diff doc/customizing.txt @ 4088:34434785f308
Plug a number of security holes:
- EditCSV and ExportCSV altered to include permission checks
- HTTP POST required on actions which alter data
- HTML file uploads served as application/octet-stream
- New item action rejects creation of new users
- Item retirement was not being controlled
Additionally include documentation of the changes and modify affected tests.
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Thu, 12 Mar 2009 02:25:03 +0000 |
| parents | be9122d753c5 |
| children | 72463e22640d |
--- a/doc/customizing.txt Tue Mar 10 21:01:20 2009 +0000 +++ b/doc/customizing.txt Thu Mar 12 02:25:03 2009 +0000 @@ -181,6 +181,12 @@ LC_MESSAGES, or LANG, in that order of preference. Section **web** + allow_html_file -- ``no`` + Setting this option enables Roundup to serve uploaded HTML + file content *as HTML*. This is a potential security risk + and is therefore disabled by default. Set to 'yes' if you + trust *all* users uploading content to your tracker. + http_auth -- ``yes`` Whether to use HTTP Basic Authentication, if present. Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION
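Review bot: the new `allow_html_file` entry does not say what happens when the option is off, and the "potential security risk" wording leaves the reader to guess what the risk is. The commit message states the default behaviour (HTML uploads are served as `application/octet-stream`), so the doc should say so too, for example: "When disabled (the default), uploaded HTML files are served as application/octet-stream so browsers download rather than render them. Rendering them means any user who can attach a file can serve HTML, including script, from the tracker's own origin to every other user who opens it." That makes the "trust *all* users uploading content" sentence concrete: the trust required is trust that no uploader will attach a page that runs in other users' sessions. Minor: the surrounding options document their values with double backticks (``no``, ``yes``); the "Set to 'yes'" phrase should use the same ``yes`` style for consistency.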
