Mathieu Clabaut
2d4817841f
Allow for firstname and lastname in verify_email message
2016-11-01 11:31:01 +01:00
niphlod
40d6a72b90
fixes #1455
2016-09-21 22:35:04 +02:00
kelson
fe058bf817
fixed auth.add_membership succeeding with invalid group_id/user_id
2016-08-17 17:17:34 -04:00
Giovanni Barillari
0528a347b3
Updated pyDAL to 16.08
2016-08-13 15:38:55 +02:00
mdipierro
35eaba1096
removed duplicated code, using pydal's _compat.py
2016-08-01 03:39:22 -05:00
niphlod
cae10a68c0
fixed most of py3 warnings, output is much cleaner this way
2016-07-18 23:45:28 +02:00
Jason Bohrer
0c4d254a9c
Changed tuple to list
...
The comparison between parts[1:3] and ('', host) would return false because a list and a tuple were being compared.
2016-07-01 13:26:23 -04:00
mdipierro
d9c2f778ee
fixed auth next open redirect
2016-07-01 02:22:15 -05:00
Th3R3p0
d95acb6897
Fixed open redirect security vulnerability. The previous filter searched for two forward slashes "//" in the "_next" parameter and if the two forward slashes were found it would check the URI and determine if the hostname matched the hostname of the web server. If not, it would change the next variable to None. However, browsers don't require two forward slashes. As a feature, browsers accept typos such as http:google.com or http:/google.com and redirect to http://google.com. This can be used to leverage an open redirect attack even with the current filter. This commit fixes the open redirect vulnerability in the _next get parameter. Thanks to jnbrex for helping debug/write the patch for this vulnerability.
2016-06-30 17:24:47 -04:00
Alex Artigues
f87c3e260c
Fix next redirect if only one / exists
2016-06-29 20:54:13 -04:00
ilvalle
48209f5bdf
fix compileapp
2016-06-13 20:20:49 +02:00
ilvalle
7259516627
fix tools
2016-06-13 20:20:44 +02:00
mdipierro
a18e0e489f
why is session.forget not callable in tests?
2016-06-12 21:08:33 -05:00
mdipierro
dfb0129f09
do not forget a missing session
2016-06-12 20:55:16 -05:00
mdipierro
f4a353960b
merged conflicts
2016-06-12 19:59:58 -05:00
Chen Rotem Levy
9877ad5155
fix in_base for base='/'
...
If the base directory already ends with '/' the test failed.
It failed because we added an extra '/' to make sure that '/foobar' is
not under '/foo', so ask '/foobar/'.startswith('/foo/').
However when we have the base already start with '/' we might test:
'/foo/bar/'.startswith('/foo//'), and give a false negative. We
shouldn't have this case, because we normalized the path, but in the
case of the root directory ('/') even a normalized path ends with '/',
and thus when base='/' this function failed.
Some re-factoring was needed to make this base testable.
2016-06-11 12:19:16 +03:00
Chen Rotem Levy
e020395bdc
apply pull request #1313
...
This should have resolved security issue #1261 -- gluon.tools.Expose
symlinks, however it does not deal well with the case where the base
exposed directory is '/'
2016-06-11 11:20:23 +03:00
zvolsky
225a286162
revert wiki to earlier (properly working) state
2016-06-07 15:10:03 +02:00
ilvalle
db8306b5c4
fix iteritems, enabled test_cache & test_dal for 3.5
2016-06-02 17:21:36 +02:00
ilvalle
a1fd92b7f8
updated imports in tests
2016-06-02 14:28:21 +02:00
Michele Comitini
67f85fd631
allow token renewal with http authorization header.
2016-05-31 23:55:58 +02:00
ilvalle
9b9ed0ad0f
running lib2to3.fixes.fix_funcattrs
2016-05-29 08:31:20 +02:00
ilvalle
35900da19b
running lib2to3.fixes.fix_except
2016-05-29 08:31:19 +02:00
ilvalle
d22222ebea
running lib2to3.fixes.fix_reduce
2016-05-29 08:31:19 +02:00
Michele Comitini
95c1a734d1
fix wrong reference to request out of current namespace
2016-05-27 00:23:25 +02:00
mdipierro
be1845ad83
Merge pull request #1327 from leonelcamara/ditch26
...
Ditch python2.6
2016-05-11 01:35:52 -05:00
Leonel Câmara
a9ee9a6b58
remove simplejson
2016-05-11 00:47:23 +01:00
Michele Comitini
7d48d6ba03
removed logging leftover
2016-05-10 01:35:22 +02:00
Michele Comitini
2c26a8c33a
make allows_jwt a real decorator. Tests included!
2016-05-10 00:50:33 +02:00
mdipierro
85819a5f83
Merge pull request #1299 from BuhtigithuB/improve/auth-tests
...
New Auth tests
2016-04-17 21:27:35 -05:00
Hardirc
2f0de8d8a0
New Auth tests & del_membership('role') api harmonization
2016-04-17 11:35:17 -04:00
Hardirc
92b3c8f777
New Auth tests
2016-04-16 19:35:06 -04:00
Hardirc
d622a8aa66
New test suite for prettydate() + fix wrong number of days for month
2016-04-16 14:54:34 -04:00
Richard Vézina
f109be363d
Enhancement tools.py PEP8
2016-04-14 11:17:27 -04:00
Leonel Câmara
b5c8b3ad25
closes #1286
2016-04-12 15:10:14 +01:00
mdipierro
83cf098c07
fixed stupid.css and impersonate
2016-04-09 10:30:31 -05:00
mdipierro
e1aefa2307
Merge pull request #1275 from BuhtigithuB/Improve/gluon-tools-py
...
PEP8 Recaptcha/2 docstring
2016-04-08 23:35:10 -05:00
Richard Vézina
1d21f45e3e
PEP8 Recaptcha/2 docstring
2016-04-07 10:19:57 -04:00
Hardirc
e0d86462c8
New logout_bare() for shell logout and refactor test using it
2016-04-06 22:46:24 -04:00
Massimiliano Belletti
2ffdb716cd
Fix #1267 cas_login
2016-04-06 17:06:23 +02:00
Richard Vézina
e0eb425223
Little improvement of tools.py
2016-03-31 16:25:55 -04:00
mdipierro
bd6115ad62
fixed Host header vulnerability #1196
2016-03-21 01:15:46 -05:00
mdipierro
e8c0e0df92
#1192 again, going it the way Anthony suggests
2016-03-19 13:24:06 -05:00
mdipierro
7f9262f8f8
partially addressed issue #1192 , comments there
2016-03-19 13:10:23 -05:00
mdipierro
c81f1fd6c8
reverting previous commit
2016-03-14 12:34:09 -05:00
mdipierro
f15dd4b6e5
fixed #1204 , updating session when add_membership
2016-03-14 12:32:34 -05:00
mdipierro
e9e61cbca4
fixed #1213 , custom password field name
2016-03-14 12:27:37 -05:00
mdipierro
9a079e092f
fixed typo in auth
2016-02-26 14:24:21 -06:00
mdipierro
218817753a
myconf.take, myconf.get
2016-02-26 14:20:18 -06:00
rafaelol
ba2cb811be
Changes encoding of text and subject on Mail.send()
...
On the previous commit we changed text and subject from unicode
to str. After a better solution from @cassiobotaro, we're using
unicode again, selecting the encoding as the one passed via encoding
parameter.
2016-01-07 14:59:58 -02:00