averill
cb2dcc75f1
Add X-Robots-Tag noindex,nofollow header from Security controller to prevent indexing
2017-01-09 16:13:39 +13:00
Daniel Hensby
69974d940a
Merge branch '3.3' into 3.4
2016-11-18 11:33:39 +00:00