This document contains information for an outdated version and may not be maintained any more. If some of your projects still use this version, consider upgrading as soon as possible.

3.3.2

Upgrading

LoginForm no longer disables CSRF protection: the login form now carries a per-session SecurityID token like any other form. This may cause regressions on sites that statically publish (cache) pages containing login forms, because the token frozen into the cached page will not match the visitor's session and submissions will be rejected. If you need the old behaviour, use the Injector to substitute a custom login form that disables the security token. Be aware that this reverts the fix recorded as ss-2016-006 below, so prefer excluding login pages from static publishing where you can.

Define a login form (for example in mysite/code/CustomLoginForm.php):

class CustomLoginForm extends MemberLoginForm {

    public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true)
    {
        parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);

        // Restore the pre-3.3.2 behaviour: render the login form without a
        // SecurityID field so a statically published copy still submits.
        $this->disableSecurityToken();
    }

}

Then register it as the replacement for MemberLoginForm in mysite/_config/config.yml and flush the config cache (append ?flush=1 to any URL):

Injector:
  MemberLoginForm:
    class: CustomLoginForm
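Before deciding whether to apply the override above, it helps to confirm that a site is actually affected. The script below is an added example, not code from this page or from SilverStripe: it compares the login form as seen by two independent sessions (two fetches with no shared cookies, the fetch itself left to the caller) and reports whether the SecurityID value is frozen. It assumes SilverStripe's default token field name, SecurityID, and that the login form's action path contains "LoginForm" (the default is /Security/LoginForm); the HTML inputs are constructed samples.

```python
"""Pre-upgrade audit for the 3.3.2 LoginForm CSRF change.

A live-rendered form embeds a per-session SecurityID, so two sessions see
two different values. A statically published page serves one frozen value
to every visitor, which the token-checking form will reject after upgrading.
"""
from html.parser import HTMLParser

# Assumptions: SilverStripe's default CSRF field name and default login action.
TOKEN_FIELD = "SecurityID"
LOGIN_ACTION_MARKER = "LoginForm"


class _FormScanner(HTMLParser):
    """Collect, per <form>, its action and the value of any SecurityID input."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "token": str | None}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "token": None}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "hidden" and a.get("name") == TOKEN_FIELD:
                self._current["token"] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def login_form_tokens(html):
    """Return {action: token} for login forms that carry a SecurityID field."""
    scanner = _FormScanner()
    scanner.feed(html)
    return {f["action"]: f["token"] for f in scanner.forms
            if LOGIN_ACTION_MARKER in f["action"] and f["token"] is not None}


def classify(html_session_a, html_session_b):
    """Compare the login-form tokens seen by two independent sessions.

    'stale'  : same token in both -> the page is cached; after the upgrade
               every submission of this form will fail the token check.
    'live'   : tokens differ -> rendered per session; safe to upgrade as-is.
    'absent' : no SecurityID on a login form in at least one copy (e.g. the
               token is already disabled, or the page has no login form).
    """
    a = login_form_tokens(html_session_a)
    b = login_form_tokens(html_session_b)
    if not a or not b:
        return "absent"
    for action, token in a.items():
        if action in b and b[action] == token:
            return "stale"
    return "live"


# Constructed sample input (not captured from a real site): the same cached
# page as served to two visitors, and a live page rendered for each of them.
CACHED_PAGE = (
    '<form action="/Security/LoginForm" method="post">'
    '<input type="hidden" name="SecurityID" value="abc123" class="hidden" />'
    '</form>'
)
LIVE_PAGE_A = CACHED_PAGE
LIVE_PAGE_B = CACHED_PAGE.replace("abc123", "def456")

if __name__ == "__main__":
    print("cached site:", classify(CACHED_PAGE, CACHED_PAGE))   # stale
    print("live site:  ", classify(LIVE_PAGE_A, LIVE_PAGE_B))   # live
```

A "stale" result means the Injector override above (or removing the login page from the static publish) is needed; "live" means the upgraded form will work unchanged.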

Change Log

Security

  • 2016-04-18 3c0f2e8 Add CSRF protection to tree reorganise (Daniel Hensby) - See ss-2015-029
  • 2016-04-18 a24c826 Store current page IDs as ints (Daniel Hensby) - See ss-2016-004
  • 2016-04-18 1ccd392 Properly check backurl on CMSSecurity@success (Daniel Hensby) - See ss-2016-001
  • 2016-04-18 f32c893 Apply brute force protection to default admin (Daniel Hensby) - See ss-2016-005
  • 2016-04-18 a6bd22a don't disable XSS for login forms (Daniel Hensby) - See ss-2016-006

Bugfixes

  • 2016-05-01 2a5ba39 Fix SS_HTTPResponse being cast as string (#5413) (Damian Mooyman)
  • 2016-04-24 fde6376 Admin blacklisted messages using correct $.inArray check (Daniel Hensby)
  • 2016-04-12 36283b8 Stop "success" message showing in CMS (Daniel Hensby)
  • 2016-04-11 707aa14 for #5299 Adding <code> blocks to Injector documentation. (Patrick Nelson)
  • 2016-04-07 000bf09 for #1447 to ensure proper type-safe checking of file_put_contents() in ErrorPage->writeStaticPage() (Patrick Nelson)
  • 2016-04-01 9d9c572 for #5251 to address minor URL decoding/parsing bug. (Patrick Nelson)
  • 2016-03-31 6ec2656 fix ErrorControlChain causing errors to be displayed if display_errors in php.ini is false (Damian Mooyman)
  • 2016-03-28 aeb4aa9 Don't allow plain text friendly errors (Daniel Hensby)
  • 2016-03-27 5ede516 GridField::FieldHolder() should not attempt to parse shortcodes (fixes #5129) (Loz Calver)
  • 2016-03-21 9d62d9d Link tracking not escaping # Fixes #1409 (Daniel Hensby)
  • 2016-03-21 5f8356d Fix File::getRelativePath() failing if parent folder is renamed (Damian Mooyman)
  • 2016-03-20 283885f tab wrapping (Jonathon Menz)
  • 2016-03-18 ada1206 Autocomplete loading spinner now showing (Daniel Hensby)
  • 2016-03-18 add2ecd Parameter tokens now redirect to correct url if mod_rewrite is off (Daniel Hensby)
  • 2016-03-18 57cfe3c Bad joining of links in reports (Daniel Hensby)
  • 2016-03-10 bc31d9c Use Controller::join_links() in Reports (Daniel Hensby)
  • 2016-03-08 0364204 Incorrect title attribute on CMS tabs (Loz Calver)
  • 2016-03-07 aa57427 Don't install imagick on php 5.3 (Damian Mooyman)
  • 2016-03-07 86b1c8f file sync removes folders with dot in name (Jonathon Menz)
  • 2016-03-07 6a22454 Fix FulltextsearchEnable (Damian Mooyman)
  • 2016-03-01 2079844 fixes "Uncaught ImagickException: Can not process empty Imagick object" when deleting an image (Ryan McLaren)
  • 2016-03-01 817b836 getIP from behind a load-balancer that adds many IPs to the header (Daniel Hensby)
  • 2016-02-26 bd48d89 undeclared constant issue (Daniel Hensby)
  • 2016-02-26 c2a0e89 undeclared constant issue (Daniel Hensby)
  • 2016-02-26 99ca2aa Fix regressions in missing CSRF on print button (Damian Mooyman)
  • 2016-02-26 cc95703 Fix regressions in missing CSRF on print button (Damian Mooyman)
  • 2016-02-26 320c833 Fix regressions in missing CSRF on print button (Damian Mooyman)
  • 2016-02-25 f7cacca Fix regression in gridfield get actions (Damian Mooyman)
  • 2016-02-25 3dc0d0e Fix regression in gridfield get actions (Damian Mooyman)
  • 2016-02-25 b0ad86b Fix regression in gridfield get actions (Damian Mooyman)
  • 2016-02-22 65a0981 Correct behaviour of publish with $createNewVersion = true (Damian Mooyman)
  • 2016-02-16 644c807 Use correct formaction for doRollback exemption #1378 (Andrew Aitken-Fincham)
  • 2016-02-15 8771859 "where" method in SQLUpdate Example (Richard Rudy)
  • 2016-02-05 0c252af Fixed issue #5002 DatetimeField styles in the new filter panel (UndefinedOffset)
  • 2016-01-28 3fcf1e2 edge case on many many extra fields (fixes 4991) (Mark Stephens)
  • 2016-01-28 7226524 Fix invalid sv translation yml (Damian Mooyman)
  • 2016-01-27 3d0178e Use correct formaction for doRollback exemption (Damian Mooyman)
  • 2016-01-27 361c9a0 removing hardcoded target _blank for tinymce file links (Ben Manu)
  • 2016-01-24 d8e354d PHPDocs on DataList::getIDList() and UnsavedRelationList::getIDList() (Damian Mooyman)
  • 2015-01-08 adf0f10 Fixes CMS errors when viewing history on "Deleted" pages. (Russell Michell)