Hi everyone,

last week I informed you about the stoken check to be expected, remember? I reach out today to let you know that we had to update the behavior before the present release:

Basically the change is that stoken is now checked not for every form but only for forms intended for logged-in users. Adding the "tobasket" link could be performed by anonymous users, therefore stoken is not checked and not validated in this case. As in our documentation we used the "tobasket" link as an example, we changed the documentation: http://wiki.oxidforge.org/Downloads/4.9.0_5.2.0#Dynamic_Group_assignment_security_improvement

The note regarding no longer supported features (adding to basket from 3rd party sites) was also removed. So no feature will be lost due to this security improvement.

Sorry for any inconvenience, didn't want to confuse you, just let you know in time about the changes...

Regards
Tomas Liubinas

From: [email protected] On Behalf Of Joscha Krug | marmalade GmbH
Sent: Thursday, September 25, 2014 5:10 PM
To: [email protected]
Subject: Re: [oxid-dev-general] Security improvement: Dynamic security token check

Hello Marco,

Thanks for the information! Could someone from the devs explain the background? This will not be so easy to implement automatically as it affects a lot of templates.

Best regards,
Joscha

//---------
Joscha Krug
marmalade GmbH
www.marmalade.de
[email protected]
Leibnizstr. 25
39104 Magdeburg
GERMANY
phone: +49 (0) 391 / 559 22 104
fax: +49 (0) 391 / 559 22 106

On 25.09.2014 16:01, Marco Steinhaeuser wrote:

Hi everybody,

just added an important section to the release notes of the upcoming OXID eShop version 4.9/5.2: The dynamic security token parameter check was expanded to all forms and action URLs. This is important for you to know especially if you're running functions like to_basket etc...

Read more about it here: http://wiki.oxidforge.org/Downloads/4.9.0_5.2.0#Security_improvement:_Dynamic_security_token_check

Please head back for any questions about it and the other stuff at this release notes page.

Best regards!
Marco

_______________________________________________
dev-general mailing list
[email protected]
http://dir.gmane.org/gmane.comp.php.oxid.general
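The policy Tomas describes above (a per-session token that is validated only for forms intended for logged-in users, while anonymous actions such as "tobasket" are left unchecked so third-party add-to-basket links keep working) as an added illustration. This is a hypothetical, framework-independent PHP snippet written for this thread; it is not OXID eShop code, and the class and function names (DemoSession, checkStoken, stokenField) and the `$requiresLogin` flag are assumptions, not OXID's API.

```php
<?php
declare(strict_types=1);

// Illustrative session-token ("stoken") check, constructed for this thread.
// NOT OXID eShop code: DemoSession, checkStoken and stokenField are hypothetical names.

// Stand-in for a real session object. The challenge token is created once per
// session and embedded in every form that needs protection.
final class DemoSession
{
    private ?string $token = null;

    public function __construct(private bool $loggedIn)
    {
    }

    public function isLoggedIn(): bool
    {
        return $this->loggedIn;
    }

    public function getChallengeToken(): string
    {
        if ($this->token === null) {
            // 128 bits from the CSPRNG; hex-encoded so it is safe in URLs and attributes.
            $this->token = bin2hex(random_bytes(16));
        }
        return $this->token;
    }
}

// Hidden field for templates of forms intended for logged-in users.
function stokenField(DemoSession $session): string
{
    return '<input type="hidden" name="stoken" value="'
        . htmlspecialchars($session->getChallengeToken(), ENT_QUOTES, 'UTF-8')
        . '">';
}

// Decide whether a request passes the stoken check.
// $requiresLogin marks a form/action meant for logged-in users (true) or one that
// anonymous visitors may trigger, like "tobasket" (false).
// $params is the request's GET/POST parameter array.
function checkStoken(DemoSession $session, bool $requiresLogin, array $params): bool
{
    if (!$requiresLogin) {
        // Anonymous-capable actions are deliberately not token-checked, which is
        // what keeps external "add to basket" links working after the change.
        return true;
    }
    if (!$session->isLoggedIn()) {
        // A logged-in-only action without a login fails regardless of the token.
        return false;
    }
    $sent = $params['stoken'] ?? '';
    // hash_equals gives a constant-time comparison so the token is not leaked via timing.
    return is_string($sent) && hash_equals($session->getChallengeToken(), $sent);
}

// Constructed sample requests showing the three cases the thread discusses.
$user = new DemoSession(loggedIn: true);
$guest = new DemoSession(loggedIn: false);

// 1. Anonymous "tobasket" link with no stoken: accepted.
var_dump(checkStoken($guest, false, ['cl' => 'basket', 'fnc' => 'tobasket', 'aid' => 'demo-article']));
// 2. Logged-in account form carrying the session's own token: accepted.
var_dump(checkStoken($user, true, ['stoken' => $user->getChallengeToken()]));
// 3. Logged-in account form with a missing or foreign token (the CSRF case): rejected.
var_dump(checkStoken($user, true, ['stoken' => 'deadbeef']));
var_dump(checkStoken($user, true, []));
echo stokenField($user), PHP_EOL;
```

The point of the `$requiresLogin` switch is that the decision is made per form or action URL, not per visitor: a template for a customer-account form always embeds and checks the token, while a public product link never does, so the check covers exactly the forms where a forged request could act on someone's account.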
