Commit Graph

983 Commits

Author SHA1 Message Date
Daniel Hensby
1c7d5de51b [SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled 2016-08-15 13:24:06 +12:00
Daniel Hensby
6817c57f64 [SS-2016-013] FIX Uncasted member name 2016-08-15 13:21:14 +12:00
Daniel Hensby
6606d98663 [SS-2016-011] ChangePasswordForm does not check $member->canLogin before login
This could be used as a way to circumvent login restrictions by using the change password feature to log users in that are unable to login for reasons other than too many password attempts
2016-08-15 13:20:02 +12:00
Daniel Hensby
298f61521c [SS-2016-008] Reset Member::Salt on password change 2016-08-15 13:19:02 +12:00
Daniel Hensby
92599727b9
Merge remote-tracking branch 'security/patch/3.1/ss-2016-006' into 3.1.19 2016-05-05 01:01:49 +01:00
Daniel Hensby
7af7f8dd65
Merge remote-tracking branch 'security/patch/3.1/ss-2016-005' into 3.1.19 2016-05-05 01:01:44 +01:00
Daniel Hensby
1ccd3926e3
[SS-2016-001] FIX Properly check backurl on CMSSecurity@success 2016-04-20 23:58:50 +01:00
Daniel Hensby
a6bd22ab2f
[SS-2016-006] FIX dont disable XSS for login forms 2016-04-20 23:57:59 +01:00
Daniel Hensby
f32c893546
[SS-2016-005] FIX Apply brute force protection to default admin 2016-04-19 23:20:29 +01:00
Damian Mooyman
21e1e938eb Merge pull request #4893 from dhensby/pulls/member-regenerate-session-id
FIX session_regenerate_id uses config system
2016-01-06 15:16:31 +13:00
Daniel Hensby
00544ff100 FIX session_regenerate_id uses config system 2016-01-05 22:31:58 +00:00
Daniel Hensby
4335d8ed22 FIX Members with no ID inherit logged in user permission 2016-01-05 08:16:18 +00:00
Damian Mooyman
7367cf54c4 [ss-2015-020]: Prevent possible Privilege escalation 2015-09-10 13:01:24 +12:00
Daniel Hensby
2d4b743090 FIX Members can access their own profiles in CMS 2015-08-26 15:47:51 +01:00
Daniel Hensby
ab0572e7cc DOCS Permission comments made a bit clearer 2015-08-21 09:16:46 +01:00
Daniel Hensby
6eede57ff2 Fix issue where Access All CMS Sections doesnt work 2015-08-20 22:30:43 +01:00
Damian Mooyman
6fabd0122b BUG Fix potential XSS injection 2015-07-01 17:41:32 +12:00
Sean Harvey
fd755a7ff9 BUG ChangePasswordForm validation message should render HTML correctly.
HTML shows up in the form message escaped, but it shouldn't be.
2015-07-01 17:41:32 +12:00
Damian Mooyman
22a35e48a9 BUG Fix malformed urls redirecting to external sites 2015-05-28 10:12:18 +12:00
Daniel Hensby
c2fd18e829 FIX use config for Security::$login_url 2015-04-23 17:20:07 +01:00
Damian Mooyman
8d6cd1529f BUG Fix some database errors during dev/build where an auth token exists for the current user
Fixes #3660
2015-03-25 11:34:13 +13:00
Damian Mooyman
a775a44387 Merge pull request #4016 from guru-digital/REDIRECT_fix
HTTP basic auth fix
2015-03-19 14:55:20 +13:00
Daniel Hensby
de2aa47250 Merge pull request #4006 from kinglozzer/patch-1
FIX: Security::$default_message_set Config value unusable
2015-03-17 17:05:01 +00:00
Loz Calver
a61c08d031 FIX: Security::$default_message_set Config value unusable 2015-03-17 15:51:31 +00:00
Corey Sewell
46e61b3448 Check both $_SERVER['HTTP_AUTHORIZATION'] and $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] for HTTP Basic authentication headers 2015-03-17 14:15:54 +13:00
Daniel Hensby
d2a3da2203 Making docs gender agnostic 2015-03-07 12:32:04 +00:00
Damian Mooyman
49c462710d Merge pull request #3795 from uniun/patch-2
FIX. Summary fields can't be translated
2015-02-16 15:55:29 +13:00
Daniel Hensby
89c14d079d Making TreeMultiSelectField consistent with parent class
NEW TreeDropdownField sanatiser helper added
Use config for default_cast of objects
FIX Determine if Diffed value should be escaped
Forcing casting for core DB fields
Fixing permissions labels
2015-02-13 11:12:30 +13:00
Elvinas L.
32ce85d9f4 FIX. Summary fields can't be translated
fieldLabels() now can find these fields and translate them.
2015-01-15 15:09:32 +02:00
Will Rossiter
220bdf342c Merge pull request #3577 from tractorcow/pulls/3.1/fix-basicauth-resetlogin
BUG Fix BasicAuth not resetting failed login counts on authentication
2015-01-15 11:03:52 +13:00
Daniel Hensby
b2ace2b76c Merge pull request #3689 from guru-digital/patch-2
Add ability to use Basic Auth when running PHP in CGI mode in Apache
2014-12-08 18:39:42 +00:00
Corey Sewell
fbebf96d66 Add detection for PHP running in CGI mode and add HTTP_AUTHORIZATION rewrite rule
Detect and parse HTTP_AUTHORIZATION for basic authentication running PHP in CGI mode
Add comments about using CGI mode with Apache and Basic Auth in /docs/en/topics/environment-management.md
Added notes  to docs/en/changelogs/3.1.9.md
2014-12-05 11:35:52 +13:00
JorisDebonnet
1cd54e6bdc Update Member.Email from 256 to 254 length
Fixes #3074
2014-11-29 22:30:11 +01:00
Damian Mooyman
31b5a9dc86 API Allow CMS re-authentication to be completely disabled if necessary 2014-11-21 17:43:53 +13:00
Damian Mooyman
2bdfd65e9b BUG Security::findAnAdministrator doesn't always find an admin 2014-11-18 15:36:34 +13:00
Damian Mooyman
9d78eb7fe6 BUG Fix BasicAuth not resetting failed login counts on authentication 2014-10-24 14:19:12 +13:00
Damian Mooyman
53c40a94fa API Enable re-authentication within the CMS if a user session is lost
BUG Resolve issue with error redirection being ignored within CMS
BUG Fix issue with invalid securityID being re-emitted on failure
2014-10-14 15:19:48 +13:00
Will Rossiter
61ec808604 Set $lock_out_after_incorrect_logins out of the box 2014-09-26 10:49:53 +12:00
Sean Harvey
0e07f1a7f5 Merge remote-tracking branch 'origin/3.0' into 3.1 2014-08-22 17:50:36 +12:00
Ingo Schommer
1661213e5b FIX Opt-out pf form message escaping (fixes #2796)
This fixes a limitation introduced through http://www.silverstripe.org/ss-2013-008-xss-in-numericfield-validation/.
Form messages used to accept HTML, now they’re escaped by default, effectively removing the ability
to pass in HTML and take care of escaping manually.

We pass through HTML to message in core through the CTF system, so this needs to be fixed.
It’s an alternative fix to https://github.com/silverstripe/silverstripe-framework/pull/2803.
2014-08-22 16:59:34 +12:00
Tim Snadden
afad65ee71 Fix 'Uncaught ReferenceError: jQuery is not defined' if jQuery is not included in template. 2014-04-30 09:30:22 +12:00
Mateusz U
36d925543b Merge pull request #3020 from tractorcow/pulls/3.1-autocomplete-username
API Security.remember_username to disable login form autocompletion
2014-04-11 09:17:27 +12:00
Damian Mooyman
997077ae83 API Security.remember_username to disable login form autocompletion 2014-04-11 09:05:25 +12:00
Ingo Schommer
be12656bd9 Returning response from doChangePassword() 2014-04-10 17:21:56 +12:00
Ingo Schommer
f737922cdf Prevent IE errors on hidden login forms
In order to focus a field, it needs to be visible,
which can't be guaranteed on a core level by the login form JavaScript.
Optionally check for visibility via jQuery if it exists,
and allow explicit disabling of this behaviour via a unique identifier.
2014-04-08 11:28:54 +12:00
Damian Mooyman
1cc366fe23 Merge pull request #2850 from kinglozzer/2827-member-extend
FIX: Rewrite Member getCMSFields to ensure updateCMSFields is only run once (fixes #2827)
2014-03-04 13:42:17 +13:00
Ingo Schommer
c047a7b990 Reset FailedLoginCount on successful password reset 2014-03-03 17:47:16 +13:00
Ingo Schommer
9afcf8f01a Allow vetoing forgot password requests 2014-02-25 13:05:32 +13:00
Loz Calver
d91c7d14b8 FIX: Rewrite Member getCMSFields to ensure updateCMSFields is only run once (fixes #2827)
Fix usage of  inside closure

Can't use self:: in closure either

Basic unit tests to check extensions are applied correctly
2014-02-16 21:21:15 +00:00
Kirk Mayo
632884252b NEW: Updating out of date URLs in the framework source code and docs 2014-02-07 15:10:44 +13:00