From: "David E Jones" <david.jo...@hotwaxmedia.com>
I thought we gave up with this message (or just have it only in log?).

If a change had been made you would have seen it in the commit log... and hopefully explicitly called out as such (it is unfortunate that we get so many poorly written commit logs that don't even try to describe the changes made...).

I was referring to r764286 and yes the parameter in url.properties is set to service.http.parameters.require.encrypted=Y
I thought it was =N, memory loss...

But I was just thinking about that yesterday and I think that we should continue to have it in trunk and not in 9.04. So we will be able to catch them (before having a tool to list them all, I hope to work on that next week) without disturbing 9.04 users

The main point of that error is to protect against XSRF attacks. Without that error and not allowing the condition it checks there is nothing keeping spoofed parameters from piggy-backing on a cloned encrypted request (or caught and modified through a man-in-the-middle sort of attack).

Personally I'd rather see these fixed in both the release branch and in the trunk, but if we get too many complaints about it in the release branch then I'm totally fine disabling that constraint temporarily.

Yes, let's see what happens...

Jacques

-David
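To make the point about piggy-backed parameters concrete, here is an added illustration of the check the thread is discussing. It is example code written for this page, not OFBiz's own ServiceEventHandler or anything from r764286. It assumes a simplified request model (a URL plus an optional form body), takes the service's declared input names as an explicit argument, and uses a `require_encrypted` flag in place of `service.http.parameters.require.encrypted=Y/N` from url.properties; the rule that body values win over query-string values when the check is off is an assumption of the example, not something the thread states.

```python
"""Added example for this page: a simplified version of the check the
thread discusses, written here to illustrate it. It is not OFBiz's own
ServiceEventHandler code. Assumptions (not from the page): a request is
modelled as a URL plus an optional form body; the service's declared
input names are passed in explicitly; the require_encrypted flag stands
for service.http.parameters.require.encrypted=Y/N in url.properties."""
from urllib.parse import parse_qs, urlsplit


class ParameterPolicyError(Exception):
    """Raised when a service parameter arrives on the URL of an https request."""


def split_request(url, body=None):
    """Return (scheme, query_params, body_params); parse_qs yields lists."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body or "", keep_blank_values=True)
    return parts.scheme, query, form


def service_params(url, body=None, param_names=(), require_encrypted=True):
    """Build the input map for a service event from a request.

    With require_encrypted on and an https request, any declared service
    parameter found in the URL query string is rejected: that is the
    channel an attacker can fill by handing a victim a crafted link, so a
    cloned "secure" request could otherwise carry spoofed values. The
    check is skipped over plain http, where neither channel is protected.
    Values from the body take precedence over the query string when both
    are present (assumed behaviour for this example, not OFBiz's).
    """
    scheme, query, form = split_request(url, body)
    if require_encrypted and scheme == "https":
        spoofed = sorted(n for n in param_names if n in query)
        if spoofed:
            raise ParameterPolicyError(
                "URL parameter(s) %s passed to secure (https) service event; "
                "send them in the request body" % ", ".join(spoofed))
    merged = {k: v[0] for k, v in query.items()}
    merged.update({k: v[0] for k, v in form.items()})
    return {k: merged[k] for k in param_names if k in merged}


def is_rejected(url, body=None, param_names=(), require_encrypted=True):
    """True if the policy rejects the request (handy for tests and logging)."""
    try:
        service_params(url, body, param_names, require_encrypted)
    except ParameterPolicyError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests; example.invalid is a reserved, non-resolving host.
    NAMES = ("userLoginId", "newPassword")
    legit = "https://example.invalid/control/updatePassword"
    forged = legit + "?userLoginId=admin&newPassword=pwned"

    # Proper form POST over https: parameters in the body, accepted.
    print(service_params(legit, "userLoginId=alice&newPassword=s3cret", NAMES))
    # Crafted link over https with require.encrypted=Y: rejected.
    print("forged link rejected:", is_rejected(forged, None, NAMES, True))
    # Same link with require.encrypted=N: the spoofed values go straight in.
    print(service_params(forged, None, NAMES, require_encrypted=False))
```

The third call is the hole the error exists to close: with the constraint disabled, a link an attacker controls feeds `userLoginId=admin` into a "secure" service event exactly as if the user had submitted the form. Note the check only fires for parameters the service actually declares; an unrelated query parameter such as a tracking token does not trip it.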

