Hi Alex,

On Sep 15, 2010, at 8:00 PM, abusenius (SVN) wrote:

> Author: abusenius
> Date: 2010-09-15 20:00:02 +0200 (Wed, 15 Sep 2010)
> New Revision: 31124
> 
> Modified:
>   
> platform/xwiki-tools/trunk/xwiki-configuration-resources/src/main/resources/xwiki.properties.vm
> Log:
> XWIKI-5461: Added configuration for CSRF protection
> 
> Modified: 
> platform/xwiki-tools/trunk/xwiki-configuration-resources/src/main/resources/xwiki.properties.vm
> ===================================================================
> --- 
> platform/xwiki-tools/trunk/xwiki-configuration-resources/src/main/resources/xwiki.properties.vm
>    2010-09-15 17:59:36 UTC (rev 31123)
> +++ 
> platform/xwiki-tools/trunk/xwiki-configuration-resources/src/main/resources/xwiki.properties.vm
>    2010-09-15 18:00:02 UTC (rev 31124)
> @@ -267,3 +267,23 @@
> #crypto.passwd.keyDerivationFunctionPropertiesForPasswordVerification = 
> millisecondsOfProcessorTimeToSpend = 200
> #crypto.passwd.keyDerivationFunctionPropertiesForPasswordVerification = 
> numberOfKilobytesOfMemoryToUse = 1024
> #crypto.passwd.keyDerivationFunctionPropertiesForPasswordVerification = 
> derivedKeyLength = 32
> +
> +#-------------------------------------------------------------------------------------
> +# CSRF token component
> +#-------------------------------------------------------------------------------------
> +
> +#-# [Since 2.5M2]
> +#-# Controls whether secret token validation mechanism should be used (to 
> prevent CSRF attacks).
> +#-#
> +#-# If enabled, all actions requiring "comment", "edit", "delete", "admin" 
> or "programming" rights
> +#-# will check that the parameter "form_token" with the value of a random 
> secret token is present
> +#-# in the request.
> +#-# This feature requires CSRFToken component.

I think we could remove this last sentence since the CSRFToken component is 
bundled with the platform and this message will probably confuse the user who's 
not going to know how to check if he has this component or not. It'll make 
him/her ask himself questions, which we don't want IMO.

> +#-# 
> +#-# Valid values:
> +#-#   0: Disabled
> +#-#   1: Enabled
> +#-#
> +#-# Default value is 0
> +# core.csrftoken.enabled = 0
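Review bot: the description of the check in this hunk ("will check that the parameter "form_token" with the value of a random secret token is present in the request") reads as a presence check only, which understates what a CSRF defence has to do; the comment should say that the value must match the secret token issued for the current user session, not merely that the parameter is present, e.g. "will check that the request carries a "form_token" parameter matching the secret token of the current session". It would also help administrators to state what happens when validation fails (whether the action is rejected or the user is asked to confirm), since the property text currently leaves that unspecified.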

I guess we're going to turn it on by default when the implementation is 
finished?

Thanks
-Vincent
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs