Kallithea 0.2.2

Andrew Shadura andrew at shadura.me
Tue Jul 14 05:02:20 EDT 2015


Kallithea 0.2.2 has been released. Kallithea is a GPLv3 source code
management software for web-based hosting of Mercurial and Git
repositories.

This release is a stable bugfix release. It fixes issues we've
discovered since the release 0.2.1.

Important changes are security improvements which make permission checks
and authentication more robust.

Note that the global setting formerly known as 'Repository creation'
actually controls 'Top level repository creation' but also gives
permissions to create repositories everywhere through the API. It is
recommended to turn this setting off. Users will still be able to create
repositories in repository groups where they have admin rights (or write
access and 'Repository creation with group write access' is turned on).
This will be cleaned up in a future major release.

The cryptographic strength of the generated passwords and API keys has
been improved by using better randomness sources. Thanks to Andrew
Bartlett for reporting and fixing this.

API keys are now validated more strictly, so API keys which are believed
to have been compromised can now be disabled with:

    update users set api_key='-'||api_key;
    update user_api_keys set api_key='-'||api_key;
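
The two points above (stricter key validation and better randomness for
generated keys) can be illustrated together. The following Python is an
added example written for this announcement, not Kallithea's own code; it
assumes the validation rule is "exactly 40 alphanumeric characters" as
changeset c0da0ef508da states, uses the `secrets` module as a CSPRNG, and
reproduces the effect of the `'-'||api_key` SQL above in Python. The
helper names and the sample rows are constructed for the example.

```python
import re
import secrets
import string

# Assumed restatement of the 0.2.2 rule: a key is valid only if it is
# exactly 40 ASCII alphanumerics. Anything else fails authentication.
API_KEY_RE = re.compile(r"[A-Za-z0-9]{40}")
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def generate_api_key(length: int = 40) -> str:
    """Draw every character from the OS CSPRNG via secrets.choice.

    40 symbols from a 62-symbol alphabet give about 238 bits of entropy,
    so the key cannot be guessed even if the generator's code is public.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_valid_api_key(key: str) -> bool:
    """Strict check: fullmatch rejects extra characters, spaces and prefixes."""
    return API_KEY_RE.fullmatch(key) is not None


def disable_api_key(key: str) -> str:
    """Python equivalent of  update users set api_key='-'||api_key;

    The '-' prefix makes the stored value fail validation, so the key stops
    authenticating, while the original value stays visible for auditing.
    """
    return "-" + key


# Constructed sample of a users table after an incident response action:
# alice untouched, bob's key disabled with the '-' prefix, carol carrying a
# legacy value that never met the new 40-alphanumeric rule.
SAMPLE_ROWS = [
    ("alice", "a" * 40),
    ("bob", disable_api_key("b" * 40)),
    ("carol", "legacy key with spaces"),
]


def users_without_working_key(rows):
    """Return the usernames whose stored key no longer authenticates."""
    return [user for user, key in rows if not is_valid_api_key(key)]


if __name__ == "__main__":
    fresh = generate_api_key()
    print("generated:", fresh, "valid:", is_valid_api_key(fresh))
    print("after disable valid:", is_valid_api_key(disable_api_key(fresh)))
    print("users without a working key:", users_without_working_key(SAMPLE_ROWS))
```

Running `users_without_working_key` over a dump of the `users` and
`user_api_keys` tables after the SQL above is a quick way to confirm that
every key you intended to revoke really is rejected by the strict rule.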

For more information, visit https://kallithea-scm.org/

The summary of the changes is below.

Security-related improvements:

 * 9a02f9ef28d7 utils: make API key generator more random
 * 3e81e6534cad auth: make random password generator more random
 * c0da0ef508da auth: only API keys with 40 alpha-numeric characters
   are valid
 * c9cfaeb1cdfe tooltips: fix unsafe insertion of userdata into the DOM
   as html
 * 9d87b8d5ba00 auth: ignore permissions from in-active user groups
   (Issue #138)
 * 6620542597d3 api: check repo create permissions for update_repo and
   fork_repo as for create-repo
 * 0b7b52bfaf5d api: make update_repo check permissions to check owner
   like create_repo does

Improvements:

 * 8aad6a324739 permissions: clarify what the default options actually
   mean
 * 539f3da5d965 css: make 'add comment' button look more like a button
   (Issue #77)
 * a06804c28d74 css: add text +/- markers to the diff to improve
   readability for colour blind (Issue #77)
 * 3a139a5500dd diff view: improve appearance of line numbers
 * 74b5e0318d4e compat: import defaultdict from collections so it works
   with sqlalchemy 0.8.0 which dropped the shim
 * 1e079752b756 privacy: on password reset, don't tell strangers if
   email is valid or not
 * 7eb5bbbfb8dd auth: reduce code duplication by removing
   generate_api_key implemented in utils2

Fixes:

 * 0e03fb3384df repos: fix superfluous escaping of urlified URLs in repo
   descriptions
 * 83e0a4ce1c07 files: fix invalid links to Last Revision
 * 50cf39fe8335 files: fix hiding of old content while reloading
 * 496bd1bc9a69 changeset: fix #target links to work first time - add
   hack to "reload" page when ready
 * 7aef2c2289c8 pullrequests: fix missing pager links in 'my
   pullrequests' overview
 * a9d2e2958514 pullrequests: fix incorrect References header in mails
   when adding reviewers to (new?) PRs
 * 1cc64983363a graph: fix infinitely narrow graph if there is less than
   one pixel available per branch
 * 85a6526a15a8 diff: fix display of overflow on very long lines that
   cannot be wrapped
 * 3e1afbd6055f helpers: Fix displayed author on changelog_summary_data
   when no email is set in commit author (Issue #137)
 * 5260517c2802 archive: fix archive failing first time on Windows -
   close file descriptor early

 * 588a160dbb9a comments: in the @mention parser, escape spaces in rst
   so they don't show up in HTML
 * 200f43d9c86d comments: fix comment preview line breaks after
   @mentions
 * beeb69476cc4 comments: don't eat character before @mention when
   rendering to rst
 * 9c067ee8d368 comments: fix 'add comment' malfunctioning after
   deleting comments
 * 58e4670c7902 comments: fix missing 'Loading' message
 * 9c067ee8d368 changeset comment: fix delete button issue

 * 2881dd265f21 templates: fix multiple binding of pager event handlers
   to avoid "leaks" and repeated page loads
 * 442d81c381dc settings: show bullet indicating the currently selected
   sub page
 * d9747a04c74a 67ffe5427fd5 api_keys: fix the 'New api key' label
   target so clicking the label focuses the input element

 * cb4e2b2be955 reposcan: fix infinite recursion - don't follow symlinks
   when scanning
 * 15ac6f39f963 middleware: apply HttpsFixup to Hg/Git operations too
   (Issue #132)
 * c44885d0e546 vcs: fix git on Windows - use better quoting of git
   commands (Issue #135)
 * 991308f49979 doc: remove extra scheme from Mergely License URL
 * a73f98871e2b contributors: update

-- 
Cheers,
  Andrew