Hi list,

tl;dr: If you use a fixed length buffer to store edit tokens, you'll
need to update your code.

I'm planning to +2 https://gerrit.wikimedia.org/r/#/c/156336/ in the
next day or so. That provides for two hardening measures:

* Tokens can be time limited. By default they won't be, but this

On Mon, Oct 20, 2014 at 1:38 PM, Chris Steipp cste...@wikimedia.org wrote:
* Tokens can be time limited. By default they won't be, but this puts
the plumbing in place if it makes sense to do that on any token checks
in the future.
* The tokens returned in a request will change on each request.

On Mon, Oct 20, 2014 at 11:00 AM, Zack Weinberg za...@cmu.edu wrote:
On Mon, Oct 20, 2014 at 1:38 PM, Chris Steipp cste...@wikimedia.org wrote:
* Tokens can be time limited. By default they won't be, but this puts
the plumbing in place if it makes sense to do that on any token checks
in the

On Mon, Oct 20, 2014 at 3:34 PM, Chris Steipp cste...@wikimedia.org wrote:
On Mon, Oct 20, 2014 at 11:00 AM, Zack Weinberg za...@cmu.edu wrote:
1) Since this is changing anyway, it would be a good time to make the
token size and structure independent of whether the user is logged on
or not.