10 Sep
2010
10 Sep
'10
12:17 p.m.
Hi,
I'm +1 as well from a broad point of view since this will significantly
improve XWiki's security and I know users who are waiting for this specific
fix.
However please consider it non-binding since I don't have a good grasp of
the potential underlying implementation issues.
Guillaume
On Fri, Sep 10, 2010 at 01:54, Alex Busenius
<alex.busenius(a)googlemail.com>wrote;wrote:
Hi devs,
I've been working on a CSRF protection mechanism for quite some time.
It is based on so called secret tokens (also called nonces) that are
included into forms and links and checked on server side. The
implementation allows to resubmit a failed request (e.g. in case the
user is logged out in the meanwhile), so that the data is not lost in
case of bugs.
JIRA issue:
http://jira.xwiki.org/jira/browse/XWIKI-4873
Component implementation:
http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-csrftoken/
Old proposal:
http://lists.xwiki.org/pipermail/devs/2010-March/017727.html
I think it is time to move the CSRF component to the main repository and
start using it everywhere. The protection will be disabled by default
until all bugs are fixed.
The steps to do would be:
1. Move CSRF token component to platform
2. Fix all templates to use CSRF tokens
3. Fix all applications to use CSRF tokens
4. Fix all actions to check CSRF tokens
5. Fix all integration tests to work with enabled CSRF protection
I have patches for steps 2-4, but NOT for 5. Many (about 30-40 last time
I counted) integration tests still fail with enabled CSRF protection,
because they (mis)use CSRF to set up tests (edit/create pages).
Here is my +1
WDYT?
Thanks,
Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs