forked from ezyang/csrf-magic
NEWS.txt
[[ news ]]
1.0.4 released 2013-07-17
[SECURITY FIXES]
- When secret key was not explicitly set, it was not being used
by the csrf_hash() function. Thanks sparticvs for reporting.
[FEATURES]
- The default 'CSRF check failed' page now offers a handy 'Try
again' button, which resubmits the form.
[BUG FIXES]
- The fix for 1.0.3 inadvertently turned off XMLHttpRequest
  overloading for all browsers; it has now been fixed to only
  apply to IE.
1.0.3 released 2012-01-31
[BUG FIXES]
- Internet Explorer 8 adds support for XMLHttpRequest.prototype,
but this support is broken for method overloading. We
explicitly disable JavaScript overloading for Internet Explorer.
Thanks Kelly Lu for reporting.
- A global declaration was omitted, resulting in a variable
  not being properly introduced in PHP 5.3. Thanks Whitney Beck for
  reporting.
1.0.2 released 2009-03-08
[SECURITY FIXES]
- Due to a typo, csrf-magic accidentally treated the secret key
as always present. This means that there was a possible CSRF
attack against users without any cookies. No attacks in the
wild were known at the time of this release. Thanks Jakub
Vrána for reporting.
1.0.1 released 2008-11-02
[NEW FEATURES]
- Support for composite tokens; this also fixes a bug with using
IP-based tokens for users with cookies disabled.
- Native support for cookie tokens; use csrf_conf('cookie', $name) to
  specify the name of a cookie that the CSRF token should be
  placed in. This is useful if you have a Squid cache, and need
  to configure it to ignore this token.
- Tips/tricks section in README.txt.
- There is now a two hour expiration time on all tokens. This
can be modified using csrf_conf('expires', $seconds).
- ClickJacking protection using an iframe breaker. Disable with
csrf_conf('frame-breaker', false).
[BUG FIXES]
- CsrfMagic.send() incorrectly submitted GET requests twice,
  once without the magic token and once with the token. Reported
  by Kelly Lu.
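The composite-token, expiry and secret-key entries above (1.0.1, 1.0.2 and 1.0.4) all describe one design: a token carrying several bindings, each only as hard to forge as the value behind it. The following is an added sketch of that design in PHP, written for this page; it is not csrf-magic's own code or token format, and every name in it (example_csrf_*, $secret, $sid, $ip, the demonstration values) is hypothetical. It models the 1.0.2 failure mode by refusing to issue or accept an IP-bound token when no secret is configured.

```php
<?php
// Added example, not csrf-magic's own code. Names are hypothetical.

const EXAMPLE_CSRF_EXPIRES = 7200; // two-hour lifetime, as in the 1.0.1 default

// One binding: "<type>:<expires>:<mac>". The MAC covers the type, the expiry
// and the bound value, so none of them can be edited without invalidating it.
function example_csrf_part(string $type, int $expires, string $value, string $secret): string
{
    $mac = hash_hmac('sha256', "$type|$expires|$value", $secret);
    return "$type:$expires:$mac";
}

// Issue a composite token: a comma-separated list of bindings.
function example_csrf_token(string $secret, ?string $sid, string $ip, int $now): string
{
    $expires = $now + EXAMPLE_CSRF_EXPIRES;
    $parts = [];
    if ($sid !== null) {
        // Unforgeable even with an empty secret: the session id itself is the
        // value an attacker cannot know.
        $parts[] = example_csrf_part('sid', $expires, $sid, $secret);
    }
    if ($secret !== '') {
        // The 1.0.2 bug class: an IP-bound token is only as secret as the key
        // behind it, so it is issued only when a real secret is configured.
        $parts[] = example_csrf_part('ip', $expires, $ip, $secret);
    }
    if ($parts === []) {
        throw new RuntimeException('no session and no secret: refusing to issue a forgeable token');
    }
    return implode(',', $parts);
}

// Verify a submitted token against the current request. Any one valid,
// unexpired binding is enough.
function example_csrf_check(string $token, string $secret, ?string $sid, string $ip, int $now): bool
{
    foreach (explode(',', $token) as $part) {
        $fields = explode(':', $part, 3);
        if (count($fields) !== 3) {
            continue;
        }
        [$type, $expires] = $fields;
        if (!ctype_digit($expires) || (int) $expires < $now) {
            continue; // expired, or the expiry field was tampered with
        }
        if ($type === 'sid') {
            $value = $sid;
        } elseif ($type === 'ip' && $secret !== '') {
            $value = $ip; // never accept an IP binding when no secret is configured
        } else {
            $value = null;
        }
        if ($value === null) {
            continue;
        }
        $expected = example_csrf_part($type, (int) $expires, $value, $secret);
        if (hash_equals($expected, $part)) {
            return true;
        }
    }
    return false;
}

// Constructed demonstration values.
$secret = 'example-server-secret';
$now = 1700000000;
$token = example_csrf_token($secret, 'sess-abc', '203.0.113.7', $now);

var_dump(example_csrf_check($token, $secret, 'sess-abc', '203.0.113.7', $now));       // same session, same IP, within lifetime
var_dump(example_csrf_check($token, $secret, null, '203.0.113.7', $now));             // session cookie missing: only the ip binding can match
var_dump(example_csrf_check($token, $secret, 'sess-abc', '203.0.113.7', $now + 7201)); // 7201 seconds later: both bindings expired
var_dump(example_csrf_check($token, '', null, '203.0.113.7', $now));                  // no secret configured: the ip binding must not be accepted

// Cookieless user and no secret: the 1.0.2 failure mode is refused outright
// instead of silently issuing a token anyone who knows the IP could compute.
try {
    example_csrf_token('', null, '203.0.113.7', $now);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The point of the two secret checks (one at issue time, one at check time) is the 1.0.4 entry in reverse: a verifier that reads the secret from a different place than the issuer, or that skips it when it is unset, degrades the ip binding to a plain hash of a public value. Keeping both paths on the same `$secret` argument and comparing with `hash_equals` avoids that split.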