mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
70 lines
7.1 KiB
Markdown
70 lines
7.1 KiB
Markdown
# 3.2.4
|
|
|
|
## Upgrading
|
|
|
|
`LoginForm` no longer disables CSRF protection. This may cause regressions on sites that statically publish pages with
|
|
login forms or other changes. To re-enable this, you'll need to use the `Injector` to create a custom login form.
|
|
|
|
Define a login form:
|
|
|
|
```php
|
|
class CustomLoginForm extends MemberLoginForm {
|
|
|
|
public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true)
|
|
{
|
|
parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);
|
|
|
|
$this->disableSecurityToken();
|
|
}
|
|
|
|
}
|
|
```
|
|
|
|
Add this to mysite/_config/config.yml
|
|
|
|
```yaml
|
|
Injector:
|
|
MemberLoginForm:
|
|
class: CustomLoginForm
|
|
```
|
|
|
|
<!--- Changes below this line will be automatically regenerated -->
|
|
|
|
## Change Log
|
|
|
|
### Security
|
|
|
|
* 2016-04-18 [3c0f2e8](https://github.com/silverstripe/silverstripe-framework/commit/3c0f2e8e11a1bead64d869854b9dfc0f80e7579a) Add CSFR protection to tree reorganise (Daniel Hensby) - See [ss-2015-029](http://www.silverstripe.org/download/security-releases/ss-2015-029)
|
|
* 2016-04-18 [a24c826](https://github.com/silverstripe/silverstripe-framework/commit/a24c8260b1d048dc6a0836eb1be9a1ca2056e770) Store current page IDs as ints (Daniel Hensby) - See [ss-2016-004](http://www.silverstripe.org/download/security-releases/ss-2016-004)
|
|
* 2016-04-18 [1ccd392](https://github.com/silverstripe/silverstripe-framework/commit/1ccd3926e3dcecaa5c1b4f26a390d9eacc24a893) Properly check backurl on CMSSecurity@success (Daniel Hensby) - See [ss-2016-001](http://www.silverstripe.org/download/security-releases/ss-2016-001)
|
|
* 2016-04-18 [f32c893](https://github.com/silverstripe/silverstripe-framework/commit/f32c893546340c8c279fd1ab6d4269e9d6539bc2) Apply brute force protection to default admin (Daniel Hensby) - See [ss-2016-005](http://www.silverstripe.org/download/security-releases/ss-2016-005)
|
|
* 2016-04-18 [a6bd22a](https://github.com/silverstripe/silverstripe-framework/commit/a6bd22ab2f3b11a054d20be13306a19089510989) dont disable XSS for login forms (Daniel Hensby) - See [ss-2016-006](http://www.silverstripe.org/download/security-releases/ss-2016-006)
|
|
* 2016-02-17 [37059eb](https://github.com/silverstripe/silverstripe-framework/commit/37059eb6b3546f304e9c031abca0f096ddb175c6) Hostname, IP and Protocol Spoofing through HTTP Headers (Ingo Schommer) - See [ss-2016-003](http://www.silverstripe.org/download/security-releases/ss-2016-003)
|
|
* 2016-02-17 [5d2fc0d](https://github.com/silverstripe/silverstripe-framework/commit/5d2fc0d7cac4ce686f7ae05c1a7b1ad8c01711a8) Block unauthenticated access to dev/build/defaults (Damian Mooyman) - See [ss-2015-028](http://www.silverstripe.org/download/security-releases/ss-2015-028)
|
|
* 2016-02-17 [013524a](https://github.com/silverstripe/silverstripe-framework/commit/013524af5069bb0cf909853f04418d9bef56d18c) Ensure Gridfield actions respect CSRF (Damian Mooyman) - See [ss-2016-002](http://www.silverstripe.org/download/security-releases/ss-2016-002)
|
|
|
|
### Bugfixes
|
|
|
|
* 2016-04-24 [fde6376](https://github.com/silverstripe/silverstripe-framework/commit/fde6376996dbaba31601065869c60676845eeb85) Admin bloacklisted messages using correct $.inArray check (Daniel Hensby)
|
|
* 2016-04-12 [36283b8](https://github.com/silverstripe/silverstripe-framework/commit/36283b86d5305cc2c5d4823e54972cd301978389) Stop "success" message showing in CMS (Daniel Hensby)
|
|
* 2016-03-31 [6ec2656](https://github.com/silverstripe/silverstripe-framework/commit/6ec26562019454483db79132a5c076cfa87dfe34) fix ErrorControlChain causing errors to be displayed if display_errors in php.ini is false (Damian Mooyman)
|
|
* 2016-03-28 [aeb4aa9](https://github.com/silverstripe/silverstripe-framework/commit/aeb4aa9565dfcd251f527362518e5c8be1df7e02) Dont allow plain text friendly errors (Daniel Hensby)
|
|
* 2016-03-27 [5ede516](https://github.com/silverstripe/silverstripe-framework/commit/5ede516c771055d09a1578e1598ac0ec58a28f5e) GridField::FieldHolder() should not attempt to parse shortcodes (fixes #5129) (Loz Calver)
|
|
* 2016-03-21 [9d62d9d](https://github.com/silverstripe/silverstripe-cms/commit/9d62d9d3818d6acfc08a98b5e0fcaf255295f70f) Link tracking not escaping `#` Fixes #1409 (Daniel Hensby)
|
|
* 2016-03-21 [5f8356d](https://github.com/silverstripe/silverstripe-framework/commit/5f8356d6868be9035c4b2a4d00d04c14ab34e4e4) Fix File::getRelativePath() failing if parent folder is renamed (Damian Mooyman)
|
|
* 2016-03-18 [add2ecd](https://github.com/silverstripe/silverstripe-framework/commit/add2ecdf8bb977a0234cf773b578eae9872a0d28) Parameter tokens now redirect to correct url if mod_rewrite is off (Daniel Hensby)
|
|
* 2016-03-18 [57cfe3c](https://github.com/silverstripe-labs/silverstripe-reports/commit/57cfe3c66a5d67e88bbb1d4150329c6d4841f683) Bad joining of links in reports (Daniel Hensby)
|
|
* 2016-03-10 [bc31d9c](https://github.com/silverstripe/silverstripe-cms/commit/bc31d9ca9c667ba9015e35d5eae20158056a7b7c) Use `Controller::join_links()` in Reports (Daniel Hensby)
|
|
* 2016-03-08 [0364204](https://github.com/silverstripe/silverstripe-cms/commit/036420470da5def5c8e45c94601d3494273d476c) Incorrect title attribute on CMS tabs (Loz Calver)
|
|
* 2016-03-07 [aa57427](https://github.com/silverstripe/silverstripe-framework/commit/aa57427874f0115c2c188dfc821ba09bf467d241) Don't install imagick on php 5.3 (Damian Mooyman)
|
|
* 2016-03-07 [86b1c8f](https://github.com/silverstripe/silverstripe-framework/commit/86b1c8fc2849e8f65f473286a3b2d09f4b76eaf7) file sync removes folders with dot in name (Jonathon Menz)
|
|
* 2016-03-07 [6a22454](https://github.com/silverstripe/silverstripe-framework/commit/6a2245474d0d6c13d52a9a5104ac8ac3e8fd68a2) Fix FulltextsearchEnable (Damian Mooyman)
|
|
* 2016-03-01 [2079844](https://github.com/silverstripe/silverstripe-framework/commit/2079844647e8422e600cb7c820e624a0a108bd07) fixes "Uncaught ImagickException: Can not process empty Imagick object" when deleting an image (Ryan McLaren)
|
|
* 2016-03-01 [817b836](https://github.com/silverstripe/silverstripe-framework/commit/817b83687028894574ba5a8e8ee8f3af21f23188) getIP from behind a load-balancer that adds many IPs to the header (Daniel Hensby)
|
|
* 2016-02-26 [bd48d89](https://github.com/silverstripe/silverstripe-framework/commit/bd48d89642a259e0a4c93ab2a686bc45b2ac3bc4) undeclared constant issue (Daniel Hensby)
|
|
* 2016-02-26 [cc95703](https://github.com/silverstripe/silverstripe-framework/commit/cc95703b18187b3940f02380f8e5667d61345660) Fix regressions in missing CSRF on print button (Damian Mooyman)
|
|
* 2016-02-25 [3dc0d0e](https://github.com/silverstripe/silverstripe-framework/commit/3dc0d0ee89cba6b780c8770a94490c60a5b52745) Fix regression in gridfield get actions (Damian Mooyman)
|
|
* 2016-02-22 [65a0981](https://github.com/silverstripe/silverstripe-framework/commit/65a0981c0895bd92bcc020ef433b04e0de6ab05c) Correct behaviour of publish with $createNewVersion = true (Damian Mooyman)
|
|
* 2016-02-16 [644c807](https://github.com/silverstripe/silverstripe-cms/commit/644c8070311e82d35c39c6e1f0d37cc8aba53665) Use correct formaction for doRollback exemption #1378 (Andrew Aitken-Fincham)
|
|
* 2015-01-08 [adf0f10](https://github.com/silverstripe/silverstripe-framework/commit/adf0f102cc7a04cf8fcac8743801d48214118cad) Fixes CMS errors when viewing history on "Deleted" pages. (Russell Michell)
|