3 +1 (+ 1 non-binding)
0 +0
0 -1
Will start doing it ASAP.

Thanks,
Alex


On 09/10/2010 01:54 AM, Alex Busenius wrote:
> Hi devs,
> 
> 
> I've been working on a CSRF protection mechanism for quite some time.
> It is based on so-called secret tokens (also called nonces) that are
> included in forms and links and checked on the server side.  The
> implementation allows resubmitting a failed request (e.g. in case the
> user was logged out in the meantime), so that the data is not lost in
> case of bugs.
> 
> JIRA issue:
>   http://jira.xwiki.org/jira/browse/XWIKI-4873
> Component implementation:
>   http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-csrftoken/
> Old proposal:
>   http://lists.xwiki.org/pipermail/devs/2010-March/017727.html
> 
> 
> I think it is time to move the CSRF component to the main repository and
> start using it everywhere.  The protection will be disabled by default
> until all bugs are fixed.
> 
> The steps to do would be:
> 
> 1. Move CSRF token component to platform
> 2. Fix all templates to use CSRF tokens
> 3. Fix all applications to use CSRF tokens
> 4. Fix all actions to check CSRF tokens
> 5. Fix all integration tests to work with CSRF protection enabled
> 
> I have patches for steps 2-4, but NOT for 5. Many (about 30-40 last time
> I counted) integration tests still fail with CSRF protection enabled,
> because they (mis)use CSRF to set up tests (edit/create pages).
> 
> Here is my +1
> 
> 
> WDYT?
> 
> 
> Thanks,
> Alex
> 
> 
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
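The token-in-forms-and-links check and the resubmit-on-failure flow described in the quoted proposal, as an added Python sketch for readers of this thread. It is not the XWiki csrftoken component and not code from the list post; the parameter name `form_token`, the set of GET action paths that need a token, and the `Session`/`Request` shapes are assumptions made for the example. The scenario at the end is constructed: a forged cross-site post, a valid post, then a submit whose token went stale because the user logged out and back in while an edit form was open.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_PARAM = "form_token"                   # assumed name of the token request parameter
STATE_CHANGING = {"POST", "PUT", "DELETE"}
PROTECTED_GET_PATHS = {"/delete", "/save"}   # assumed: action links that mutate state via GET

@dataclass
class Session:
    user: Optional[str]                      # None when anonymous
    csrf_token: Optional[str] = None         # one nonce per session, created on first use

@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]
    session: Session

class CsrfTokenService:
    def __init__(self) -> None:
        self._parked: Dict[str, Request] = {}   # failed requests awaiting user confirmation

    def get_token(self, session: Session) -> str:
        if session.csrf_token is None:
            session.csrf_token = secrets.token_urlsafe(32)
        return session.csrf_token

    def rotate_token(self, session: Session) -> None:
        session.csrf_token = secrets.token_urlsafe(32)   # on login/logout: old principal's token dies

    def hidden_field(self, session: Session) -> str:
        """Token as a hidden form field, what a template would emit."""
        return f'<input type="hidden" name="{TOKEN_PARAM}" value="{self.get_token(session)}"/>'

    def protect_link(self, session: Session, url: str) -> str:
        """Token as a query parameter, for state-changing links."""
        return f"{url}{'&' if '?' in url else '?'}{TOKEN_PARAM}={self.get_token(session)}"

    @staticmethod
    def token_matches(request: Request) -> bool:
        supplied = request.params.get(TOKEN_PARAM, "")
        expected = request.session.csrf_token or ""
        # constant-time compare; a missing or never-issued token never matches
        return bool(supplied) and bool(expected) and hmac.compare_digest(supplied, expected)

    def check(self, request: Request) -> Optional[str]:
        """None: run the action. Otherwise the request is parked and the returned id is
        used to render confirmation_form() instead, so a stale token loses no data."""
        protected = request.method in STATE_CHANGING or request.path in PROTECTED_GET_PATHS
        if not protected or self.token_matches(request):
            return None
        resubmit_id = secrets.token_urlsafe(16)
        self._parked[resubmit_id] = request
        return resubmit_id

    def confirmation_form(self, session: Session, resubmit_id: str) -> str:
        """The resubmit page carries a fresh token, so confirming cannot itself be forged."""
        return ('<form method="POST" action="/resubmit">'
                f'<input type="hidden" name="resubmit_id" value="{resubmit_id}"/>'
                f'{self.hidden_field(session)}<input type="submit" value="Resubmit"/></form>')

    def resubmit(self, confirm: Request) -> Optional[Request]:
        """Replay a parked request once confirmed with a token valid for the current session."""
        if not self.token_matches(confirm):
            return None
        parked = self._parked.pop(confirm.params.get("resubmit_id", ""), None)
        if parked is None or parked.session is not confirm.session:
            return None                      # one-shot, and only for the session that parked it
        params = dict(parked.params, **{TOKEN_PARAM: self.get_token(confirm.session)})
        return Request(parked.method, parked.path, params, confirm.session)

def run_scenario() -> Dict[str, object]:
    """Constructed walk-through: forged post, valid post, then a stale token after re-login."""
    svc, session = CsrfTokenService(), Session(user="alice")
    token = svc.get_token(session)
    r: Dict[str, object] = {}
    # a cross-site form post carries no token: parked, the user sees a confirmation page
    r["forged_parked"] = svc.check(Request("POST", "/save", {"content": "pwned"}, session)) is not None
    r["view_ok"] = svc.check(Request("GET", "/view", {}, session)) is None
    r["legit_ok"] = svc.check(Request("POST", "/save", {"content": "hi", TOKEN_PARAM: token}, session)) is None
    # logout and login rotate the nonce while an edit form is still open in another tab
    svc.rotate_token(session); session.user = None
    svc.rotate_token(session); session.user = "alice"
    stale = Request("POST", "/save", {"content": "long edit", TOKEN_PARAM: token}, session)
    resubmit_id = svc.check(stale)
    r["stale_parked"] = resubmit_id is not None
    page = svc.confirmation_form(session, resubmit_id)
    r["page_has_new_token"] = svc.get_token(session) in page and token not in page
    confirm = Request("POST", "/resubmit",
                      {"resubmit_id": resubmit_id, TOKEN_PARAM: svc.get_token(session)}, session)
    replayed = svc.resubmit(confirm)
    r["replayed_content"] = replayed.params["content"] if replayed else None
    r["replay_ok"] = replayed is not None and svc.check(replayed) is None
    r["replay_once"] = svc.resubmit(confirm) is None
    return r
```

The resubmit page is the trade-off the proposal accepts: a request that fails the check is never executed silently, but the user is shown a prompt, and a forged request produces exactly the same prompt. The prompt therefore has to say plainly what action and what data will be resubmitted, and the confirmation itself has to be token-protected, bound to the session that parked the request, and one-shot, which is what `resubmit` enforces here. Token rotation on login and logout is what turns the "logged out in the meantime" case into a resubmit rather than a silent success with a token issued to a previous principal.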
