kallithea Changelog · Silverwing's Lair

Changelog - showing 100 out of 553 revisions

Branch filter:

Brandon Jones	b4dd4c16c12d	9 years ago	middleware: replace references to Errormator with AppEnlight. middleware: replace references to Errormator with AppEnlight. Errormator has been rebranded as AppEnlight a while back. Errormator is no longer available. This is just a trivial rename that can't make things worse.
Anton Shestakov	cc21a2b86a30	9 years ago	docs: update links to Mercurial's website and wiki docs: update links to Mercurial's website and wiki Also Mercurial itself is not a coding standard, so add possessive suffix.
Mads Kiilerich	110dcae69d7d	10 years ago	protocols: fix assertion error when accessing repositories with "permanent" urls (Issue #202 ) protocols: fix assertion error when accessing repositories with "permanent" urls (Issue #202) I am not aware of any good way to test this, so it is tested with a Mercurial only hack.
Mads Kiilerich	6754597990cb	10 years ago	api: fix forking of repos in repo groups (Issue #210 ) api: fix forking of repos in repo groups (Issue #210) Patch by Alexandre Beaulieu.
Mads Kiilerich	ffe4d5060d91	10 years ago	api: avoid duplicating group name when updating repo (Issue #37 ) api: avoid duplicating group name when updating repo (Issue #37) The api incorrectly passed repo.repo_name as repo_name, and the model update function incorrectly always required repo_name.
Mads Kiilerich	34ef164e0635	10 years ago	dbmigrate: fix migration step of missing ldap settings - use defaults (Issue #217 )
Mads Kiilerich	10a5a5f1bdf6	10 years ago	release: update contributors list
Andrew Shadura	f40905c3257c	10 years ago	Added tag 0.3.2 for changeset a84d40e9481f Added tag 0.3.2 for changeset a84d40e9481f Added signature for changeset a84d40e9481f
Andrew Shadura	a84d40e9481f	10 years ago	release: 0.3.2 0.3.2
Søren Løvborg	9b74296e6af6	10 years ago	auth: further sanitize requests to prevent GET CSRF (CVE-2016-3691) auth: further sanitize requests to prevent GET CSRF (CVE-2016-3691) Routes allows GET requests to override the HTTP method, which breaks the Kallithea CSRF protection (which only applies to POST requests). This commit blocks such GET request, preventing CSRF attacks.
Søren Løvborg	81057be7a5c1	10 years ago	auth: properly invoke PermFunctions (CVE-2016-3114) auth: properly invoke PermFunctions (CVE-2016-3114) This fixes a vulnerability that allowed logged-in users to edit or delete open pull requests associated with any repository to which they had read access, plus a related vulnerability allowing logged-in users to delete any comment from any repository, provided they could determine the comment ID and had read access to just one repository.
domruf	93b512845dab	10 years ago	changelog: fix range selection from changelog in git repos (Issue #190 ) changelog: fix range selection from changelog in git repos (Issue #190) The Mercurial backend can handle short revision ids so the problem does not occur with hg repositories. Git needs the full hash.
domruf	8a9d93838882	10 years ago	vcs: fix repo size calculation vcs: fix repo size calculation tip.walk already 'dives into' the dirs - don't do that twice.
domruf	43d23fa871d8	10 years ago	tests: add repository size tests
Mads Kiilerich	73493ddc8c9e	10 years ago	docs: fix typo
Mads Kiilerich	ac4daf775230	10 years ago	api: avoid sending double Content-Length header (Issue #201 ) api: avoid sending double Content-Length header (Issue #201) WSGI will take of Content-Length - handling it explicitly was misguided.
Mads Kiilerich	8c479b274e03	10 years ago	docs: improve mod_wsgi documentation (Issue #203 ) docs: improve mod_wsgi documentation (Issue #203) Based on feedback from Graham Dumpleton. * Recommend setting global Apache config WSGIRestrictEmbedded On * Don't set the default value for processes=1 - it has side effects * Use python-home instead of python-path * Fix confusing mentioning of root and clarify the use of specifying user and group * Include WSGIProcessGroup in configuration excerpt
Konstantin Veretennicov	2d89d49c30e8	10 years ago	docs: add notes about IIS, Windows Authentication and Mercurial docs: add notes about IIS, Windows Authentication and Mercurial (The original patch from Konstantin has been heavily copyedited and modified by Mads Kiilerich but is still [based on] Konstantin's feedback and contribution.)
Andrew Shadura	c92b6787c843	10 years ago	Added tag 0.3.1 for changeset 9bf8eb837e78 Added tag 0.3.1 for changeset 9bf8eb837e78 Added signature for changeset 9bf8eb837e78
Andrew Shadura	9bf8eb837e78	10 years ago	release: 0.3.1 0.3.1
Andrew Shadura	250f8150c4bb	10 years ago	docs: suggest using pip instead of setup.py develop
Andrew Shadura	7ef7536bf8e7	10 years ago	auth: support both old and new python-pam API auth: support both old and new python-pam API python-pam 1.8.* provides a new API replacing the previously available authenticate() function. The latest unreleased version brings it back, but until it's available, use a custom shim instead.
Mads Kiilerich	941548131765	10 years ago	setup: introduce requirements.txt for use as "pip install -r requirements.txt" as alternative to "setup.py develop"
Mads Kiilerich	12f1f5b1dcab	10 years ago	Update copyrights and contributors
Mads Kiilerich	4db2e72c35e4	10 years ago	users: fix crash when creating users with non ASCII characters users: fix crash when creating users with non ASCII characters This was already changed by the cleaned up on the default branch in 330c671dd451 but happened to also fix this issue on the stable branch.
Mads Kiilerich	5c7b177d70ff	10 years ago	copyright: 2016
Mads Kiilerich	9e53eb77287c	10 years ago	hg: support Mercurial 3.7.x hg: support Mercurial 3.7.x Testing and upgrade notes doesn't indicate problems.
Robert James Dennington	dba6c44f0a30	10 years ago	auth: Fix bug where usernames are not consistently capitalized when using crowd login auth: Fix bug where usernames are not consistently capitalized when using crowd login If you try to log in to Kallithea via the Crowd auth module then the capitalization of your username in Kallithea changes on every login based on how you capitalized it in the login form. E.g. Log in with "TestDude", username is entered as "TestDude" then log in again, but this time as "tesTduDe", and your username gets changed to "tesTduDe". etc. Fix for this is to use the 'name' field returned from Crowd when saving the username. This way the username is always capitalized identically to the record in Crowd.
Robert James Dennington	18c9eb22c29c	10 years ago	auth: Fix tomcat throwing '505 HTTP Version Not Supported' when trying to log in to Atlassian Crowd with usernames that contain spaces auth: Fix tomcat throwing '505 HTTP Version Not Supported' when trying to log in to Atlassian Crowd with usernames that contain spaces If you try to log in to Kallithea via the Crowd auth module, and the username contains a space, it fails. Tomcat on the Crowd server gives error '505 HTTP Version Not Supported'. Further investigation showed that the username was not being quoted. E.g. for the user 'test account', the REST URL should contain 'test%20account' but actually was containing 'test account'. When Tomcat received this HTTP request it interprets the word 'account' as the HTTP version because of the space. This obviously isn't a valid HTTP version. This bug is fixed by using urllib2.quote on the username to ensure that special characters are correctly quoted. After making that change on my local install, the user 'test account' was able to log in successfully.
Takumi IINO	044252c60f95	10 years ago	i18n: updated translation for Japanese i18n: updated translation for Japanese Currently translated at 93.3% (1057 of 1132 strings)
Takumi IINO	c3cc123ee187	10 years ago	i18n: updated translation for Japanese i18n: updated translation for Japanese Currently translated at 93.3% (1057 of 1132 strings)
Michal Čihař	43d831cea9a8	10 years ago	i18n: updated translation for Czech i18n: updated translation for Czech Currently translated at 3.3% (38 of 1132 strings)
Takumi IINO	72cd2748da02	10 years ago	i18n: updated translation for Japanese i18n: updated translation for Japanese Currently translated at 93.3% (1057 of 1132 strings)
Mads Kiilerich	964aa663deca	10 years ago	repos: fix crashes when repository name is unicode and can't be encoded with the current LANG
Mads Kiilerich	890189aa2bfe	10 years ago	middleware: decode the repo_name received from http header to unicode middleware: decode the repo_name received from http header to unicode The middlewares seemed to make the incorrect assumption that the headers contained unicode. Or to put it differently: They relied on the Python default encoding to be able to convert to unicode instead of using safe_unicode. It would thus fail if running with LANG=C. Instead, utilize that the header actually contains str_repo_name and explicitly decode that to unicode.
Mads Kiilerich	d5707598fd64	10 years ago	db: fix unknown exception type in commit error handling db: fix unknown exception type in commit error handling efce61aac33d was a blind fix. It failed because `from sqlalchemy import *` doesn't import exc and the new except clause would thus fail. It also failed because the session has to be rolled back after a commit failure. Now, rework it to fix these issues. Note that we are able to detect whether the commit failed for valid reasons ... but we can't use that information to much ...
Mads Kiilerich	2189802db18a	10 years ago	python: workaround Python 2.7.11 incompatibility in the celery dependency kombu
Mads Kiilerich	efce61aac33d	10 years ago	db: handle race when multiple threads add the same cache invalidation entry simultaneously (Issue #177 )
Mads Kiilerich	2bf5e8731154	10 years ago	git: fix parsing of git mode change + rename diffs git: fix parsing of git mode change + rename diffs Assume mode lines come first, like for hg diffs.
Mads Kiilerich	20699dd652ff	10 years ago	indexer: skip documents that can't be retrieved - probably because encoding issues (Issue #175 ) indexer: skip documents that can't be retrieved - probably because encoding issues (Issue #175) This doesn't fix the encoding issue but it makes it less fatal.
Mads Kiilerich	74e669d8a479	10 years ago	auth: fail pam and internal authentication attempts if no username is provided (Issue #180 ) auth: fail pam and internal authentication attempts if no username is provided (Issue #180) When the Mercurial client communicates with a server over HTTP, it will always first try to perform operations unauthenticated before providing credentials. Authentication attempts without credentials is usually pointless and will just slow operations down. Some authentication plugins (such as LDAP) already skipped these unauthenticated requests. Now, do the same for other authentication plugions. Other authentication plugins also skip if no password is provided ... but that doesn't seem necessary.
Jan Heylen	720339c9f81c	10 years ago	diff: get collapse target via .attr instead of .prop diff: get collapse target via .attr instead of .prop Commit 3f017db297c4 was not fully tested and broke collapse/expand of diffs on changesets. $button is not a link with a target and the target can thus not be retrieved with .prop('target'); $button is just a span that happens to have a custom attribute with the name 'target'. We thus revert back to the old way of retrieving it with .attr('target'). (It would perhaps be even better to use data attributes and name it data-target and use .data('target') ...)
Mads Kiilerich	1666c8c7d925	10 years ago	repo-scan: print status to stdout instead of logging it repo-scan: print status to stdout instead of logging it Don't mute command line output just because the .ini file not is verbose.
Mads Kiilerich	57bae44fd22e	10 years ago	docs: consistently use venv instead of pyenv
Mads Kiilerich	f3f06692cb7e	10 years ago	setup: support the Mercurial 3.6 series setup: support the Mercurial 3.6 series No significant API changes and testing doesn't show any problems. This upgrade enables use of bundle2 with generaldelta.
Takumi IINO	7425088bc4ff	10 years ago	gist: fix unicode file path handling
Mads Kiilerich	737c3704b44a	10 years ago	cleanup: fixes of checking for None cleanup: fixes of checking for None Don't update repoinfo for all repos if an invalid repo is specified.
Mads Kiilerich	b428b05e5cea	10 years ago	files: fix Selection Link for multi-line selections files: fix Selection Link for multi-line selections It broke in dacdea9fda2a when wrong casing in the translation lookup caused an undefined value which didn't show up in the UI and thus made the link unusable.
Takumi IINO	f569f44a8a89	10 years ago	i18n: some tweaks for i18n
Mads Kiilerich	92ebcf7d8042	10 years ago	auth_pam: fix crash caused by colliding variable names auth_pam: fix crash caused by colliding variable names Regression introduced in 03afa7766ac7.
Thomas De Schampheleire	03975e4a8532	10 years ago	branches: fix 'compare branches' button branches: fix 'compare branches' button Commit b0774d79c7c95ec14ec6d23389d85ed544dd4b50 broke the 'Compare branches' button on the repository branches page, when attempting to replace a Yahoo UI click handler with jQuery.
Thomas De Schampheleire	ae750b5d7de0	10 years ago	bookmarks: fix 'compare bookmarks' button bookmarks: fix 'compare bookmarks' button Commit b0774d79c7c95ec14ec6d23389d85ed544dd4b50 broke the 'Compare bookmarks' button on the repository bookmarks page, when attempting to replace a Yahoo UI click handler with jQuery.
Andrew Shadura	1c9c3b0f21ae	10 years ago	Added tag 0.3 for changeset 9b3e9e242f5c Added tag 0.3 for changeset 9b3e9e242f5c Added signature for changeset 9b3e9e242f5c
Andrew Shadura	9b3e9e242f5c	10 years ago	release: 0.3 0.3
Andrew Shadura	80b69729a0e2	10 years ago	scripts: allow signing with a different key set with EMAIL
Mads Kiilerich	84bb160aac6d	11 years ago	release: update contributors and copyrights
Mads Kiilerich	ef392737c203	11 years ago	auth: validate that the token protecting from CSRF attacks never is leaked auth: validate that the token protecting from CSRF attacks never is leaked This will partly give some protection if it should happen, partly make sure the leak doesn't go unnoticed but is found so it can be fixed.
Mads Kiilerich	1346754f1852	11 years ago	forms: don't use secure forms with authentication token for GET requests forms: don't use secure forms with authentication token for GET requests The token is secret and should never be used in forms posted with GET which are URL encoded. aef21d16a262 was too aggresive in using secure forms everywhere and did thus also incorrectly use them for forms posted with GET. Some token leakage was reported by Gjoko Krstic <gjoko@zeroscience.mk> of Zero Science Lab.
Søren Løvborg	38d1c99cd000	11 years ago	login: enhance came_from validation login: enhance came_from validation Drop urlparse and just validate that came_from is a RFC 3986 compliant path. This blocks an HTTP header injection vulnerability discovered by Gjoko Krstic <gjoko@zeroscience.mk> of Zero Science Lab (CVE-2015-5285)
Mads Kiilerich	092ea4d40d60	11 years ago	git: fix typo in error logging from 1ea1761bab12
Mads Kiilerich	4ca5818a2ff4	11 years ago	summary: add missing c.stats_percentage initialization that caused crash on empty repos
Mads Kiilerich	4e9f5ef98dc4	11 years ago	docs: mention that the optional dependencies psycopg2 and python-ldap also might be needed in the virtualenv
Mads Kiilerich	8c234ae2c258	11 years ago	docs: add advice of upgrading pip and setuptools in new virtualenvs docs: add advice of upgrading pip and setuptools in new virtualenvs Withtout this, the new virtualenv might have setuptools version 12 while the URLObject dependency mock fails because it requires setuptools>=17.1 .
Andrew Shadura	8a1166a465fe	11 years ago	i18n: fixup the Russian translation
Mads Kiilerich	fce926a9d7c7	11 years ago	scripts: move whitespacecleanup.sh to scripts/
Mads Kiilerich	bfa66e8887d7	11 years ago	hgignore: ignore `.cache/`, created by pytest 2.8 when writing `.cache/v/cache/lastfailed`
Mads Kiilerich	cb17acb443c0	11 years ago	javascript: fix missing variable declaration
Mads Kiilerich	1eeb3510917e	11 years ago	codemirror: remove the bad and hopefully unused CodeMirror.modeURL guessing codemirror: remove the bad and hopefully unused CodeMirror.modeURL guessing It should always be set in initCodeMirror before CodeMirror actually is used.
Christian Oyarzun	cf21a36ac3bb	11 years ago	codemirror: fix modeURL when using proxy prefix (Issue #160 ) codemirror: fix modeURL when using proxy prefix (Issue #160) Modified by Mads to use request.script_name instead of h.url().
Søren Løvborg	8ee17ef21796	11 years ago	login: use server-relative URLs in came_from correctly login: use server-relative URLs in came_from correctly Using h.url to combine came_from with query parameters caused the SCRIPT_NAME to incorrectly be prepended to came_from, even though it was already present. This was not a problem if the Kallithea instance was served directly from the server root ('/') as is common, but broke setups where Kallithea was served from a prefix.
Søren Løvborg	b537babcf966	11 years ago	login: include query parameters in came_from login: include query parameters in came_from The login controller uses the came_from query argument to determine the page to continue to after login. Previously, came_from specified only the URL path (obtained using h.url.current), and any URL query parameters were passed along as separate (additional) URL query parameters; to obtain the final redirect target, h.url was used to combine came_from with the request.GET. As of this changeset, came_from specifies both the URL path and query string (obtained using request.path_qs), which means that came_from can be used directly as the redirect target (as always, WebOb handles the task of expanding the server relative path to a fully qualified URL). The mangling of request.GET can also be removed. The login code appended arbitrary, user-supplied query parameters to URLs by calling the Routes URLGenerator (h.url) with user-supplied keyword arguments. This construct is unfortunate, since url only appends _unknown_ keyword arguments as query parameters, and the parameter names could overlap with known keyword arguments, possibly affecting the generated URL in various ways. This changeset removes this usage from the login code, but other instances remain. (In practice, the damage is apparently limited to causing an Internal Server Error when going to e.g. "/_admin/login?host=foo", since WebOb returns Unicode strings and URLGenerator only allows byte strings for these keyword arguments.)
Søren Løvborg	a0a9ae753cc4	11 years ago	login: simplify came_from validation login: simplify came_from validation Even though only server-relative came_from URLs were ever generated, the login controller allowed fully qualified URLs (URLs including scheme and server). To avoid an open HTTP redirect (CWE-601), the code included logic to prevent redirects to other servers. By requiring server-relative URLs, this logic can simply be removed. Note: SCRIPT_NAME is still not validated and it is thus possible to redirect from one app to another on the same netloc.
Mads Kiilerich	ad131f703996	11 years ago	login: make it clear that an invalid came_from is an invalid request
Mads Kiilerich	b98f4431671c	11 years ago	login: inline _redirect_to_origin login: inline _redirect_to_origin Refactor to simplify code and make next changes simpler. Let the controller handle came_from early and more explicit, thus simplifying the redirect flow.
Mads Kiilerich	d4f66ca15110	11 years ago	release: add scripts/make-release for automation of the release process
Mads Kiilerich	1ea1761bab12	11 years ago	git: fix reposcan failure when encountering git repositories on read-only filesystems
Mads Kiilerich	41fe196eeaf5	11 years ago	pull requests: fix incorrect display of pull requests without updates pull requests: fix incorrect display of pull requests without updates avail_revs would contain the top revision and thus not be empty even though no revs were available for update.
Mads Kiilerich	9416093966a0	11 years ago	pull requests: skip 'This pull request has already been merged' check for ranges; they have been "merged" to the ancestor from the beginning
Mads Kiilerich	0fa831892e32	11 years ago	changelog: add date tooltip to changelog, just as it is on the short changelog on the summary page
Mads Kiilerich	ae9ab4c92d46	11 years ago	setup: explicitly use python2 in examples in the documentation
Mads Kiilerich	c79e4f89bfd3	11 years ago	setup: monkey patch setuptools to make distutils set owner/group to root
Mads Kiilerich	e5078f5b46a7	11 years ago	comments: decrease #target comment margin size to compensate for 1 pixel wider yellow border
Mads Kiilerich	f24851239566	11 years ago	pull requests: blame the right user when an admin adds reviewers to other peoples PRs pull requests: blame the right user when an admin adds reviewers to other peoples PRs Don't send notifications from the PR owner.
Mads Kiilerich	e81498114bc8	11 years ago	comments: fix comment add button - it is only the button that should be clickable, not the containing div
Søren Løvborg	12b47803189f	11 years ago	cleanup: use example.com for tests and examples cleanup: use example.com for tests and examples example.com is explicitly reserved for this purpose. Using that means we won't accidentally hammer a real server or real email address if an example value escapes into the wild, e.g. in an automated test. The domain "kallithea.example.com" has been used throughout to refer to the example Kallithea server.
Søren Løvborg	2b2216e8af36	11 years ago	docs: update example output and example server configs docs: update example output and example server configs kallithea-api example output was not up-to-date, and the text was a little vague on whether you specify a hostname or a URL. The Nginx example config has been updated to assume a Kallithea backend server on localhost:5000, like the Apache example. The redundant ServerAlias option was removed from the Apache example.
Andrew Shadura	222a9f3d4023	11 years ago	notifications: ensure paginator's links remain correct after Mark All Read notifications: ensure paginator's links remain correct after Mark All Read Paginator is loaded together with the dynamic page content, so when it's generated, a wrong URL may be used for its links.
Robert Rauch	57caeb60c52b	11 years ago	docs: add documentation for setup with puppet docs: add documentation for setup with puppet Incorporates feedback from Branko Majic and Søren Løvborg.
Étienne Gilli	74fe92d7f5f3	11 years ago	i18n: updated translation for French i18n: updated translation for French Currently translated at 100.0% (1132 of 1132 strings)
Étienne Gilli	e4ab2f2c7e0c	11 years ago	i18n: updated translation for French i18n: updated translation for French Currently translated at 59.6% (675 of 1132 strings)
Robert Rauch	2105eb2b1d6c	11 years ago	i18n: updated translation for German i18n: updated translation for German Currently translated at 60.5% (680 of 1123 strings)
Michael Pohl	25886971a994	11 years ago	i18n: updated translation for German i18n: updated translation for German Currently translated at 59.7% (671 of 1123 strings)
Robert Rauch	98b7c332c9f2	11 years ago	i18n: updated translation for German i18n: updated translation for German Currently translated at 59.6% (670 of 1123 strings)
Andrew Shadura	da5de5692722	11 years ago	i18n: refresh POT, regenerate POs
Michael Pohl	cffe29ccb974	11 years ago	i18n: updated translation for German i18n: updated translation for German Currently translated at 57.7% (649 of 1123 strings)
Robert Rauch	5d018c2f439b	11 years ago	i18n: updated translation for German i18n: updated translation for German Currently translated at 57.7% (648 of 1123 strings)
Andrew Shadura	ef524d262737	11 years ago	i18n: updated translation for French i18n: updated translation for French Currently translated at 58.8% (661 of 1123 strings)
Mads Kiilerich	23f8f477ed35	11 years ago	release: set version number to 0.2.9 to hint that it is a 0.3 rc release: set version number to 0.2.9 to hint that it is a 0.3 rc I don't trust the rc numbering system in kallithea/__init__.py and how it interacts with pip versioning.
Mads Kiilerich	6f60bd9090b1	11 years ago	release: merge default to stable for 0.3
Mads Kiilerich	763dc7a96bae	11 years ago	gists: pass CSRF token when editing gists gists: pass CSRF token when editing gists check_revision was failing.