silverstripe-framework/docs/en/04_Changelogs/3.1.19.md

# 3.1.19

## Upgrading

`LoginForm` no longer disables CSRF protection. This may cause regressions on sites that statically publish pages with
login forms or other changes. To re-enable this, you'll need to use the `Injector` to create a custom login form.

Define a login form:

```php
class CustomLoginForm extends MemberLoginForm {

	public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true)
	{
		parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);

		$this->disableSecurityToken();
	}

}
```

Add this to mysite/_config/config.yml

```yaml
Injector:
  MemberLoginForm:
    class: CustomLoginForm
```

<!--- Changes below this line will be automatically regenerated -->

## Change Log

### Security

 * 2016-04-18 [3c0f2e8](https://github.com/silverstripe/silverstripe-framework/commit/3c0f2e8e11a1bead64d869854b9dfc0f80e7579a) Add CSFR protection to tree reorganise (Daniel Hensby) - See [ss-2015-029](http://www.silverstripe.org/download/security-releases/ss-2015-029)
 * 2016-04-18 [a24c826](https://github.com/silverstripe/silverstripe-framework/commit/a24c8260b1d048dc6a0836eb1be9a1ca2056e770) Store current page IDs as ints (Daniel Hensby) - See [ss-2016-004](http://www.silverstripe.org/download/security-releases/ss-2016-004)
 * 2016-04-18 [1ccd392](https://github.com/silverstripe/silverstripe-framework/commit/1ccd3926e3dcecaa5c1b4f26a390d9eacc24a893) Properly check backurl on CMSSecurity@success (Daniel Hensby) - See [ss-2016-001](http://www.silverstripe.org/download/security-releases/ss-2016-001)
 * 2016-04-18 [f32c893](https://github.com/silverstripe/silverstripe-framework/commit/f32c893546340c8c279fd1ab6d4269e9d6539bc2) Apply brute force protection to default admin (Daniel Hensby) - See [ss-2016-005](http://www.silverstripe.org/download/security-releases/ss-2016-005)
 * 2016-04-18 [a6bd22a](https://github.com/silverstripe/silverstripe-framework/commit/a6bd22ab2f3b11a054d20be13306a19089510989) dont disable XSS for login forms (Daniel Hensby) - See [ss-2016-006](http://www.silverstripe.org/download/security-releases/ss-2016-006)

### Bugfixes

 * 2016-04-24 [fde6376](https://github.com/silverstripe/silverstripe-framework/commit/fde6376996dbaba31601065869c60676845eeb85) Admin bloacklisted messages using correct $.inArray check (Daniel Hensby)
 * 2016-04-12 [36283b8](https://github.com/silverstripe/silverstripe-framework/commit/36283b86d5305cc2c5d4823e54972cd301978389) Stop "success" message showing in CMS (Daniel Hensby)
 * 2016-03-31 [6ec2656](https://github.com/silverstripe/silverstripe-framework/commit/6ec26562019454483db79132a5c076cfa87dfe34) fix ErrorControlChain causing errors to be displayed if display_errors in php.ini is false (Damian Mooyman)
 * 2016-03-18 [add2ecd](https://github.com/silverstripe/silverstripe-framework/commit/add2ecdf8bb977a0234cf773b578eae9872a0d28) Parameter tokens now redirect to correct url if mod_rewrite is off (Daniel Hensby)
 * 2016-03-10 [bc31d9c](https://github.com/silverstripe/silverstripe-cms/commit/bc31d9ca9c667ba9015e35d5eae20158056a7b7c) Use `Controller::join_links()` in Reports (Daniel Hensby)
 * 2016-03-08 [0364204](https://github.com/silverstripe/silverstripe-cms/commit/036420470da5def5c8e45c94601d3494273d476c) Incorrect title attribute on CMS tabs (Loz Calver)
 * 2016-03-01 [817b836](https://github.com/silverstripe/silverstripe-framework/commit/817b83687028894574ba5a8e8ee8f3af21f23188) getIP from behind a load-balancer that adds many IPs to the header (Daniel Hensby)
 * 2015-01-08 [adf0f10](https://github.com/silverstripe/silverstripe-framework/commit/adf0f102cc7a04cf8fcac8743801d48214118cad) Fixes CMS errors when viewing history on "Deleted" pages. (Russell Michell)