# 3.2.4

## Upgrading

`LoginForm` no longer disables CSRF protection. This may cause regressions on sites that statically publish pages with
login forms or other changes. To re-enable this, you'll need to use the `Injector` to create a custom login form.

Define a login form:

```php
use SilverStripe\Security\MemberAuthenticator\MemberLoginForm;

class CustomLoginForm extends MemberLoginForm 
{

    public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true)
    {
        parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);

        $this->disableSecurityToken();
    }

}
```

Add this to mysite/_config/config.yml

```yaml
Injector:
  MemberLoginForm:
    class: CustomLoginForm
```

<!--- Changes below this line will be automatically regenerated -->

## Change Log

### Security

 * 2016-04-18 [3c0f2e8](https://github.com/silverstripe/silverstripe-framework/commit/3c0f2e8e11a1bead64d869854b9dfc0f80e7579a) Add CSFR protection to tree reorganise (Daniel Hensby) - See [ss-2015-029](http://www.silverstripe.org/download/security-releases/ss-2015-029)
 * 2016-04-18 [a24c826](https://github.com/silverstripe/silverstripe-framework/commit/a24c8260b1d048dc6a0836eb1be9a1ca2056e770) Store current page IDs as ints (Daniel Hensby) - See [ss-2016-004](http://www.silverstripe.org/download/security-releases/ss-2016-004)
 * 2016-04-18 [1ccd392](https://github.com/silverstripe/silverstripe-framework/commit/1ccd3926e3dcecaa5c1b4f26a390d9eacc24a893) Properly check backurl on CMSSecurity@success (Daniel Hensby) - See [ss-2016-001](http://www.silverstripe.org/download/security-releases/ss-2016-001)
 * 2016-04-18 [f32c893](https://github.com/silverstripe/silverstripe-framework/commit/f32c893546340c8c279fd1ab6d4269e9d6539bc2) Apply brute force protection to default admin (Daniel Hensby) - See [ss-2016-005](http://www.silverstripe.org/download/security-releases/ss-2016-005)
 * 2016-04-18 [a6bd22a](https://github.com/silverstripe/silverstripe-framework/commit/a6bd22ab2f3b11a054d20be13306a19089510989) dont disable XSS for login forms (Daniel Hensby) - See [ss-2016-006](http://www.silverstripe.org/download/security-releases/ss-2016-006)

### Bugfixes

 * 2016-04-24 [fde6376](https://github.com/silverstripe/silverstripe-framework/commit/fde6376996dbaba31601065869c60676845eeb85) Admin bloacklisted messages using correct $.inArray check (Daniel Hensby)
 * 2016-04-12 [36283b8](https://github.com/silverstripe/silverstripe-framework/commit/36283b86d5305cc2c5d4823e54972cd301978389) Stop "success" message showing in CMS (Daniel Hensby)
 * 2016-03-31 [6ec2656](https://github.com/silverstripe/silverstripe-framework/commit/6ec26562019454483db79132a5c076cfa87dfe34) fix ErrorControlChain causing errors to be displayed if display_errors in php.ini is false (Damian Mooyman)
 * 2016-03-28 [aeb4aa9](https://github.com/silverstripe/silverstripe-framework/commit/aeb4aa9565dfcd251f527362518e5c8be1df7e02) Dont allow plain text friendly errors (Daniel Hensby)
 * 2016-03-27 [5ede516](https://github.com/silverstripe/silverstripe-framework/commit/5ede516c771055d09a1578e1598ac0ec58a28f5e) GridField::FieldHolder() should not attempt to parse shortcodes (fixes #5129) (Loz Calver)
 * 2016-03-21 [9d62d9d](https://github.com/silverstripe/silverstripe-cms/commit/9d62d9d3818d6acfc08a98b5e0fcaf255295f70f) Link tracking not escaping `#` Fixes #1409 (Daniel Hensby)
 * 2016-03-21 [5f8356d](https://github.com/silverstripe/silverstripe-framework/commit/5f8356d6868be9035c4b2a4d00d04c14ab34e4e4) Fix File::getRelativePath() failing if parent folder is renamed (Damian Mooyman)
 * 2016-03-18 [add2ecd](https://github.com/silverstripe/silverstripe-framework/commit/add2ecdf8bb977a0234cf773b578eae9872a0d28) Parameter tokens now redirect to correct url if mod_rewrite is off (Daniel Hensby)
 * 2016-03-18 [57cfe3c](https://github.com/silverstripe-labs/silverstripe-reports/commit/57cfe3c66a5d67e88bbb1d4150329c6d4841f683) Bad joining of links in reports (Daniel Hensby)
 * 2016-03-10 [bc31d9c](https://github.com/silverstripe/silverstripe-cms/commit/bc31d9ca9c667ba9015e35d5eae20158056a7b7c) Use `Controller::join_links()` in Reports (Daniel Hensby)
 * 2016-03-08 [0364204](https://github.com/silverstripe/silverstripe-cms/commit/036420470da5def5c8e45c94601d3494273d476c) Incorrect title attribute on CMS tabs (Loz Calver)
 * 2016-03-07 [aa57427](https://github.com/silverstripe/silverstripe-framework/commit/aa57427874f0115c2c188dfc821ba09bf467d241) Don't install imagick on php 5.3 (Damian Mooyman)
 * 2016-03-07 [86b1c8f](https://github.com/silverstripe/silverstripe-framework/commit/86b1c8fc2849e8f65f473286a3b2d09f4b76eaf7) file sync removes folders with dot in name (Jonathon Menz)
 * 2016-03-07 [6a22454](https://github.com/silverstripe/silverstripe-framework/commit/6a2245474d0d6c13d52a9a5104ac8ac3e8fd68a2) Fix FulltextsearchEnable (Damian Mooyman)
 * 2016-03-01 [2079844](https://github.com/silverstripe/silverstripe-framework/commit/2079844647e8422e600cb7c820e624a0a108bd07) fixes "Uncaught ImagickException: Can not process empty Imagick object" when deleting an image (Ryan McLaren)
 * 2016-03-01 [817b836](https://github.com/silverstripe/silverstripe-framework/commit/817b83687028894574ba5a8e8ee8f3af21f23188) getIP from behind a load-balancer that adds many IPs to the header (Daniel Hensby)
 * 2016-02-26 [bd48d89](https://github.com/silverstripe/silverstripe-framework/commit/bd48d89642a259e0a4c93ab2a686bc45b2ac3bc4) undeclared constant issue (Daniel Hensby)
 * 2016-02-26 [cc95703](https://github.com/silverstripe/silverstripe-framework/commit/cc95703b18187b3940f02380f8e5667d61345660) Fix regressions in missing CSRF on print button (Damian Mooyman)
 * 2016-02-25 [3dc0d0e](https://github.com/silverstripe/silverstripe-framework/commit/3dc0d0ee89cba6b780c8770a94490c60a5b52745) Fix regression in gridfield get actions (Damian Mooyman)
 * 2016-02-22 [65a0981](https://github.com/silverstripe/silverstripe-framework/commit/65a0981c0895bd92bcc020ef433b04e0de6ab05c) Correct behaviour of publish with $createNewVersion = true (Damian Mooyman)
 * 2016-02-16 [644c807](https://github.com/silverstripe/silverstripe-cms/commit/644c8070311e82d35c39c6e1f0d37cc8aba53665) Use correct formaction for doRollback exemption #1378 (Andrew Aitken-Fincham)
 * 2015-01-08 [adf0f10](https://github.com/silverstripe/silverstripe-framework/commit/adf0f102cc7a04cf8fcac8743801d48214118cad) Fixes CMS errors when viewing history on "Deleted" pages. (Russell Michell)