Hm, I can't count, 4 +1 and 1 non-binding :)
On 09/14/2010 11:16 AM, Alex Busenius wrote:
> 3 +1 (+ 1 non-binding)
> 0 +0
> 0 -1
> Will start doing it ASAP.
>
> Thanks,
> Alex
>
> On 09/10/2010 01:54 AM, Alex Busenius wrote:
>> Hi devs,
>>
>> I've been working on a CSRF protection mechanism for quite some time.
>> It is based on so-called secret tokens (also called nonces) that are
>> included in forms and links and checked on the server side. The
>> implementation allows resubmitting a failed request (e.g. in case the
>> user was logged out in the meanwhile), so that the data is not lost in
>> case of bugs.
>>
>> JIRA issue:
>> http://jira.xwiki.org/jira/browse/XWIKI-4873
>> Component implementation:
>> http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-csrftoken/
>> Old proposal:
>> http://lists.xwiki.org/pipermail/devs/2010-March/017727.html
>>
>> I think it is time to move the CSRF component to the main repository and
>> start using it everywhere. The protection will be disabled by default
>> until all bugs are fixed.
>>
>> The steps to do would be:
>>
>> 1. Move CSRF token component to platform
>> 2. Fix all templates to use CSRF tokens
>> 3. Fix all applications to use CSRF tokens
>> 4. Fix all actions to check CSRF tokens
>> 5. Fix all integration tests to work with enabled CSRF protection
>>
>> I have patches for steps 2-4, but NOT for 5. Many (about 30-40 last time
>> I counted) integration tests still fail with enabled CSRF protection,
>> because they (mis)use CSRF to set up tests (edit/create pages).
>>
>> Here is my +1
>>
>> WDYT?
>>
>> Thanks,
>> Alex
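The per-session token check and the resubmit-after-failure flow that the quoted proposal describes, sketched as an added Python example; this is not the xwiki-csrftoken component's code, and the server class, its methods and the sample page names are assumptions made for illustration:

```python
import hmac
import secrets


class CsrfServer:
    """Toy server (assumed for illustration): one secret token per session,
    checked on every state-changing action; a request that fails the check
    is stashed so the user can resubmit it after logging in again."""

    def __init__(self):
        self.sessions = {}  # session id -> CSRF token for that session
        self.stash = {}     # resubmit id -> form data kept after a failed check
        self.pages = {}     # page name -> content (the protected resource)

    def login(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(32)  # fresh, unguessable token
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)  # the old token dies with the session

    def form_token(self, sid):
        # Value a template would put into a hidden form field or a link parameter.
        return self.sessions[sid]

    def save_page(self, sid, request):
        """Returns ("saved", None) or ("rejected", resubmit_id)."""
        expected = self.sessions.get(sid)
        submitted = request.get("form_token", "")
        # Logged out in the meanwhile, or token missing/wrong: do not apply the
        # change, but keep the submitted data instead of silently dropping it.
        if expected is None or not hmac.compare_digest(
            submitted.encode(), expected.encode()  # constant-time comparison
        ):
            rid = secrets.token_urlsafe(8)  # unguessable handle for the stash
            self.stash[rid] = {k: v for k, v in request.items() if k != "form_token"}
            return ("rejected", rid)
        self.pages[request["page"]] = request["content"]
        return ("saved", None)

    def resubmit(self, sid, rid):
        """Explicit user confirmation after re-login: replay the stashed data
        with the new session's token, so it goes through the normal check."""
        if sid not in self.sessions or rid not in self.stash:
            return ("rejected", rid)
        data = self.stash.pop(rid)
        return self.save_page(sid, dict(data, form_token=self.form_token(sid)))
```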

