Martin Zimmermann
2e24d0dadd
update changelog
2013-12-16 11:58:34 +01:00
Martin Zimmermann
9db762ad5e
italian translation by alzeco
2013-12-12 17:30:40 +01:00
Martin Zimmermann
525b2db6f1
fix french pluralization
2013-12-12 17:29:26 +01:00
Martin Zimmermann
150726df13
Merge branch 'feature/27', override thread id
2013-12-12 13:07:57 +01:00
Martin Zimmermann
bcb60c4e74
add documentation
2013-12-12 13:07:44 +01:00
Martin Zimmermann
77df31d06f
override thread discovery with data-isso-id="...", close #27
2013-12-12 13:04:29 +01:00
Martin Zimmermann
79112940e6
reduce heading size in comments, fix #26
2013-12-12 12:10:50 +01:00
Martin Zimmermann
c5daa66c82
remove old CSS rule
2013-12-12 12:10:02 +01:00
Martin Zimmermann
0152e627ea
use apache lexer and add recipe for session key generation
2013-12-12 11:52:05 +01:00
Martin Zimmermann
f0be9e9655
add latest work to changelog
2013-12-12 11:44:34 +01:00
Martin Zimmermann
336ca3ffe7
add deployment docs for mod_wsgi
2013-12-12 11:28:30 +01:00
Martin Zimmermann
ba03f0105d
generate CSS for docs properly
2013-12-11 15:40:46 +01:00
Martin Zimmermann
8169b30c04
add isso.svg
2013-12-11 15:30:22 +01:00
Martin Zimmermann
75dd18ece4
add favicon.ico
2013-12-11 15:30:10 +01:00
Martin Zimmermann
dcbe282c34
rm extras/multi-site.rst, already in configuration/setup.rst
2013-12-09 12:07:36 +01:00
Martin Zimmermann
990688f6e0
Merge branch 'fix/multsite'
2013-12-08 19:20:46 +01:00
Martin Zimmermann
adc722359d
move application export to isso.run
When using Gunicorn or uWSGI to run `isso.dispatch` it would
automatically initialize a default Isso instance (and cause
several logging messages), although never used.
If you use uWSGI or Gunicorn, you have to change the module from
`isso` to `isso.run`.
2013-12-08 19:15:08 +01:00
Martin Zimmermann
b15f17738e
isso.dispatch now dispatches multiple sites based on relative URLs
The previous approach using a custom X-Custom header did work for the
client-side, but not for activation and deletion links. Now, you need
to add a `name = foo` option to the general section. `isso.dispatch`
then binds this configuration to /foo and can distinguish all API
calls without a special HTTP header.
2013-12-08 19:09:56 +01:00
Martin Zimmermann
ac74418179
move dispatch into isso package
2013-12-08 17:41:07 +01:00
Martin Zimmermann
ebad039d0e
Merge pull request #43 from FedericoCeratto/patch-1
Create example.conf
2013-12-08 08:25:06 -08:00
Federico Ceratto
9f40ba848d
Create example.conf
Example configuration with comments
2013-12-08 15:58:19 +00:00
Martin Zimmermann
982316c04b
show PHP #vulnerability versus Python
2013-12-07 23:50:48 +01:00
Martin Zimmermann
fc984bb656
add Date header, close #42
2013-12-07 13:17:56 +01:00
Martin Zimmermann
232e2fb474
another approach to fix #40 (return 403 on false Content-Type)
When an attacker uses a <form> to downvote a comment, the browser
*should* add a `Content-Type: ...` header with three possible values:
* application/x-www-form-urlencoded
* multipart/form-data
* text/plain
If the header is not sent or requests `application/json`, the
request is not forged (XHR is restricted by CORS separately).
2013-12-04 23:36:48 +01:00
Martin Zimmermann
1db06bbf39
Revert "HTTP Origin is only sent on cross-origin requests in Firefox"
Revert "use Referer instead of Origin when using IE"
Revert "fix unittests"
Revert "check if Origin matches Host to mitigate CSRF, part of #40 "
This reverts commit 9376511485c70deaf908aa67bcdc8f0c9a0b003e.
This reverts commit 9a03cca793.
This reverts commit 4c16ba76cc.
This reverts commit 32e4b70510.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
b839b2be31
HTTP Origin is only sent on cross-origin requests in Firefox
Therefore, only raise Forbidden if Origin (or Referer for MSIE) is sent
(which is a protected header and sent by all modern browsers (except IE)).
Also add a basic unit test which asserts the failure for false origins.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
8802b73b52
Merge pull request #41 from spk/blank
Add check with blank text
2013-12-03 23:52:16 -08:00
Laurent Arnoud
02db978308
Add check with blank text
2013-12-04 00:35:09 +01:00
Martin Zimmermann
7d64d84d9d
write contribute section
2013-12-02 14:26:12 +01:00
Martin Zimmermann
6f504ee8f5
show modal dialog before delete or activate comments, close #36
The URL sent in the email returns a short HTML document where
JS creates a modal dialog. If continued, the browser sends a
POST request to the same URL.
2013-12-02 13:07:11 +01:00
Martin Zimmermann
83b48d5db6
use el.getAttribute instead of el.dataset to support IE10 m(
2013-12-02 12:14:26 +01:00
Martin Zimmermann
59b70e7109
Merge branch 'fix/csrf', closes #40
2013-12-02 12:13:42 +01:00
Martin Zimmermann
9a03cca793
use Referer instead of Origin when using IE
* IE10 (and 11) do not send HTTP_ORIGIN when requesting a URL not in
the same origin, although recommended by WHATWG [1]
* if IE10 is used, use the referer. If this header is suppressed by the
user, it won't work (and I don't care).
IE10 needs to die, seriously:
> We have a long-standing interoperability difference with other browsers
> where we treat different ports as same-origin whereas other browsers
> treat them as cross-origin.
via https://connect.microsoft.com/IE/feedback/details/781303/origin-header-is-not-added-to-cors-requests-to-same-domain-but-different-port
[1] http://tools.ietf.org/html/draft-abarth-origin-09
2013-12-02 12:12:21 +01:00
Martin Zimmermann
4c16ba76cc
fix unittests
2013-12-01 13:40:11 +01:00
Martin Zimmermann
32e4b70510
check if Origin matches Host to mitigate CSRF, part of #40
2013-12-01 13:40:08 +01:00
Martin Zimmermann
b0ecc9c16a
add reason for SQLite
2013-11-29 23:09:22 +01:00
Martin Zimmermann
6e31111554
add application object into ns only when using uwsgi and gunicorn
2013-11-29 14:22:21 +01:00
Martin Zimmermann
baabd30e74
more descriptive logging
2013-11-29 14:21:43 +01:00
Martin Zimmermann
a6f54f0191
wat
2013-11-25 17:16:58 +01:00
Martin Zimmermann
c2291c1121
fix links to PyPI and GitHub
2013-11-25 17:06:26 +01:00
Martin Zimmermann
90468cbc27
simplify nosetest usage
2013-11-25 17:02:15 +01:00
Martin Zimmermann
ce950259b4
show traceback when smtp connection failed
2013-11-25 17:02:04 +01:00
Martin Zimmermann
350cf406c2
remove installation and configuration from README
2013-11-25 17:00:36 +01:00
Martin Zimmermann
a045c963bd
Merge branch 'feature/gunicorn'
2013-11-25 16:57:45 +01:00
Martin Zimmermann
706186acd8
Merge branch 'feature/docs'
2013-11-25 16:57:35 +01:00
Martin Zimmermann
b79ac583e8
use sphinx for documentation
2013-11-25 16:57:18 +01:00
Martin Zimmermann
896b4f5e33
support for gunicorn (and other pre-forking wsgi servers)
2013-11-25 13:51:11 +01:00
Martin Zimmermann
aa65873fa6
uWSGI also works with multiprocessing.Lock
2013-11-25 13:50:43 +01:00
Martin Zimmermann
6405f258f3
replace nested middleware calls with reduce and partials
2013-11-25 13:38:51 +01:00
Martin Zimmermann
c9c0df229a
Merge branch 'feature/info'
2013-11-21 11:17:24 +01:00