comparison roundup/configuration.py @ 4088:34434785f308
Plug a number of security holes:
- EditCSV and ExportCSV altered to include permission checks
- HTTP POST required on actions which alter data
- HTML file uploads served as application/octet-stream
- New item action rejects creation of new users
- Item retirement was not being controlled
Additionally include documentation of the changes and modify affected tests.
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Thu, 12 Mar 2009 02:25:03 +0000 |
| parents | e039f3cbbb96 |
| children | 88af08f8666f |
| 4087:1d0d1921f083 | 4088:34434785f308 |
|---|---|
| 549 "If this option is not set, the language is determined\n" | 549 "If this option is not set, the language is determined\n" |
| 550 "by OS environment variable LANGUAGE, LC_ALL, LC_MESSAGES,\n" | 550 "by OS environment variable LANGUAGE, LC_ALL, LC_MESSAGES,\n" |
| 551 "or LANG, in that order of preference."), | 551 "or LANG, in that order of preference."), |
| 552 )), | 552 )), |
| 553 ("web", ( | 553 ("web", ( |
| 554 (BooleanOption, "allow_html_file", "no", | |
| 555 "Setting this option enables Roundup to serve uploaded HTML\n" | |
| 556 "file content *as HTML*. This is a potential security risk\n" | |
| 557 "and is therefore disabled by default. Set to 'yes' if you\n" | |
| 558 "trust *all* users uploading content to your tracker."), | |
| 554 (BooleanOption, 'http_auth', "yes", | 559 (BooleanOption, 'http_auth', "yes", |
| 555 "Whether to use HTTP Basic Authentication, if present.\n" | 560 "Whether to use HTTP Basic Authentication, if present.\n" |
| 556 "Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION\n" | 561 "Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION\n" |
| 557 "variables supplied by your web server (in that order).\n" | 562 "variables supplied by your web server (in that order).\n" |
| 558 "Set this option to 'no' if you do not wish to use HTTP Basic\n" | 563 "Set this option to 'no' if you do not wish to use HTTP Basic\n" |
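Review bot: The help text for the new allow_html_file option describes only what 'yes' does, not the default behaviour; since the commit message says uploaded HTML files are served as application/octet-stream when this is off, the option text should say so, e.g. add a line "When disabled, such files are served as application/octet-stream (offered for download, not rendered)." so administrators understand the trade-off before flipping it. Minor style point: the new option name is written as "allow_html_file" in double quotes while the neighbouring 'http_auth' uses single quotes; match the surrounding style.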
