Hi Vincent, On 09/16/2010 10:01 AM, Vincent Massol wrote: > Hi Alex, > > On Sep 15, 2010, at 8:00 PM, abusenius (SVN) wrote: > >> Author: abusenius >> Date: 2010-09-15 20:00:02 +0200 (Wed, 15 Sep 2010) >> New Revision: 31124 >> >> Modified: >> >> platform/xwiki-tools/trunk/xwiki-configuration-resources/src/main/resources/xwiki.properties.vm >> Log: >> XWIKI-5461: Added configuration for CSRF protection >> >> Modified: >> platform/xwiki-tools/trunk/xwiki-configuration-resources/src/main/resources/xwiki.properties.vm >> =================================================================== >> --- >> platform/xwiki-tools/trunk/xwiki-configuration-resources/src/main/resources/xwiki.properties.vm >> 2010-09-15 17:59:36 UTC (rev 31123) >> +++ >> platform/xwiki-tools/trunk/xwiki-configuration-resources/src/main/resources/xwiki.properties.vm >> 2010-09-15 18:00:02 UTC (rev 31124) 
>> @@ -267,3 +267,23 @@ >> #crypto.passwd.keyDerivationFunctionPropertiesForPasswordVerification = >> millisecondsOfProcessorTimeToSpend = 200 >> #crypto.passwd.keyDerivationFunctionPropertiesForPasswordVerification = >> numberOfKilobytesOfMemoryToUse = 1024 >> #crypto.passwd.keyDerivationFunctionPropertiesForPasswordVerification = >> derivedKeyLength = 32 >> + >> +#------------------------------------------------------------------------------------- >> +# CSRF token component >> +#------------------------------------------------------------------------------------- >> + >> +#-# [Since 2.5M2] >> +#-# Controls whether secret token validation mechanism should be used (to >> prevent CSRF attacks). >> +#-# >> +#-# If enabled, all actions requiring "comment", "edit", "delete", "admin" >> or "programming" rights >> +#-# will check that the parameter "form_token" with the value of a random >> secret token is present >> +#-# in the request. >> +#-# This feature requires CSRFToken component. > > I think we could remove this last sentence since the CSRFToken component is > bundled with the platform and this message will probably confuse the user > who's not going to know how to check if he has this component or not. It'll > make him/her ask himself questions, which we don't want IMO. > Agree.
>> +#-# >> +#-# Valid values: >> +#-# 0: Disabled >> +#-# 1: Enabled >> +#-# >> +#-# Default value is 0 >> +# core.csrftoken.enabled = 0 > > I guess we're going to turn it on by default when the implementation is > finished? > Yes, once all functional tests pass and everything appears to work. It might be a good idea to turn it on for 2.5-SNAPSHOT and turn it back off for the final release to make failing tests visible, but Hudson will be *very* noisy until then. Thanks, Alex > Thanks > -Vincent > _______________________________________________ > devs mailing list > [email protected] > http://lists.xwiki.org/mailman/listinfo/devs
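Review bot: the new comment block never says what happens when "form_token" is absent or does not match, so an administrator reading xwiki.properties.vm cannot tell whether such a request is rejected outright or routed to some confirmation step; add one line after "in the request." that states the failure behaviour. The sentence "This feature requires CSRFToken component." should be dropped, as already agreed in this thread: the component ships with the platform and the line only leaves the reader wondering whether it is installed. Since the shipped value is "# core.csrftoken.enabled = 0", the protection is off in every fresh installation until the default is flipped; the "Default value is 0" line could say so explicitly ("Default value is 0 (protection disabled)") so nobody assumes CSRF checks are active after upgrading.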

