arno/isso
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
361 Commits 14 Branches 38 Tags 5.8 MiB
75dd18ece4
Commit Graph

361 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Martin Zimmermann
75dd18ece4 add favicon.ico 2013-12-11 15:30:10 +01:00
Martin Zimmermann
dcbe282c34 rm extras/multi-site.rst, already in configuration/setup.rst 2013-12-09 12:07:36 +01:00
Martin Zimmermann
990688f6e0 Merge branch 'fix/multsite' 2013-12-08 19:20:46 +01:00
Martin Zimmermann
adc722359d move application export to isso.run 
When using Gunicorn or uWSGI to run `isso.dispatch` it would
automatically initialize and a default Isso instance (and cause
several logging messages), although never used.

If you use uWSGI or Gunicorn, you have to change the module from
`isso` to `isso.run`.
 2013-12-08 19:15:08 +01:00
Martin Zimmermann
b15f17738e isso.dispatch now dispatches multiple sites based on relative URLs 
The previous approach using a custom X-Custom header did work for the
client-side, but not for activation and deletion links. Now, you need
to add a `name = foo` option to the general section. `isso.dispatch`
then binds this configuration to /foo and can distinguish all API
calls without a special HTTP header.
 2013-12-08 19:09:56 +01:00
Martin Zimmermann
ac74418179 move dispatch into isso package 2013-12-08 17:41:07 +01:00
Martin Zimmermann
ebad039d0e Merge pull request #43 from FedericoCeratto/patch-1 
Create example.conf
 2013-12-08 08:25:06 -08:00
Federico Ceratto
9f40ba848d Create example.conf 
Example configuration with comments
 2013-12-08 15:58:19 +00:00
Martin Zimmermann
982316c04b show PHP #vulnerability versus Python 2013-12-07 23:50:48 +01:00
Martin Zimmermann
fc984bb656 add Date header, close #42 2013-12-07 13:17:56 +01:00
Martin Zimmermann
232e2fb474 another approach to fix #40 (return 403 on false Content-Type) 
When an attacker uses a <form> to downvote a comment, the browser
*should* add a `Content-Type: ...` header with three possible values:

    * application/x-www-form-urlencoded
    * multipart/form-data
    * text/plain

If the header is not sent or requests `application/json`, the
request is not forged (XHR is restricted by CORS separately).
 2013-12-04 23:36:48 +01:00
Martin Zimmermann
1db06bbf39 Revert "HTTP Origin is only sent on cross-origin requests in Firefox" 
Revert "use Referer instead of Origin when using IE"
Revert "fix unittests"
Revert "check if Origin matches Host to mitigate CSRF, part of #40"

This reverts commit 9376511485c70deaf908aa67bcdc8f0c9a0b003e.
This reverts commit 9a03cca793.
This reverts commit 4c16ba76cc.
This reverts commit 32e4b70510.
 2013-12-04 17:09:22 +01:00
Martin Zimmermann
b839b2be31 HTTP Origin is only sent on cross-origin requests in Firefox 
Therefore, only raise Forbidden if Origin (or Referer for MSIE) is sent
(which is a protected header and all modern browsers (except IE)).

Also add a basic unit test which asserts the failure for false origins.
 2013-12-04 17:09:22 +01:00
Martin Zimmermann
8802b73b52 Merge pull request #41 from spk/blank 
Add check with blank text
 2013-12-03 23:52:16 -08:00
Laurent Arnoud
02db978308 Add check with blank text 2013-12-04 00:35:09 +01:00
Martin Zimmermann
7d64d84d9d write contribute section 2013-12-02 14:26:12 +01:00
Martin Zimmermann
6f504ee8f5 show modal dialog before delete or activate comments, close #36 
The URL sent in the email returns a short HTML document where
JS creates a modal dialog. If continued, the browser sends a
POST request to the same URL.
 2013-12-02 13:07:11 +01:00
Martin Zimmermann
83b48d5db6 use el.getAttribute instead of el.dataset to support IE10 m( 2013-12-02 12:14:26 +01:00
Martin Zimmermann
59b70e7109 Merge branch 'fix/csrf', closes #40 2013-12-02 12:13:42 +01:00
Martin Zimmermann
9a03cca793 use Referer instead of Origin when using IE 
* IE10 (and 11) do not send HTTP_ORIGIN when requesting a URL no in
    the same origin, although recommended by WHATWG [1]
  * if IE10 is used, use the referer. If this header is supressed by the
    user, it won't work (and I don't care).

IE10 needs to die, seriously:

> We have a long-standing interoperability difference with other browsers
> where we treat different ports as same-origin whereas other browsers
> treat them as cross-origin.

via https://connect.microsoft.com/IE/feedback/details/781303/origin-header-is-not-added-to-cors-requests-to-same-domain-but-different-port

[1] http://tools.ietf.org/html/draft-abarth-origin-09
 2013-12-02 12:12:21 +01:00
Martin Zimmermann
4c16ba76cc fix unittests 2013-12-01 13:40:11 +01:00
Martin Zimmermann
32e4b70510 check if Origin matches Host to mitigate CSRF, part of #40 2013-12-01 13:40:08 +01:00
Martin Zimmermann
b0ecc9c16a add reason for SQLite 2013-11-29 23:09:22 +01:00
Martin Zimmermann
6e31111554 add application object into ns only when using uwsgi and gunicorn 2013-11-29 14:22:21 +01:00
Martin Zimmermann
baabd30e74 more descriptive logging 2013-11-29 14:21:43 +01:00
Martin Zimmermann
a6f54f0191 wat 2013-11-25 17:16:58 +01:00
Martin Zimmermann
c2291c1121 fix links to PyPi and GitHub 2013-11-25 17:06:26 +01:00
Martin Zimmermann
90468cbc27 simplify nosetest usage 2013-11-25 17:02:15 +01:00
Martin Zimmermann
ce950259b4 show traceback when smtp connection failed 2013-11-25 17:02:04 +01:00
Martin Zimmermann
350cf406c2 remove installation and configuration from README 2013-11-25 17:00:36 +01:00
Martin Zimmermann
a045c963bd Merge branch 'feature/gunicorn' 2013-11-25 16:57:45 +01:00
Martin Zimmermann
706186acd8 Merge branch 'feature/docs' 2013-11-25 16:57:35 +01:00
Martin Zimmermann
b79ac583e8 use sphinx for documentation 2013-11-25 16:57:18 +01:00
Martin Zimmermann
896b4f5e33 support for gunicorn (and other pre-forking wsgi servers) 2013-11-25 13:51:11 +01:00
Martin Zimmermann
aa65873fa6 uWSGI works also with multiprocessing.Lock 2013-11-25 13:50:43 +01:00
Martin Zimmermann
6405f258f3 replace nested middleware calls with reduce and partials 2013-11-25 13:38:51 +01:00
Martin Zimmermann
c9c0df229a Merge branch 'feature/info' 2013-11-21 11:17:24 +01:00
Martin Zimmermann
1541cc90a9 Merge branch 'fix/notify-links' 2013-11-21 11:17:18 +01:00
Martin Zimmermann
8dac5375b6 add /info view for debugging purposes 2013-11-21 11:09:33 +01:00
Martin Zimmermann
5449b0cea4 add route for comment activation 2013-11-21 10:17:42 +01:00
Martin Zimmermann
63a7df1099 translate deletion and activation links 2013-11-21 10:17:29 +01:00
Martin Zimmermann
e77ae273f4 replace Jenkins with Travis Build Status 2013-11-18 12:49:24 +01:00
Martin Zimmermann
c84d75582f add Travis CI configuration 2013-11-18 12:41:45 +01:00
Martin Zimmermann
b3d6215d2b fix unittest for werkzeug==0.8 2013-11-18 12:40:27 +01:00
Martin Zimmermann
c2a0331dbd remove indexserver from tox.ini (use PyPi instead) 2013-11-18 12:12:26 +01:00
Martin Zimmermann
598b08bd1c add russian translation 
http://docs.translatehouse.org/projects/localization-guide/en/latest/l10n/pluralforms.html
 2013-11-18 11:00:33 +01:00
Martin Zimmermann
653ac0b6a2 Back to development: 0.6 2013-11-17 15:54:51 +01:00
Martin Zimmermann
f9507a3eec Preparing release 0.5 2013-11-17 15:54:20 +01:00
Martin Zimmermann
8196f3f465 remove unnecessary imports 2013-11-17 15:49:25 +01:00
Martin Zimmermann
17aa3e6fc5 use english text for mail notifications 2013-11-17 15:44:40 +01:00