Ok, unless someone has a good reason that the issue is invalid, I will stop
the vote now.

I can first rebuild on Sunday, but Matej, can you commit the fix to the
release branch as well as update the issue to say that it's fixed in rc2?

Frank


On Dec 7, 2007 1:40 AM, Matej Knopp <[EMAIL PROTECTED]> wrote:

> -1 from me too.
>
> I just committed the fix though. Here's a jira issue for it:
> https://issues.apache.org/jira/browse/WICKET-1209
>
> -Matej
>
> On Dec 7, 2007 1:34 AM, Matt Clark <[EMAIL PROTECTED]> wrote:
> > I don't have a vote obviously, but -1 just because of what I believe is
> > a serious security problem with WicketSessionFilter.  Revision 556446,
> > which was trying to also make the application object available via
> > wicketsessionfilter, added some code immediately after the
> > Session.unset().  In the next revision 556700 that change was reverted,
> > but instead of just removing the code from 556446 the change also
> > removed the Session.unset().  Now, we're using WicketSessionFilter and
> > our users are seeing information from other users' sessions.
> >
> > I believe all that is required to fix this is to add back a
> > Session.unset() after the chain.doFilter in WicketSessionFilter, but
> > would it also be a good idea to do this?
> >
> > try {
> >         chain.doFilter(...);
> > } finally {
> >         // runs even when the chain throws, so the thread never keeps the Session
> >         Session.unset();
> > }
> >
> > We're really looking forward to some of the fixes in RC2, so I hope
> > this can make it in there, as it appears to be just an accident.
> >
> > Thanks,
> > Matt Clark
> >
> >
> > -----Original Message-----
> > From: Johan Compagner [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 06, 2007 5:38 PM
> > To: dev@wicket.apache.org
> > Subject: Re: [VOTE] Release Wicket 1.3.0 release candidate 2
> >
> > +1 release
> >
> > 2007/12/6, Frank Bille <[EMAIL PROTECTED]>:
> > > Hi all,
> > >
> > > I have uploaded the artifacts to my p.a.o account. This is what I have
> > > tested:
> > >
> > > * Run "mvn clean install" on the distribution. Installs, no test failures.
> > > * Run RAT[1] on the release and checked the output. Nothing to notice.
> > > * Tried different things in the examples, like ajax, links, images, forms,
> > > guice and pub2. Nothing to notice.
> > >
> > > The releases have been signed with my GPG key, which you can find in the
> > > KEYS[2] file.
> > >
> > > Anyway, here you can find the distribution files:
> > >
> > > http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/dist/
> > >
> > > and here you can find the maven repo:
> > >
> > > http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/m2-repo/
> > >
> > > and here I have uploaded the RAT logs:
> > >
> > > http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2
> > >
> > > [ ] Release Apache Wicket 1.3.0-rc2
> > > [ ] Don't release, because...
> > >
> > >
> > > Regards
> > > Frank
> > >
> > > [1]: http://code.google.com/p/arat/
> > > [2]: http://svn.apache.org/repos/asf/wicket/common/KEYS
> > >
> >
>
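
The failure described in the quoted report, as an added example that is not part of the original thread and not Wicket's code: a value bound to the request thread and never cleared stays on the pooled worker and is visible to the next request that thread serves. `ThreadBoundSessionDemo`, `CURRENT`, `Chain` and the two filter methods are hypothetical stand-ins for `WicketSessionFilter` and `Session`; the throwing chain shows why the cleanup sits in `finally`.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Constructed stand-in for a thread-bound session; names are hypothetical, not Wicket's API.
public class ThreadBoundSessionDemo {
    static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
    interface Chain { void doFilter() throws Exception; }

    // Regression shape: binds the caller's session to the thread and never unbinds it.
    static void leakyFilter(String sessionOwner, Chain chain) throws Exception {
        if (sessionOwner != null) CURRENT.set(sessionOwner);
        chain.doFilter();
    }

    // Proposed shape: unbind in finally (remove() stands in for Session.unset()).
    static void fixedFilter(String sessionOwner, Chain chain) throws Exception {
        try {
            if (sessionOwner != null) CURRENT.set(sessionOwner);
            chain.doFilter();
        } finally {
            CURRENT.remove();
        }
    }

    static void dispatch(boolean fixed, String sessionOwner, Chain chain) {
        try {
            if (fixed) fixedFilter(sessionOwner, chain); else leakyFilter(sessionOwner, chain);
        } catch (Exception e) {
            // A container would return an error response; the worker thread goes back to the pool.
        }
    }

    // Two requests on one pooled worker; returns what the second (session-less) request sees.
    static String secondRequestSees(boolean fixed) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            worker.submit(() -> dispatch(fixed, "alice", () -> { throw new IllegalStateException("boom"); })).get();
            String[] seen = new String[1];
            worker.submit(() -> dispatch(fixed, null, () -> seen[0] = CURRENT.get())).get();
            return seen[0];
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("no unset: " + secondRequestSees(false) + ", finally: " + secondRequestSees(true));
    }
}
```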
