3.0.3 provides security fixes, bugfixes and a number of minor enhancements since 3.0.2.
Upgrading from 3.0.x should be a straightforward matter of dropping in the new release, with the exception noted below.
Impact of the upgrade:
- Reset password email links generated prior to 3.0.3 will cease to work.
- Users who use the "remember me" login feature will have to log in again.
API changes related to the below security patch:
- Member::generateAutologinHash is deprecated. You can no longer get the autologin token from Member. Instead use the return value of Member::generateAutologinTokenAndStoreHash and do not persist it.
- Member object as the first parameter. The password reset URL GET parameters have changed from only h (for hash) to m (for member ID) and t (for plaintext token).
- RandomGenerator::generateHash will be deprecated with 3.1. Rename the function call to
Security: Hash autologin tokens before storing in the database.
Autologin tokens (remember me and reset password) are stored in the database as plain text. If an attacker obtained the database, they would be able to gain access to accounts that have requested a password change or have "remember me" enabled.
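The scheme this fix describes, sketched as an added example that is not SilverStripe's own code: the plaintext token travels only in the link (with the member ID), the database keeps a hash, and validation re-hashes what the client presents. The function names, the SHA-256 digest, the in-memory array standing in for the member table, the expiry and the single-use behaviour are all assumptions.

```php
<?php
// Added illustration, not SilverStripe's code. $store stands in for the
// member table; SHA-256 and every function name here are assumptions.

/** Create a token, persist only its hash and expiry, return the plaintext once. */
function issueResetToken(array &$store, int $memberId, int $ttl = 7200): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $store[$memberId] = [
        'hash'    => hash('sha256', $token),     // only the digest is stored
        'expires' => time() + $ttl,
    ];
    return $token;                               // caller must not persist this
}

/** Build the reset link with m (member ID) and t (plaintext token). */
function passwordResetLink(string $base, int $memberId, string $token): string
{
    return $base . '?' . http_build_query(['m' => $memberId, 't' => $token]);
}

/** Look the member up by ID, hash the presented token, compare in constant time. */
function validateResetToken(array &$store, int $memberId, string $token): bool
{
    $row = $store[$memberId] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return false;
    }
    if (!hash_equals($row['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($store[$memberId]);                    // assumption: burn on first use
    return true;
}

// Constructed walk-through: member 42 requests a reset.
$store = [];
$token = issueResetToken($store, 42);
echo passwordResetLink('https://example.test/reset', 42, $token), "\n";

// A database dump exposes only the digest. Try the stolen digest as a token,
// then the real token from the e-mail, then a replay of that same token.
$leaked = $store[42]['hash'];
var_dump(validateResetToken($store, 42, $leaked));
var_dump(validateResetToken($store, 42, $token));
var_dump(validateResetToken($store, 42, $token));
```

Because stored values are now digests of the tokens rather than the tokens themselves, links and cookies issued before the upgrade no longer match, which is the upgrade impact listed at the top of these notes.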
- 2012-11-16 0dd97a3 Form#loadDataFrom 2nd arg now sets how existing field data is merged with new data (Hamish Friedlander)
- 2012-11-08 a8b0e44 Hash autologin tokens before storing in the database. (Mateusz Uzdowski)
- 2012-11-16 7315be4 default values from DataObject not showing in GridField details form (Hamish Friedlander)
- 2012-11-15 78ab9d3 Video embed from Add Media Feature no longer works (open #8033) (stojg)
- 2012-11-09 05a44e8 Correct branch for Travis build status image (Ingo Schommer)