Hi,
Just a short note. There are some but no major changes in templates. No major
changes required because:
1. Stoken check in important forms (checkout process, user information
changes) has already been implemented in earlier versions, the changes in
current release apply only to not as important forms (newsletter
subscription, notice list, wishlist, to basket forms).
2. In forms in templates there is already hidden sid
getter [{$oViewConf->getHiddenSid()}] included which generates hidden sid
element. The same getter now generates also stoken hidden element. Therefore it
would be included in many forms without template changes.
Regards
Tomas Liubinas
From: [email protected]
[mailto:[email protected]] On Behalf Of Joscha Krug |
marmalade GmbH
Sent: Thursday, September 25, 2014 5:10 PM
To: [email protected]
Subject: Re: [oxid-dev-general] Security improvement: Dynamic security token
check
Hello Marco,
Thanks for the information!
Could someone from the devs explain the background? This will not be so easy to
implement automatically as it affects a lot of templates.
Best regards,
Joscha
//---------
Joscha Krug
marmalade GmbH
www.marmalade.de
[email protected]
Leibnizstr.25
39104 Magdeburg
GERMANY
phone: +49 (0) 391 / 559 22 104
fax: +49 (0) 391 / 559 22 106
Am 25.09.2014 16:01, schrieb Marco Steinhaeuser:
Hi everybody,
just added an important section to the release notes of the upcoming OXID eShop
version 4.9/5.2: The dynamic security token parameter check was expanded to all
forms and action URLs. This is important for you to know especially if you're
running functions like to_basket etc...
Read more about it here:
http://wiki.oxidforge.org/Downloads/4.9.0_5.2.0#Security_improvement:_Dynamic_security_token_check
Please head back for any questions about it and the other stuff at this release
notes page.
Best regards!
Marco
_______________________________________________
dev-general mailing list
[email protected]
http://dir.gmane.org/gmane.comp.php.oxid.general