Kuali Rice 2.3.11 Release Notes

Released: 07-22-2016


Table of Contents

Overview
Release Highlights
Download
Documentation
Contact
Impacting Changes
CSRF Protection for KNS Applications
CSRF Protection for KRAD Applications

Overview

Welcome to Rice 2.3.11!

Release Highlights

This release consists of a number of security fixes to both the KNS as well as KRAD, including the following:

  • Cross-Site Request Forgery (CSRF) protection added to the KNS

  • Cross-Site Request Forgery (CSRF) protection added to the KRAD platform

  • Fixed a number of XSS vulnerabilities in the KNS and KRAD

Depending on your use of the KNS and/or KRAD this may be a drop-in replacement. However see below for information on potential impact related to the CSRF implementation.

Download

Kuali Rice 2.3.11 can be downloaded from the Rice website at http://kuali.org/rice/download.

There are three different distributions of Rice available: source, binary and server. Please read the Installation Guide for more details on each of these distributions.

Applications can also consume Rice from the maven site at http://search.maven.org/#search|ga|1|org.kuali.rice.

Documentation

API Documentation can be found at http://site.kuali.org/rice/2.3.11/apidocs/index.html

Formal documentation can be found at http://site.kuali.org/rice/2.3.11/reference/html/index.html. This documentation is still in the process of review and update which will continue through subsequent releases, so please follow the notes in each document to report any outdated information.

Contact

If you encounter any difficulty, please don't hesitate to contact the Rice team on our public collaboration mailing list at . Please indicate that you are using the 2.3.11 version of Rice.

Impacting Changes

CSRF Protection for KNS Applications

This release implements CSRF protection within the KNS. For most standard uses of the framework, no action will be required since the fix for this issue has been incorporated into the KNS's page.tag library. However, if you are using the KNS with custom JSP pages or HTML and have custom <form> elements then you will need to ensure that you are submitting a hidden form input field that contains the CSRF token.

The CSRF token is stored in the session in an attribute called csrfSessionToken. There is a new TAG library in the set of KNS tags called "csrf" which will insert the hidden form field and can be used as follows:

<kul:csrf/>

This simply resolves to the following HTML:

<input type="hidden" name="csrfToken" value="${sessionScope.csrfSessionToken}"/>

CSRF Protection for KRAD Applications

This release implements CSRF protection within KRAD. For most standard uses of the framework, no action will be required since the fix for this issue has been incorporated into KRAD's standard form.ftl freemarker template. However, if you are using KRAD with custom freemarker pages and creating forms without using the supplied KRAD UIF form component, then you will need to ensure that you are submitting a hidden form input field that contains the CSRF token.

In order to do this, a custom freemarker template has been implemented that will insert the CSRF form field for you. It can be used as follows:

<@krad.csrfToken/>

This simply resolves to the following:

<input type="hidden" name="csrfToken" value="${KualiForm.csrfToken!}"/>