e47b50421e
Version 1.1
2015-12-31 12:51:23 +01:00
e7ce00d54f
Style
2015-12-31 12:49:41 +01:00
95fe2b6824
Merge pull request #345 from cdpb/master
...
add improved docker version
2015-12-31 11:59:09 +01:00
b484d42547
Merge pull request #335 from Kozea/permissions
...
Use the first matching section for getting rights
2015-12-31 11:30:29 +01:00
365e35cdba
add improved docker version
2015-12-28 19:17:30 +01:00
20960bee84
Merge pull request #339 from Unrud/patch-2
...
Improve daemonization
2015-12-24 16:00:39 +01:00
18c88642fb
Merge pull request #343 from Unrud/paths
...
Secure path handling
2015-12-24 15:48:14 +01:00
0f9a38eba7
Test with Python 3.5
2015-12-24 15:22:48 +01:00
eed37792ae
Convert filesystem paths safely to paths
...
This only becomes a problem if the OS/filesystem
allows / in filenames or . respectively
.. as filenames.
2015-12-24 14:39:29 +01:00
bcaf452e51
Convert component names safely to filenames
...
Component names are controlled by the user and
without this checks access to arbitrary files is
possible if the multifilesystem backend is used.
2015-12-24 14:39:29 +01:00
b4b3d51f33
Convert paths safely to file system paths
...
With the old implementation on Windows a path like
"/c:/file/ignore" got converted to "c:\file" and
allowed access to files outside of FOLDER
2015-12-24 14:39:29 +01:00
6b7e79a368
Use sanitize_path instead of normpath
...
See a7b47f075499a1e1b40539bc1fa872a3ab77a204
The check for "." is now needless because the sane
path is always absolute.
```path.replace(os.sep, "/")``` is only relevant
for the (multi)filesystem backend and should be
there.
2015-12-24 14:39:24 +01:00
1ad994cadf
Move sanitize_path into pathutils.py
2015-12-24 14:39:15 +01:00
ed44830447
Error message if path not starting with prefix
...
Before the program crashed implicitly
2015-12-24 14:32:21 +01:00
780cecc0f2
Always sanitize request URI
...
Do no rely on the HTTP server
2015-12-24 14:32:21 +01:00
ee095a463d
Improve URI sanitation
...
The old implementation failed to sanitize URIs
like ".", "..", "../.." or "//"
2015-12-24 14:32:21 +01:00
c217e5d2ff
Merge pull request #342 from Unrud/handler
...
Introduce naming scheme for request handlers
2015-12-24 10:21:13 +01:00
592537e37c
Introduce naming scheme for request handlers
...
The do_ prefix and upper case name allows easy
distinction between methods that handle requests
and other methods.
Without this distinction an attacker could
call arbitrary methods.
Currently there is no method that matches the
argument count, but that's easy to miss when new
methods are added.
2015-12-24 07:22:55 +01:00
1109973a92
Merge pull request #341 from Unrud/patch-4
...
Prevent "regex injection"
2015-12-23 12:09:00 +01:00
4bfe7c9f79
Prevent "regex injection"
...
If an attacker is able to authenticate with a user name like .* he can bypass limitations imposed by "owner_write" and "owner_only".
2015-12-23 07:05:20 +01:00
c7fe4777b1
Merge pull request #340 from Unrud/patch-3
...
Improve regex for Well-Known URIs
2015-12-22 15:01:21 +01:00
7cb31fe22b
Improve regex for Well-Known URIs
...
Example to show the problem:
/Xwell-known/carddavXX
2015-12-22 12:44:19 +01:00
367ca6fcbf
Replace standard file descriptors of daemon
...
Overwriting ```sys.stdout``` and ```sys.stderr``` is not sufficient.
(e.g. the logger still uses the old file descriptors)
2015-12-22 08:50:16 +01:00
ecb8ad747e
Decouple the daemon from its parent environment
2015-12-22 08:50:16 +01:00
3a9238f670
Check and create PID file in a race-free manner
2015-12-22 08:50:16 +01:00
0a09804821
Close PID file
2015-12-22 08:49:58 +01:00
53c3113b44
Merge pull request #337 from Unrud/patch-1
...
Assign new items to correct key
2015-12-10 11:05:59 +01:00
80ecae40cb
Assign new items to correct key
2015-12-10 09:46:38 +01:00
e807c3d35b
Use the first matching section for getting rights
2015-12-03 15:22:12 +01:00
9875db9a6c
Add md5 and bcrypt as available encryptions methods for htpasswd in config file
2015-10-21 02:09:11 +02:00
7b82121c12
Encode message and committer for git commits ( fix #313 )
2015-09-22 11:01:33 +02:00
6babebd315
Version 1.0.1
2015-09-21 12:14:51 +02:00
231cdec476
Update development status
2015-09-14 11:55:49 +02:00
377762e23c
Version 1.0
2015-09-14 11:49:34 +02:00
f112a9b390
Merge pull request #305 from untitaker/database-props
...
Don't discard PROPPATCH on empty collections.
2015-08-28 11:26:10 +02:00
57b1ccdea5
Fix crash on empty values
2015-08-21 20:11:44 +02:00
213cb40480
Don't discard PROPPATCH on empty collections.
2015-08-21 20:08:56 +02:00
90f4b48f98
Merge pull request #236 from untitaker/multifilesystem_fixes
...
Improve errorhandling in multifilesystem
2015-08-21 16:58:26 +02:00
d300949fe8
Improve errorhandling in multifilesystem
...
If the collection doesn't exist yet, OSError(2, 'No such file or
directory') is raised.
https://travis-ci.org/untitaker/vdirsyncer/jobs/42540595
2015-08-21 16:17:00 +02:00
ce9fd74d98
Merge pull request #260 from deronnax/not_found_instead_of_gone
...
change GET response from GONE to NOT FOUND when item is not found
2015-08-21 15:34:59 +02:00
634c3c6e3e
Merge pull request #304 from singpolyma/pam-service
...
Use PAM service
2015-08-12 10:27:55 +02:00
2de4f53fc3
Use PAM service
...
This allows authentication types to be customised for radicale.
2015-08-11 16:46:46 -05:00
b4438d25f7
Cosmetics in htpasswd
2015-07-29 14:00:49 +02:00
3b520a966b
Merge pull request #297 from jgehrcke/feature/md5apr1bcrypt
...
Implement MD5-APR1 and BCRYPT for htpasswd auth
2015-07-29 13:52:57 +02:00
3abbdcf671
htpasswd.py: add optional MD5-APR1 and BCRYPT support via passlib.
...
- Update docstring for optional MD5-APR1/BCRYPT support via passlib.
- Support the "md5" and "bcrypt" htpasswd_encryption config values.
- Conditionally import the required passlib components if either
"md5" or "bcrypt" is requested in the configuration file.
- Test bcrypt backend availability upon import.
- First define verification functions, then conditionally import
external dependencies.
- Consolidate: use context manager for reading credential file.
- Consolidate: save one call to strip() while parsing.
- Consolidate: break long lines, clarify comments and docstrings.
- Consolidate: use verification function mapping for improving maintainability.
2015-07-29 13:12:18 +02:00
1c39c75c6b
Remove Pypy from travis
2015-07-24 16:28:43 +02:00
3f3d0e8945
Remove Pypy from tox
2015-07-24 16:25:01 +02:00
22a356bd06
Merge branch 'master' of github.com:Kozea/radicale
2015-07-24 16:01:38 +02:00
8604593512
Fix many tests and database storage
2015-07-24 16:01:03 +02:00
459b02c9a4
Fix some tests
2015-07-24 14:23:11 +02:00