This document contains information for an outdated version (3.0) and may not be maintained any more.

If some of your projects still use this version, consider upgrading as soon as possible.

3.0.3-rc2 (2012-11-16)

Overview

3.0.3 provides security fixes, bugfixes and a number of minor enhancements since 3.0.2.

Upgrading from 3.0.x should be a straightforward matter of dropping in the new release, with the exception noted below.

Upgrading

Impact of the upgrade:

  • Reset password email links generated prior to 3.0.3 will cease to work.
  • Users who use the "remember me" login feature will have to log in again.

API changes related to the below security patch:

  • Member::generateAutologinHash is deprecated. You can no longer get the autologin token from AutoLoginHash field in Member. Instead use the return value of the Member::generateAutologinTokenAndStoreHash and do not persist it.
  • Security::getPasswordResetLink now requires Member object as the first parameter. The password reset URL GET parameters have changed from only h (for hash) to m (for member ID) and t (for plaintext token).
  • RandomGenerator::generateHash will be deprecated with 3.1. Rename the function call to RandomGenerator::randomToken.

Security: Hash autologin tokens before storing in the database.

Severity: Moderate

Autologin tokens (remember me and reset password) are stored in the database as a plain text. If attacker obtained the database he would be able to gain access to accounts that have requested a password change, or have "remember me" enabled.

Changelog

API Changes

  • 2012-11-16 0dd97a3 Form#loadDataFrom 2nd arg now sets how existing field data is merged with new data (Hamish Friedlander)
  • 2012-11-08 a8b0e44 Hash autologin tokens before storing in the database. (Mateusz Uzdowski)

Bugfixes

  • 2012-11-16 7315be4 default values from DataObject not showing in GridField details form (Hamish Friedlander)
  • 2012-11-15 78ab9d3 Video embed from Add Media Feature no longer works (open #8033) (stojg)

Other

  • 2012-11-09 05a44e8 Correct branch for Travis build status image (Ingo Schommer)

Comments

Comment policy: Please use comments for tips and corrections about the described functionality.
Comments are moderated, we reserve the right to remove comments that are inappropriate or are no longer relevant. Use the Silverstripe Forum to ask questions.

blog comments powered by Disqus