5 Oct
2011
5 Oct
'11
11:02 p.m.
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by
default for testing purposes. The tests are working fine with it since
a couple of months now, and there were only some non-critical bugs found
and fixed during that time.
The only currently unresolved problem I'm aware of right now is
http://jira.xwiki.org/browse/XWIKI-6784
I have some quick test for it locally, but I had very little time
recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should
encourage users to enable it. Nevertheless, enabling it by default is a
potentially dangerous change, since it will expose problems with
not-CSRF protection aware third party extensions after the update, and
therefore needs to be voted about.
Related bugs (fixed):
http://jira.xwiki.org/browse/XWIKI-4873
http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks
Alex
6 Oct
6 Oct
8:28 a.m.
New subject: [xwiki-devs] [VOTE] Leave CSRF protection enabled by default in 3.2 final
+1 too
Thanks,
Marius
On Thu, Oct 6, 2011 at 12:02 AM, Alex Busenius
<alex.busenius(a)googlemail.com> wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by
default for testing purposes. The tests are working fine with it since
a couple of months now, and there were only some non-critical bugs found
and fixed during that time.
The only currently unresolved problem I'm aware of right now is
http://jira.xwiki.org/browse/XWIKI-6784
I have some quick test for it locally, but I had very little time
recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should
encourage users to enable it. Nevertheless, enabling it by default is a
potentially dangerous change, since it will expose problems with
not-CSRF protection aware third party extensions after the update, and
therefore needs to be voted about.
Related bugs (fixed):
http://jira.xwiki.org/browse/XWIKI-4873
http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks
Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
8:54 a.m.
New subject: [xwiki-devs] [VOTE] Leave CSRF protection enabled by default in 3.2 final
+0
On Wed, Oct 5, 2011 at 11:02 PM, Alex Busenius
<alex.busenius(a)googlemail.com> wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by
default for testing purposes. The tests are working fine with it since
a couple of months now, and there were only some non-critical bugs found
and fixed during that time.
The only currently unresolved problem I'm aware of right now is
http://jira.xwiki.org/browse/XWIKI-6784
I have some quick test for it locally, but I had very little time
recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should
encourage users to enable it. Nevertheless, enabling it by default is a
potentially dangerous change, since it will expose problems with
not-CSRF protection aware third party extensions after the update, and
therefore needs to be voted about.
Related bugs (fixed):
http://jira.xwiki.org/browse/XWIKI-4873
http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks
Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Thomas Mortagne
1:40 p.m.
New subject: [xwiki-devs] [VOTE] Leave CSRF protection enabled by default in 3.2 final
+1
Thanks,
Eduard
On Thu, Oct 6, 2011 at 9:54 AM, Thomas Mortagne
<thomas.mortagne(a)xwiki.com>wrote;wrote:
+0
On Wed, Oct 5, 2011 at 11:02 PM, Alex Busenius
<alex.busenius(a)googlemail.com> wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by
default for testing purposes. The tests are working fine with it since
a couple of months now, and there were only some non-critical bugs found
and fixed during that time.
The only currently unresolved problem I'm aware of right now is
http://jira.xwiki.org/browse/XWIKI-6784
I have some quick test for it locally, but I had very little time
recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should
encourage users to enable it. Nevertheless, enabling it by default is a
potentially dangerous change, since it will expose problems with
not-CSRF protection aware third party extensions after the update, and
therefore needs to be voted about.
Related bugs (fixed):
http://jira.xwiki.org/browse/XWIKI-4873
http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks
Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Thomas Mortagne
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
2:40 p.m.
New subject: [xwiki-devs] [VOTE] Leave CSRF protection enabled by default in 3.2 final
+1
Caleb
On 10/05/2011 05:02 PM, Alex Busenius wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by
default for testing purposes. The tests are working fine with it since
a couple of months now, and there were only some non-critical bugs found
and fixed during that time.
The only currently unresolved problem I'm aware of right now is
http://jira.xwiki.org/browse/XWIKI-6784
I have some quick test for it locally, but I had very little time
recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should
encourage users to enable it. Nevertheless, enabling it by default is a
potentially dangerous change, since it will expose problems with
not-CSRF protection aware third party extensions after the update, and
therefore needs to be voted about.
Related bugs (fixed):
http://jira.xwiki.org/browse/XWIKI-4873
http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks
Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
3:25 p.m.
New subject: [xwiki-devs] [VOTE] Leave CSRF protection enabled by default in 3.2 final
0, but the config file should better precise that the default has changed
since 3.2
There should be clear statement in the release notes, and these should
explain the potential risk for existing application, and the existence of
the unresolved bug.
On Thu, Oct 6, 2011 at 14:40, Caleb James DeLisle
<calebdelisle(a)lavabit.com>wrote;wrote:
+1
Caleb
On 10/05/2011 05:02 PM, Alex Busenius wrote:
--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by
default for testing purposes. The tests are working fine with it since
a couple of months now, and there were only some non-critical bugs found
and fixed during that time.
The only currently unresolved problem I'm aware of right now is
http://jira.xwiki.org/browse/XWIKI-6784
I have some quick test for it locally, but I had very little time
recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should
encourage users to enable it. Nevertheless, enabling it by default is a
potentially dangerous change, since it will expose problems with
not-CSRF protection aware third party extensions after the update, and
therefore needs to be voted about.
Related bugs (fixed):
http://jira.xwiki.org/browse/XWIKI-4873
http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks
Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
8:31 p.m.
New subject: [xwiki-devs] [VOTE] Leave CSRF protection enabled by default in 3.2 final
On 06.10.2011 15:25, Denis Gervalle wrote:
0, but the config file should better precise that the
default has changed
since 3.2
There should be clear statement in the release notes, and these should
explain the potential risk for existing application, and the existence of
the unresolved bug.
I agree, I'll take care of that.
Alex
On Thu, Oct 6, 2011 at 14:40, Caleb James DeLisle
<calebdelisle(a)lavabit.com>wrote;wrote:
+1
Caleb
On 10/05/2011 05:02 PM, Alex Busenius wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by
default for testing purposes. The tests are working fine with it since
a couple of months now, and there were only some non-critical bugs found
and fixed during that time.
The only currently unresolved problem I'm aware of right now is
http://jira.xwiki.org/browse/XWIKI-6784
I have some quick test for it locally, but I had very little time
recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should
encourage users to enable it. Nevertheless, enabling it by default is a
potentially dangerous change, since it will expose problems with
not-CSRF protection aware third party extensions after the update, and
therefore needs to be voted about.
Related bugs (fixed):
http://jira.xwiki.org/browse/XWIKI-4873
http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks
Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
7 Oct
7 Oct
6:30 a.m.
New subject: [xwiki-devs] [VOTE] Leave CSRF protection enabled by default in 3.2 final
On 10/05/2011 05:02 PM, Alex Busenius wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by
default for testing purposes. The tests are working fine with it since
a couple of months now, and there were only some non-critical bugs found
and fixed during that time.
The only currently unresolved problem I'm aware of right now is
http://jira.xwiki.org/browse/XWIKI-6784
I have some quick test for it locally, but I had very little time
recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should
encourage users to enable it. Nevertheless, enabling it by default is a
potentially dangerous change, since it will expose problems with
not-CSRF protection aware third party extensions after the update, and
therefore needs to be voted about.
Related bugs (fixed):
http://jira.xwiki.org/browse/XWIKI-4873
http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
I think it's quite an important change that could break a lot of (user)
applications. Still, this change must happen at some point, and we
already had the feature in an experimental state for quite a while
(since 2.5, a year ago).
+1 for leaving it enabled.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
8:55 a.m.
New subject: [xwiki-devs] [VOTE] Leave CSRF protection enabled by default in 3.2 final
On Oct 7, 2011, at 6:30 AM, Sergiu Dumitriu wrote:
On 10/05/2011 05:02 PM, Alex Busenius wrote:
I agree with this. +1 too provided we clearly explain it in the Release notes and explain
how do turn if off for users upgrading and having problems (with a warning on security for
public sites).
Thanks
-Vincent
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by
default for testing purposes. The tests are working fine with it since
a couple of months now, and there were only some non-critical bugs found
and fixed during that time.
The only currently unresolved problem I'm aware of right now is
http://jira.xwiki.org/browse/XWIKI-6784
I have some quick test for it locally, but I had very little time
recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should
encourage users to enable it. Nevertheless, enabling it by default is a
potentially dangerous change, since it will expose problems with
not-CSRF protection aware third party extensions after the update, and
therefore needs to be voted about.
Related bugs (fixed):
http://jira.xwiki.org/browse/XWIKI-4873
http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
I think it's quite an important change that could break a lot of (user)
applications. Still, this change must happen at some point, and we
already had the feature in an experimental state for quite a while
(since 2.5, a year ago).
+1 for leaving it enabled.
10 Oct
10 Oct
8:13 p.m.
New subject: [xwiki-devs] [VOTE] Leave CSRF protection enabled by default in 3.2 final
Result: +1 : 6, +0 : 2, -1 : 0
I'll update the release notes tonight.
Alex
On 05.10.2011 23:02, Alex Busenius wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by
default for testing purposes. The tests are working fine with it since a
couple of months now, and there were only some non-critical bugs found
and fixed during that time.
The only currently unresolved problem I'm aware of right now is
http://jira.xwiki.org/browse/XWIKI-6784
I have some quick test for it locally, but I had very little time
recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should
encourage users to enable it. Nevertheless, enabling it by default is a
potentially dangerous change, since it will expose problems with
not-CSRF protection aware third party extensions after the update, and
therefore needs to be voted about.
Related bugs (fixed):
http://jira.xwiki.org/browse/XWIKI-4873
http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks
Alex
4725
days inactive
4730
days old
9 comments
8 participants
participants (8)
-
Alex Busenius -
Caleb James DeLisle -
Denis Gervalle -
Eduard Moraru -
Marius Dumitru Florea -
Sergiu Dumitriu -
Thomas Mortagne -
Vincent Massol