silverstripe-framework/docs/en/changelogs/2.4.9.md
2012-12-04 22:47:47 +01:00

3.1 KiB

2.4.9 (2012-12-04)

Overview

This release provides security fixes to make password hashes more secure, and fixes a regression around duplicated CMS actions.

Upgrading

Impact of the upgrade:

  • Reset password email links generated prior to 2.4.9 will cease to work.
  • Users who use the "remember me" login feature will have to log in again.

API changes related security patch 22095dae:

  • Member::generateAutologinHash is deprecated. You can no longer get the autologin token from AutoLoginHash field in Member. Instead use the return value of the Member::generateAutologinTokenAndStoreHash and do not persist it.
  • Security::getPasswordResetLink now requires Member object as the first parameter. The password reset URL GET parameters have changed from only h (for hash) to m (for member ID) and t (for plaintext token).
  • RandomGenerator::generateHash will be deprecated with 3.1. Rename the function call to RandomGenerator::randomToken.

Security: Hash autologin tokens before storing in the database.

Severity: Moderate

Autologin tokens (remember me and reset password) are stored in the database as a plain text. If attacker obtained the database he would be able to gain access to accounts that have requested a password change, or have "remember me" enabled.

Details

Bugfixes

  • 2012-11-21 6eb597a ed travis.yml paths (Ingo Schommer)
  • 2012-11-21 41aec54 Consistently use FormResponse in CMS JavaScript (fixes #8036) (Ingo Schommer)
  • 2012-11-09 a2501ad ed bootstrap.php path in phpunit.xml.dist (Ingo Schommer)

Other

  • 2012-12-04 2ea9f26 Support for composer-created themes dir structure (Ingo Schommer)
  • 2012-12-04 75e58c9 More graceful handling of missing GET data in ModelAdmin (Ingo Schommer)
  • 2012-12-04 c802659 Relaxed composer version requirements so that stable releases can be created. (Sam Minnee)
  • 2012-11-28 9fa3c52 Exclude vendor/ folder from default phpunit run (Ingo Schommer)
  • 2012-11-09 3f24b0f Added README with build status (Ingo Schommer)
  • 2012-11-09 65793e2 Added travis support (Ingo Schommer)
  • 2012-11-08 f8e860f Removed .mergesources.yml, not used since the dark SVN days (Ingo Schommer)
  • 2012-11-01 157a275 Removed custom repo sources from composer.json (Ingo Schommer)
  • 2012-11-01 7abb6ec Added composer.json (Ingo Schommer)