[Jifty-commit] r4926 - in jifty/trunk: lib/Jifty

jifty-commit at lists.jifty.org
Thu Jan 24 11:31:50 EST 2008


Author: sartak
Date: Thu Jan 24 11:31:49 2008
New Revision: 4926

Modified:
   jifty/trunk/   (props changed)
   jifty/trunk/Changelog
   jifty/trunk/lib/Jifty/Web.pm

Log:
 r50748 at onn:  sartak | 2008-01-24 11:30:28 -0500
 Complain loudly about back-compat when an action is denied.
 Changelog the Jifty::API changes.


Modified: jifty/trunk/Changelog
==============================================================================
--- jifty/trunk/Changelog	(original)
+++ jifty/trunk/Changelog	Thu Jan 24 11:31:49 2008
@@ -1,3 +1,13 @@
+Jifty $NEXT
+
+BACKWARDS COMPATIBILITY
+====
+ * Deny all actions during GET requests. Applications must now whitelist safe
+   actions. - Sartak
+ * The action API is now split between "runnable" and "inspectable". The REST
+   interface used to use the former, now it uses the latter. - Sartak
+
+
 Jifty 0.71129
 
 I18N
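Review bot: The new "BACKWARDS COMPATIBILITY" heading is underlined with only four characters (`+====`), which does not match the heading width and looks out of place next to the existing section headings in this file; either extend the underline to the heading length or drop it to match the bare "I18N" style used below. The first entry also tells users they "must now whitelist safe actions" without saying how; since the Web.pm hunk in this same commit already spells out the migration step, the Changelog entry should carry it too, e.g. "whitelist safe actions in the dispatcher with before '*' => run { Jifty->api->allow('SafeAction') }", so readers do not have to discover it from a runtime log line.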

Modified: jifty/trunk/lib/Jifty/Web.pm
==============================================================================
--- jifty/trunk/lib/Jifty/Web.pm	(original)
+++ jifty/trunk/lib/Jifty/Web.pm	Thu Jan 24 11:31:49 2008
@@ -359,6 +359,7 @@
                         . $request_action->class
                         . "'" );
                 Carp::cluck;
+                $self->log->error("NOTICE! A cross-site scriptng security fix has been installed so that actions are now by default DENIED during GET requests. You must specifically whitelist safe actions using this in your dispatcher: before '*' => run { Jifty->api->allow('SafeAction') }; - We apologize for the inconvenience.");
                 push @denied_actions, $request_action;
                 next;
             }
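Review bot: The new error message describes this as a "cross-site scriptng security fix", which has a typo ("scripting") and, more importantly, the wrong vulnerability class: refusing to run actions on GET requests is a defence against cross-site request forgery, where a third-party page triggers a state-changing request with the victim's session, not against cross-site scripting. Suggest rewording to "cross-site request forgery (CSRF) security fix" so operators searching their logs understand what was changed and why. Also note that this `$self->log->error(...)` sits inside the per-action denial loop next to `Carp::cluck`, so every denied action on every GET request will emit the full multi-sentence migration notice; consider logging it once per process (or once per action class) and keeping the per-request line short, otherwise the notice will bury the real denial entries it is meant to explain.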