Serge Latyntcev
e7469dadb0
Merge branch '3.6' into 3.7
2019-09-24 14:26:53 +12:00
Serge Latyntcev
a86093fee6
[CVE-2019-12203] Session fixation in "change password" form
A potential account hijacking may happen if an attacker has physical access to the
victim's computer to perform session fixation. It is also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all of the above happens, attackers may reset the password before the actual user does.
2019-09-24 10:57:40 +12:00
Daniel Hensby
362c2f3b64
Make sure that CMS requests disable caching
2018-08-13 14:39:55 +01:00
Daniel Hensby
2b4954035f
NEW Add better HTTP cache-control manipulation (#8086)
2018-06-08 11:56:31 +12:00
Damian Mooyman
47a9cdfd49
ENHANCEMENT Backport of querystring work to 3.x (#8026)
* WIP Backport of querystring work to 3.x
* Remove dataextension requirement
* Fix up bootstrapping
* more backporting
* Bug fix some tests
* Fix up some tests
* Fix support for custom stages
Don't set empty stage
* Better cache typehint
* Make sure useDraftSite(false) re-enables secure site
* Remove unnecessary guard around controller property
2018-05-08 10:04:44 +12:00
Damian Mooyman
f4b13fb2c4
Merge remote-tracking branch 'origin/3.6' into 3
# Conflicts:
# model/DataQuery.php
2018-02-05 16:53:15 +13:00
Damian Mooyman
4da99efd5d
Merge remote-tracking branch 'origin/3.5' into 3.6
2018-01-31 16:03:42 +13:00
Daniel Hensby
9103816333
NEW Add php 7.2 support
2018-01-30 16:50:32 +00:00
Damian Mooyman
cf69d04866
BUG Fix ping including requirements
Fixes #7802
2018-01-26 10:26:18 +13:00
Daniel Hensby
1e5592a3d9
Merge branch '3.5' into 3.6
2017-06-27 13:14:39 +01:00
Daniel Hensby
ecc88b2cbe
Merge branch '3.5' into 3.6
2017-06-14 12:02:06 +01:00
Daniel Hensby
a5c84b12ab
FIX Order of conditionals for getting default admin
2017-06-12 11:54:05 +01:00
Robbie Averill
2f6f5b5eff
Do not send the header if it is not defined
2017-01-11 08:26:04 +13:00
Robbie Averill
cb2dcc75f1
Add X-Robots-Tag noindex,nofollow header from Security controller to prevent indexing
2017-01-09 16:13:39 +13:00
Damian Mooyman
7de5b998e1
Merge 3.4 into 3
2016-08-05 19:12:25 +12:00
Damian Mooyman
0d5ae23f2b
Merge 3.2 into 3.3
2016-08-05 14:36:35 +12:00
Andrew Aitken-Fincham
66f2e6811b
modify getAuthenticator to fall back to get_default_authenticator
2016-08-03 10:36:43 +12:00
Damian Mooyman
d08ab6ac81
API Allow X-Frame-Options to be configured
Fixes #2970
2016-07-15 14:08:14 +12:00
Daniel Hensby
ee326f6394
Merge branch 'hailwood/patch-5' into 3
2016-07-01 14:53:02 +01:00
Matthew Hailwood
4f0969f119
Make lost password url a config option like login_url and logout_url
Also makes the login_url, logout_url and new lost_password_url functions
return their link relative to the base url rather than assuming the base tag
2016-07-01 14:47:51 +01:00
Damian Mooyman
2a5ba397e6
BUG Fix SS_HTTPResponse being cast as string (#5413)
Fixes #5335
2016-05-02 08:54:19 +12:00
Damian Mooyman
38e154af0a
API Disable get parameter access to site stage mode
BUG Fix missing and undocumented response from Security::permissionFailure()
2015-12-07 17:39:18 +13:00
Damian Mooyman
71b8aec306
Merge remote-tracking branch 'origin/3.2' into 3
2015-09-15 13:35:51 +12:00
Damian Mooyman
c4710b2272
Merge remote-tracking branch 'origin/3.1' into 3.2
Conflicts:
admin/code/GroupImportForm.php
admin/code/MemberImportForm.php
tests/model/DataListTest.php
2015-09-15 13:18:47 +12:00
Damian Mooyman
7367cf54c4
[ss-2015-020]: Prevent possible Privilege escalation
2015-09-10 13:01:24 +12:00
Stevie Mayhew
1b57e0ca5b
FEATURE: implement getter and setter usage for response
2015-08-29 10:24:06 +12:00
Phill Price
b2024107a9
DOCS: Typo in a block
2015-06-24 11:57:12 +01:00
Damian Mooyman
e14f743bf0
Set deprecation level for all changes in 3.x to 4.0
2015-06-19 13:07:41 +12:00
Stevie Mayhew
0d94cf15a5
UPDATE: change all instances of $this->request to use appropriate getter/setter
2015-04-30 11:04:08 +12:00
Daniel Hensby
c2fd18e829
FIX use config for Security::$login_url
2015-04-23 17:20:07 +01:00
Damian Mooyman
95c162ef0d
API Security better respects BackURL on login
BUG Restore missing authentication message not appearing in the login form $Content area (regression from #1807)
2015-03-31 20:22:35 +13:00
Damian Mooyman
43f49e8434
Merge remote-tracking branch 'origin/3.1' into 3
Conflicts:
admin/code/ModelAdmin.php
control/Director.php
model/SQLQuery.php
security/Member.php
tests/control/HTTPTest.php
tests/model/SQLQueryTest.php
tests/security/SecurityTest.php
tests/view/SSViewerTest.php
2015-03-31 19:54:15 +13:00
Daniel Hensby
de2aa47250
Merge pull request #4006 from kinglozzer/patch-1
FIX: Security::$default_message_set Config value unusable
2015-03-17 17:05:01 +00:00
Loz Calver
a61c08d031
FIX: Security::$default_message_set Config value unusable
2015-03-17 15:51:31 +00:00
Damian Mooyman
6baf63e18c
Merge remote-tracking branch 'origin/3.1'
Conflicts:
dev/install/install.php5
docs/en/changelogs/index.md
security/Security.php
2014-11-19 11:16:46 +13:00
Damian Mooyman
ce93a8a98e
Resolve merge regressions
2014-11-19 11:05:07 +13:00
Damian Mooyman
2bdfd65e9b
BUG Security::findAnAdministrator doesn't always find an admin
2014-11-18 15:36:34 +13:00
Damian Mooyman
0b1f297873
Merge remote-tracking branch 'origin/3.1'
Conflicts:
.travis.yml
README.md
admin/code/LeftAndMain.php
admin/css/screen.css
admin/scss/screen.scss
api/RestfulService.php
conf/ConfigureFromEnv.php
control/injector/ServiceConfigurationLocator.php
control/injector/SilverStripeServiceConfigurationLocator.php
core/ClassInfo.php
core/Object.php
css/AssetUploadField.css
css/ComplexTableField_popup.css
dev/CSSContentParser.php
dev/DevelopmentAdmin.php
docs/en/changelogs/index.md
docs/en/misc/contributing/code.md
docs/en/reference/execution-pipeline.md
filesystem/GD.php
filesystem/ImagickBackend.php
filesystem/Upload.php
forms/Form.php
forms/FormField.php
forms/HtmlEditorConfig.php
forms/gridfield/GridFieldDetailForm.php
forms/gridfield/GridFieldSortableHeader.php
lang/en.yml
model/Aggregate.php
model/DataList.php
model/DataObject.php
model/DataQuery.php
model/Image.php
model/MySQLDatabase.php
model/SQLQuery.php
model/fieldtypes/HTMLText.php
model/fieldtypes/Text.php
scss/AssetUploadField.scss
search/filters/SearchFilter.php
security/Authenticator.php
security/LoginForm.php
security/Member.php
security/MemberAuthenticator.php
security/MemberLoginForm.php
security/Security.php
tests/behat/features/bootstrap/SilverStripe/Framework/Test/Behaviour/CmsFormsContext.php
tests/control/HTTPTest.php
tests/control/RequestHandlingTest.php
tests/filesystem/UploadTest.php
tests/forms/FormTest.php
tests/forms/NumericFieldTest.php
tests/model/DataListTest.php
tests/model/DataObjectTest.php
tests/model/TextTest.php
tests/security/MemberAuthenticatorTest.php
tests/security/SecurityDefaultAdminTest.php
tests/view/SSViewerCacheBlockTest.php
tests/view/SSViewerTest.php
2014-11-18 12:45:54 +13:00
Damian Mooyman
53c40a94fa
API Enable re-authentication within the CMS if a user session is lost
BUG Resolve issue with error redirection being ignored within CMS
BUG Fix issue with invalid securityID being re-emitted on failure
2014-10-14 15:19:48 +13:00
Will Rossiter
4b6a03bb0b
Fix deprecation warning with word_list
2014-08-31 15:59:16 +12:00
Damian Mooyman
eb069e605d
Remove all redundant whitespace
2014-08-19 09:17:15 +12:00
Damian Mooyman
0433ba1642
BUG Revert some changes to ManyManyList
BUG Fix incompatibility in Member_GroupList
Fix regressions in merges from 3.1
BUG Fix Security failing on test classes
BUG Fix postgresql compatibility
Clarify sql encoding of table names
2014-07-23 12:38:41 +12:00
Damian Mooyman
d8e9af8af8
API New Database abstraction layer. Ticket #7429
Database abstraction broken up into controller, connector, query builder, and schema manager, each independently configurable via YAML / Injector
Creation of new DBQueryGenerator for database specific generation of SQL
Support for parameterised queries, move of code base to use these over escaped conditions
Refactor of SQLQuery into separate query classes for each of INSERT UPDATE DELETE and SELECT
Support for PDO
Installation process upgraded to use new ORM
SS_DatabaseException created to handle database errors, maintaining details of raw SQL and parameter details for user code interested in that data.
Renamed DB static methods to conform correctly to naming conventions (e.g. DB::getConn -> DB::get_conn)
3.2 upgrade docs
Performance Optimisation and simplification of code to use more concise API
API Ability for database adapters to register extensions to ConfigureFromEnv.php
2014-07-09 18:04:05 +12:00
Damian Mooyman
982ad569b9
Merge remote-tracking branch 'origin/3.1'
2014-04-22 12:09:51 +12:00
Damian Mooyman
997077ae83
API Security.remember_username to disable login form autocompletion
2014-04-11 09:05:25 +12:00
Daniel Hensby
ab52b677aa
FIX Log out current member when forgotten password
At the moment, if a user is logged in on a device (say, their phone) but has forgotten their password and attempts to reset it on their desktop, then opens the email on their phone, they see the reset password form *with* the CurrentPassword field. I'm not entirely sure what happens if a DIFFERENT user is currently logged in, but I think they remain logged in and you're effectively trying to change their password.
Neither scenario is ideal and (in fact) this happens a lot in the real world, as it's a legitimate complaint we're receiving from visitors to one of our clients' websites.
2014-02-28 14:27:45 +00:00
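The two commits above, "Log out current member when forgotten password" and the CVE-2019-12203 session fixation fix in the "change password" form, both concern the same weakness: a password reset link that authorises the member inside whatever session the browser already carries. The following is an added example that models that sequence and the fix; it is not SilverStripe code, and the session store, handler names (`click_reset_link_vulnerable`, `click_reset_link_fixed`, `submit_new_password`) and the attack driver are hypothetical, written only to make the attacker-first race and its mitigation concrete.

```python
"""Constructed model of session fixation in a password reset flow.

Added example, not SilverStripe code: every class and function here is
hypothetical and exists only to show why the reset handler must discard
the inbound session and bind the reset to a freshly issued id.
"""
import secrets


class SessionStore:
    """In-memory stand-in for a server-side session backend (hypothetical)."""

    def __init__(self):
        self.sessions = {}  # session id -> session data

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def data(self, sid):
        # Only ids this server issued are live; an unknown id has no session
        return self.sessions.get(sid)

    def destroy(self, sid):
        self.sessions.pop(sid, None)


def issue_reset_token(reset_tokens, member):
    """Stands in for the single-use token carried in the reset email."""
    token = secrets.token_urlsafe(16)
    reset_tokens[token] = member
    return token


def click_reset_link_vulnerable(store, reset_tokens, sid, token):
    """Before the fix: the link authorises the reset inside whatever session
    the browser already carries, even one an attacker planted there."""
    member = reset_tokens.pop(token)
    store.data(sid)["reset_member"] = member
    return sid  # the browser keeps the same, attacker-known id


def click_reset_link_fixed(store, reset_tokens, sid, token):
    """After the fix: drop the inbound session (logging out whoever was in it)
    and bind the reset to a fresh id the attacker never saw."""
    member = reset_tokens.pop(token)
    store.destroy(sid)
    fresh = store.new_session()
    store.data(fresh)["reset_member"] = member
    return fresh


def submit_new_password(store, users, sid, new_password):
    """The change-password form. Only a session the reset link authorised may
    set a password, and the authorisation is consumed on first use."""
    session = store.data(sid)
    if not session or "reset_member" not in session:
        return False
    users[session.pop("reset_member")] = new_password
    return True


def run_attack(click_reset_link):
    """Plays the sequence from the advisory and reports who got to reset."""
    store, users, reset_tokens = SessionStore(), {"victim": "original"}, {}
    # 1. attacker obtains a valid session id from the server themselves...
    planted = store.new_session()
    store.data(planted)["member"] = "attacker"  # ...possibly logged in as themselves
    # 2. ...and plants it in the victim's browser (physical access or XSS)
    victim_cookie = planted
    # 3. victim requests a reset and clicks the emailed link with that cookie
    token = issue_reset_token(reset_tokens, "victim")
    victim_cookie = click_reset_link(store, reset_tokens, victim_cookie, token)
    # 4. attacker submits the change-password form with the planted id first
    attacker_reset = submit_new_password(store, users, planted, "attacker-chosen")
    # 5. the victim submits their own choice afterwards
    victim_reset = submit_new_password(store, users, victim_cookie, "victim-chosen")
    return {
        "attacker_reset": attacker_reset,
        "victim_reset": victim_reset,
        "planted_session_alive": store.data(planted) is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(click_reset_link_vulnerable))
    print("fixed:     ", run_attack(click_reset_link_fixed))
```

With the vulnerable handler the attacker's submission wins and the victim's own attempt is refused because the single-use authorisation is already spent; with the fixed handler the planted session is gone (which also logs out any member who was signed in on that device), the attacker's submission is rejected, and only the victim's fresh session can set the password.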
micmania1
229bea399b
added logout url to Security and deprecated Security::set_login_url in favour of config
2013-12-20 21:55:54 +00:00
Ingo Schommer
f29d51f433
Merge remote-tracking branch 'origin/3.1'
Conflicts:
docs/en/reference/dataobject.md
lang/es.yml
2013-12-19 20:23:09 +01:00
Ingo Schommer
23371b01aa
"lost password" translation master (fixes #2725)
2013-12-19 20:00:59 +01:00
Andrew Short
bedf292612
Merge branch '3.1'
Conflicts:
docs/en/reference/execution-pipeline.md
lang/nl.yml
2013-11-11 18:18:25 +11:00