Guillaume Ayoub
e34d9eeaff
Merge pull request #375 from untitaker/old-packages
...
Remove old packages
2016-04-08 12:08:46 +02:00
Markus Unterwaditzer
ecd9922445
Remove old packages
2016-04-07 19:43:02 +02:00
Guillaume Ayoub
54dee0c7c4
Clean tests
2016-04-07 19:25:10 +02:00
Guillaume Ayoub
595e2329ea
Don't create collections on GET requests
2016-04-07 19:03:27 +02:00
Guillaume Ayoub
1001bcb676
Remove extra auth, rights and storage modules
2016-04-07 19:02:52 +02:00
Guillaume Ayoub
1c4acc44a8
Merge pull request #373 from binor/patch-1
...
Add ca-certs to fix problem collecting bcrypt
2016-04-04 22:49:27 +02:00
binor
725b1b41be
Add ca-certs to fix problem collecting bcrypt
2016-04-04 21:14:26 +02:00
Guillaume Ayoub
fa9fd2becc
Merge pull request #370 from cdpb/master
...
docker image - remove python2 support
2016-04-02 13:27:16 +02:00
cdpb
91a5a82c80
remove python2 support
2016-04-02 10:35:39 +02:00
Guillaume Ayoub
287ef6caa2
Don't launch tests on Travis with Python 2 anymore
2016-03-31 19:59:52 +02:00
Guillaume Ayoub
434cb533e9
Remove Python 2 support
2016-03-31 19:57:40 +02:00
Guillaume Ayoub
fa4eaef08e
Merge pull request #353 from Unrud/patch-7
...
Integrated server without busy waiting
2016-03-31 19:24:43 +02:00
Guillaume Ayoub
f27ed8e6ff
Merge pull request #363 from igogold/readonly-collections
...
Fix privilege set for read only collection
2016-03-31 19:23:47 +02:00
Guillaume Ayoub
63f8b36df3
Merge pull request #368 from cdpb/master
...
move base image to alpine
2016-03-31 19:22:13 +02:00
cdpb
5ec5b75558
move base image to alpine
2016-03-28 10:51:36 +02:00
Guillaume Ayoub
2ea35a2fc3
Merge pull request #209 from vuntz/no-autocreate-multifilesystem
...
Do not autocreate .props files for multifilesystem backend
2016-03-10 18:48:29 +01:00
igogold
aa04aa04b7
Fix privilege set for read only collection
2016-03-04 11:05:13 +05:00
Unrud
bbe71c1ad1
Integrated server without threads and busy waiting
2016-01-27 07:17:38 +01:00
Guillaume Ayoub
3a4184d1ab
Merge pull request #351 from Unrud/patch-6
...
Quick fix for multifilesystem
2016-01-15 10:54:47 +01:00
Guillaume Ayoub
060d265129
Merge branch 'master' of github.com:Kozea/radicale
2016-01-15 10:51:24 +01:00
Guillaume Ayoub
9a2668e425
Fix the Collection._parse docstring
2016-01-15 10:50:36 +01:00
Unrud
a55cff8eb6
Also remove items from the collections itself
2016-01-15 01:13:18 +01:00
Unrud
5081fcbcd1
Use component names to filter duplicates
2016-01-15 01:09:43 +01:00
Guillaume Ayoub
9bc8635bdf
Merge pull request #350 from Unrud/patch-5
...
Repair "head" request
2016-01-15 00:00:33 +01:00
Unrud
6be7dab03f
Correct function name
2016-01-14 23:07:53 +01:00
Guillaume Ayoub
f8b068e9fe
Version 1.1.1
2016-01-07 23:31:19 +01:00
Guillaume Ayoub
83304c1378
Stupid me, that was PEP 20 (fix 347 for Python 2 too)
2016-01-06 21:44:20 +01:00
Guillaume Ayoub
620d9f8316
Readability counts - PEP8™ ( fix #347 )
2016-01-06 20:19:12 +01:00
Guillaume Ayoub
e47b50421e
Version 1.1
2015-12-31 12:51:23 +01:00
Guillaume Ayoub
e7ce00d54f
Style
2015-12-31 12:49:41 +01:00
Guillaume Ayoub
95fe2b6824
Merge pull request #345 from cdpb/master
...
add improved docker version
2015-12-31 11:59:09 +01:00
Guillaume Ayoub
b484d42547
Merge pull request #335 from Kozea/permissions
...
Use the first matching section for getting rights
2015-12-31 11:30:29 +01:00
cdpb
365e35cdba
add improved docker version
2015-12-28 19:17:30 +01:00
Guillaume Ayoub
20960bee84
Merge pull request #339 from Unrud/patch-2
...
Improve daemonization
2015-12-24 16:00:39 +01:00
Guillaume Ayoub
18c88642fb
Merge pull request #343 from Unrud/paths
...
Secure path handling
2015-12-24 15:48:14 +01:00
Guillaume Ayoub
0f9a38eba7
Test with Python 3.5
2015-12-24 15:22:48 +01:00
Unrud
eed37792ae
Convert filesystem paths safely to paths
...
This only becomes a problem if the OS/filesystem
allows / in filenames or . respectively
.. as filenames.
2015-12-24 14:39:29 +01:00
Unrud
bcaf452e51
Convert component names safely to filenames
...
Component names are controlled by the user and
without these checks, access to arbitrary files is
possible if the multifilesystem backend is used.
2015-12-24 14:39:29 +01:00
Unrud
b4b3d51f33
Convert paths safely to file system paths
...
With the old implementation on Windows a path like
"/c:/file/ignore" got converted to "c:\file" and
allowed access to files outside of FOLDER
2015-12-24 14:39:29 +01:00
Unrud
6b7e79a368
Use sanitize_path instead of normpath
...
See a7b47f075499a1e1b40539bc1fa872a3ab77a204
The check for "." is now needless because the sane
path is always absolute.
`path.replace(os.sep, "/")` is only relevant
for the (multi)filesystem backend and should be
there.
2015-12-24 14:39:24 +01:00
Unrud
1ad994cadf
Move sanitize_path into pathutils.py
2015-12-24 14:39:15 +01:00
Unrud
ed44830447
Error message if path not starting with prefix
...
Before, the program crashed implicitly
2015-12-24 14:32:21 +01:00
Unrud
780cecc0f2
Always sanitize request URI
...
Do not rely on the HTTP server
2015-12-24 14:32:21 +01:00
Unrud
ee095a463d
Improve URI sanitation
...
The old implementation failed to sanitize URIs
like ".", "..", "../.." or "//"
2015-12-24 14:32:21 +01:00
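Added example, not Radicale's own code: a sketch of the two checks the path-handling commits above describe, collapsing URIs such as ".", "..", "../.." and "//" to a safe absolute path, then refusing components such as "c:" before joining them to the storage folder. The function names and the `/srv/collections` folder are assumptions; `ntpath` is used so the Windows drive case can be checked on any OS.

```python
import ntpath
import posixpath


def sanitize_path(path):
    """Return an absolute path with '.', '..' and empty segments dropped."""
    trailing = "/" if path.endswith("/") else ""
    parts = [p for p in path.split("/") if p and p not in (".", "..")]
    clean = "/" + "/".join(parts)
    return clean if clean == "/" else clean + trailing


def is_safe_component(part):
    """True if part is one plain file name under POSIX and Windows rules."""
    if not part or part in (".", ".."):
        return False
    for flavour in (posixpath, ntpath):
        # A drive prefix ("c:") or a directory head ("a\\b") would let a
        # later join leave or replace the base folder.
        if flavour.splitdrive(part)[0] or flavour.split(part)[0]:
            return False
    return True


def path_to_filesystem(path, base_folder):
    """Map a request path to a file below base_folder or raise ValueError."""
    safe = base_folder
    for part in sanitize_path(path).strip("/").split("/"):
        if not part:  # request for the root collection
            continue
        if not is_safe_component(part):
            raise ValueError("unsafe path component: %r" % part)
        safe = posixpath.join(safe, part)  # posixpath keeps the demo portable
    return safe
```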
Guillaume Ayoub
c217e5d2ff
Merge pull request #342 from Unrud/handler
...
Introduce naming scheme for request handlers
2015-12-24 10:21:13 +01:00
Unrud
592537e37c
Introduce naming scheme for request handlers
...
The do_ prefix and upper case name allow easy
distinction between methods that handle requests
and other methods.
Without this distinction an attacker could
call arbitrary methods.
Currently there is no method that matches the
argument count, but that's easy to miss when new
methods are added.
2015-12-24 07:22:55 +01:00
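Added example, not Radicale's own code: the dispatch pattern this commit message describes, with the request method used directly as an attribute name next to a lookup restricted to `do_<METHOD>` names. The `Application` class, its `purge` helper and both dispatch functions are constructed for illustration.

```python
class Application:
    """Constructed stand-in for a WSGI application object."""

    def do_GET(self, path):
        return "200 OK"

    get = do_GET  # alias so the old lower-case lookup can be shown too

    def purge(self, path):
        """Internal helper, never meant to be reachable from a request."""
        return "purged " + path


def dispatch_by_bare_name(app, method, path):
    """Old style: the request method is used directly as an attribute name."""
    handler = getattr(app, method.lower(), None)
    return handler(path) if callable(handler) else "405 Method Not Allowed"


def dispatch_by_prefix(app, method, path):
    """New style: only attributes named do_<METHOD> are request handlers."""
    handler = getattr(app, "do_" + method.upper(), None)
    return handler(path) if callable(handler) else "405 Method Not Allowed"
```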
Guillaume Ayoub
1109973a92
Merge pull request #341 from Unrud/patch-4
...
Prevent "regex injection"
2015-12-23 12:09:00 +01:00
Unrud
4bfe7c9f79
Prevent "regex injection"
...
If an attacker is able to authenticate with a user name like .* he can bypass limitations imposed by "owner_write" and "owner_only".
2015-12-23 07:05:20 +01:00
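Added example, not Radicale's own code: how a login substituted into a rights pattern changes the pattern's meaning, and how `re.escape` keeps it literal. `OWNER_RULE` is a constructed stand-in for an owner-only rule, and the logins and collection names are constructed sample data.

```python
import re

# Constructed "owner only" rule: a user may touch collections under
# their own login. {login} is filled in per request.
OWNER_RULE = "^{login}/.*$"


def allowed(login, collection, escape):
    """Evaluate OWNER_RULE for login, with or without escaping the login."""
    value = re.escape(login) if escape else login
    try:
        return re.match(OWNER_RULE.format(login=value), collection) is not None
    except re.error:
        # An unescaped login such as "bob(" is not even a valid pattern.
        return False


def audit(logins, collections):
    """List (login, collection) pairs granted only because of injection."""
    return [(login, coll) for login in logins for coll in collections
            if allowed(login, coll, escape=False)
            and not allowed(login, coll, escape=True)]
```

Running `audit` over an existing user list shows which logins would have been treated as patterns rather than names.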
Guillaume Ayoub
c7fe4777b1
Merge pull request #340 from Unrud/patch-3
...
Improve regex for Well-Known URIs
2015-12-22 15:01:21 +01:00
Unrud
7cb31fe22b
Improve regex for Well-Known URIs
...
Example to show the problem:
/Xwell-known/carddavXX
2015-12-22 12:44:19 +01:00