-1 from me too.
I just committed the fix though. Here's a JIRA issue for it:
https://issues.apache.org/jira/browse/WICKET-1209
-Matej
On Dec 7, 2007 1:34 AM, Matt Clark <[EMAIL PROTECTED]> wrote:
> I don't have a vote obviously, but -1 just because of what I believe is
> a serious security problem with WicketSessionFilter. Revision 556446,
> which was trying to also make the application object available via
> WicketSessionFilter, added some code immediately after the
> Session.unset(). In the next revision 556700 that change was reverted,
> but instead of just removing the code from 556446 the change also
> removed the Session.unset(). Now, we're using WicketSessionFilter and
> our users are seeing information from other users' sessions.
>
> I believe all that is required to fix this is to add back a
> Session.unset() after the chain.doFilter in WicketSessionFilter, but
> would it also be a good idea to do this?
>
> try {
>     chain.doFilter(request, response);
> } finally {
>     Session.unset();
> }
>
> We're really looking forward to some of the fixes in RC2, so I hope
> this can make it in there, as it appears to be just an accident.
>
> Thanks,
> Matt Clark
>
>
> -----Original Message-----
> From: Johan Compagner [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 06, 2007 5:38 PM
> To: [email protected]
> Subject: Re: [VOTE] Release Wicket 1.3.0 release candidate 2
>
> +1 release
>
> 2007/12/6, Frank Bille <[EMAIL PROTECTED]>:
> > Hi all,
> >
> > I have uploaded the artifacts to my p.a.o account. This is what I have
> > tested:
> >
> > * Run "mvn clean install" on the distribution. Installs, no test failures.
> > * Run RAT[1] on the release and checked the output. Nothing to notice.
> > * Tried different things in the examples, like ajax, links, images, forms, guice and pub2. Nothing to notice.
> >
> > The release has been signed with my GPG key, which you can find in the KEYS[2] file.
> >
> > Anyway, here you can find the distribution files:
> >
> > http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/dist/
> >
> > and here you can find the maven repo:
> >
> > http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/m2-repo/
> >
> > and here I have uploaded the RAT logs:
> >
> > http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2
> >
> > [ ] Release Apache Wicket 1.3.0-rc2
> > [ ] Don't release, because...
> >
> >
> > Regards
> > Frank
> >
> > [1]: http://code.google.com/p/arat/
> > [2]: http://svn.apache.org/repos/asf/wicket/common/KEYS
> >
>
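The failure mode Matt describes, as an added example that is not code from the Wicket project or from anyone in this thread: a constructed ThreadLocal session holder standing in for Wicket's Session.set()/Session.unset(), a filter that forgets to unset it, and the try/finally version he proposes. The executor with a single worker thread plays the role of a servlet container's thread pool, which is what makes the leak visible: a thread that served one user's request is reused for the next user's request, and a ThreadLocal that was never cleared still points at the first user's session. FakeSession, LeakyFilter, SafeFilter, SessionLeakDemo and the Runnable-based "chain" are all assumptions of this example; only the Session.set/unset and chain.doFilter names come from the thread.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/**
 * Constructed stand-in for Wicket's Session ThreadLocal holder (not Wicket code).
 * Only the two calls that matter in the thread are modelled: set() at the start
 * of a request and unset() at the end.
 */
final class FakeSession {
    private static final ThreadLocal<FakeSession> CURRENT = new ThreadLocal<>();
    final String user;

    FakeSession(String user) { this.user = user; }

    static void set(FakeSession s) { CURRENT.set(s); }
    static void unset() { CURRENT.remove(); }
    static FakeSession get() { return CURRENT.get(); }
}

/** Filter as described for revision 556700: Session.unset() after the chain is missing. */
final class LeakyFilter {
    // fromHttpSession is the Wicket session found in the HTTP session, or null for a user without one
    static void doFilter(FakeSession fromHttpSession, Runnable chain) {
        if (fromHttpSession != null) {
            FakeSession.set(fromHttpSession);
        }
        chain.run();            // stands in for chain.doFilter(request, response)
        // no FakeSession.unset() here: the worker thread keeps this user's session
    }
}

/** Filter with the fix proposed in the thread: unset in a finally block, so it runs even if the chain throws. */
final class SafeFilter {
    static void doFilter(FakeSession fromHttpSession, Runnable chain) {
        if (fromHttpSession != null) {
            FakeSession.set(fromHttpSession);
        }
        try {
            chain.run();        // stands in for chain.doFilter(request, response)
        } finally {
            FakeSession.unset();
        }
    }
}

public class SessionLeakDemo {
    /**
     * Serves two requests on the same pooled thread and reports which user the
     * second request observes. Request 1 belongs to a logged-in user; request 2
     * belongs to a visitor whose HTTP session holds no Wicket session at all.
     */
    static String secondRequestSees(boolean useSafeFilter) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(); // one worker, reused for both requests
        try {
            String[] seen = new String[1];

            Runnable request1 = () -> {
                FakeSession alice = new FakeSession("alice");  // constructed sample user
                if (useSafeFilter) SafeFilter.doFilter(alice, () -> { });
                else               LeakyFilter.doFilter(alice, () -> { });
            };

            Runnable request2 = () -> {
                // the "servlet" behind the filter records whose session the thread carries
                Runnable servlet = () -> {
                    FakeSession s = FakeSession.get();
                    seen[0] = (s == null) ? "nobody" : s.user;
                };
                if (useSafeFilter) SafeFilter.doFilter(null, servlet);
                else               LeakyFilter.doFilter(null, servlet);
            };

            pool.submit(request1).get();
            pool.submit(request2).get();
            return seen[0];
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("missing unset, second request sees: " + secondRequestSees(false));
        System.out.println("try/finally unset, second request sees: " + secondRequestSees(true));
    }
}
```

Run with `javac SessionLeakDemo.java && java SessionLeakDemo`. With the leaky filter the anonymous second request is handed the first user's session, which is exactly the cross-user exposure reported in the thread; with the try/finally filter it sees no session. Putting the unset in `finally` rather than after the chain call also covers the case where the downstream servlet throws, which a plain trailing `Session.unset()` would skip.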