| changeset | e4191aa7b402 |
|---|---|
| branch | default |
| bookmark | |
| tag | tip |
| user | John Rouillard <rouilj@ieee.org> |
| description | doc: issue2551415 correct doc for change input->input_payload in 2.5 the rest interface changed a variable name from input to input_payload. An earlier commit changed the rest docs. This commit adds an item for it to the upgrading 2.4.0->2.5.0 section. Also cross reference added to the rest docs with the updated examples. |
| files | doc/rest.txt doc/upgrading.txt |
| changeset | 792eb77554fb |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | doc: fixed a short header marker. |
| files | doc/installation.txt |
| changeset | 13732c1d8392 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug: fix typing for pre 3.9 python. when I added basic typing to logcontext.py I used a spec unsupported in 3.8 and earlier. |
| files | roundup/logcontext.py |
| changeset | 909cf30c01c1 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | doc: rename input in examples to input_payload the variable input shadows the built-in function input(). |
| files | doc/rest.txt |
| changeset | 9c3ec0a5c7fc |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | chore: remove __future print_function from code. Not needed as of Python 3. |
| files | detectors/irker.py roundup/admin.py roundup/backends/portalocker.py roundup/cgi/TAL/talgettext.py roundup/cgi/cgitb.py roundup/cgi/engine_jinja2.py roundup/date.py roundup/dehtml.py roundup/demo.py roundup/dist/command/build.py |
| changeset | 395c258636ad |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | doc: update CHANGES.txt for roundup.cgi |
| files | CHANGES.txt |
| changeset | 646ba821f63e |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | feat: add TIMING option, python install dir setting, more cleanups Add commented out sys.path.append(...) for user to change location of roundup libraries. Add TIMING global to control output of timing information. Some more ruff cleanups and remove from __future__ import print_function. This is Python 3 for pete's sake. |
| files | frontends/roundup.cgi |
| changeset | 19670ecbad82 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | doc: add doc for scgi with althttpd web server. |
| files | CHANGES.txt doc/installation.txt |
| changeset | 5fbf6451a782 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug: harden header/environment values for roundup-server and cgi If the environment (cgi) or header variables (server) have values with characters outside of the printable ascii range (chr(32-126)), return HTTP 400 error. This is overly strict but nothing that Roundup looks at requires a larger range. When deploying with wsgi and Zope, server software should verify proper values. This fix was triggered by the waitress wsgi server bug: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 which was caused by incorrect validation of header values resulting in the proxy and waitress having different interpretations of what the header meant. My testing of the roundup.cgi script is to use a cgi->wsgi wrapper and run it under wsgi (using waitress). I need to try it under a real server that can run cgi. It looks like python http.server --cgi is missing definitions of HTTP_HOST and other required CGI variables. That's probably why the --cgi option was removed, but it leaves me without a good way to test. Maybe https://github.com/mdklatt/pytest-cgi could be used to test that front end? Arguably CGI is old, but cheap hosting still allows it. |
| files | CHANGES.txt frontends/roundup.cgi roundup/cgi/client.py roundup/scripts/roundup_server.py |
| changeset | f80c566f5726 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | feat: improve store_trace_reason with extract parameter store_trace_reason() used embedded code to extract reason based on the location passed to the function. This change adds support for extract keyword that is a Python expression eval'ed when the underlying function/method is called. All callers now set the extract parameter. The prior embedded code has been removed from store_trace_reason(). Failure to eval the expression results in a roundup.logcontext error severity log. Also updated docs. Also replaced env['REQUEST_URI'] with env['PATH_INFO'] for web based entry points as REQUEST_URI isn't documented as a required key and some other front end (e.g. zope, cgi) might not supply this. |
| files | roundup/admin.py roundup/cgi/client.py roundup/cgi/wsgi_handler.py roundup/logcontext.py roundup/mailgw.py roundup/scripts/roundup_xmlrpc_server.py |
| changeset | dd0445649244 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug(perf): put legacy '_file' last in tuple to speed up match |
| files | roundup/cgi/client.py |
| changeset | 98fb176224fc |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug(perf): move import tempfile to top of file |
| files | roundup/cgi/client.py |
| changeset | 92aecf6c5c09 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug: remove exec that re-raises exception for python 2 (hexora) Eliminate code path for python 2 when handling an unexpected exception. It exec'ed code to reraise exception. Python 2 not supported anymore. |
| files | roundup/cgi/client.py |
| changeset | ee17f62c8341 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug: improve security of eval'ed session database data. (hexora) Hexora flagged: eval(res[0]) where res[0] is a stored repr of a dictionary. Change these to safe_eval(s) s=res[0] using: eval(s, {'__builtins__': {}}, {}) to wipe all functions and variable references inside the eval. This may be breakable however it's better than it was. There is one place where a username (set by user) is stored as a value, but the username rules prohibit ' or " from being present. Also a repr("us'er") is properly quoted and safe_eval(repr({'user': 'us\'r'})) is properly round tripped. |
| files | CHANGES.txt roundup/backends/sessions_rdbms.py |
| changeset | dbe30d5032b8 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | doc: move OAUTH settings together, add set-value and OAUTH docs |
| files | roundup/scripts/roundup_mailgw.py |
| changeset | 06fd452534d0 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | merge heads |
| files |
| changeset | 2c59d8deb653 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug: set minimum level for docker requirements.txt packages Choose minimum versions that do not have outstanding CVE's. |
| files | scripts/Docker/requirements.txt |
| changeset | e920db4d00d3 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | build(deps): bump codecov/codecov-action from 5.5.3 to 6.0.0 #87 |
| files | .github/workflows/ci-test.yml |
| changeset | 98011edc6c60 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | refactor: remove duplicate code block Had the same code inside two different if statements. Replaced with 'if X in [ a, b ] ' and only one copy of the code. |
| files | roundup/password.py test/test_security.py |
| changeset | 05e21949657a |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | doc: inplace db migration; replace [database] with [rdbms] Document inplace tracker migration using exporttable and importtable. I just tested it with anydbm and sqlite. Also directions included old name for [rdbms] section of config.ini file. Fixed it and said old version of roundup may have a [database] section. |
| files | CHANGES.txt doc/admin_guide.txt |
| changeset | c9bb470e6d38 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | doc: update admonition to past tense Also remove some rationale as it's no longer important. |
| files | website/www/index.txt |
| changeset | 695399dea532 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | doc: provide card look for "sections" on features page. Make each section on the features page look like a raised card. Note the sections aren't headers 8-(. The markup is: .. container:: card **pseudo header** - list stuff .. container:: card I can't put: pseudo header ============= in there even though each card is its own section. I would like to have real headers for them (allow text->speech and other devices easier access). Starting a header in column 1 seems to be a requirement of the syntax 8-(. |
| files | doc/_static/style.css doc/features.txt website/www/_static/style.css |
| changeset | e738377b4ffe |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | feature: add detector that prevents file content changes by Admin and other users. New detector and upgrading announcement. Also example of stripping content editing from the User role. |
| files | CHANGES.txt detectors/README.txt detectors/immutable_file_contents.py doc/upgrading.txt |
| changeset | 1ffa1f42e1da |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | refactor: rework mime type comparison and clean code rest.py: accept application/* as match for application/json in non /binary_context rest path. allow defining default mime type to return when file/message is missing mime type. Make it a class variable to it can be changed from text/plain to text/markdown or whatever. extract code from determine_output_format() to create create_valid_content_types() method which returns a list of matching mime types for a given type/subtype. Eliminate mostly duplicate return statements by introducing a variable to specify valid mime types in error message. rest_common.py: Fix error messages that now return application/* as valid mime type. CHANGES.txt upgrading.txt rest.txt: top level notes and corrections. Also correct rst syntax on earlier change. |
| files | CHANGES.txt doc/rest.txt doc/upgrading.txt roundup/rest.py test/rest_common.py |
| changeset | a4f017ae1477 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | perf: dereference methods before using in loop I have a few comprehensions where I use self.FsValue and self.json_dict. Assign self.X to a variable and use the variable in the comprehension. This may provide a little speedup since the lookup is done once. |
| files | roundup/rest.py |
| changeset | 7a7f6ee0a09e |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug: import/importables fail to set newid correctly. Looks like I broke import when I was fixing a scandir issue. Overindented a couple of lines. This prevented the next used id from being set properly. It also resulted in weird output when importing (bunches of newlines). Also fixed the two export/import tests to verify the new nextid for all the classes is equal or higher than the old one. Ideally they should be equal, but there is a bug somewhere where we get a double increment in the export/import cycle dropping a number or two. |
| files | CHANGES.txt roundup/admin.py test/db_test_base.py |
| changeset | e8d1da6e3571 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug: fix traceback in roundup-admin init with bad config values initialize accepts setting values for config.ini file settings. If they are not valid, you got a python traceback. ConfigurationError exceptions are now trapped. The admin.py's usageError_feedback method is used to inform the user. Also the feedback message now starts with a newline making it easier to read by separating it from command that caused the issue. |
| files | CHANGES.txt roundup/admin.py |
| changeset | 4d09c8046cde |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | build(deps): bump anchore/scan-action from 7.3.2 to 7.4.0 #86 |
| files | .github/workflows/anchore.yml |
| changeset | f676eda10c20 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | build(deps): bump codecov/codecov-action from 5.5.2 to 5.5.3 #85 |
| files | .github/workflows/ci-test.yml |
| changeset | 6783a7f2b5e1 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug: fix replacement for param writer_name -> writer correctly. Use the html4css1 writer for now. If you use the html5_polyglot you end up with: <main> processed rst </main> rather than (html4css1 writer's): <div class="document"> processed rst </div> there can only be one <main> per document. Each message must not be inside a <main> tag. I could string munge the main tag to a div. But that's ugly. The correct way is to subclass html5_polyglot and override the HTMLTranslator::documenttag_args replacing {'tagname': 'main'} with {'tagname': 'div', "CLASS": "document"} or something similar. That's a change for another time. |
| files | roundup/cgi/templating.py |