Welcome to Rice 2.5.11!
This release consists of a number of security fixes to both the KNS and KRAD, including the following:
Cross-Site Request Forgery (CSRF) protection added to the KNS
Cross-Site Request Forgery (CSRF) protection added to the KRAD platform
Fixed a number of XSS vulnerabilities in the KNS and KRAD
For most applications this release is a drop-in replacement. However, applications that build their own forms outside the standard KNS or KRAD form tags will need the changes described below, since those forms must now carry the CSRF token.
Kuali Rice 2.5.11 can be downloaded from the Rice website at http://kuali.org/rice/download.
There are three different distributions of Rice available: source, binary and server. Please read the Installation Guide for more details on each of these distributions.
Applications can also consume Rice from the maven site at http://search.maven.org/#search|ga|1|org.kuali.rice.
API Documentation can be found at http://site.kuali.org/rice/2.5.11/apidocs/index.html
Formal documentation can be found at http://site.kuali.org/rice/2.5.11/reference/html/index.html. This documentation is still in the process of review and update which will continue through subsequent releases, so please follow the notes in each document to report any outdated information.
If you encounter any difficulty, please don't hesitate to contact the Rice team on our public collaboration mailing list at <rice.collab@kuali.org>. Please indicate that you are using the 2.5.11 version of Rice.
This release implements CSRF protection within the KNS. For most standard uses of the framework, no action will be required, since the fix has been incorporated into the KNS's page.tag library.
However, if you are using the KNS with custom JSP pages or HTML that contain their own <form> elements, then you will need to ensure that each such form submits a hidden input field containing the CSRF token; otherwise those submissions will fail the CSRF check after the upgrade. The CSRF token is stored in the session in an attribute called csrfSessionToken. A new tag in the KNS tag library, "csrf", inserts the hidden form field for you and can be used as follows:
<kul:csrf/>
This simply resolves to the following HTML:
<input type="hidden" name="csrfToken" value="${sessionScope.csrfSessionToken}"/>
This release implements CSRF protection within KRAD. For most standard uses of the framework, no action will be required, since the fix has been incorporated into KRAD's standard form.ftl FreeMarker template. However, if you are using KRAD with custom FreeMarker pages and creating forms without the supplied KRAD UIF form component, then you will need to ensure that each such form submits a hidden input field containing the CSRF token.
To do this, a FreeMarker macro has been added that inserts the CSRF form field for you. Note that, unlike the KNS field, it reads the token from the form object (KualiForm.csrfToken) rather than directly from the session. It can be used as follows:
<@krad.csrfToken/>
This simply resolves to the following:
<input type="hidden" name="csrfToken" value="${KualiForm.csrfToken!}"/>