Files
@ 070b8c39736f
Branch filter:
Location: kallithea/scripts/make-release - annotation
070b8c39736f
2.4 KiB
text/plain
auth: only use X- headers instead of wsgi.url_scheme if explicitly told so in url_scheme_header - drop https_fixup setting
Before, several X- headers would be trusted to overrule the actual connection
protocol (http or https) seen by the Kallithea WSGI server. That was mainly
when https_fixup were set, but it incorrectly also kicked in if https_fixup or
use_htsts were configured. The ambiguity of which headers were used also made
it less reliable. The proxy server not only had to be configured to set one of
the headers correctly, it also had to make sure other headers were not passed
on from the client. It would thus in some cases be possible for clients to fake
the connection scheme, and thus potentially be possible to bypass restrictions
configured in Kallithea.
Fixed by making it configurable which WSGI environment variable to use for the
protocol. Users can configure url_scheme_header to for example
HTTP_X_FORWARDED_PROTO instead of using the default wsgi.url_scheme .
This change is a bit similar to what is going on in the https_fixup middleware,
but is doing a bit more of what for example is happening in similar code in
werkzeug/middleware/proxy_fix.py .
The semantics of the old https_fixup were unsafe, so it has been dropped.
Admins that are upgrading must change their configuration to use the new
url_scheme_header option.
Before, several X- headers would be trusted to overrule the actual connection
protocol (http or https) seen by the Kallithea WSGI server. That was mainly
when https_fixup were set, but it incorrectly also kicked in if https_fixup or
use_htsts were configured. The ambiguity of which headers were used also made
it less reliable. The proxy server not only had to be configured to set one of
the headers correctly, it also had to make sure other headers were not passed
on from the client. It would thus in some cases be possible for clients to fake
the connection scheme, and thus potentially be possible to bypass restrictions
configured in Kallithea.
Fixed by making it configurable which WSGI environment variable to use for the
protocol. Users can configure url_scheme_header to for example
HTTP_X_FORWARDED_PROTO instead of using the default wsgi.url_scheme .
This change is a bit similar to what is going on in the https_fixup middleware,
but is doing a bit more of what for example is happening in similar code in
werkzeug/middleware/proxy_fix.py .
The semantics of the old https_fixup were unsafe, so it has been dropped.
Admins that are upgrading must change their configuration to use the new
url_scheme_header option.
d4f66ca15110 d4f66ca15110 d4f66ca15110 d4f66ca15110 f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa 89e9aef9b983 f5b5749113aa f5b5749113aa d06c0566cb23 22321950133a d06c0566cb23 d06c0566cb23 dba4e770d4b6 d06c0566cb23 d06c0566cb23 d4f66ca15110 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 b70ad5c7e706 b70ad5c7e706 d06c0566cb23 d06c0566cb23 aa6f17a53b49 aa6f17a53b49 d4f66ca15110 d06c0566cb23 d4f66ca15110 d4f66ca15110 d4f66ca15110 d06c0566cb23 d4f66ca15110 d4f66ca15110 d06c0566cb23 8f51a05b9856 d06c0566cb23 d06c0566cb23 aa6f17a53b49 d06c0566cb23 08de75df7775 08de75df7775 08de75df7775 d06c0566cb23 d4f66ca15110 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d4f66ca15110 d06c0566cb23 d4f66ca15110 d06c0566cb23 d06c0566cb23 d4f66ca15110 d4f66ca15110 d4f66ca15110 d4f66ca15110 d4f66ca15110 d06c0566cb23 d4f66ca15110 d4f66ca15110 ecef27ac1ffa 61bd04b90f58 d06c0566cb23 e4452268c09f d06c0566cb23 | #!/bin/bash
set -e
set -x
cleanup()
{
echo "Removing venv $venv"
rm -rf "$venv"
}
echo "Checking that you are NOT inside a virtualenv"
[ -z "$VIRTUAL_ENV" ]
venv=$(mktemp -d --tmpdir kallithea-release-XXXXX)
trap cleanup EXIT
echo "Setting up a fresh virtualenv in $venv"
python3 -m venv "$venv"
. "$venv/bin/activate"
echo "Install/verify tools needed for building and uploading stuff"
pip install --upgrade -e . -r dev_requirements.txt twine python-ldap python-pam
echo "Cleanup and update copyrights ... and clean checkout"
scripts/run-all-cleanup
scripts/update-copyrights.py
hg up -cr .
echo "Make release build from clean checkout in build/"
rm -rf build dist
hg archive build
cd build
echo "Check that each entry in MANIFEST.in match something"
sed -e 's/[^ ]*[ ]*\([^ ]*\).*/\1/g' MANIFEST.in | xargs ls -lad
echo "Build dist"
python3 setup.py compile_catalog
python3 setup.py sdist
echo "Verify VERSION from kallithea/__init__.py"
namerel=$(cd dist && echo Kallithea-*.tar.gz)
namerel=${namerel%.tar.gz}
version=${namerel#Kallithea-}
ls -l $(pwd)/dist/$namerel.tar.gz
echo "Releasing Kallithea $version in directory $namerel"
echo "Verify dist file content"
diff -u <((hg mani | grep -v '^\.hg\|^kallithea/i18n/en/LC_MESSAGES/kallithea.mo$') | LANG=C sort) <(tar tf dist/Kallithea-$version.tar.gz | sed "s|^$namerel/||" | grep . | grep -v '^kallithea/i18n/.*/LC_MESSAGES/kallithea.mo$\|^Kallithea.egg-info/\|^PKG-INFO$\|/$' | LANG=C sort)
echo "Verify docs build"
python3 setup.py build_sphinx # the results are not actually used, but we want to make sure it builds
echo "Shortlog for inclusion in the release announcement"
scripts/shortlog.py "only('.', branch('stable') & tagged() & public() & not '.')"
cat - << EOT
Now, make sure
* all tests are passing
* release note is ready
* announcement is ready
* source has been pushed to https://kallithea-scm.org/repos/kallithea
EOT
echo "Verify current revision is tagged for $version"
hg log -r "'$version'&." | grep .
echo -n "Enter \"pypi\" to upload Kallithea $version to pypi: "
read answer
[ "$answer" = "pypi" ]
echo "Rebuild readthedocs for docs.kallithea-scm.org"
xdg-open https://readthedocs.org/projects/kallithea/
curl -X POST http://readthedocs.org/build/kallithea
xdg-open https://readthedocs.org/projects/kallithea/builds
xdg-open https://docs.kallithea-scm.org/en/latest/ # or whatever the branch is
twine upload dist/*
xdg-open https://pypi.python.org/pypi/Kallithea
|