[xwiki-devs] [VOTE] Leave CSRF protection enabled by default in 3.2 final
Hello devs, As you know, the 3.2 branch currently has CSRF protection enabled by default for testing purposes. The tests are working fine with it since a couple of months now, and there were only some non-critical bugs found and fixed during that time. The only currently unresolved problem I'm aware of right now is http://jira.xwiki.org/browse/XWIKI-6784 I have some quick test for it locally, but I had very little time recently to clean it up and commit. The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and have been tested on myxwiki.org without big problems. CSRF protection is important security improvement and we should encourage users to enable it. Nevertheless, enabling it by default is a potentially dangerous change, since it will expose problems with not-CSRF protection aware third party extensions after the update, and therefore needs to be voted about. Related bugs (fixed): http://jira.xwiki.org/browse/XWIKI-4873 http://jira.xwiki.org/browse/XWIKI-6773 Here is my +1 for leaving it enabled. WDYT? Thanks Alex
+1 too Thanks, Marius On Thu, Oct 6, 2011 at 12:02 AM, Alex Busenius <[email protected]> wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by default for testing purposes. The tests are working fine with it since a couple of months now, and there were only some non-critical bugs found and fixed during that time.
The only currently unresolved problem I'm aware of right now is http://jira.xwiki.org/browse/XWIKI-6784 I have some quick test for it locally, but I had very little time recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should encourage users to enable it. Nevertheless, enabling it by default is a potentially dangerous change, since it will expose problems with not-CSRF protection aware third party extensions after the update, and therefore needs to be voted about.
Related bugs (fixed): http://jira.xwiki.org/browse/XWIKI-4873 http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks Alex _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
+0 On Wed, Oct 5, 2011 at 11:02 PM, Alex Busenius <[email protected]> wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by default for testing purposes. The tests are working fine with it since a couple of months now, and there were only some non-critical bugs found and fixed during that time.
The only currently unresolved problem I'm aware of right now is http://jira.xwiki.org/browse/XWIKI-6784 I have some quick test for it locally, but I had very little time recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should encourage users to enable it. Nevertheless, enabling it by default is a potentially dangerous change, since it will expose problems with not-CSRF protection aware third party extensions after the update, and therefore needs to be voted about.
Related bugs (fixed): http://jira.xwiki.org/browse/XWIKI-4873 http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks Alex _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
-- Thomas Mortagne
+1 Thanks, Eduard On Thu, Oct 6, 2011 at 9:54 AM, Thomas Mortagne <[email protected]>wrote:
+0
On Wed, Oct 5, 2011 at 11:02 PM, Alex Busenius <[email protected]> wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by default for testing purposes. The tests are working fine with it since a couple of months now, and there were only some non-critical bugs found and fixed during that time.
The only currently unresolved problem I'm aware of right now is http://jira.xwiki.org/browse/XWIKI-6784 I have some quick test for it locally, but I had very little time recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should encourage users to enable it. Nevertheless, enabling it by default is a potentially dangerous change, since it will expose problems with not-CSRF protection aware third party extensions after the update, and therefore needs to be voted about.
Related bugs (fixed): http://jira.xwiki.org/browse/XWIKI-4873 http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks Alex _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
-- Thomas Mortagne _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
+1 Caleb On 10/05/2011 05:02 PM, Alex Busenius wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by default for testing purposes. The tests are working fine with it since a couple of months now, and there were only some non-critical bugs found and fixed during that time.
The only currently unresolved problem I'm aware of right now is http://jira.xwiki.org/browse/XWIKI-6784 I have some quick test for it locally, but I had very little time recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should encourage users to enable it. Nevertheless, enabling it by default is a potentially dangerous change, since it will expose problems with not-CSRF protection aware third party extensions after the update, and therefore needs to be voted about.
Related bugs (fixed): http://jira.xwiki.org/browse/XWIKI-4873 http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks Alex _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
0, but the config file should better precise that the default has changed since 3.2 There should be clear statement in the release notes, and these should explain the potential risk for existing application, and the existence of the unresolved bug. On Thu, Oct 6, 2011 at 14:40, Caleb James DeLisle <[email protected]>wrote:
+1
Caleb
On 10/05/2011 05:02 PM, Alex Busenius wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by default for testing purposes. The tests are working fine with it since a couple of months now, and there were only some non-critical bugs found and fixed during that time.
The only currently unresolved problem I'm aware of right now is http://jira.xwiki.org/browse/XWIKI-6784 I have some quick test for it locally, but I had very little time recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should encourage users to enable it. Nevertheless, enabling it by default is a potentially dangerous change, since it will expose problems with not-CSRF protection aware third party extensions after the update, and therefore needs to be voted about.
Related bugs (fixed): http://jira.xwiki.org/browse/XWIKI-4873 http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks Alex _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
-- Denis Gervalle SOFTEC sa - CEO eGuilde sarl - CTO
On 06.10.2011 15:25, Denis Gervalle wrote:
0, but the config file should better precise that the default has changed since 3.2 There should be clear statement in the release notes, and these should explain the potential risk for existing application, and the existence of the unresolved bug.
I agree, I'll take care of that. Alex
On Thu, Oct 6, 2011 at 14:40, Caleb James DeLisle <[email protected]>wrote:
+1
Caleb
On 10/05/2011 05:02 PM, Alex Busenius wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by default for testing purposes. The tests are working fine with it since a couple of months now, and there were only some non-critical bugs found and fixed during that time.
The only currently unresolved problem I'm aware of right now is http://jira.xwiki.org/browse/XWIKI-6784 I have some quick test for it locally, but I had very little time recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should encourage users to enable it. Nevertheless, enabling it by default is a potentially dangerous change, since it will expose problems with not-CSRF protection aware third party extensions after the update, and therefore needs to be voted about.
Related bugs (fixed): http://jira.xwiki.org/browse/XWIKI-4873 http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks Alex _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
On 10/05/2011 05:02 PM, Alex Busenius wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by default for testing purposes. The tests are working fine with it since a couple of months now, and there were only some non-critical bugs found and fixed during that time.
The only currently unresolved problem I'm aware of right now is http://jira.xwiki.org/browse/XWIKI-6784 I have some quick test for it locally, but I had very little time recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should encourage users to enable it. Nevertheless, enabling it by default is a potentially dangerous change, since it will expose problems with not-CSRF protection aware third party extensions after the update, and therefore needs to be voted about.
Related bugs (fixed): http://jira.xwiki.org/browse/XWIKI-4873 http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
I think it's quite an important change that could break a lot of (user) applications. Still, this change must happen at some point, and we already had the feature in an experimental state for quite a while (since 2.5, a year ago). +1 for leaving it enabled. -- Sergiu Dumitriu http://purl.org/net/sergiu/
On Oct 7, 2011, at 6:30 AM, Sergiu Dumitriu wrote:
On 10/05/2011 05:02 PM, Alex Busenius wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by default for testing purposes. The tests are working fine with it since a couple of months now, and there were only some non-critical bugs found and fixed during that time.
The only currently unresolved problem I'm aware of right now is http://jira.xwiki.org/browse/XWIKI-6784 I have some quick test for it locally, but I had very little time recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should encourage users to enable it. Nevertheless, enabling it by default is a potentially dangerous change, since it will expose problems with not-CSRF protection aware third party extensions after the update, and therefore needs to be voted about.
Related bugs (fixed): http://jira.xwiki.org/browse/XWIKI-4873 http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
I think it's quite an important change that could break a lot of (user) applications. Still, this change must happen at some point, and we already had the feature in an experimental state for quite a while (since 2.5, a year ago).
+1 for leaving it enabled.
I agree with this. +1 too provided we clearly explain it in the Release notes and explain how do turn if off for users upgrading and having problems (with a warning on security for public sites). Thanks -Vincent
Result: +1 : 6, +0 : 2, -1 : 0 I'll update the release notes tonight. Alex On 05.10.2011 23:02, Alex Busenius wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by default for testing purposes. The tests are working fine with it since a couple of months now, and there were only some non-critical bugs found and fixed during that time.
The only currently unresolved problem I'm aware of right now is http://jira.xwiki.org/browse/XWIKI-6784 I have some quick test for it locally, but I had very little time recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and have been tested on myxwiki.org without big problems.
CSRF protection is important security improvement and we should encourage users to enable it. Nevertheless, enabling it by default is a potentially dangerous change, since it will expose problems with not-CSRF protection aware third party extensions after the update, and therefore needs to be voted about.
Related bugs (fixed): http://jira.xwiki.org/browse/XWIKI-4873 http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks Alex
participants (8)
-
Alex Busenius -
Caleb James DeLisle -
Denis Gervalle -
Eduard Moraru -
Marius Dumitru Florea -
Sergiu Dumitriu -
Thomas Mortagne -
Vincent Massol