Commit Graph

766 Commits

Author SHA1 Message Date
Martin Zimmermann
0152e627ea use apache lexer and add recipe for session key generation 2013-12-12 11:52:05 +01:00
Martin Zimmermann
f0be9e9655 add latest work to changelog 2013-12-12 11:44:34 +01:00
Martin Zimmermann
336ca3ffe7 add deployment docs for mod_wsgi 2013-12-12 11:28:30 +01:00
Martin Zimmermann
ba03f0105d generate CSS for docs properly 2013-12-11 15:40:46 +01:00
Martin Zimmermann
8169b30c04 add isso.svg 2013-12-11 15:30:22 +01:00
Martin Zimmermann
75dd18ece4 add favicon.ico 2013-12-11 15:30:10 +01:00
Martin Zimmermann
dcbe282c34 rm extras/multi-site.rst, already in configuration/setup.rst 2013-12-09 12:07:36 +01:00
Martin Zimmermann
990688f6e0 Merge branch 'fix/multsite' 2013-12-08 19:20:46 +01:00
Martin Zimmermann
adc722359d move application export to isso.run
When using Gunicorn or uWSGI to run `isso.dispatch` it would
automatically initialize and a default Isso instance (and cause
several logging messages), although never used.

If you use uWSGI or Gunicorn, you have to change the module from
`isso` to `isso.run`.
2013-12-08 19:15:08 +01:00
Martin Zimmermann
b15f17738e isso.dispatch now dispatches multiple sites based on relative URLs
The previous approach using a custom X-Custom header did work for the
client-side, but not for activation and deletion links. Now, you need
to add a `name = foo` option to the general section. `isso.dispatch`
then binds this configuration to /foo and can distinguish all API
calls without a special HTTP header.
2013-12-08 19:09:56 +01:00
Martin Zimmermann
ac74418179 move dispatch into isso package 2013-12-08 17:41:07 +01:00
Martin Zimmermann
ebad039d0e Merge pull request #43 from FedericoCeratto/patch-1
Create example.conf
2013-12-08 08:25:06 -08:00
Federico Ceratto
9f40ba848d Create example.conf
Example configuration with comments
2013-12-08 15:58:19 +00:00
Martin Zimmermann
982316c04b show PHP #vulnerability versus Python 2013-12-07 23:50:48 +01:00
Martin Zimmermann
fc984bb656 add Date header, close #42 2013-12-07 13:17:56 +01:00
Martin Zimmermann
232e2fb474 another approach to fix #40 (return 403 on false Content-Type)
When an attacker uses a <form> to downvote a comment, the browser
*should* add a `Content-Type: ...` header with three possible values:

    * application/x-www-form-urlencoded
    * multipart/form-data
    * text/plain

If the header is not sent or requests `application/json`, the
request is not forged (XHR is restricted by CORS separately).
2013-12-04 23:36:48 +01:00
Martin Zimmermann
1db06bbf39 Revert "HTTP Origin is only sent on cross-origin requests in Firefox"
Revert "use Referer instead of Origin when using IE"
Revert "fix unittests"
Revert "check if Origin matches Host to mitigate CSRF, part of #40"

This reverts commit 9376511485c70deaf908aa67bcdc8f0c9a0b003e.
This reverts commit 9a03cca793.
This reverts commit 4c16ba76cc.
This reverts commit 32e4b70510.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
b839b2be31 HTTP Origin is only sent on cross-origin requests in Firefox
Therefore, only raise Forbidden if Origin (or Referer for MSIE) is sent
(which is a protected header and all modern browsers (except IE)).

Also add a basic unit test which asserts the failure for false origins.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
8802b73b52 Merge pull request #41 from spk/blank
Add check with blank text
2013-12-03 23:52:16 -08:00
Laurent Arnoud
02db978308 Add check with blank text 2013-12-04 00:35:09 +01:00
Martin Zimmermann
7d64d84d9d write contribute section 2013-12-02 14:26:12 +01:00
Martin Zimmermann
6f504ee8f5 show modal dialog before delete or activate comments, close #36
The URL sent in the email returns a short HTML document where
JS creates a modal dialog. If continued, the browser sends a
POST request to the same URL.
2013-12-02 13:07:11 +01:00
Martin Zimmermann
83b48d5db6 use el.getAttribute instead of el.dataset to support IE10 m( 2013-12-02 12:14:26 +01:00
Martin Zimmermann
59b70e7109 Merge branch 'fix/csrf', closes #40 2013-12-02 12:13:42 +01:00
Martin Zimmermann
9a03cca793 use Referer instead of Origin when using IE
* IE10 (and 11) do not send HTTP_ORIGIN when requesting a URL no in
    the same origin, although recommended by WHATWG [1]
  * if IE10 is used, use the referer. If this header is supressed by the
    user, it won't work (and I don't care).

IE10 needs to die, seriously:

> We have a long-standing interoperability difference with other browsers
> where we treat different ports as same-origin whereas other browsers
> treat them as cross-origin.

via https://connect.microsoft.com/IE/feedback/details/781303/origin-header-is-not-added-to-cors-requests-to-same-domain-but-different-port

[1] http://tools.ietf.org/html/draft-abarth-origin-09
2013-12-02 12:12:21 +01:00
Martin Zimmermann
4c16ba76cc fix unittests 2013-12-01 13:40:11 +01:00
Martin Zimmermann
32e4b70510 check if Origin matches Host to mitigate CSRF, part of #40 2013-12-01 13:40:08 +01:00
Martin Zimmermann
b0ecc9c16a add reason for SQLite 2013-11-29 23:09:22 +01:00
Martin Zimmermann
6e31111554 add application object into ns only when using uwsgi and gunicorn 2013-11-29 14:22:21 +01:00
Martin Zimmermann
baabd30e74 more descriptive logging 2013-11-29 14:21:43 +01:00
Martin Zimmermann
a6f54f0191 wat 2013-11-25 17:16:58 +01:00
Martin Zimmermann
c2291c1121 fix links to PyPi and GitHub 2013-11-25 17:06:26 +01:00
Martin Zimmermann
90468cbc27 simplify nosetest usage 2013-11-25 17:02:15 +01:00
Martin Zimmermann
ce950259b4 show traceback when smtp connection failed 2013-11-25 17:02:04 +01:00
Martin Zimmermann
350cf406c2 remove installation and configuration from README 2013-11-25 17:00:36 +01:00
Martin Zimmermann
a045c963bd Merge branch 'feature/gunicorn' 2013-11-25 16:57:45 +01:00
Martin Zimmermann
706186acd8 Merge branch 'feature/docs' 2013-11-25 16:57:35 +01:00
Martin Zimmermann
b79ac583e8 use sphinx for documentation 2013-11-25 16:57:18 +01:00
Martin Zimmermann
896b4f5e33 support for gunicorn (and other pre-forking wsgi servers) 2013-11-25 13:51:11 +01:00
Martin Zimmermann
aa65873fa6 uWSGI works also with multiprocessing.Lock 2013-11-25 13:50:43 +01:00
Martin Zimmermann
6405f258f3 replace nested middleware calls with reduce and partials 2013-11-25 13:38:51 +01:00
Martin Zimmermann
c9c0df229a Merge branch 'feature/info' 2013-11-21 11:17:24 +01:00
Martin Zimmermann
1541cc90a9 Merge branch 'fix/notify-links' 2013-11-21 11:17:18 +01:00
Martin Zimmermann
8dac5375b6 add /info view for debugging purposes 2013-11-21 11:09:33 +01:00
Martin Zimmermann
5449b0cea4 add route for comment activation 2013-11-21 10:17:42 +01:00
Martin Zimmermann
63a7df1099 translate deletion and activation links 2013-11-21 10:17:29 +01:00
Martin Zimmermann
e77ae273f4 replace Jenkins with Travis Build Status 2013-11-18 12:49:24 +01:00
Martin Zimmermann
c84d75582f add Travis CI configuration 2013-11-18 12:41:45 +01:00
Martin Zimmermann
b3d6215d2b fix unittest for werkzeug==0.8 2013-11-18 12:40:27 +01:00
Martin Zimmermann
c2a0331dbd remove indexserver from tox.ini (use PyPi instead) 2013-11-18 12:12:26 +01:00