Martin Zimmermann
75dd18ece4
add favicon.ico
2013-12-11 15:30:10 +01:00
Martin Zimmermann
dcbe282c34
rm extras/multi-site.rst, already in configuration/setup.rst
2013-12-09 12:07:36 +01:00
Martin Zimmermann
990688f6e0
Merge branch 'fix/multsite'
2013-12-08 19:20:46 +01:00
Martin Zimmermann
adc722359d
move application export to isso.run
...
When using Gunicorn or uWSGI to run `isso.dispatch` it would
automatically initialize and a default Isso instance (and cause
several logging messages), although never used.
If you use uWSGI or Gunicorn, you have to change the module from
`isso` to `isso.run`.
2013-12-08 19:15:08 +01:00
Martin Zimmermann
b15f17738e
isso.dispatch now dispatches multiple sites based on relative URLs
...
The previous approach using a custom X-Custom header did work for the
client-side, but not for activation and deletion links. Now, you need
to add a `name = foo` option to the general section. `isso.dispatch`
then binds this configuration to /foo and can distinguish all API
calls without a special HTTP header.
2013-12-08 19:09:56 +01:00
Martin Zimmermann
ac74418179
move dispatch into isso package
2013-12-08 17:41:07 +01:00
Martin Zimmermann
ebad039d0e
Merge pull request #43 from FedericoCeratto/patch-1
...
Create example.conf
2013-12-08 08:25:06 -08:00
Federico Ceratto
9f40ba848d
Create example.conf
...
Example configuration with comments
2013-12-08 15:58:19 +00:00
Martin Zimmermann
982316c04b
show PHP #vulnerability versus Python
2013-12-07 23:50:48 +01:00
Martin Zimmermann
fc984bb656
add Date header, close #42
2013-12-07 13:17:56 +01:00
Martin Zimmermann
232e2fb474
another approach to fix #40 (return 403 on false Content-Type)
...
When an attacker uses a <form> to downvote a comment, the browser
*should* add a `Content-Type: ...` header with three possible values:
* application/x-www-form-urlencoded
* multipart/form-data
* text/plain
If the header is not sent or requests `application/json`, the
request is not forged (XHR is restricted by CORS separately).
2013-12-04 23:36:48 +01:00
Martin Zimmermann
1db06bbf39
Revert "HTTP Origin is only sent on cross-origin requests in Firefox"
...
Revert "use Referer instead of Origin when using IE"
Revert "fix unittests"
Revert "check if Origin matches Host to mitigate CSRF, part of #40 "
This reverts commit 9376511485c70deaf908aa67bcdc8f0c9a0b003e.
This reverts commit 9a03cca793
.
This reverts commit 4c16ba76cc
.
This reverts commit 32e4b70510
.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
b839b2be31
HTTP Origin is only sent on cross-origin requests in Firefox
...
Therefore, only raise Forbidden if Origin (or Referer for MSIE) is sent
(which is a protected header and all modern browsers (except IE)).
Also add a basic unit test which asserts the failure for false origins.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
8802b73b52
Merge pull request #41 from spk/blank
...
Add check with blank text
2013-12-03 23:52:16 -08:00
Laurent Arnoud
02db978308
Add check with blank text
2013-12-04 00:35:09 +01:00
Martin Zimmermann
7d64d84d9d
write contribute section
2013-12-02 14:26:12 +01:00
Martin Zimmermann
6f504ee8f5
show modal dialog before delete or activate comments, close #36
...
The URL sent in the email returns a short HTML document where
JS creates a modal dialog. If continued, the browser sends a
POST request to the same URL.
2013-12-02 13:07:11 +01:00
Martin Zimmermann
83b48d5db6
use el.getAttribute instead of el.dataset to support IE10 m(
2013-12-02 12:14:26 +01:00
Martin Zimmermann
59b70e7109
Merge branch 'fix/csrf', closes #40
2013-12-02 12:13:42 +01:00
Martin Zimmermann
9a03cca793
use Referer instead of Origin when using IE
...
* IE10 (and 11) do not send HTTP_ORIGIN when requesting a URL no in
the same origin, although recommended by WHATWG [1]
* if IE10 is used, use the referer. If this header is supressed by the
user, it won't work (and I don't care).
IE10 needs to die, seriously:
> We have a long-standing interoperability difference with other browsers
> where we treat different ports as same-origin whereas other browsers
> treat them as cross-origin.
via https://connect.microsoft.com/IE/feedback/details/781303/origin-header-is-not-added-to-cors-requests-to-same-domain-but-different-port
[1] http://tools.ietf.org/html/draft-abarth-origin-09
2013-12-02 12:12:21 +01:00
Martin Zimmermann
4c16ba76cc
fix unittests
2013-12-01 13:40:11 +01:00
Martin Zimmermann
32e4b70510
check if Origin matches Host to mitigate CSRF, part of #40
2013-12-01 13:40:08 +01:00
Martin Zimmermann
b0ecc9c16a
add reason for SQLite
2013-11-29 23:09:22 +01:00
Martin Zimmermann
6e31111554
add application object into ns only when using uwsgi and gunicorn
2013-11-29 14:22:21 +01:00
Martin Zimmermann
baabd30e74
more descriptive logging
2013-11-29 14:21:43 +01:00
Martin Zimmermann
a6f54f0191
wat
2013-11-25 17:16:58 +01:00
Martin Zimmermann
c2291c1121
fix links to PyPi and GitHub
2013-11-25 17:06:26 +01:00
Martin Zimmermann
90468cbc27
simplify nosetest usage
2013-11-25 17:02:15 +01:00
Martin Zimmermann
ce950259b4
show traceback when smtp connection failed
2013-11-25 17:02:04 +01:00
Martin Zimmermann
350cf406c2
remove installation and configuration from README
2013-11-25 17:00:36 +01:00
Martin Zimmermann
a045c963bd
Merge branch 'feature/gunicorn'
2013-11-25 16:57:45 +01:00
Martin Zimmermann
706186acd8
Merge branch 'feature/docs'
2013-11-25 16:57:35 +01:00
Martin Zimmermann
b79ac583e8
use sphinx for documentation
2013-11-25 16:57:18 +01:00
Martin Zimmermann
896b4f5e33
support for gunicorn (and other pre-forking wsgi servers)
2013-11-25 13:51:11 +01:00
Martin Zimmermann
aa65873fa6
uWSGI works also with multiprocessing.Lock
2013-11-25 13:50:43 +01:00
Martin Zimmermann
6405f258f3
replace nested middleware calls with reduce and partials
2013-11-25 13:38:51 +01:00
Martin Zimmermann
c9c0df229a
Merge branch 'feature/info'
2013-11-21 11:17:24 +01:00
Martin Zimmermann
1541cc90a9
Merge branch 'fix/notify-links'
2013-11-21 11:17:18 +01:00
Martin Zimmermann
8dac5375b6
add /info view for debugging purposes
2013-11-21 11:09:33 +01:00
Martin Zimmermann
5449b0cea4
add route for comment activation
2013-11-21 10:17:42 +01:00
Martin Zimmermann
63a7df1099
translate deletion and activation links
2013-11-21 10:17:29 +01:00
Martin Zimmermann
e77ae273f4
replace Jenkins with Travis Build Status
2013-11-18 12:49:24 +01:00
Martin Zimmermann
c84d75582f
add Travis CI configuration
2013-11-18 12:41:45 +01:00
Martin Zimmermann
b3d6215d2b
fix unittest for werkzeug==0.8
2013-11-18 12:40:27 +01:00
Martin Zimmermann
c2a0331dbd
remove indexserver from tox.ini (use PyPi instead)
2013-11-18 12:12:26 +01:00
Martin Zimmermann
598b08bd1c
add russian translation
...
http://docs.translatehouse.org/projects/localization-guide/en/latest/l10n/pluralforms.html
2013-11-18 11:00:33 +01:00
Martin Zimmermann
653ac0b6a2
Back to development: 0.6
2013-11-17 15:54:51 +01:00
Martin Zimmermann
f9507a3eec
Preparing release 0.5
2013-11-17 15:54:20 +01:00
Martin Zimmermann
8196f3f465
remove unnecessary imports
2013-11-17 15:49:25 +01:00
Martin Zimmermann
17aa3e6fc5
use english text for mail notifications
2013-11-17 15:44:40 +01:00