Commit graph

791 commits

Author SHA1 Message Date
Unrud
6336ffba6e Bump version to 1.1.4 2017-06-25 10:11:03 +02:00
Guillaume Ayoub
0122d3ebd5 Remove duplicate import 2017-05-29 18:00:39 +02:00
Guillaume Ayoub
8b7c7ba214 Use shutil.move in export_storage
os.rename doesn't work when the two folders are on different partitions. shutil.move calls os.rename when possible.
2017-05-29 17:58:09 +02:00
Guillaume Ayoub
d5171958ff Version 1.1.3 2017-05-27 10:58:58 +02:00
Guillaume Ayoub
18647e2e84 Add a warning about auth not being proven to be secure 2017-05-27 10:49:05 +02:00
Guillaume Ayoub
c442fce012 Cosmetics 2017-05-26 11:21:06 +02:00
Guillaume Ayoub
3123d1aa8c Merge pull request #606 from Unrud/upgrade
Export storage from Radicale 1.1.x for 2.0.0
2017-05-26 11:14:19 +02:00
Unrud
ef6af374db Export storage from Radicale 1.1.x for 2.0.0
Adds the command line argument ``--export-storage=FOLDER``.
Radicale reads all data from the configured storage backend and writes it to the folder **FOLDER** in a format that is compatible with the upcoming Radicale 2.0.0.
2017-05-24 17:07:42 +02:00
Guillaume Ayoub
ee3cb8e8e6 Version 1.1.2 2017-04-19 14:05:48 +02:00
Guillaume Ayoub
190b1dd795 Random timer to avoid timing oracles and simple bruteforce attacks
Important note: this is a security fix.
2017-04-19 14:02:51 +02:00
Guillaume Ayoub
aef652fbe2 Remove trailing spaces 2016-07-07 14:48:47 +02:00
Guillaume Ayoub
22821cda75 Fix Python3 compatibility of ssha part of htpasswd 2016-07-07 14:47:28 +02:00
Guillaume Ayoub
3a4184d1ab Merge pull request #351 from Unrud/patch-6
Quick fix for multifilesystem
2016-01-15 10:54:47 +01:00
Guillaume Ayoub
060d265129 Merge branch 'master' of github.com:Kozea/radicale 2016-01-15 10:51:24 +01:00
Guillaume Ayoub
9a2668e425 Fix the Collection._parse docstring 2016-01-15 10:50:36 +01:00
Unrud
a55cff8eb6 Also remove items from the collections itself 2016-01-15 01:13:18 +01:00
Unrud
5081fcbcd1 Use component names to filter duplicates 2016-01-15 01:09:43 +01:00
Guillaume Ayoub
9bc8635bdf Merge pull request #350 from Unrud/patch-5
Repair "head" request
2016-01-15 00:00:33 +01:00
Unrud
6be7dab03f Correct function name 2016-01-14 23:07:53 +01:00
Guillaume Ayoub
f8b068e9fe Version 1.1.1 2016-01-07 23:31:19 +01:00
Guillaume Ayoub
83304c1378 Stupid me, that was PEP 20 (fix 347 for Python 2 too) 2016-01-06 21:44:20 +01:00
Guillaume Ayoub
620d9f8316 Readability counts - PEP8™ (fix #347) 2016-01-06 20:19:12 +01:00
Guillaume Ayoub
e47b50421e Version 1.1 2015-12-31 12:51:23 +01:00
Guillaume Ayoub
e7ce00d54f Style 2015-12-31 12:49:41 +01:00
Guillaume Ayoub
95fe2b6824 Merge pull request #345 from cdpb/master
add improved docker version
2015-12-31 11:59:09 +01:00
Guillaume Ayoub
b484d42547 Merge pull request #335 from Kozea/permissions
Use the first matching section for getting rights
2015-12-31 11:30:29 +01:00
cdpb
365e35cdba add improved docker version 2015-12-28 19:17:30 +01:00
Guillaume Ayoub
20960bee84 Merge pull request #339 from Unrud/patch-2
Improve daemonization
2015-12-24 16:00:39 +01:00
Guillaume Ayoub
18c88642fb Merge pull request #343 from Unrud/paths
Secure path handling
2015-12-24 15:48:14 +01:00
Guillaume Ayoub
0f9a38eba7 Test with Python 3.5 2015-12-24 15:22:48 +01:00
Unrud
eed37792ae Convert filesystem paths safely to paths
This only becomes a problem if the OS/filesystem
allows / in filenames or . respectively
.. as filenames.
2015-12-24 14:39:29 +01:00
Unrud
bcaf452e51 Convert component names safely to filenames
Component names are controlled by the user and
without these checks access to arbitrary files is
possible if the multifilesystem backend is used.
2015-12-24 14:39:29 +01:00
Unrud
b4b3d51f33 Convert paths safely to file system paths
With the old implementation on Windows a path like
"/c:/file/ignore" got converted to "c:\file" and
allowed access to files outside of FOLDER
2015-12-24 14:39:29 +01:00
Unrud
6b7e79a368 Use sanitize_path instead of normpath
See a7b47f075499a1e1b40539bc1fa872a3ab77a204
The check for "." is now needless because the sane
path is always absolute.
```path.replace(os.sep, "/")``` is only relevant
for the (multi)filesystem backend and should be
there.
2015-12-24 14:39:24 +01:00
Unrud
1ad994cadf Move sanitize_path into pathutils.py 2015-12-24 14:39:15 +01:00
Unrud
ed44830447 Error message if path not starting with prefix
Before, the program crashed implicitly
2015-12-24 14:32:21 +01:00
Unrud
780cecc0f2 Always sanitize request URI
Do not rely on the HTTP server
2015-12-24 14:32:21 +01:00
Unrud
ee095a463d Improve URI sanitation
The old implementation failed to sanitize URIs
like ".", "..", "../.." or "//"
2015-12-24 14:32:21 +01:00
Guillaume Ayoub
c217e5d2ff Merge pull request #342 from Unrud/handler
Introduce naming scheme for request handlers
2015-12-24 10:21:13 +01:00
Unrud
592537e37c Introduce naming scheme for request handlers
The do_ prefix and upper case name allows easy
distinction between methods that handle requests
and other methods.
Without this distinction an attacker could
call arbitrary methods.
Currently there is no method that matches the
argument count, but that's easy to miss when new
methods are added.
2015-12-24 07:22:55 +01:00
Guillaume Ayoub
1109973a92 Merge pull request #341 from Unrud/patch-4
Prevent "regex injection"
2015-12-23 12:09:00 +01:00
Unrud
4bfe7c9f79 Prevent "regex injection"
If an attacker is able to authenticate with a user name like .* he can bypass limitations imposed by "owner_write" and "owner_only".
2015-12-23 07:05:20 +01:00
Guillaume Ayoub
c7fe4777b1 Merge pull request #340 from Unrud/patch-3
Improve regex for Well-Known URIs
2015-12-22 15:01:21 +01:00
Unrud
7cb31fe22b Improve regex for Well-Known URIs
Example to show the problem:
/Xwell-known/carddavXX
2015-12-22 12:44:19 +01:00
Unrud
367ca6fcbf Replace standard file descriptors of daemon
Overwriting ```sys.stdout``` and ```sys.stderr``` is not sufficient.
(e.g. the logger still uses the old file descriptors)
2015-12-22 08:50:16 +01:00
Unrud
ecb8ad747e Decouple the daemon from its parent environment 2015-12-22 08:50:16 +01:00
Unrud
3a9238f670 Check and create PID file in a race-free manner 2015-12-22 08:50:16 +01:00
Unrud
0a09804821 Close PID file 2015-12-22 08:49:58 +01:00
Guillaume Ayoub
53c3113b44 Merge pull request #337 from Unrud/patch-1
Assign new items to correct key
2015-12-10 11:05:59 +01:00
Unrud
80ecae40cb Assign new items to correct key 2015-12-10 09:46:38 +01:00