[Jifty-commit] r4926 - in jifty/trunk: lib/Jifty
jifty-commit at lists.jifty.org
Thu Jan 24 11:31:50 EST 2008
Author: sartak
Date: Thu Jan 24 11:31:49 2008
New Revision: 4926
Modified:
jifty/trunk/ (props changed)
jifty/trunk/Changelog
jifty/trunk/lib/Jifty/Web.pm
Log:
r50748 at onn: sartak | 2008-01-24 11:30:28 -0500
Complain loudly about back-compat when an action is denied.
Changelog the Jifty::API changes.
Modified: jifty/trunk/Changelog
==============================================================================
--- jifty/trunk/Changelog (original)
+++ jifty/trunk/Changelog Thu Jan 24 11:31:49 2008
@@ -1,3 +1,13 @@
+Jifty $NEXT
+
+BACKWARDS COMPATIBILITY
+====
+ * Deny all actions during GET requests. Applications must now whitelist safe
+ actions. - Sartak
+ * The action API is now split between "runnable" and "inspectable". The REST
+ interface used to use the former, now it uses the latter. - Sartak
+
+
Jifty 0.71129
I18N
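Review bot: The new BACKWARDS COMPATIBILITY entry "Deny all actions during GET requests" tells applications to whitelist safe actions but does not say how, or that the change is a security fix. Upgraders reading only the Changelog will not know what to add. Suggest repeating the dispatcher line from the Web.pm log message here, before '*' => run { Jifty->api->allow('SafeAction') };, and stating the security motivation in the entry. Minor style point: the "====" underline is shorter than the "BACKWARDS COMPATIBILITY" heading it sits under.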
Modified: jifty/trunk/lib/Jifty/Web.pm
==============================================================================
--- jifty/trunk/lib/Jifty/Web.pm (original)
+++ jifty/trunk/lib/Jifty/Web.pm Thu Jan 24 11:31:49 2008
@@ -359,6 +359,7 @@
. $request_action->class
. "'" );
Carp::cluck;
+ $self->log->error("NOTICE! A cross-site scriptng security fix has been installed so that actions are now by default DENIED during GET requests. You must specifically whitelist safe actions using this in your dispatcher: before '*' => run { Jifty->api->allow('SafeAction') }; - We apologize for the inconvenience.");
push @denied_actions, $request_action;
next;
}
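Review bot: The added $self->log->error call sits in the per-action denial path, just before "push @denied_actions, $request_action; next;", so the full multi-sentence notice is written at error level once for every denied action. On an application that has not yet been migrated this will bury the specific denial message logged just above it. Consider emitting the notice once per process (or once per request) and keeping only the short per-action line. The string also misspells "scripting" as "scriptng", which makes the message harder to find by searching logs, and it names a placeholder 'SafeAction' rather than the class from $request_action->class that was actually denied, so the operator has to correlate the two log lines to know what to whitelist.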