# 4.1.3 ## Notable changes Fix [#7971](https://github.com/silverstripe/silverstripe-framework/pull/7971) introduces a subtle change of behaviour to how `Config` settings are prioritised. In SilverStripe 4 there was a change where `Extension` objects took the highest importance when determining Config values; this was deemed to be unexpected and unintuitive as well as making it cumbersome and difficult for developers to override module defaults defined in `Extension`s. This change reverts behaviour to that of SilverStripe 3 where `Extension` instances are of lowest importance and are used only to set a default value. If you rely on your `Extension` or module providing an overriding config value, please move this to yaml. ## Change Log ### Security * 2018-11-06 [6cb1bf5](https://github.com/silverstripe/silverstripe-admin/commit/6cb1bf53a6fd5b54b6f7bbe7a1d7b939e176cf53) Add CSRF protection (Aaron Carlino) - See [ss-2018-007](https://www.silverstripe.org/download/security-releases/ss-2018-007) * 2018-08-21 [af000be](https://github.com/silverstripe/silverstripe-framework/commit/af000bea9b16ea553cae7f7f662f74ab8dc343df) Add confirmation token to dev/build (Loz Calver) - See [ss-2018-019](https://www.silverstripe.org/download/security-releases/ss-2018-019) * 2018-07-29 [5425195](https://github.com/silverstripe/silverstripe-framework/commit/54251952387394d72b221e797a80edfbf9a973ee) Ignore arguments in mysqli::real_connect backtrace calls (Robbie Averill) - See [ss-2018-018](https://www.silverstripe.org/download/security-releases/ss-2018-018) ### Features and Enhancements * 2018-04-18 [fef734b](https://github.com/silverstripe/recipe-core/commit/fef734b5484d86f5afd4e857c556b8c1d8d66c16) Provide default IIS rewriting rules with recipe (Damian Mooyman) ### Bugfixes * 2018-10-24 [e72fc9e](https://github.com/silverstripe/silverstripe-framework/commit/e72fc9e3d0f35a1d43f55f83f9919f67d72fb7cb) DataObject singleton creation (#8516) (Sam Minnée) * 2018-09-18 [bbe7c66](https://github.com/silverstripe/silverstripe-asset-admin/commit/bbe7c660cf40d4c942eaf6e76755eeaf46c63471) Add `AssetAdmin::getMinimalistObjectFromData()` to build file metadata for UploadField (#829) (Maxime Rainville) * 2018-09-13 [5c102de](https://github.com/silverstripe/silverstripe-cms/commit/5c102decbde43395e14aeff83a20c4c6f1d048ae) Improve performance of CMSMain::getArchiveWarningMessage (#2231) (Maxime Rainville) * 2018-09-03 [1c4311d](https://github.com/silverstripe/silverstripe-asset-admin/commit/1c4311d4e6548600272daa0ce83afa12cf7e99c3) description for docs.silverstripe.org (wernerkrauss) * 2018-09-03 [b922c0d](https://github.com/silverstripe/silverstripe-framework/commit/b922c0d7327b5d0222dd280afcb64f83a09ea859) Check scheme is truthy before setting it to the request (Robbie Averill) * 2018-08-28 [d651d0f](https://github.com/silverstripe/silverstripe-framework/commit/d651d0fbfcababeaf317b27cb00b4f33b9d99eab) Use base class (not remapping target class) when looking up whether object is versioned (Robbie Averill) * 2018-08-27 [4da5569](https://github.com/silverstripe/silverstripe-framework/commit/4da5569232505ee574e0b5106ff2116611393aa4) ensure createFromVariables takes correct params on CLIRequestBuilder (Scott Hutchinson) * 2018-08-15 [0c713b5](https://github.com/silverstripe/silverstripe-assets/commit/0c713b5b1eb6a08ac00dcadb187b8b3ef7115fc4) Fix routing for files with dots in filename (Damian Mooyman) * 2018-08-14 [27ac001](https://github.com/silverstripe/silverstripe-framework/commit/27ac001d5b27cce4f80ce4b3335c14708b116830) email rendering should not include requirements (Thomas Portelange) * 2018-08-14 [8ec551e](https://github.com/silverstripe/silverstripe-cms/commit/8ec551e57b04d00d6897d06c2779557f0ec8109d) Broken "show as list" (#2232) (Maxime Rainville) * 2018-07-26 [fea9ef7](https://github.com/silverstripe/silverstripe-admin/commit/fea9ef7d2a53904086f9fad6eedba7bb307c8578) #579 BUG Ambiguous column RecordID when doing batch actions (Ed Linklater) * 2018-07-14 [a0e0bed](https://github.com/silverstripe/recipe-core/commit/a0e0bed7e7fe83b98264563efdeffa82d0d01d04) Use Injector to create PasswordValidators (Daniel Hensby) * 2018-07-14 [8703839](https://github.com/silverstripe/silverstripe-framework/commit/8703839eb142ba0414f4d84f885ff898c39d6786) updateValidatePassword calls need to be masked from backtraces (Daniel Hensby) * 2018-07-12 [e80c7e7](https://github.com/silverstripe/silverstripe-cms/commit/e80c7e712b916712d4ec7b6b8359ccf71dc9da04) Restore button now has warning colour and correct icon (Robbie Averill) * 2018-07-12 [d122995](https://github.com/silverstripe/silverstripe-framework/commit/d1229956523d69f63c9e725b261c0142d5ee1de3) Duplicate config values for cascade_duplicates no longer duplicate their duplicates (Robbie Averill) * 2018-06-19 [725212a](https://github.com/silverstripe/silverstripe-framework/commit/725212a707f6b724aff6548c3680b2cd66e9a6bb) Allow dispatcher in Embed to be configured with injector (#8192) (Robbie Averill) * 2018-06-13 [932eb2b](https://github.com/silverstripe/silverstripe-cms/commit/932eb2b22dfe6c30473b1cf973661c28c5b9c635) Fix CMS components failing to register on other CMS sections (#2182) (Damian Mooyman) * 2018-05-21 [bf5b578](https://github.com/silverstripe/silverstripe-admin/commit/bf5b5787685765c35c175c303f3f7ee719ac9453) Adding a min-width to flexbox-area-grow that allows flex blocks to shrink below their content width (Guy) * 2018-05-18 [9531535](https://github.com/silverstripe/silverstripe-framework/commit/953153500d490f5b5abf7283c34242c3b22a855a) Polymorphic relationship class columns have obsolete class names remapped (Robbie Averill) * 2018-05-08 [97a8f56](https://github.com/silverstripe/silverstripe-admin/commit/97a8f56c43ddb3c77a5bbc452755d44afb9a9472) Add missing focus styles for preview options (fixes silverstripe/silverstripe-framework #2101) (Loz Calver) * 2018-03-29 [4acec33](https://github.com/silverstripe/silverstripe-framework/commit/4acec33562e4e1230092eee7d76c2b8061ffc914) Fixed bug in config merging priorities so that config values set by extensions are now least important instead of most important (Daniel Hensby)