Welcome to Rice 2.1.15!
This release consists of a number of security fixes to the KNS, including the following:
Cross-Site Request Forgery (CSRF) protection added to the KNS
Fixed a number of XSS vulnerabilities in the KNS
Upgraded commons-fileupload to version 1.3.2
Depending on your use of the KNS this may be a drop-in replacement. However, see below for information on potential impact related to the CSRF implementation.
You will also want to be sure that if you have established dependencies in your own project to commons-fileupload that you upgrade those as well. The specific vulnerability in commons-fileupload is detailed here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Kuali Rice 2.1.15 can be downloaded from the Rice website at http://kuali.org/rice/download.
There are three different distributions of Rice available: source, binary and server. Please read the Installation Guide for more details on each of these distributions.
Applications can also consume Rice from the maven site at http://search.maven.org/#search|ga|1|org.kuali.rice.
API Documentation can be found at http://site.kuali.org/rice/2.1.15/apidocs/index.html.
Formal documentation can be found at http://site.kuali.org/rice/2.1.15/reference/html/index.html. This documentation is still in the process of review and update which will continue through subsequent releases, so please follow the notes in each document to report any outdated information.
If you encounter any difficulty, please don't hesitate to contact the Rice team on our public collaboration mailing list at <rice.collab@kuali.org>. Please indicate that you are using the 2.1.15 version of Rice.
This release implements CSRF protection within the KNS. For most standard uses of the framework, no action will be required, since the fix for this issue has been incorporated into the KNS's page.tag library.
However, if you are using the KNS with custom JSP pages or HTML and have custom <form> elements, then you will need to ensure that you are submitting a hidden form input field that contains the CSRF token.
The CSRF token is stored in the session in an attribute called csrfSessionToken. There is a new tag in the KNS tag library called "csrf" which will insert the hidden form field and can be used as follows:
<kul:csrf/>
This simply resolves to the following HTML:
<input type="hidden" name="csrfToken" value="${sessionScope.csrfSessionToken}"/>
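To make the mechanism concrete, the following is an added example (not Rice's own code) of the server-side check that the hidden field enables: a servlet filter that rejects state-changing requests whose csrfToken parameter does not match the session's csrfSessionToken attribute. The filter class name and the assumptions that the token is stored as a String and that the javax.servlet API is in use are mine; only the attribute and parameter names come from the release notes.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter illustrating the server-side check that the csrfToken hidden
// field enables. It is not the KNS implementation; only the attribute and parameter
// names (csrfSessionToken / csrfToken) come from the release notes.
public class CsrfTokenCheckFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only state-changing methods must carry the token; GET/HEAD/OPTIONS pass through.
        String method = request.getMethod();
        boolean safeMethod = "GET".equals(method) || "HEAD".equals(method)
                || "OPTIONS".equals(method);

        if (!safeMethod && !tokenMatches(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CSRF token");
            return;
        }
        chain.doFilter(req, res);
    }

    // Compares the submitted csrfToken parameter with the session's csrfSessionToken
    // attribute in constant time. A missing session, attribute or parameter fails closed.
    static boolean tokenMatches(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        Object expected = session.getAttribute("csrfSessionToken");
        String submitted = request.getParameter("csrfToken");
        if (!(expected instanceof String) || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void init(FilterConfig config) {}
    @Override
    public void destroy() {}
}
```

A custom form that omits the hidden field (or submits it with a stale value) is rejected with HTTP 403 by such a check, which is the symptom to look for when upgrading custom JSP pages.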