SVNSearch: Apache Software Foundation

Log message:		From:		To:
Path:		Author:		Issue:
File name:		File type:

Activity by time

Activity by year and month

Activity by author

authors by first/last commit

Core group

Developer turnover

Changes Collaboration Timeline Rss Unmute 1 - 10 of 10
826295 17.10.2009 21:27:12, by markt Part 2 of CSRF protection for the host manager. Use POST and require valid nonce. M /tomcat/trunk/java/org/apache/catalina/manager/host/Constants.java M /tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java M /tomcat/trunk/java/org/apache/catalina/manager/host/LocalStrings.properties
826294 17.10.2009 21:25:11, by markt Part 1 of CSRF protection for host manager. Move text interface from / to /text, add extra role for /text. Port 401.jsp and 404.jsp from manager. A /tomcat/trunk/webapps/host-manager/401.jsp A /tomcat/trunk/webapps/host-manager/404.jsp M /tomcat/trunk/webapps/host-manager/WEB-INF/web.xml
823975 11.10.2009 01:11:30, by markt Use a nonce to provide CSRF protection M /tomcat/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java M /tomcat/trunk/java/org/apache/catalina/manager/LocalStrings.properties
823962 10.10.2009 23:54:54, by markt Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=40001 Use POST rather than GET for all operations that are not idempotent Partly based on a patch suggested by Daniel Naber Remove the "Are you sure?", partly due to lack of i18n support and since as (based on my recollection) as many people disliked the feature as liked it. Provides a (very) small measure of CSRF protection but lays the foundation for using a nonce with POST. M /tomcat/trunk/java/org/apache/catalina/manager/Constants.java M /tomcat/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java M /tomcat/trunk/java/org/apache/catalina/manager/LocalStrings.properties
722044 01.12.2008 12:47:48, by thrantal WICKET-1886: Fixed testing things that require cookies persisted over multiple requests, such as CSRF protection in a hidden Form fields. An even more straight forward option would have been to remove clearing cookies in MockWebApplication.initialize(), and copy cookies to each request from response, because after all the lifecycle of a WicketTester (MockWebApplication) instance should be such that cookies could be preserved there. Backport from trunk. M /wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/MockHttpServletRequest.java M /wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/MockWebApplication.java M /wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/util/tester/WicketTesterTest.java
722039 01.12.2008 12:25:55, by thrantal WICKET-1886: Fixed testing things that require cookies persisted over multiple requests, such as CSRF protection in a hidden Form fields. An even more straight forward option would have been to remove clearing cookies in MockWebApplication.initialize(), and copy cookies to each request from response, because after all the lifecycle of a WicketTester (MockWebApplication) instance should be such that cookies could be preserved there. M /wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/MockWebApplication.java M /wicket/trunk/wicket/src/test/java/org/apache/wicket/util/tester/WicketTesterTest.java
684127 09.08.2008 00:12:53, by ivaynberg WICKET-1782: CSRF safe encryption M /wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java A /wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
684126 09.08.2008 00:12:04, by ivaynberg WICKET-1782: CSRF-safe encryption M /wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java A /wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
663514 05.06.2008 12:01:30, by jim Merge r661666 from trunk: Prevent CSRF attacks against the balancer-manager (CVE-2007-6420) * modules/proxy/mod_proxy_balancer.c (balancer_init): New function. (balancer_handler): Place a nonce in the form output, and check that the submitted form data includes that nonce. (ap_proxy_balancer_register_hook): Register the new post_config hook. Submitted by: jorton Reviewed by: jim M /httpd/httpd/branches/2.2.x/CHANGES M /httpd/httpd/branches/2.2.x/STATUS M /httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_balancer.c
661666 30.05.2008 13:49:31, by jorton Prevent CSRF attacks against the balancer-manager (CVE-2007-6420) * modules/proxy/mod_proxy_balancer.c (balancer_init): New function. (balancer_handler): Place a nonce in the form output, and check that the submitted form data includes that nonce. (ap_proxy_balancer_register_hook): Register the new post_config hook. M /httpd/httpd/trunk/CHANGES M /httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c