[development] Slight API change in 4.6.10 and 4.7.4

James Gilliland neclimdul at gmail.com
Thu Oct 19 19:42:44 UTC 2006


On 10/19/06, Rob Barreca <rob at electronicinsight.com> wrote:
>
> Heine Deelstra wrote:
> > The 4.6.10 and 4.7.4 releases saw the addition of a new default form
> > field to protect against cross site request forgeries.
> >
> > 2. 4.7 modules and themes that rely on a defined set of form fields to
> > be present
> To me, this just means any form 'myform' that has defined a
> theme_myform() function which DOESN'T have a form_render($form); at the
> end of it will need to be updated. IIRC there are probably not too many
> modules which do that. Am I correct there? So I think the small breakage
> is outweighed by the improved security.


Yeah... those were my thoughts after reading the upgrade post.  Actually it
was more like "Wasn't that something we were supposed to be doing anyways?"
I do have a better idea of why there was a token now though.

While breaking things this is really just bringing contrib module developers
into line with core requirements where before they could get away with not
doing it correctly.  That seems fair, though I don't think anyone will
argue that they wished this had happened in the initial release.

That's life and nothing short of more eyes going over the code for security
issues is going to help that. Don't look at me like that Gerhard, I'm not
complaining or volunteering. ;)   And more eyes is the driving idea behind
open source so I think we're working in the right direction there even if we
are short staffed.

James