[pLog-svn] r7110 - plog/branches/lifetype-1.2/plugins plugins/branches/lifetype-1.2
jondaley at devel.lifetype.net
Thu Jan 13 17:25:07 EST 2011
Author: jondaley
Date: 2011-01-13 17:25:07 -0500 (Thu, 13 Jan 2011)
New Revision: 7110
Added:
plog/branches/lifetype-1.2/plugins/csrf/
Removed:
plugins/branches/lifetype-1.2/csrf/
Log:
This plugin should be installed by default. For 2.0, more work should be done on this, namely:
1. Make the token generation more random, maybe a user-configurable value in the config.php file?
2. Maybe use a blacklist instead of a whitelist?
3. Don't ever add a token to a remote URL (if I remember right, that isn't happening now, but if we switch to a blacklist model, that might be more of an issue).
4. Plugins aren't included right now, and so any plugin that uses a GET URL that points to a core action will fail. This includes the moderate plugin, which is the only one I've noticed myself, but it has a workaround, where you can use the regular comment section to mark moderated comments as spam.
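As an added example (not the csrf plugin's own code, and not from the committer), here is one way items 1 and 3 of the log could be handled in PHP: a per-session token drawn from the OS CSPRNG, appended only to URLs that stay on the blog's own host, and verified with a constant-time compare. It assumes a plain PHP session and PHP 7 or later; the function names and the `csrf_token` parameter name are my own.

```php
<?php
// Added example, not LifeType's csrf plugin. Function names are hypothetical.

// Item 1: take the token from the OS CSPRNG rather than from a predictable
// value, and keep one token per session so links and forms share it.
function csrf_token(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits of entropy
    }
    return $_SESSION['csrf_token'];
}

// Item 3: only append the token to URLs that point at this host, so the
// secret is never handed to a third-party site. Relative URLs (no host)
// are treated as local; protocol-relative "//other.example/..." is remote.
function csrf_add_token(string $url, string $ownHost): string {
    $parts = parse_url($url);
    if ($parts === false) {
        return $url; // unparsable: leave it alone rather than guess
    }
    $host = $parts['host'] ?? null;
    if ($host !== null && strcasecmp($host, $ownHost) !== 0) {
        return $url; // remote URL: never add the token
    }
    $sep = (isset($parts['query']) && $parts['query'] !== '') ? '&' : '?';
    $fragment = isset($parts['fragment']) ? '#' . $parts['fragment'] : '';
    $base = $fragment === '' ? $url : substr($url, 0, -strlen($fragment));
    return $base . $sep . 'csrf_token=' . rawurlencode(csrf_token()) . $fragment;
}

// Check the submitted token with hash_equals() so the comparison time does
// not depend on how many leading characters matched.
function csrf_check(?string $submitted): bool {
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}
```

Rejecting a request when `csrf_check($_GET['csrf_token'] ?? $_POST['csrf_token'] ?? null)` is false covers both the GET-style action URLs the log mentions and ordinary form posts.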