silverstripe-framework/docs/en/04_Changelogs/3.1.19.md

3.1.19

Upgrading

LoginForm no longer disables CSRF protection. This may cause regressions on sites that statically publish pages with login forms or other changes. To re-enable this, you'll need to use the Injector to create a custom login form.

Define a login form:

class CustomLoginForm extends MemberLoginForm {

	public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true)
	{
		parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);

		$this->disableSecurityToken();
	}

}

Add this to mysite/_config/config.yml

Injector:
  MemberLoginForm:
    class: CustomLoginForm

Change Log

Security

• 2016-04-18 3c0f2e8 Add CSFR protection to tree reorganise (Daniel Hensby) - See ss-2015-029
• 2016-04-18 a24c826 Store current page IDs as ints (Daniel Hensby) - See ss-2016-004
• 2016-04-18 1ccd392 Properly check backurl on CMSSecurity@success (Daniel Hensby) - See ss-2016-001
• 2016-04-18 f32c893 Apply brute force protection to default admin (Daniel Hensby) - See ss-2016-005
• 2016-04-18 a6bd22a dont disable XSS for login forms (Daniel Hensby) - See ss-2016-006

Bugfixes

• 2016-04-24 fde6376 Admin bloacklisted messages using correct $.inArray check (Daniel Hensby)
• 2016-04-12 36283b8 Stop "success" message showing in CMS (Daniel Hensby)
• 2016-03-31 6ec2656 fix ErrorControlChain causing errors to be displayed if display_errors in php.ini is false (Damian Mooyman)
• 2016-03-18 add2ecd Parameter tokens now redirect to correct url if mod_rewrite is off (Daniel Hensby)
• 2016-03-10 bc31d9c Use Controller::join_links() in Reports (Daniel Hensby)
• 2016-03-08 0364204 Incorrect title attribute on CMS tabs (Loz Calver)
• 2016-03-01 817b836 getIP from behind a load-balancer that adds many IPs to the header (Daniel Hensby)
• 2015-01-08 adf0f10 Fixes CMS errors when viewing history on "Deleted" pages. (Russell Michell)