[Framework-Team] PLIP 224: CSRF protection framework

Andreas Zeidler az at zitc.de
Thu Jan 31 20:58:50 UTC 2008


On Jan 31, 2008, at 7:15 PM, Wichert Akkerman wrote:
> See http://plone.org/products/plone/roadmap/224 for details.
>
> I absolutely hate to do this since it violates our process and we
> already have a large number of PLIPs waiting for review, but I am
> proposing this PLIP for Plone 3.1.

definitely a +1 on this from me.  not doing it right away simply
doesn't make sense, imho...

> The implementation is based on a long debate we
> had in the security team recently as a result of a discussion with
> a security researcher contacting us about possible Plone security
> issues.

...and we can't keep them holding back their paper for too long, anyway.

> At this moment I do not have a review bundle ready; I'm hoping that
> someone will beat me to it since I have very little time to work on
> it.

hmm, i guess i could try to set up a buildout, but what's the status
about determining the relevant forms and adding the protection to them?


andi

--
zeidler it consulting - http://zitc.de/ - info at zitc.de
friedelstraße 31 - 12047 berlin - telefon +49 30 25563779
pgp key at http://zitc.de/pgp - http://wwwkeys.de.pgp.net/
plone 3.0.5 released! -- http://plone.org/products/plone
