I don't have a vote obviously, but -1 just because of what I believe is
a serious security problem with WicketSessionFilter.  Revision 556446,
which was trying to also make the application object available via
WicketSessionFilter, added some code immediately after the
Session.unset().  In the next revision 556700 that change was reverted,
but instead of just removing the code from 556446 the change also
removed the Session.unset().  Now, we're using WicketSessionFilter and
our users are seeing information from other users' sessions.

I believe all that is required to fix this is to add back a
Session.unset() after the chain.doFilter in WicketSessionFilter, but
would it also be a good idea to do this?

try {
        chain.doFilter(request, response);
} finally {
        Session.unset();
}

We're really looking forward to some of the fixes in RC2, so I hope
this can make it in there, as it appears to be just an accident.

Thanks,
Matt Clark

-----Original Message-----
From: Johan Compagner [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 06, 2007 5:38 PM
To: [email protected]
Subject: Re: [VOTE] Release Wicket 1.3.0 release candidate 2

+1 release

2007/12/6, Frank Bille <[EMAIL PROTECTED]>:
> Hi all,
>
> I have uploaded the artifacts to my p.a.o account. This is what I have
> tested:
>
> * Run "mvn clean install" on the distribution. Installs, no test
> failures.
> * Run RAT[1] on the release and checked the output. Nothing to notice.
> * Tried different things in the examples, like ajax, links, images,
> forms, guice and pub2. Nothing to notice.
>
> The release has been signed with my GPG key, which you can find in
> the KEYS[2] file.
>
> Anyway, here you can find the distribution files:
>
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/dist/
>
> and here you can find the maven repo:
>
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/m2-repo/
>
> and here I have uploaded the RAT logs:
>
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2
>
> [ ] Release Apache Wicket 1.3.0-rc2
> [ ] Don't release, because...
>
>
> Regards
> Frank
>
> [1]: http://code.google.com/p/arat/
> [2]: http://svn.apache.org/repos/asf/wicket/common/KEYS
>
