2.9.4

Merge branch 'master' of github.com:web2py/web2py
Merge pull request #387 from apa-1/master
2014-03-04 22:42:22 -06:00 · 2014-03-04 22:40:00 -06:00 · 2014-03-04 22:39:40 -06:00 · 2014-03-04 22:33:50 -06:00 · 2014-03-04 22:28:35 -06:00 · 2014-03-04 13:10:08 -05:00
10 changed files with 83 additions and 73 deletions
--- a/5
+++ b/5
@@ -1,8 +1,9 @@
-## 2.9.1
+## 2.9.1 - 2.9.3

 - jquery 1.11
 - codemirror 3.21, thanks Paolo Valleri
- fixed a security issue with sessions in database
+- fixed security issue with sessions in database, thanks Nathan Humphreys
+- fixed security issue with persistant data in session, thanks Kiran
 - fixed security issue with redirect after expired login, thanks André Kablu
 - cleaner DAL and rname integration, thanks niphlod and Michele
 - added mongodb and imap tests for dal, thanks Alan
--- a/2
+++ b/2
@@ -30,7 +30,7 @@ update:
 	echo "remember that pymysql was tweaked"
 src:
 	### Use semantic versioning
-	echo 'Version 2.9.2-stable+timestamp.'`date +%Y.%m.%d.%H.%M.%S` > VERSION
+	echo 'Version 2.9.4-stable+timestamp.'`date +%Y.%m.%d.%H.%M.%S` > VERSION
 	### rm -f all junk files
 	make clean
 	### clean up baisc apps
--- a/2
+++ b/2
@@ -1 +1 @@
-Version 2.9.2-stable+timestamp.2014.03.02.17.46.39
+Version 2.9.4-stable+timestamp.2014.03.04.22.40.54
--- a/applications/admin/static/js/web2py.js
+++ b/applications/admin/static/js/web2py.js
@@ -75,8 +75,8 @@
       * this over and over... all will be bound to the document
       */
      /*adds btn class to buttons*/
-      $('button', target).addClass('btn').addClass('btn-default');
-      $('form input[type="submit"], form input[type="button"]', target).addClass('btn').addClass('btn-default');
+      $('button', target).addClass('btn');
+      $('form input[type="submit"], form input[type="button"]', target).addClass('btn');
      /* javascript for PasswordWidget*/
      $('input[type=password][data-w2p_entropy]', target).each(function () {
        web2py.validate_entropy($(this));
--- a/applications/examples/static/js/web2py.js
+++ b/applications/examples/static/js/web2py.js
@@ -75,8 +75,8 @@
       * this over and over... all will be bound to the document
       */
      /*adds btn class to buttons*/
-      $('button', target).addClass('btn').addClass('btn-default');
-      $('form input[type="submit"], form input[type="button"]', target).addClass('btn').addClass('btn-default');
+      $('button', target).addClass('btn');
+      $('form input[type="submit"], form input[type="button"]', target).addClass('btn');
      /* javascript for PasswordWidget*/
      $('input[type=password][data-w2p_entropy]', target).each(function () {
        web2py.validate_entropy($(this));
--- a/applications/welcome/views/default/index.html
+++ b/applications/welcome/views/default/index.html
@@ -1,50 +1,35 @@
-{{left_sidebar_enabled,right_sidebar_enabled=False,('message' in globals())}}
-{{extend 'layout.html'}}
-
-{{block head}}
-<style>
-#w2padmin-btn {margin:30px 0 30px 0;}
-</style>
-{{end head}}
-
-{{if 'message' in globals():}}
-<h2>{{=message}}</h2>
-<p class="lead">{{=T('How did you get here?')}}</p>
-<ol>
-    <li>{{=T('You are successfully running web2py')}}</li>
-    <li>{{=XML(T('You visited the url %s', A(request.env.path_info,_href=request.env.path_info)))}}</li>
-    <li>{{=XML(T('Which called the function %s located in the file %s',
-            (A(request.function+'()',_href='#'),
-                A('web2py/applications/%(application)s/controllers/%(controller)s.py'%request,
-                    _href=URL('admin','default','peek', args=(request.application,'controllers',request.controller+'.py'))))))}}</li>
-    <li>{{=XML(T('The output of the file is a dictionary that was rendered by the view %s',
-            A('web2py/applications/%(application)s/views/%(controller)s/index.html'%request,
-                _href=URL('admin','default','peek',args=(request.application,'views',request.controller,'index.html')))))}}</li>
-    <li>{{=T('You can modify this application and adapt it to your needs')}}</li>
-</ol>
-{{elif 'content' in globals():}}
-{{=content}}
-{{else:}}
-{{=BEAUTIFY(response._vars)}}
-{{pass}}
-
-{{block right_sidebar}}
-<button id="w2padmin-btn" class="btn btn-primary btn-lg btn-block">
-    <i class="glyphicon glyphicon-cog"></i> {{=T("Administrative Interface")}}</button>
-<div class="panel panel-info">
-    <div class="panel-heading">{{=T("Don't know what to do?")}}</div>
-    <ul class="list-group">
-      <li class="list-group-item">{{=A(T("Online examples"), _href=URL('examples','default','index'))}}</li>
-      <li class="list-group-item"><a href="http://web2py.com">web2py.com</a></li>
-      <li class="list-group-item"><a href="http://web2py.com/book">{{=T('Documentation')}}</a></li>
-    </ul>
-</div>
-{{end}}
-
-{{block page_js}}
-<script>
-    $('#w2padmin-btn').click(function() {
-       window.location = "{{=URL('admin','default','index')}}";
-    });
-</script>
-{{end}}
+{{left_sidebar_enabled,right_sidebar_enabled=False,('message' in globals())}}
+{{extend 'layout.html'}}
+
+{{if 'message' in globals():}}
+<h3>{{=message}}</h3>
+
+<h4>{{=T('How did you get here?')}}</h4>
+<ol>
+  <li>{{=T('You are successfully running web2py')}}</li>
+  <li>{{=XML(T('You visited the url %s', A(request.env.path_info,_href=request.env.path_info)))}}</li>
+  <li>{{=XML(T('Which called the function %s located in the file %s',
+             (A(request.function+'()',_href='#'),
+              A('web2py/applications/%(application)s/controllers/%(controller)s.py'%request,
+               _href=URL('admin','default','peek', args=(request.application,'controllers',request.controller+'.py'))))))}}</li>
+  <li>{{=XML(T('The output of the file is a dictionary that was rendered by the view %s',
+           A('web2py/applications/%(application)s/views/%(controller)s/index.html'%request,
+           _href=URL('admin','default','peek',args=(request.application,'views',request.controller,'index.html')))))}}</li>
+  <li>{{=T('You can modify this application and adapt it to your needs')}}</li>
+</ol>
+{{elif 'content' in globals():}}
+{{=content}}
+{{else:}}
+{{=BEAUTIFY(response._vars)}}
+{{pass}}
+
+{{block right_sidebar}}
+{{=A(T("Administrative Interface"), _href=URL('admin','default','index'), _class='btn',
+     _style='margin-top: 1em;')}}
+<h6>{{=T("Don't know what to do?")}}</h6>
+<ul>
+  <li>{{=A(T("Online examples"), _href=URL('examples','default','index'))}}</li>
+  <li><a href="http://web2py.com">web2py.com</a></li>
+  <li><a href="http://web2py.com/book">{{=T('Documentation')}}</a></li>
+</ul>
+{{end}}
--- a/gluon/contrib/gae_memcache.py
+++ b/gluon/contrib/gae_memcache.py
@@ -17,15 +17,19 @@ class MemcacheClient(object):

    client = Client()

-    def __init__(self, request):
+    def __init__(self, request, default_time_expire = 300):
        self.request = request
+        self.default_time_expire = default_time_expire

    def __call__(
        self,
        key,
        f,
-        time_expire=300,
+        time_expire=None,
    ):
+        if time_expire is None:
+            time_expire = self.default_time_expire
+
        key = '%s/%s' % (self.request.application, key)
        value = None
        obj = self.client.get(key)
--- a/gluon/contrib/memdb.py
+++ b/gluon/contrib/memdb.py
@@ -292,8 +292,11 @@ class Table(DALStorage):
    def __str__(self):
        return self._tablename

-    def __call__(self, id):
-        return self.get(id)
+    def __call__(self, id, **kwargs):
+        record = self.get(id)
+        if kwargs and any(record[key]!=kwargs[key] for key in kwargs):
+            return None
+        return record

 class Expression(object):

--- a/gluon/globals.py
+++ b/gluon/globals.py
@@ -887,6 +887,7 @@ class Session(Storage):
                        # Unpickle the data
                        session_data = cPickle.loads(row.session_data)
                        self.update(session_data)
+                        response.session_new = False
                    else:
                        record_id = None
                if record_id:
--- a/gluon/tools.py
+++ b/gluon/tools.py
@@ -278,7 +278,8 @@ class Mail(object):
        sender=None,
        encoding='utf-8',
        raw=False,
-        headers={}
+        headers={},
+        from_address=None
    ):
        """
        Sends an email using data specified in constructor
@@ -308,8 +309,9 @@ class Mail(object):
            encoding: encoding of all strings passed to this method (including
                      message bodies)
            headers: dictionary of headers to refine the headers just before
-                     sending mail, e.g. {'Return-Path' : 'bounces@example.org'}
-
+                     sending mail, e.g. {'X-Mailer' : 'web2py mailer'}
+            from_address: address to appear in the 'From:' header, this is not the
+                          envelope sender. If not specified the sender will be used
        Examples:

            #Send plain text message to single address:
@@ -655,7 +657,10 @@ class Mail(object):
            # no cryptography process as usual
            payload = payload_in

-        payload['From'] = encoded_or_raw(sender.decode(encoding))
+        if from_address:
+            payload['From'] = encoded_or_raw(from_address.decode(encoding))
+        else:
+            payload['From'] = encoded_or_raw(sender.decode(encoding))
        origTo = to[:]
        if to:
            payload['To'] = encoded_or_raw(', '.join(to).decode(encoding))
@@ -1153,16 +1158,27 @@ class Auth(object):
        self.user_groups = auth and auth.user_groups or {}
        if secure:
            request.requires_https()
-        if auth and auth.last_visit and auth.last_visit + \
-                datetime.timedelta(days=0, seconds=auth.expiration) > request.now:
-            self.user = auth.user
-            # this is a trick to speed up sessions
-            if (request.now - auth.last_visit).seconds > (auth.expiration / 10):
-                auth.last_visit = request.now
+        now = request.now        
+        # if we have auth info
+        #    if not expired it, used it
+        #    if expired, clear the session
+        # else, only clear auth info in the session
+        if auth:
+            delta = datetime.timedelta(days=0, seconds=auth.expiration)
+            if auth.last_visit and auth.last_visit + delta > now:
+                self.user = auth.user
+                # this is a trick to speed up sessions to avoid many writes
+                if (now - auth.last_visit).seconds > (auth.expiration / 10):
+                    auth.last_visit = request.now
+            else:
+                self.user = None
+                if session.auth:
+                    del session.auth
+                session.renew(clear_session=True)                
        else:
            self.user = None
            if session.auth:
-                del session.auth
+                del session.auth            
        # ## what happens after login?

        url_index = URL(controller, 'index')
Author	SHA1	Message	Date
mdipierro	1abdf72a04	2.9.4	2014-03-04 22:42:22 -06:00
mdipierro	7c536b66d0	Merge branch 'master' of github.com:web2py/web2py	2014-03-04 22:40:00 -06:00
mdipierro	cc1c019216	Merge pull request #387 from apa-1/master Added 'from_address' to allow for separation of 'envelope sender' and 'f...	2014-03-04 22:39:40 -06:00
mdipierro	d20f231b34	fixed memdb anc session issue 1885	2014-03-04 22:33:50 -06:00
mdipierro	8b03bf5fd9	fixed gae_memacache issue 1887, thanks mjwatson	2014-03-04 22:28:35 -06:00
alex	af4025731a	Added 'from_address' to allow for separation of 'envelope sender' and 'from' in email	2014-03-04 13:10:08 -05:00
mdipierro	77bbb405fb	2.9.3	2014-03-03 08:50:52 -06:00
mdipierro	7592cd2fe0	always reset the session when auth session expires	2014-03-03 08:44:02 -06:00
mdipierro	c5b996c8b1	fixed problem with too many sessions	2014-03-03 08:14:36 -06:00
mdipierro	ae0749d6b8	reverted some bs3 changes	2014-03-03 08:13:37 -06:00