1165 Commits

Author SHA1 Message Date
Serge Latyntcev
a86093fee6 [CVE-2019-12203] Session fixation in "change password" form
A potential account hijacking may happen if an attacker has physical access to the
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
2019-09-24 10:57:40 +12:00
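The scenario the commit message describes, as an added illustration (this is not SilverStripe's code and not the fix in the commit): the attacker fixes a session ID in the victim's browser, the victim later clicks the emailed reset link, and if the handler records "reset authorised" in that shared session, the attacker's browser holds the same authority. The hardened variant rotates the session ID at the moment the emailed token is consumed, so the only session allowed to submit the new password is one the attacker never saw. `SessionStore`, `ResetFlow`, the user table and the `rotate_session` switch are all constructed for this example.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Minimal server-side session table keyed by session ID (constructed)."""

    def __init__(self):
        self.sessions = {}

    def start(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)

    def regenerate(self, old_sid):
        """Move the session data under a fresh ID and retire the old one
        (the same effect as PHP's session_regenerate_id(true))."""
        data = self.sessions.pop(old_sid, {})
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid


class ResetFlow:
    TOKEN_TTL = 900  # seconds the emailed link stays valid

    def __init__(self, sessions, rotate_session):
        self.sessions = sessions
        self.rotate_session = rotate_session  # False = vulnerable, True = hardened
        self.users = {"alice@example.test": {"password": "old-secret"}}  # constructed
        self.pending = {}  # sha256(token) -> (email, expiry)

    def request_reset(self, email):
        """Mint a single-use token; only its hash is stored server-side."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, time.time() + self.TOKEN_TTL)
        return token  # delivered to the user by email

    def open_link(self, sid, token):
        """The victim clicks the emailed link in a browser whose cookie holds `sid`."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)
        if entry is None or entry[1] < time.time():
            return None
        email = entry[0]
        if self.sessions.get(sid) is None:
            sid = self.sessions.start()
        if self.rotate_session:
            # Hardened: the authority to change the password lives only in a
            # session ID the attacker has never seen.
            sid = self.sessions.regenerate(sid)
        self.sessions.get(sid)["reset_for"] = email
        return sid  # the browser continues with this session ID

    def submit_new_password(self, sid, new_password):
        """Second step: only a session marked by open_link() may set a password."""
        sess = self.sessions.get(sid)
        if not sess or "reset_for" not in sess:
            return False
        email = sess.pop("reset_for")
        self.users[email]["password"] = new_password  # a real system stores a hash
        return True


def run_scenario(rotate_session):
    """Attacker plants a session ID; victim consumes the link with it; attacker races."""
    sessions = SessionStore()
    flow = ResetFlow(sessions, rotate_session)
    planted = sessions.start()  # the ID the attacker fixed in the victim's browser
    token = flow.request_reset("alice@example.test")
    victim_sid = flow.open_link(planted, token)
    attacker_ok = flow.submit_new_password(planted, "attacker-chosen")
    victim_ok = flow.submit_new_password(victim_sid, "victim-chosen")
    return {"attacker": attacker_ok, "victim": victim_ok}
```

With `rotate_session=False` the attacker's submission with the planted ID succeeds and the victim's later one is refused; with `rotate_session=True` the planted ID is dead by the time the attacker uses it and only the victim's rotated session can set the password. Rotating the ID does nothing against an attacker who can still read the new cookie (the XSS case), so the rotation must be paired with removing the injection.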
Daniel Hensby
801a51d0f7
Merge branch '3.5' into 3.6 2018-06-05 16:30:20 +01:00
Robbie Averill
1cbf27e0f4
FIX PHP 5.3 compat for referencing $this in closure, and make method public for same reason
sdf
2018-06-04 16:05:49 +01:00
Robbie Averill
dae8fefb1e Merge remote-tracking branch 'origin/3.5' into 3.6 2018-05-28 17:43:55 +12:00
Damian Mooyman
5771388821 [ss-2018-001] Restrict non-admins from being assigned to admin groups 2018-05-09 15:12:40 +12:00
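The rule behind [ss-2018-001], as an added example in plain Python (not SilverStripe's implementation): a user editing group memberships must not be able to hand out ADMIN by putting someone, including themselves, into an admin group. The check here goes one step further than the commit title and refuses any assignment to a group whose permission codes the actor does not already hold, which is the general form of the same escalation. Group names, permission codes and the `Member`/`Group` classes are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Group:
    name: str
    codes: frozenset  # permission codes this group grants


@dataclass
class Member:
    email: str
    groups: set = field(default_factory=set)  # names of groups the member is in

    def permissions(self, groups):
        """Union of the codes granted by every group the member belongs to."""
        codes = set()
        for name in self.groups:
            codes |= groups[name].codes
        return codes


def sample_groups():
    """Constructed group table for the example."""
    return {
        "administrators": Group("administrators", frozenset({"ADMIN"})),
        "member-managers": Group("member-managers", frozenset({"EDIT_MEMBERS", "EDIT_CONTENT"})),
        "content-authors": Group("content-authors", frozenset({"EDIT_CONTENT"})),
    }


def can_assign(actor, target, groups):
    """May `actor` add someone (including themselves) to group `target`?

    Administrators may assign any group. Everyone else may only assign a group
    whose grants they already hold, which rules out ADMIN groups (the case in
    the commit above) and, more generally, any escalation via membership.
    """
    actor_codes = actor.permissions(groups)
    if "ADMIN" in actor_codes:
        return True
    return target.codes <= actor_codes


def assign(actor, member, group_name, groups):
    """Apply the check, then record the membership. Returns False if denied."""
    target = groups[group_name]
    if not can_assign(actor, target, groups):
        return False
    member.groups.add(group_name)
    return True
```

The check is evaluated against the actor's effective permissions, not against a "can edit members" flag, so an EDIT_MEMBERS holder can manage ordinary groups but cannot promote anyone (or themselves) into the administrators group.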
Robbie Averill
51d4d2c11e Update some phpdocs that had typos, missing parts or incorrect formats 2018-04-11 20:12:38 +12:00
Damian Mooyman
4da99efd5d
Merge remote-tracking branch 'origin/3.5' into 3.6 2018-01-31 16:03:42 +13:00
Damian Mooyman
cf69d04866
BUG Fix ping including requirements
Fixes #7802
2018-01-26 10:26:18 +13:00
Damian Mooyman
72e2326731
Merge pull request #7798 from kinglozzer/member-groupset-delete
FIX: Fix Member_GroupSet::removeAll() (fixes #3948)
2018-01-25 09:20:30 +13:00
Loz Calver
c2cd6b3832 FIX: Fix Member_GroupSet::removeAll() (fixes #3948) 2018-01-24 17:17:20 +00:00
Steve Boyd
f214cd52e0
Ensure currentUserID() returns an int
Cast $id returned from Session as an int to ensure it's never returned as a string
2018-01-23 13:37:06 +13:00
Damian Mooyman
052f11a427
Remove merge artifact 2017-12-08 11:52:48 +13:00
Damian Mooyman
d6a93f5215
Merge remote-tracking branch 'silverstripe-security/3.5' into 3.6
# Conflicts:
#	security/Member.php
2017-12-06 17:26:45 +13:00
Damian Mooyman
91cf85087b
Merge remote-tracking branch 'origin/3.5' into 3.6 2017-12-06 17:21:09 +13:00
Damian Mooyman
6ba00e829a
[ss-2017-009] Prevent disclosure of sensitive information via LoginAttempt 2017-11-30 15:53:50 +13:00
Daniel Hensby
2ad3cc07d5
FIX Update meber passwordencryption to default on password change 2017-11-23 21:17:31 +00:00
Daniel Hensby
bd7abc73de
Merge branch '3.5.5' into 3.6.2 2017-09-20 16:26:30 +01:00
Daniel Hensby
72702dbd50 Merge pull request #43 from silverstripe-security/pulls/3.5/member-enumeration-timing-attack
[SS-2017-005] User enumeration via timing attack mitigated
2017-09-20 11:39:39 +01:00
Daniel Hensby
f0262a8fd9
[SS-2017-005] User enumeration via timing attack mitigated 2017-09-20 11:33:22 +01:00
Daniel Hensby
091d99f599
FIX Authenticators are more resilient to incomplete configuration 2017-09-12 15:57:03 +01:00
Daniel Hensby
a3b72c500d
Merge branch '3.5' into 3.6 2017-08-14 12:55:09 +01:00
Loz Calver
82c0632f46
Fix: Use Config API for MemberAuthenticator::$migrate_legacy_hashes (fixes #7208) 2017-07-26 09:54:29 +01:00
Daniel Hensby
1e5592a3d9
Merge branch '3.5' into 3.6 2017-06-27 13:14:39 +01:00
Daniel Hensby
a5c84b12ab
FIX Order of conditionals for getting default admin 2017-06-12 11:54:05 +01:00
Daniel Hensby
cda7e8dc39
Merge remote-tracking branch 'security/3.5.4' into 3.6.0 2017-05-29 01:29:05 +01:00
Daniel Hensby
24166700e8
Merge remote-tracking branch 'security/3.4.6' into 3.5.4 2017-05-29 01:02:35 +01:00
Daniel Hensby
447ce0f84f
[SS-2017-002] FIX Lock out users who dont exist in the DB 2017-05-25 16:14:52 +01:00
Loz Calver
05a737c5fc Allow RandomGenerator to use random_bytes() in PHP 7 2017-04-05 11:05:28 +10:00
Joe Harvey
0d0d18612d Adding extension hooks to Member isLockedOut() and registerSuccessfulLogin() 2017-03-30 11:07:51 +01:00
Robbie Averill
2f6f5b5eff Do not send the header if it is not defined 2017-01-11 08:26:04 +13:00
Robbie Averill
cb2dcc75f1 Add X-Robots-Tag noindex,nofollow header from Security controller to prevent indexing 2017-01-09 16:13:39 +13:00
Daniel Hensby
69974d940a
Merge branch '3.3' into 3.4 2016-11-18 11:33:39 +00:00
Daniel Hensby
0ae4b57754
Merge branch '3.2' into 3.3 2016-11-18 11:32:36 +00:00
Daniel Hensby
5df077f24d
Merge branch '3.1' into 3.2 2016-11-18 11:29:19 +00:00
Daniel Hensby
8e5f786b8d
Merge branch '3.4' into 3.5.0 2016-11-15 11:43:16 +00:00
Daniel Hensby
3f4445641d
Merge branch '3.3' into 3.4 2016-11-15 11:35:38 +00:00
Daniel Hensby
c7778a1e9a
Merge branch '3.2' into 3.3 2016-11-15 11:19:27 +00:00
Daniel Hensby
06d0210233
Merge branch '3.1' into 3.2 2016-11-15 11:18:46 +00:00
Daniel Hensby
17097a4d11
[SS-2016-016] FIX Properly escape backURL for template injection 2016-11-10 17:00:03 +00:00
Daniel Hensby
5a7cde0e10
Merge branch '3.4' into 3.5.0 2016-11-09 16:14:40 +00:00
Loz Calver
6bf36fbd30
FIX: Correct return type for Member::currentUser() 2016-11-09 14:20:44 +00:00
Daniel Hensby
beeed8155a
Merge branch '3.4' into 3 2016-09-16 11:56:01 +01:00
Thomas Portelange
995d07756d cache currentUser query (#6007)
* cache currentUser query

Various modules can call Member::currentUser() many times. We can avoid querying the database multiple times. The cache is implemented as a static array inside the method and stores the data by ID, in case the currentUserID changes within the same request (not very likely, but..)
2016-09-15 15:45:40 +01:00
Daniel Hensby
3fd9fe3aa0
Merge branch '3.4' into 3 2016-09-07 09:22:06 +01:00
Daniel Hensby
060bf6b327
Merge branch '3.3' into 3.4 2016-08-22 16:22:37 +01:00
Daniel Hensby
088d88e978
Merge branch '3.2' into 3.3 2016-08-22 16:22:02 +01:00
Daniel Hensby
229a2b9217
Merge pull request #4133 from nimeso/patch-1 2016-08-22 11:52:47 +01:00
Damian Mooyman
d88516203c Merge 3.4 into 3 2016-08-15 19:05:20 +12:00
Daniel Hensby
d1163d87b7 [SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled 2016-08-15 15:52:10 +12:00
Daniel Hensby
8bbf1caae6 [SS-2016-013] FIX Uncasted member name 2016-08-15 15:52:04 +12:00