Files
@ a041321d2aa1
Branch filter:
Location: kallithea/docs/usage/backup.rst - annotation
a041321d2aa1
512 B
text/prs.fallenstein.rst
security: apply CSRF check to all non-GET requests
The automatic CSRF protection was broken for POST requests with no
request payload parameters (but possibly containing request URI
parameters); a security hole was narrowly avoided because the code
base quite consistently checks the request method in the same way,
and because of browser protection against PUT/DELETE CSRF attacks.
Since explicit is better than implicit, the better way of checking
the HTTP request method is to simply check request.method, instead
of checking if request.POST is non-empty, which is subtly different
(it doesn't catch POST requests if all parameters are in the query
string) and non-obvious (because it also applies to PUT requests).
The commit also fixes some tests which relied on the CSRF protection
being broken. It does not fix all the controllers that still does
the misleading request.POST check, but since the CSRF check has now
been tightened, those are no longer a potential security issue.
The automatic CSRF protection was broken for POST requests with no
request payload parameters (but possibly containing request URI
parameters); a security hole was narrowly avoided because the code
base quite consistently checks the request method in the same way,
and because of browser protection against PUT/DELETE CSRF attacks.
Since explicit is better than implicit, the better way of checking
the HTTP request method is to simply check request.method, instead
of checking if request.POST is non-empty, which is subtly different
(it doesn't catch POST requests if all parameters are in the query
string) and non-obvious (because it also applies to PUT requests).
The commit also fixes some tests which relied on the CSRF protection
being broken. It does not fix all the controllers that still does
the misleading request.POST check, but since the CSRF check has now
been tightened, those are no longer a potential security issue.
af371e206ec5 af371e206ec5 17c9393e9645 e73a69cb98dc af371e206ec5 af371e206ec5 af371e206ec5 af371e206ec5 af371e206ec5 af371e206ec5 e73a69cb98dc af371e206ec5 fbbe80e3322b af371e206ec5 af371e206ec5 af371e206ec5 4e6dfdb3fa01 4e6dfdb3fa01 af371e206ec5 af371e206ec5 af371e206ec5 af371e206ec5 af371e206ec5 e73a69cb98dc af371e206ec5 af371e206ec5 4e6dfdb3fa01 | .. _backup:
====================
Backing up Kallithea
====================
Settings
--------
Just copy your .ini file, it contains all Kallithea settings.
Whoosh index
------------
The Whoosh index is located in the ``data/index`` directory where you installed
Kallithea, i.e., the same place where the ini file is located
Database
--------
When using sqlite just copy kallithea.db.
Any other database engine requires a manual backup operation.
A database backup will contain all gathered statistics.
|