Commit Graph

552 Commits

Author SHA1 Message Date
mdipierro 35eaba1096 removed duplicated code, using pydal's _compat.py 2016-08-01 03:39:22 -05:00
niphlod cae10a68c0 fixed most of py3 warnings, output is much cleaner this way 2016-07-18 23:45:28 +02:00
Jason Bohrer 0c4d254a9c Changed tuple to list
The comparison between parts[1:3] and ('', host) would return false because a list and a tuple were being compared.
2016-07-01 13:26:23 -04:00
mdipierro d9c2f778ee fixed auth next open redirect 2016-07-01 02:22:15 -05:00
Th3R3p0 d95acb6897 Fixed open redirect security vulnerability. The previous filter searched for two forward slashes "//" in the "_next" parameter and if the two forward slashes were found it would check the URI and determine if the hostname matched the hostname of the web server. If not, it would change the next variable to None. However, browsers don't require two forward slashes. As a feature, browsers accept typos such as http:google.com or http:/google.com and redirect to http://google.com. This can be used to leverage an open redirect attack even with the current filter. This commit fixes the open redirect vulnerability in the _next get parameter. Thanks to jnbrex for helping debug/write the patch for this vulnerability. 2016-06-30 17:24:47 -04:00
Alex Artigues f87c3e260c Fix next redirect if only one / exists 2016-06-29 20:54:13 -04:00
ilvalle 48209f5bdf fix compileapp 2016-06-13 20:20:49 +02:00
ilvalle 7259516627 fix tools 2016-06-13 20:20:44 +02:00
mdipierro a18e0e489f why is session.forget not callable in tests? 2016-06-12 21:08:33 -05:00
mdipierro dfb0129f09 do not forget a missing session 2016-06-12 20:55:16 -05:00
mdipierro f4a353960b merged conflicts 2016-06-12 19:59:58 -05:00
Chen Rotem Levy 9877ad5155 fix in_base for base='/'
If the base directory already ends with '/' the test failed.

It failed because we added an extra '/' to make sure that '/foobar' is
not under '/foo', so ask '/foobar/'.startswith('/foo/').

However, when the base already starts with '/' we might test:
'/foo/bar/'.startswith('/foo//'), and give a false negative.  We
shouldn't have this case, because we normalized the path, but in the
case of the root directory ('/') even a normalized path ends with '/',
and thus when base='/' this function failed.

Some re-factoring was needed to make this base testable.
2016-06-11 12:19:16 +03:00
Chen Rotem Levy e020395bdc apply pull request #1313
This should have resolved security issue #1261 -- gluon.tools.Expose
symlinks, however it does not deal well with the case where the base
exposed directory is '/'
2016-06-11 11:20:23 +03:00
zvolsky 225a286162 revert wiki to earlier (properly working) state 2016-06-07 15:10:03 +02:00
ilvalle db8306b5c4 fix iteritems, enabled test_cache & test_dal for 3.5 2016-06-02 17:21:36 +02:00
ilvalle a1fd92b7f8 updated imports in tests 2016-06-02 14:28:21 +02:00
Michele Comitini 67f85fd631 allow token renewal with http authorization header. 2016-05-31 23:55:58 +02:00
ilvalle 9b9ed0ad0f running lib2to3.fixes.fix_funcattrs 2016-05-29 08:31:20 +02:00
ilvalle 35900da19b running lib2to3.fixes.fix_except 2016-05-29 08:31:19 +02:00
ilvalle d22222ebea running lib2to3.fixes.fix_reduce 2016-05-29 08:31:19 +02:00
Michele Comitini 95c1a734d1 fix wrong reference to request out of current namespace 2016-05-27 00:23:25 +02:00
mdipierro be1845ad83 Merge pull request #1327 from leonelcamara/ditch26
Ditch python2.6
2016-05-11 01:35:52 -05:00
Leonel Câmara a9ee9a6b58 remove simplejson 2016-05-11 00:47:23 +01:00
Michele Comitini 7d48d6ba03 removed logging leftover 2016-05-10 01:35:22 +02:00
Michele Comitini 2c26a8c33a make allows_jwt a real decorator. Tests included! 2016-05-10 00:50:33 +02:00
mdipierro 85819a5f83 Merge pull request #1299 from BuhtigithuB/improve/auth-tests
New Auth tests
2016-04-17 21:27:35 -05:00
Hardirc 2f0de8d8a0 New Auth tests & del_membership('role') api harmonization 2016-04-17 11:35:17 -04:00
Hardirc 92b3c8f777 New Auth tests 2016-04-16 19:35:06 -04:00
Hardirc d622a8aa66 New test suite for prettydate() + fix wrong number of days for month 2016-04-16 14:54:34 -04:00
Richard Vézina f109be363d Enhancement tools.py PEP8 2016-04-14 11:17:27 -04:00
Leonel Câmara b5c8b3ad25 closes #1286 2016-04-12 15:10:14 +01:00
mdipierro 83cf098c07 fixed stupid.css and impersonate 2016-04-09 10:30:31 -05:00
mdipierro e1aefa2307 Merge pull request #1275 from BuhtigithuB/Improve/gluon-tools-py
PEP8 Recaptcha/2 docstring
2016-04-08 23:35:10 -05:00
Richard Vézina 1d21f45e3e PEP8 Recaptcha/2 docstring 2016-04-07 10:19:57 -04:00
Hardirc e0d86462c8 New logout_bare() for shell logout and refactor test using it 2016-04-06 22:46:24 -04:00
Massimiliano Belletti 2ffdb716cd Fix #1267 cas_login 2016-04-06 17:06:23 +02:00
Richard Vézina e0eb425223 Little improvement of tools.py 2016-03-31 16:25:55 -04:00
mdipierro bd6115ad62 fixed Host header vulnerability #1196 2016-03-21 01:15:46 -05:00
mdipierro e8c0e0df92 #1192 again, going it the way Anthony suggests 2016-03-19 13:24:06 -05:00
mdipierro 7f9262f8f8 partially addressed issue #1192, comments there 2016-03-19 13:10:23 -05:00
mdipierro c81f1fd6c8 reverting previous commit 2016-03-14 12:34:09 -05:00
mdipierro f15dd4b6e5 fixed #1204, updating session when add_membership 2016-03-14 12:32:34 -05:00
mdipierro e9e61cbca4 fixed #1213, custom password field name 2016-03-14 12:27:37 -05:00
mdipierro 9a079e092f fixed typo in auth 2016-02-26 14:24:21 -06:00
mdipierro 218817753a myconf.take, myconf.get 2016-02-26 14:20:18 -06:00
rafaelol ba2cb811be Changes encoding of text and subject on Mail.send()
On the previous commit we changed text and subject from unicode
to str. After a better solution from @cassiobotaro, we're using
unicode again, selecting the encoding as the one passed via encoding
parameter.
2016-01-07 14:59:58 -02:00
rafaelol 6a7c0525f5 Fix bug on Mail.send() when text or input are Unicode
On PR #964 @matclab forced the encoding of both subject and
text variables to unicode.

After merging it, matclab realized that when we send Unicode
text to the method it raises an exception and asked if he should
change the commit. Unfortunately this thing was kept untouched.

This problem exists because we previously encode the unicode variables
to utf-8 (for instance here https://github.com/web2py/web2py/blob/master/gluon/tools.py#L478-L481) and then force again to unicode. This piece of code shows what happens:

```
>>> a = u'áéí'
>>> a
u'\xe1\xe9\xed'
>>> b = a.encode('utf-8')
>>> b
'\xc3\xa1\xc3\xa9\xc3\xad'
>>> unicode(a)
u'\xe1\xe9\xed'
>>> unicode(b)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 0: ordinal not in range(128)
```

If we force to str, just like @matclab suggested, we solve this issue.
2016-01-07 11:47:29 -02:00
niphlod d57428e8f0 fixes #1156 and other few issues 2016-01-01 20:48:55 +01:00
niphlod d4bca008a8 better docstrings 2015-12-30 14:55:37 +01:00
niphlod e94946d3d5 builtin constant time checking
- if hmac.compare_digest is there, we should use it instead of our own
fallback.
- jwt handler has been updated to use utils.compare (reported in
#web2py-users)
- includes the same mods as https://github.com/web2py/web2py/pull/1146
2015-12-30 10:37:14 +01:00