author Andrey Andreev <narf@bofh.bg> 2012-10-06 14:42:56 +0200
committer Andrey Andreev <narf@bofh.bg> 2012-10-06 14:42:56 +0200
commit 481e42660f3c703789b4564402b5c47032c87c99
tree ca204dc545d2701a2f0c6edd6fdf2fae1be51fc2 /user_guide
parent b0fe0a9a6813e8d3ebca94c5fa86ab6f36f3390d
Backport security fixes
Diffstat (limited to 'user_guide')
-rw-r--r-- user_guide/changelog.html 2
1 files changed, 2 insertions, 0 deletions
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index d31839913..1c89f16be 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -68,6 +68,8 @@ Change Log
<li>Fixed a bug (#1699) - <a href="libraries/migration.html">Migration Library</a> ignored the <samp>$config['migration_path']</samp> setting.</li>
<li>Fixed a bug (#227) - <a href="libraries/input.html">Input Library</a> allowed unconditional spoofing of HTTP clients' IP addresses through the HTTP_CLIENT_IP header.</li>
<li>Fixed a bug (#907) - <a href="libraries/input.html">Input Library</a> ignored HTTP_X_CLUSTER_CLIENT_IP and HTTP_X_CLIENT_IP headers when checking for proxies.</li>
+ <li>Fixed a bug (#940) - <samp>csrf_verify()</samp> used to set the CSRF cookie while processing a POST request with no actual POST data, which resulted in validating a request that should be considered invalid.</li>
+ <li>Fixed a bug in the <a href="libraries/security.html">Security Library</a> where a CSRF cookie was created even if <samp>$config['csrf_protection']</samp> is set tot FALSE.</li>
</ul>
<h2>Version 2.1.2</h2>
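Review bot: The second added list item has a typo, "is set tot FALSE" should read "is set to FALSE", and it mixes tenses ("was created even if ... is set"); "was created even when $config['csrf_protection'] was set to FALSE" would read consistently. That entry also carries no issue number, while the other added entry (#940) and the surrounding context entries (#1699, #227, #907) all do, so add the reference if one exists. Since the commit message calls these security fixes, consider wording both entries so readers scanning the changelog can tell they affect CSRF validation rather than reading them as ordinary bug fixes.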