silverstripe-framework/docs/en/04_Changelogs/3.2.4.md
2016-05-11 13:41:02 +12:00

7.1 KiB

3.2.4

Upgrading

LoginForm no longer disables CSRF protection. This may cause regressions on sites that statically publish pages with login forms or other changes. To re-enable this, you'll need to use the Injector to create a custom login form.

Define a login form:

class CustomLoginForm extends MemberLoginForm {

	public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true)
	{
		parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);

		$this->disableSecurityToken();
	}

}

Add this to mysite/_config/config.yml

Injector:
  MemberLoginForm:
    class: CustomLoginForm

Change Log

Security

  • 2016-04-18 3c0f2e8 Add CSFR protection to tree reorganise (Daniel Hensby) - See ss-2015-029
  • 2016-04-18 a24c826 Store current page IDs as ints (Daniel Hensby) - See ss-2016-004
  • 2016-04-18 1ccd392 Properly check backurl on CMSSecurity@success (Daniel Hensby) - See ss-2016-001
  • 2016-04-18 f32c893 Apply brute force protection to default admin (Daniel Hensby) - See ss-2016-005
  • 2016-04-18 a6bd22a dont disable XSS for login forms (Daniel Hensby) - See ss-2016-006
  • 2016-02-17 37059eb Hostname, IP and Protocol Spoofing through HTTP Headers (Ingo Schommer) - See ss-2016-003
  • 2016-02-17 5d2fc0d Block unauthenticated access to dev/build/defaults (Damian Mooyman) - See ss-2015-028
  • 2016-02-17 013524a Ensure Gridfield actions respect CSRF (Damian Mooyman) - See ss-2016-002

Bugfixes

  • 2016-04-24 fde6376 Admin bloacklisted messages using correct $.inArray check (Daniel Hensby)
  • 2016-04-12 36283b8 Stop "success" message showing in CMS (Daniel Hensby)
  • 2016-03-31 6ec2656 fix ErrorControlChain causing errors to be displayed if display_errors in php.ini is false (Damian Mooyman)
  • 2016-03-28 aeb4aa9 Dont allow plain text friendly errors (Daniel Hensby)
  • 2016-03-27 5ede516 GridField::FieldHolder() should not attempt to parse shortcodes (fixes #5129) (Loz Calver)
  • 2016-03-21 9d62d9d Link tracking not escaping # Fixes #1409 (Daniel Hensby)
  • 2016-03-21 5f8356d Fix File::getRelativePath() failing if parent folder is renamed (Damian Mooyman)
  • 2016-03-18 add2ecd Parameter tokens now redirect to correct url if mod_rewrite is off (Daniel Hensby)
  • 2016-03-18 57cfe3c Bad joining of links in reports (Daniel Hensby)
  • 2016-03-10 bc31d9c Use Controller::join_links() in Reports (Daniel Hensby)
  • 2016-03-08 0364204 Incorrect title attribute on CMS tabs (Loz Calver)
  • 2016-03-07 aa57427 Don't install imagick on php 5.3 (Damian Mooyman)
  • 2016-03-07 86b1c8f file sync removes folders with dot in name (Jonathon Menz)
  • 2016-03-07 6a22454 Fix FulltextsearchEnable (Damian Mooyman)
  • 2016-03-01 2079844 fixes "Uncaught ImagickException: Can not process empty Imagick object" when deleting an image (Ryan McLaren)
  • 2016-03-01 817b836 getIP from behind a load-balancer that adds many IPs to the header (Daniel Hensby)
  • 2016-02-26 bd48d89 undeclared constant issue (Daniel Hensby)
  • 2016-02-26 cc95703 Fix regressions in missing CSRF on print button (Damian Mooyman)
  • 2016-02-25 3dc0d0e Fix regression in gridfield get actions (Damian Mooyman)
  • 2016-02-22 65a0981 Correct behaviour of publish with $createNewVersion = true (Damian Mooyman)
  • 2016-02-16 644c807 Use correct formaction for doRollback exemption #1378 (Andrew Aitken-Fincham)
  • 2015-01-08 adf0f10 Fixes CMS errors when viewing history on "Deleted" pages. (Russell Michell)