[Building Sakai] Assignment2 CSRF security in 2.9

Kusnetz, Jeremy JKusnetz at APUS.EDU
Thu Mar 14 12:49:46 PDT 2013


When uploading attachments in the Assignment2 tool we are seeing:

Missing CSRF Token session attribute: doAttachupload; toolId=sakai.assignment2

It looks like the CSRF security is something new in Sakai 2.9.

It looks like I can probably get around this problem via (confirmed):

velocity.csrf.insecure.tools.count=1
velocity.csrf.insecure.tools.1=sakai.assignment2

But is that really the right solution? Is there something that we are missing? Looking through catalina.out I see a few of these errors for sakai.sitesetup too.

Is there an issue with our setup, or is this something that assignment2 needs to address? Just grepping around I see a bunch of .vm files with <input type="hidden" name="sakai_csrf_token" value="$sakai_csrf_token" />. So I'm wondering if Assignment2 needs some updating?
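The message above asks whether templates are missing the hidden token field. This added example (not part of the original message and not Sakai code) flags POST forms in a Velocity template that lack the `sakai_csrf_token` input. The sample template, its form names and its `$uploadUrl`-style variables are constructed for illustration, and the regex matching is a heuristic rather than a full HTML parser.

```python
import re

TOKEN_FIELD = "sakai_csrf_token"  # hidden field name quoted in the message

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
POST_RE = re.compile(r"""\bmethod\s*=\s*["']?post\b""", re.I)
INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)
NAME_RE = re.compile(r"""\bname\s*=\s*["']([^"']+)["']""", re.I)


def name_attr(fragment):
    """Return the value of the name="..." attribute in a tag fragment, or None."""
    m = NAME_RE.search(fragment)
    return m.group(1) if m else None


def post_forms_missing_token(template):
    """Return (line_number, form_name) for each POST form without the token input."""
    findings = []
    for form in FORM_RE.finditer(template):
        attrs, body = form.group(1), form.group(2)
        if not POST_RE.search(attrs):
            continue  # only state-changing POST forms are expected to carry the token
        input_names = {name_attr(tag) for tag in INPUT_RE.findall(body)}
        if TOKEN_FIELD not in input_names:
            line = template.count("\n", 0, form.start()) + 1
            findings.append((line, name_attr(attrs) or "?"))
    return findings


# Constructed sample: one upload form without the token, one GET form, one protected form.
SAMPLE_VM = '''## constructed sample, not a real Sakai template
<form name="attachForm" method="post" action="$uploadUrl" enctype="multipart/form-data">
  <input type="file" name="upload" />
  <input type="submit" name="doAttachupload" value="Upload" />
</form>
<form name="searchForm" method="get" action="$searchUrl">
  <input type="text" name="search" />
</form>
<form name="saveForm" method="post" action="$saveUrl">
  <input type="hidden" name="sakai_csrf_token" value="$sakai_csrf_token" />
  <input type="submit" name="doSave" value="Save" />
</form>
'''

if __name__ == "__main__":
    for line, form_name in post_forms_missing_token(SAMPLE_VM):
        print(f"line {line}: POST form '{form_name}' has no {TOKEN_FIELD} input")
```
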

