Files
@ a041321d2aa1
Branch filter:
Location: kallithea/docs/usage/statistics.rst - annotation
a041321d2aa1
1.2 KiB
text/prs.fallenstein.rst
security: apply CSRF check to all non-GET requests
The automatic CSRF protection was broken for POST requests with no
request payload parameters (but possibly containing request URI
parameters); a security hole was narrowly avoided because the code
base quite consistently checks the request method in the same way,
and because of browser protection against PUT/DELETE CSRF attacks.
Since explicit is better than implicit, the better way of checking
the HTTP request method is to simply check request.method, instead
of checking if request.POST is non-empty, which is subtly different
(it doesn't catch POST requests if all parameters are in the query
string) and non-obvious (because it also applies to PUT requests).
The commit also fixes some tests which relied on the CSRF protection
being broken. It does not fix all the controllers that still does
the misleading request.POST check, but since the CSRF check has now
been tightened, those are no longer a potential security issue.
The automatic CSRF protection was broken for POST requests with no
request payload parameters (but possibly containing request URI
parameters); a security hole was narrowly avoided because the code
base quite consistently checks the request method in the same way,
and because of browser protection against PUT/DELETE CSRF attacks.
Since explicit is better than implicit, the better way of checking
the HTTP request method is to simply check request.method, instead
of checking if request.POST is non-empty, which is subtly different
(it doesn't catch POST requests if all parameters are in the query
string) and non-obvious (because it also applies to PUT requests).
The commit also fixes some tests which relied on the CSRF protection
being broken. It does not fix all the controllers that still does
the misleading request.POST check, but since the CSRF check has now
been tightened, those are no longer a potential security issue.
bbd499c7b55e bbd499c7b55e ac7e43325817 ac7e43325817 ac7e43325817 bbd499c7b55e 5ae8e644aa88 ac7e43325817 ac7e43325817 ac7e43325817 bbd499c7b55e ac7e43325817 ac7e43325817 ac7e43325817 ac7e43325817 ac7e43325817 bbd499c7b55e ac7e43325817 ac7e43325817 ac7e43325817 bbd499c7b55e ac7e43325817 ac7e43325817 ac7e43325817 bbd499c7b55e ac7e43325817 bbd499c7b55e ac7e43325817 ac7e43325817 ac7e43325817 ac7e43325817 | .. _statistics:
=====================
Repository statistics
=====================
Kallithea has a *repository statistics* feature, disabled by default. When
enabled, the amount of commits per committer is visualized in a timeline. This
feature can be enabled using the ``Enable statistics`` checkbox on the
repository ``Settings`` page.
The statistics system makes heavy demands on the server resources, so
in order to keep a balance between usability and performance, statistics are
cached inside the database and gathered incrementally.
When Celery is disabled:
On each first visit to the summary page a set of 250 commits are parsed and
added to the statistics cache. This incremental gathering also happens on each
visit to the statistics page, until all commits are fetched.
Statistics are kept cached until additional commits are added to the
repository. In such a case Kallithea will only fetch the new commits when
updating its statistics cache.
When Celery is enabled:
On the first visit to the summary page, Kallithea will create tasks that will
execute on Celery workers. These tasks will gather all of the statistics until
all commits are parsed. Each task parses 250 commits, then launches a new
task.
|