Commit Graph

490 Commits

Author SHA1 Message Date
Martin Zimmermann
cbee3f7b2e clarify copyright headers 2013-12-18 16:21:35 +01:00
Martin Zimmermann
ecfaf9828e add faq.rst 2013-12-18 16:20:52 +01:00
Martin Zimmermann
1153b9cf6e extend API documentation 2013-12-18 14:14:37 +01:00
Martin Zimmermann
a728d3e32d add doctest for IPv6 mapped IPv4 addresses 2013-12-18 13:08:57 +01:00
Martin Zimmermann
26b9088c9d add coverage target to Makefile 2013-12-18 13:08:57 +01:00
Martin Zimmermann
2a86b46893 add test for disqus import 2013-12-18 13:08:54 +01:00
Martin Zimmermann
f81b955aa5 use SHA1 instead of MD5 to verify comment owner 2013-12-18 13:01:09 +01:00
Martin Zimmermann
29a825b575 remove unused utility functions 2013-12-18 13:01:05 +01:00
Martin Zimmermann
8bf9b1145a add link to supervisor init script, close #47 2013-12-18 11:59:49 +01:00
Martin Zimmermann
cc1ccfd70d change project status from alpha to beta 2013-12-17 13:43:02 +01:00
Martin Zimmermann
65f260d0ba show session-key on application startup
Maybe useful to see that it really changes if unset. Also reduced key
size to 16 bytes form /dev/urandom (cosmetic reason, still enough).
2013-12-17 13:40:32 +01:00
Martin Zimmermann
a4213e4304 update docstrings for isso.db 2013-12-17 13:30:37 +01:00
Martin Zimmermann
c99fe3d583 remove unused SQLite3.mode attribute 2013-12-17 13:18:43 +01:00
Martin Zimmermann
7255e01375 replace isso module with isso.run 2013-12-16 15:42:43 +01:00
Martin Zimmermann
fcd0a01de3 make_app uses threading.Lock now by default
Uses keyword arguments to use multiprocessing or uwsgi mixin. This
fixes an issue on exotic *BSDs such as NetBSD where Python comes not
with inter-process semaphores (issue 3307):

     mod_wsgi (pid=14365): Target WSGI script '/var/www/vhosts/my.hostname.org/htdocs/isso.wsgi' cannot be loaded as Python module.
     mod_wsgi (pid=14365): Exception occurred processing WSGI script '/var/www/vhosts/my.hostname.org/htdocs/isso.wsgi'.
     Traceback (most recent call last):
       File "/var/www/vhosts/my.hostname.org/htdocs/isso.wsgi", line 8, in <module>
         application = make_app(Config.load("/var/www/vhosts/my.hostname.org/htdocs/isso.cfg"))
       File "/usr/pkg/lib/python2.7/site-packages/isso/__init__.py", line 155, in make_app
         isso = App(conf)
       File "/usr/pkg/lib/python2.7/site-packages/isso/__init__.py", line 91, in __init__
         super(Isso, self).__init__(conf)
       File "/usr/pkg/lib/python2.7/site-packages/isso/core.py", line 223, in __init__
         self.lock = multiprocessing.Lock()
       File "/usr/pkg/lib/python2.7/multiprocessing/__init__.py", line 175, in Lock
         from multiprocessing.synchronize import Lock
       File "/usr/pkg/lib/python2.7/multiprocessing/synchronize.py", line 59, in <module>
         " function, see issue 3770.")
     ImportError: This platform lacks a functioning sem_open implementation, therefore, the required synchronization primitives needed will not function, see issue 3770.
2013-12-16 15:40:18 +01:00
Martin Zimmermann
a7375e8016 Back to development: 0.7 2013-12-16 11:59:33 +01:00
Martin Zimmermann
0f39d17843 Preparing release 0.6 2013-12-16 11:59:29 +01:00
Martin Zimmermann
9db762ad5e italian translation by alzeco 2013-12-12 17:30:40 +01:00
Martin Zimmermann
525b2db6f1 fix french pluralization 2013-12-12 17:29:26 +01:00
Martin Zimmermann
150726df13 Merge branch 'feature/27', override thread id 2013-12-12 13:07:57 +01:00
Martin Zimmermann
bcb60c4e74 add documentation 2013-12-12 13:07:44 +01:00
Martin Zimmermann
77df31d06f override thread discovery with data-isso-id="...", close #27 2013-12-12 13:04:29 +01:00
Martin Zimmermann
79112940e6 reduce heading size in comments, fix #26 2013-12-12 12:10:50 +01:00
Martin Zimmermann
c5daa66c82 remove old CSS rule 2013-12-12 12:10:02 +01:00
Martin Zimmermann
0152e627ea use apache lexer and add recipe for session key generation 2013-12-12 11:52:05 +01:00
Martin Zimmermann
f0be9e9655 add latest work to changelog 2013-12-12 11:44:34 +01:00
Martin Zimmermann
336ca3ffe7 add deployment docs for mod_wsgi 2013-12-12 11:28:30 +01:00
Martin Zimmermann
ba03f0105d generate CSS for docs properly 2013-12-11 15:40:46 +01:00
Martin Zimmermann
8169b30c04 add isso.svg 2013-12-11 15:30:22 +01:00
Martin Zimmermann
75dd18ece4 add favicon.ico 2013-12-11 15:30:10 +01:00
Martin Zimmermann
dcbe282c34 rm extras/multi-site.rst, already in configuration/setup.rst 2013-12-09 12:07:36 +01:00
Martin Zimmermann
990688f6e0 Merge branch 'fix/multsite' 2013-12-08 19:20:46 +01:00
Martin Zimmermann
adc722359d move application export to isso.run
When using Gunicorn or uWSGI to run `isso.dispatch` it would
automatically initialize and a default Isso instance (and cause
several logging messages), although never used.

If you use uWSGI or Gunicorn, you have to change the module from
`isso` to `isso.run`.
2013-12-08 19:15:08 +01:00
Martin Zimmermann
b15f17738e isso.dispatch now dispatches multiple sites based on relative URLs
The previous approach using a custom X-Custom header did work for the
client-side, but not for activation and deletion links. Now, you need
to add a `name = foo` option to the general section. `isso.dispatch`
then binds this configuration to /foo and can distinguish all API
calls without a special HTTP header.
2013-12-08 19:09:56 +01:00
Martin Zimmermann
ac74418179 move dispatch into isso package 2013-12-08 17:41:07 +01:00
Martin Zimmermann
ebad039d0e Merge pull request #43 from FedericoCeratto/patch-1
Create example.conf
2013-12-08 08:25:06 -08:00
Federico Ceratto
9f40ba848d Create example.conf
Example configuration with comments
2013-12-08 15:58:19 +00:00
Martin Zimmermann
982316c04b show PHP #vulnerability versus Python 2013-12-07 23:50:48 +01:00
Martin Zimmermann
fc984bb656 add Date header, close #42 2013-12-07 13:17:56 +01:00
Martin Zimmermann
232e2fb474 another approach to fix #40 (return 403 on false Content-Type)
When an attacker uses a <form> to downvote a comment, the browser
*should* add a `Content-Type: ...` header with three possible values:

    * application/x-www-form-urlencoded
    * multipart/form-data
    * text/plain

If the header is not sent or requests `application/json`, the
request is not forged (XHR is restricted by CORS separately).
2013-12-04 23:36:48 +01:00
Martin Zimmermann
1db06bbf39 Revert "HTTP Origin is only sent on cross-origin requests in Firefox"
Revert "use Referer instead of Origin when using IE"
Revert "fix unittests"
Revert "check if Origin matches Host to mitigate CSRF, part of #40"

This reverts commit 9376511485c70deaf908aa67bcdc8f0c9a0b003e.
This reverts commit 9a03cca793.
This reverts commit 4c16ba76cc.
This reverts commit 32e4b70510.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
b839b2be31 HTTP Origin is only sent on cross-origin requests in Firefox
Therefore, only raise Forbidden if Origin (or Referer for MSIE) is sent
(which is a protected header and all modern browsers (except IE)).

Also add a basic unit test which asserts the failure for false origins.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
8802b73b52 Merge pull request #41 from spk/blank
Add check with blank text
2013-12-03 23:52:16 -08:00
Laurent Arnoud
02db978308 Add check with blank text 2013-12-04 00:35:09 +01:00
Martin Zimmermann
7d64d84d9d write contribute section 2013-12-02 14:26:12 +01:00
Martin Zimmermann
6f504ee8f5 show modal dialog before delete or activate comments, close #36
The URL sent in the email returns a short HTML document where
JS creates a modal dialog. If continued, the browser sends a
POST request to the same URL.
2013-12-02 13:07:11 +01:00
Martin Zimmermann
83b48d5db6 use el.getAttribute instead of el.dataset to support IE10 m( 2013-12-02 12:14:26 +01:00
Martin Zimmermann
59b70e7109 Merge branch 'fix/csrf', closes #40 2013-12-02 12:13:42 +01:00
Martin Zimmermann
9a03cca793 use Referer instead of Origin when using IE
* IE10 (and 11) do not send HTTP_ORIGIN when requesting a URL no in
    the same origin, although recommended by WHATWG [1]
  * if IE10 is used, use the referer. If this header is supressed by the
    user, it won't work (and I don't care).

IE10 needs to die, seriously:

> We have a long-standing interoperability difference with other browsers
> where we treat different ports as same-origin whereas other browsers
> treat them as cross-origin.

via https://connect.microsoft.com/IE/feedback/details/781303/origin-header-is-not-added-to-cors-requests-to-same-domain-but-different-port

[1] http://tools.ietf.org/html/draft-abarth-origin-09
2013-12-02 12:12:21 +01:00
Martin Zimmermann
4c16ba76cc fix unittests 2013-12-01 13:40:11 +01:00