Commit Graph

401 Commits

Author SHA1 Message Date
Martin Zimmermann
232e2fb474 another approach to fix #40 (return 403 on false Content-Type)
When an attacker uses a <form> to downvote a comment, the browser
*should* add a `Content-Type: ...` header with three possible values:

    * application/x-www-form-urlencoded
    * multipart/form-data
    * text/plain

If the header is not sent or requests `application/json`, the
request is not forged (XHR is restricted by CORS separately).
2013-12-04 23:36:48 +01:00
Martin Zimmermann
1db06bbf39 Revert "HTTP Origin is only sent on cross-origin requests in Firefox"
Revert "use Referer instead of Origin when using IE"
Revert "fix unittests"
Revert "check if Origin matches Host to mitigate CSRF, part of #40"

This reverts commit 9376511485c70deaf908aa67bcdc8f0c9a0b003e.
This reverts commit 9a03cca793.
This reverts commit 4c16ba76cc.
This reverts commit 32e4b70510.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
b839b2be31 HTTP Origin is only sent on cross-origin requests in Firefox
Therefore, only raise Forbidden if Origin (or Referer for MSIE) is sent
(which is a protected header and all modern browsers (except IE)).

Also add a basic unit test which asserts the failure for false origins.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
8802b73b52 Merge pull request #41 from spk/blank
Add check with blank text
2013-12-03 23:52:16 -08:00
Laurent Arnoud
02db978308 Add check with blank text 2013-12-04 00:35:09 +01:00
Martin Zimmermann
7d64d84d9d write contribute section 2013-12-02 14:26:12 +01:00
Martin Zimmermann
6f504ee8f5 show modal dialog before delete or activate comments, close #36
The URL sent in the email returns a short HTML document where
JS creates a modal dialog. If continued, the browser sends a
POST request to the same URL.
2013-12-02 13:07:11 +01:00
Martin Zimmermann
83b48d5db6 use el.getAttribute instead of el.dataset to support IE10 m( 2013-12-02 12:14:26 +01:00
Martin Zimmermann
59b70e7109 Merge branch 'fix/csrf', closes #40 2013-12-02 12:13:42 +01:00
Martin Zimmermann
9a03cca793 use Referer instead of Origin when using IE
  * IE10 (and 11) do not send HTTP_ORIGIN when requesting a URL not in
    the same origin, although recommended by WHATWG [1]
  * if IE10 is used, use the referer. If this header is suppressed by the
    user, it won't work (and I don't care).

IE10 needs to die, seriously:

> We have a long-standing interoperability difference with other browsers
> where we treat different ports as same-origin whereas other browsers
> treat them as cross-origin.

via https://connect.microsoft.com/IE/feedback/details/781303/origin-header-is-not-added-to-cors-requests-to-same-domain-but-different-port

[1] http://tools.ietf.org/html/draft-abarth-origin-09
2013-12-02 12:12:21 +01:00
Martin Zimmermann
4c16ba76cc fix unittests 2013-12-01 13:40:11 +01:00
Martin Zimmermann
32e4b70510 check if Origin matches Host to mitigate CSRF, part of #40 2013-12-01 13:40:08 +01:00
Martin Zimmermann
b0ecc9c16a add reason for SQLite 2013-11-29 23:09:22 +01:00
Martin Zimmermann
6e31111554 add application object into ns only when using uwsgi and gunicorn 2013-11-29 14:22:21 +01:00
Martin Zimmermann
baabd30e74 more descriptive logging 2013-11-29 14:21:43 +01:00
Martin Zimmermann
a6f54f0191 wat 2013-11-25 17:16:58 +01:00
Martin Zimmermann
c2291c1121 fix links to PyPi and GitHub 2013-11-25 17:06:26 +01:00
Martin Zimmermann
90468cbc27 simplify nosetest usage 2013-11-25 17:02:15 +01:00
Martin Zimmermann
ce950259b4 show traceback when smtp connection failed 2013-11-25 17:02:04 +01:00
Martin Zimmermann
350cf406c2 remove installation and configuration from README 2013-11-25 17:00:36 +01:00
Martin Zimmermann
a045c963bd Merge branch 'feature/gunicorn' 2013-11-25 16:57:45 +01:00
Martin Zimmermann
706186acd8 Merge branch 'feature/docs' 2013-11-25 16:57:35 +01:00
Martin Zimmermann
b79ac583e8 use sphinx for documentation 2013-11-25 16:57:18 +01:00
Martin Zimmermann
896b4f5e33 support for gunicorn (and other pre-forking wsgi servers) 2013-11-25 13:51:11 +01:00
Martin Zimmermann
aa65873fa6 uWSGI works also with multiprocessing.Lock 2013-11-25 13:50:43 +01:00
Martin Zimmermann
6405f258f3 replace nested middleware calls with reduce and partials 2013-11-25 13:38:51 +01:00
Martin Zimmermann
c9c0df229a Merge branch 'feature/info' 2013-11-21 11:17:24 +01:00
Martin Zimmermann
1541cc90a9 Merge branch 'fix/notify-links' 2013-11-21 11:17:18 +01:00
Martin Zimmermann
8dac5375b6 add /info view for debugging purposes 2013-11-21 11:09:33 +01:00
Martin Zimmermann
5449b0cea4 add route for comment activation 2013-11-21 10:17:42 +01:00
Martin Zimmermann
63a7df1099 translate deletion and activation links 2013-11-21 10:17:29 +01:00
Martin Zimmermann
e77ae273f4 replace Jenkins with Travis Build Status 2013-11-18 12:49:24 +01:00
Martin Zimmermann
c84d75582f add Travis CI configuration 2013-11-18 12:41:45 +01:00
Martin Zimmermann
b3d6215d2b fix unittest for werkzeug==0.8 2013-11-18 12:40:27 +01:00
Martin Zimmermann
c2a0331dbd remove indexserver from tox.ini (use PyPi instead) 2013-11-18 12:12:26 +01:00
Martin Zimmermann
598b08bd1c add russian translation
http://docs.translatehouse.org/projects/localization-guide/en/latest/l10n/pluralforms.html
2013-11-18 11:00:33 +01:00
Martin Zimmermann
653ac0b6a2 Back to development: 0.6 2013-11-17 15:54:51 +01:00
Martin Zimmermann
f9507a3eec Preparing release 0.5 2013-11-17 15:54:20 +01:00
Martin Zimmermann
8196f3f465 remove unnecessary imports 2013-11-17 15:49:25 +01:00
Martin Zimmermann
17aa3e6fc5 use english text for mail notifications 2013-11-17 15:44:40 +01:00
Martin Zimmermann
97cc894d8c update changelog 2013-11-17 12:20:03 +01:00
Martin Zimmermann
60d15e0f41 fix unittest 2013-11-17 11:57:48 +01:00
Martin Zimmermann
b9158a660c move SocketHTTPServer to isso/wsgi.py 2013-11-17 11:57:41 +01:00
Martin Zimmermann
96f29e1cc5 add query parameter to build status to hopefully avoid caching 2013-11-17 11:31:51 +01:00
Martin Zimmermann
9c94e66702 add fr.js to i18n module, addendum to #38 2013-11-17 11:28:24 +01:00
Martin Zimmermann
aeb7c35d8f override useragent's language with data-isso-lang 2013-11-17 11:27:48 +01:00
Martin Zimmermann
2e9c21db15 add X-Origin to GET requests, so isso.dispatch works on a single host 2013-11-17 11:16:46 +01:00
Martin Zimmermann
8a408aea1d reST is hard 2013-11-17 00:43:01 +01:00
Martin Zimmermann
6f66960df8 add an isso.dispatch module to support multiple sites, #34 2013-11-17 00:35:32 +01:00
Martin Zimmermann
b21e216b06 mv app/fancy to /app/lib/fancy 2013-11-16 23:41:52 +01:00