Commit Graph

5269 Commits

Author SHA1 Message Date
mdipierro 5a5c2b500a Merge pull request #1375 from niphlod/fix/1355
fixes #1355
2016-07-01 01:56:02 -05:00
Th3R3p0 d95acb6897 Fixed open redirect security vulnerability. The previous filter searched for two forward slashes "//" in the "_next" parameter and if the two forward slashes were found it would check the URI and determine if the hostname matched the hostname of the web server. If not, it would change the next variable to None. However, browsers don't require two forward slashes. As a feature, browsers accept typos such as http:google.com or http:/google.com and redirect to http://google.com. This can be used to leverage an open redirect attack even with the current filter. This commit fixes the open redirect vulnerability in the _next get parameter. Thanks to jnbrex for helping debug/write the patch for this vulnerability. 2016-06-30 17:24:47 -04:00
Alex Artigues f87c3e260c Fix next redirect if only one / exists 2016-06-29 20:54:13 -04:00
niphlod 9c8db3f65a corner case - fixes #1363 2016-06-28 23:52:28 +02:00
niphlod 0708dd36e7 fixes #1331 (just rocket, really) 2016-06-28 22:00:57 +02:00
niphlod 5e0a53f4c2 fixes #1347 2016-06-28 21:49:23 +02:00
niphlod 4966466509 fixes #1354 2016-06-28 21:46:07 +02:00
niphlod a96f137e03 fixes #1355 2016-06-28 21:43:31 +02:00
ilvalle 4cdcf8eae0 Since py2.7 compile() supports Win and Mac newlines. Also input in 'exec' mode does not have to end in a newline anymore. 2016-06-28 19:58:25 +02:00
ilvalle ea337e07d0 p3 fixes in applications 2016-06-28 19:58:20 +02:00
ilvalle f343fab528 py3 fixes for admin app 2016-06-25 17:36:37 +02:00
ilvalle abf8d9fb27 fix compiled app in py3 2016-06-25 13:27:35 +02:00
ilvalle 8aecaf4514 PY3 fixes and added tests for gluon/admin.py 2016-06-24 22:54:56 +02:00
ilvalle 61795bc65e enabled test_web.py in PY3 2016-06-22 19:07:58 +02:00
ilvalle 3270d39596 py3 fixed http.to 2016-06-21 22:24:33 +02:00
ilvalle 476db87335 updated pysimplesoap to current master 2016-06-21 21:25:30 +02:00
ilvalle d9c7953147 updated user_agent_parser to 1.7.8, fix webclient 2016-06-19 11:49:16 +02:00
mdipierro 0dbd2ea6e5 added quote_template 2016-06-18 10:46:46 -05:00
mdipierro e33dd01516 DAL v16.06.09 2016-06-18 08:50:56 -05:00
mdipierro 45a376eee9 added extra_mssql_models.py, thanks Kyle Flanagan 2016-06-18 08:12:01 -05:00
mdipierro ce3f5fbff2 Merge pull request #1365 from niphlod/feature/scheduler_crontab
repeats via cronline expression
2016-06-18 07:49:08 -05:00
mdipierro 338ca6ba5c Merge pull request #1361 from ilvalle/py3_fixes_step2
few py3 fixes
2016-06-18 07:48:39 -05:00
niphlod 6bb255286a repeats via cronline expression 2016-06-15 21:32:51 +02:00
ilvalle 2aeb063890 enabled test_appadmin, fix markmin2html, fix main.py 2016-06-15 20:17:58 +02:00
Oscar Fonts 11fec25927 Don't truncate texts on SQLFORM.grid HTML Export 2016-06-14 11:06:14 +02:00
ilvalle 48209f5bdf fix compileapp 2016-06-13 20:20:49 +02:00
ilvalle 34f753be56 fix languages 2016-06-13 20:20:49 +02:00
ilvalle a27f6f88ef fix serializers, websocket_messaging 2016-06-13 20:20:49 +02:00
ilvalle ab2cdd595b fix utils 2016-06-13 20:20:49 +02:00
ilvalle 7259516627 fix tools 2016-06-13 20:20:44 +02:00
ilvalle 180ada57da fix request.json, close #1337 2016-06-13 18:00:14 +02:00
Oscar Fonts 8fdedb7018 Add maxtextlength option to SQLFORM.grid HTML exporter 2016-06-13 12:17:45 +02:00
mdipierro a18e0e489f why is session.forget not callable in tests? 2016-06-12 21:08:33 -05:00
mdipierro dfb0129f09 do not forget a missing session 2016-06-12 20:55:16 -05:00
mdipierro cadb130518 fixed expose tests 2016-06-12 20:27:20 -05:00
mdipierro f4a353960b merged conflicts 2016-06-12 19:59:58 -05:00
Chen Rotem Levy 9877ad5155 fix in_base for base='/'
If the base directory already ends with '/' the test failed.

It failed because we added an extra '/' to make sure that '/foobar' is
not under '/foo', so ask '/foobar/'.startswith('/foo/').

However, when the base already starts with '/' we might test:
'/foo/bar/'.startswith('/foo//'), and give a false negative.  We
shouldn't have this case, because we normalized the path, but in the
case of the root directory ('/') even a normalized path ends with '/',
and thus when base='/' this function failed.

Some re-factoring was needed to make this base testable.
2016-06-11 12:19:16 +03:00
Chen Rotem Levy e020395bdc apply pull request #1313
This should have resolved security issue #1261 -- gluon.tools.Expose
symlinks, however it does not deal well with the case where the base
exposed directory is '/'
2016-06-11 11:20:23 +03:00
ilvalle 1f013d76f3 a few minor fixes 2016-06-10 14:14:40 +02:00
ilvalle 3103226686 revert fcgi changes 2016-06-10 14:14:39 +02:00
mdipierro 15a26c00b1 Merge pull request #1352 from zvolsky/_revert_wiki
revert wiki to earlier (properly working) state
2016-06-07 20:36:52 -05:00
ilvalle fd850ab46f fix validators, updated gluon/contrib/ipaddr 2016-06-07 19:50:49 +02:00
zvolsky 225a286162 revert wiki to earlier (properly working) state 2016-06-07 15:10:03 +02:00
zvolsky 876508a227 grid: custom representation of None value, in view 2016-06-06 12:43:11 +02:00
zvolsky 0c52f2a561 grid: custom representation of None value 2016-06-06 12:25:06 +02:00
ilvalle 92374741ff fix rewrite, enabled test_router & test_routes 2016-06-04 17:42:36 +02:00
ilvalle 71ba0e515f updated portalocker, few py3 syntax/import fix 2016-06-04 14:07:42 +02:00
ilvalle dcd24cf88c Updated fpdf to the last version (py3 compatible), fix contrib/appconfig 2016-06-04 09:23:31 +02:00
ilvalle 2f7d76769c typo in globals 2016-06-03 23:44:45 +02:00
mdipierro 154073c3a6 Merge pull request #1341 from nextghost/master
Ignore internal attributes when checking whether new session was changed
2016-06-03 10:04:00 -05:00