<!DOCTYPE html>
<html>
<head>
</head>
<body style='font: 12pt Roboto, "DejaVu Sans", Arial; margin-left: 5px; margin-right: 5px;'>
<div id="entry">
<h1 style='font: 12pt Roboto, "DejaVu Sans", Arial; display:block; background: #c0cf88; border-bottom: solid 3px #573; padding: 5px; margin-top: 0px; color: #573;'><a href="https://kallithea-scm.org/repos/kallithea/changeset/9a02f9ef28d7955ea8681b1985e9df59732898df" style="text-decoration: none; font-weight: bold; color: #573;">utils: make API key generator more random The API key generator abused temporary filenames in what seems to be an attempt of creating keys that unambiguousl...</a></h1>
<div id="body">
kiilerix committed on 2015-07-07 00:09:35<br />branch: stable<br />changeset: <a href="https://kallithea-scm.org/repos/kallithea/changeset/9a02f9ef28d7955ea8681b1985e9df59732898df">9a02f9ef</a><pre>utils: make API key generator more random
The API key generator abused temporary filenames in what seems to be an attempt
of creating keys that unambiguously specified the user and thus were unique
across users. A final hashing did however remove that property.
More importantly, tempfile is not documented to use secure random numbers ...
and it only uses 6 characters, giving approximately 36 bits of entropy.
Instead, use the cryptographically secure os.urandom directly to generate keys
with the same length but with the full 160 bits of entropy.
Reported and fixed by Andrew Bartlett.
M kallithea/controllers/admin/my_account.py (1 lines added, 1 lines removed)
M kallithea/controllers/admin/users.py (1 lines added, 1 lines removed)
M kallithea/lib/dbmigrate/schema/db_1_2_0.py (1 lines added, 1 lines removed)
M kallithea/lib/utils2.py (6 lines added, 16 lines removed)
M kallithea/model/api_key.py (1 lines added, 1 lines removed)
M kallithea/model/user.py (2 lines added, 2 lines removed)
M kallithea/tests/functional/test_login.py (1 lines added, 1 lines removed)</pre>
</div>
</div>
</div>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
</head>
<body style='font: 12pt Roboto, "DejaVu Sans", Arial; margin-left: 5px; margin-right: 5px;'>
<div id="entry">
<h1 style='font: 12pt Roboto, "DejaVu Sans", Arial; display:block; background: #c0cf88; border-bottom: solid 3px #573; padding: 5px; margin-top: 0px; color: #573;'><a href="https://kallithea-scm.org/repos/kallithea/changeset/c0da0ef508da341b376b522cb1e14a7e49858055" style="text-decoration: none; font-weight: bold; color: #573;">auth: only API keys with 40 alpha-numeric characters are valid This makes it easy to disable API keys in the database without violating the uniqueness const...</a></h1>
<div id="body">
kiilerix committed on 2015-07-07 00:09:35<br />branch: stable<br />changeset: <a href="https://kallithea-scm.org/repos/kallithea/changeset/c0da0ef508da341b376b522cb1e14a7e49858055">c0da0ef5</a><pre>auth: only API keys with 40 alpha-numeric characters are valid
This makes it easy to disable API keys in the database without violating the
uniqueness constraint, using something like:
UPDATE users SET api_key='-'||api_key;
UPDATE user_api_keys SET api_key='-'||api_key;
M kallithea/model/db.py (3 lines added, 0 lines removed)
M kallithea/tests/functional/test_login.py (2 lines added, 0 lines removed)</pre>
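Added example (not Kallithea's code) tying together the previous changeset and this one: keys are drawn from os.urandom with the full 160 bits of entropy, only 40 alphanumeric characters pass validation, and a key disabled by the '-' prefix shown above stays unique in the table but can no longer authenticate. The in-memory table and user names are constructed for the illustration.

```python
import math
import os
import re

# Only keys of exactly 40 alphanumeric characters are accepted; anything
# else (including a '-' prefixed, disabled key) is rejected up front.
API_KEY_RE = re.compile(r'^[a-zA-Z0-9]{40}$')


def entropy_bits(n_chars, alphabet_size):
    """Entropy of n_chars drawn uniformly from an alphabet of alphabet_size symbols."""
    return n_chars * math.log2(alphabet_size)


def generate_api_key():
    """20 bytes from the OS CSPRNG rendered as 40 hex characters: 160 bits of entropy."""
    return os.urandom(20).hex()


def is_valid_api_key(key):
    """Format check that mirrors the '40 alpha-numeric characters' rule."""
    return API_KEY_RE.match(key) is not None


def disable_api_key(key):
    """Same effect as UPDATE ... SET api_key='-'||api_key: row stays unique, key stops matching."""
    return '-' + key


def find_user_by_api_key(key, table):
    """Reject malformed keys before any lookup, so a disabled key never authenticates."""
    if not is_valid_api_key(key):
        return None
    return table.get(key)


if __name__ == '__main__':
    alice_key = generate_api_key()
    bob_key = generate_api_key()
    # Constructed table: bob's key has been disabled in place.
    table = {alice_key: 'alice', disable_api_key(bob_key): 'bob'}
    print(entropy_bits(40, 16))                          # 160.0
    print(find_user_by_api_key(alice_key, table))        # alice
    print(find_user_by_api_key(disable_api_key(bob_key), table))  # None
```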
</div>
</div>
</div>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
</head>
<body style='font: 12pt Roboto, "DejaVu Sans", Arial; margin-left: 5px; margin-right: 5px;'>
<div id="entry">
<h1 style='font: 12pt Roboto, "DejaVu Sans", Arial; display:block; background: #c0cf88; border-bottom: solid 3px #573; padding: 5px; margin-top: 0px; color: #573;'><a href="https://kallithea-scm.org/repos/kallithea/changeset/c9cfaeb1cdfe5b1e3e8c326881e47aa08b0e23f3" style="text-decoration: none; font-weight: bold; color: #573;">tooltips: fix unsafe insertion of userdata into the DOM as html This fixes js injection in the admin journal ... and probably also in other places. Tooltip...</a></h1>
<div id="body">
kiilerix committed on 2015-07-07 00:09:35<br />branch: stable<br />changeset: <a href="https://kallithea-scm.org/repos/kallithea/changeset/c9cfaeb1cdfe5b1e3e8c326881e47aa08b0e23f3">c9cfaeb1</a><pre>tooltips: fix unsafe insertion of userdata into the DOM as html
This fixes js injection in the admin journal ... and probably also in other places.
Tooltips are used both with hardcoded strings (which is safe and simple) and
with user provided strings wrapped in html formatting (which requires careful
escaping before being put into the DOM as html). The templating will
automatically take care of one level of escaping, but here it requires two
levels to do it correctly ... and that was not always done correctly.
Instead, by default, just insert it into the DOM as text, not as html.
The few places where we know the tooltip contains safe html are handled
specially - the element is given the safe-html-title class. That is the case in
file annotation and in display of tip revision in repo lists.
M kallithea/lib/helpers.py (3 lines added, 3 lines removed)
M kallithea/public/js/base.js (10 lines added, 4 lines removed)
M kallithea/templates/data_table/_dt_elements.html (1 lines added, 1 lines removed)</pre>
</div>
</div>
</div>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
</head>
<body style='font: 12pt Roboto, "DejaVu Sans", Arial; margin-left: 5px; margin-right: 5px;'>
<div id="entry">
<h1 style='font: 12pt Roboto, "DejaVu Sans", Arial; display:block; background: #c0cf88; border-bottom: solid 3px #573; padding: 5px; margin-top: 0px; color: #573;'><a href="https://kallithea-scm.org/repos/kallithea/changeset/9d87b8d5ba00b8625ec4c21adfa604c5caf8bd96" style="text-decoration: none; font-weight: bold; color: #573;">auth: ignore permissions from in-active user groups (Issue #138) Tests by Thomas De Schampheleire. Additionally, rename the unused and seemingly search-rep...</a></h1>
<div id="body">
kiilerix committed on 2015-07-07 00:19:55<br />branch: stable<br />changeset: <a href="https://kallithea-scm.org/repos/kallithea/changeset/9d87b8d5ba00b8625ec4c21adfa604c5caf8bd96">9d87b8d5</a><pre>auth: ignore permissions from in-active user groups (Issue #138)
Tests by Thomas De Schampheleire.
Additionally, rename the unused and seemingly search-replace-massacred
function revokehas_permrevoke_permgrant_perm_perm into revoke_perm.
M kallithea/lib/auth.py (12 lines added, 0 lines removed)
M kallithea/model/user_group.py (1 lines added, 1 lines removed)
M kallithea/tests/models/test_permissions.py (214 lines added, 0 lines removed)</pre>
</div>
</div>
</div>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
</head>
<body style='font: 12pt Roboto, "DejaVu Sans", Arial; margin-left: 5px; margin-right: 5px;'>
<div id="entry">
<h1 style='font: 12pt Roboto, "DejaVu Sans", Arial; display:block; background: #c0cf88; border-bottom: solid 3px #573; padding: 5px; margin-top: 0px; color: #573;'><a href="https://kallithea-scm.org/repos/kallithea/changeset/8aad6a32473927b298312a6a7c60a7a683f5ffd5" style="text-decoration: none; font-weight: bold; color: #573;">permissions: clarify what the default options actually mean</a></h1>
<div id="body">
kiilerix committed on 2015-07-07 00:25:54<br />branch: stable<br />changeset: <a href="https://kallithea-scm.org/repos/kallithea/changeset/8aad6a32473927b298312a6a7c60a7a683f5ffd5">8aad6a32</a><pre>permissions: clarify what the default options actually mean
M kallithea/model/db.py (26 lines added, 26 lines removed)
M kallithea/templates/admin/permissions/permissions_globals.html (12 lines added, 8 lines removed)</pre>
</div>
</div>
</div>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
</head>
<body style='font: 12pt Roboto, "DejaVu Sans", Arial; margin-left: 5px; margin-right: 5px;'>
<div id="entry">
<h1 style='font: 12pt Roboto, "DejaVu Sans", Arial; display:block; background: #c0cf88; border-bottom: solid 3px #573; padding: 5px; margin-top: 0px; color: #573;'><a href="https://kallithea-scm.org/repos/kallithea/changeset/6620542597d36b4a3977cda971957da8d7f0b583" style="text-decoration: none; font-weight: bold; color: #573;">api: check repo create permissions for update_repo and fork_repo as for create-repo Close loophole for creating repos everywhere. Tests by Thomas De Schamp...</a></h1>
<div id="body">
kiilerix committed on 2015-07-07 00:25:59<br />branch: stable<br />changeset: <a href="https://kallithea-scm.org/repos/kallithea/changeset/6620542597d36b4a3977cda971957da8d7f0b583">66205425</a><pre>api: check repo create permissions for update_repo and fork_repo as for create-repo
Close loophole for creating repos everywhere.
Tests by Thomas De Schampheleire.
M docs/api/api.rst (3 lines added, 2 lines removed)
M kallithea/controllers/api/api.py (8 lines added, 0 lines removed)
M kallithea/tests/api/api_base.py (64 lines added, 0 lines removed)</pre>
</div>
</div>
</div>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
</head>
<body style='font: 12pt Roboto, "DejaVu Sans", Arial; margin-left: 5px; margin-right: 5px;'>
<div id="entry">
<h1 style='font: 12pt Roboto, "DejaVu Sans", Arial; display:block; background: #c0cf88; border-bottom: solid 3px #573; padding: 5px; margin-top: 0px; color: #573;'><a href="https://kallithea-scm.org/repos/kallithea/changeset/0b7b52bfaf5dcfa5db2d3fd850f72cd911eac424" style="text-decoration: none; font-weight: bold; color: #573;">api: make update_repo check permissions to check owner like create_repo does Close loophole for reassigning repository owners. Test by Thomas De Schamphele...</a></h1>
<div id="body">
kiilerix committed on 2015-07-07 00:25:59<br />branch: stable<br />changeset: <a href="https://kallithea-scm.org/repos/kallithea/changeset/0b7b52bfaf5dcfa5db2d3fd850f72cd911eac424">0b7b52bf</a><pre>api: make update_repo check permissions to check owner like create_repo does
Close loophole for reassigning repository owners.
Test by Thomas De Schampheleire.
M kallithea/controllers/api/api.py (6 lines added, 0 lines removed)
M kallithea/tests/api/api_base.py (16 lines added, 0 lines removed)</pre>
</div>
</div>
</div>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
</head>
<body style='font: 12pt Roboto, "DejaVu Sans", Arial; margin-left: 5px; margin-right: 5px;'>
<div id="entry">
<h1 style='font: 12pt Roboto, "DejaVu Sans", Arial; display:block; background: #c0cf88; border-bottom: solid 3px #573; padding: 5px; margin-top: 0px; color: #573;'><a href="https://kallithea-scm.org/repos/kallithea/changeset/2906653151bfa0b44ec76c03a47888959e1666be" style="text-decoration: none; font-weight: bold; color: #573;">release: update version number to 0.2.2</a></h1>
<div id="body">
kiilerix committed on 2015-07-13 14:55:49<br />branch: stable<br />changeset: <a href="https://kallithea-scm.org/repos/kallithea/changeset/2906653151bfa0b44ec76c03a47888959e1666be">29066531</a><pre>release: update version number to 0.2.2
M kallithea/__init__.py (1 lines added, 1 lines removed)</pre>
</div>
</div>
</div>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
</head>
<body style='font: 12pt Roboto, "DejaVu Sans", Arial; margin-left: 5px; margin-right: 5px;'>
<div id="entry">
<h1 style='font: 12pt Roboto, "DejaVu Sans", Arial; display:block; background: #c0cf88; border-bottom: solid 3px #573; padding: 5px; margin-top: 0px; color: #573;'><a href="https://kallithea-scm.org/repos/kallithea/changeset/14f488a5dc4ca6647bc6acf12534fd137e968aa8" style="text-decoration: none; font-weight: bold; color: #573;">i18n: synchronised translations from the development branch * updated the translation template * updated translation for Hungarian * updated translation ...</a></h1>
<div id="body">
andrewsh committed on 2015-07-12 16:40:19<br />branch: stable<br />tag: 0.2.2<br />changeset: <a href="https://kallithea-scm.org/repos/kallithea/changeset/14f488a5dc4ca6647bc6acf12534fd137e968aa8">14f488a5</a><pre>i18n: synchronised translations from the development branch
* updated the translation template
* updated translation for Hungarian
* updated translation for Russian
* updated translation for French
* added translation for Belarusian
* updated translation for German
* updated translation for Dutch (Belgium)
A kallithea/i18n/be/LC_MESSAGES/kallithea.po (5924 lines added, 0 lines removed)
Changeset was too big and was cut off...</pre>
</div>
</div>
</div>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
</head>
<body style='font: 12pt Roboto, "DejaVu Sans", Arial; margin-left: 5px; margin-right: 5px;'>
<div id="entry">
<h1 style='font: 12pt Roboto, "DejaVu Sans", Arial; display:block; background: #c0cf88; border-bottom: solid 3px #573; padding: 5px; margin-top: 0px; color: #573;'><a href="https://kallithea-scm.org/repos/kallithea/changeset/1e48181921049f588899f8cc48d5bdf36114b138" style="text-decoration: none; font-weight: bold; color: #573;">Added tag 0.2.2 for changeset 14f488a5dc4c</a></h1>
<div id="body">
kiilerix committed on 2015-07-13 15:14:31<br />branch: stable<br />tag: tip<br />changeset: <a href="https://kallithea-scm.org/repos/kallithea/changeset/1e48181921049f588899f8cc48d5bdf36114b138">1e481819</a><pre>Added tag 0.2.2 for changeset 14f488a5dc4c
M .hgtags (1 lines added, 0 lines removed)</pre>
</div>
</div>
</div>
</body>
</html>