Files
@ a041321d2aa1
Branch filter:
Location: kallithea/docs/usage/vcs_support.rst - annotation
a041321d2aa1
2.2 KiB
text/prs.fallenstein.rst
security: apply CSRF check to all non-GET requests
The automatic CSRF protection was broken for POST requests with no
request payload parameters (but possibly containing request URI
parameters); a security hole was narrowly avoided because the code
base quite consistently checks the request method in the same way,
and because of browser protection against PUT/DELETE CSRF attacks.
Since explicit is better than implicit, the better way of checking
the HTTP request method is to simply check request.method, instead
of checking if request.POST is non-empty, which is subtly different
(it doesn't catch POST requests if all parameters are in the query
string) and non-obvious (because it also applies to PUT requests).
The commit also fixes some tests which relied on the CSRF protection
being broken. It does not fix all the controllers that still does
the misleading request.POST check, but since the CSRF check has now
been tightened, those are no longer a potential security issue.
The automatic CSRF protection was broken for POST requests with no
request payload parameters (but possibly containing request URI
parameters); a security hole was narrowly avoided because the code
base quite consistently checks the request method in the same way,
and because of browser protection against PUT/DELETE CSRF attacks.
Since explicit is better than implicit, the better way of checking
the HTTP request method is to simply check request.method, instead
of checking if request.POST is non-empty, which is subtly different
(it doesn't catch POST requests if all parameters are in the query
string) and non-obvious (because it also applies to PUT requests).
The commit also fixes some tests which relied on the CSRF protection
being broken. It does not fix all the controllers that still does
the misleading request.POST check, but since the CSRF check has now
been tightened, those are no longer a potential security issue.
601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 fbbe80e3322b 601282d36c06 601282d36c06 601282d36c06 fbbe80e3322b 601282d36c06 601282d36c06 fbbe80e3322b 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 36a35394b3cb 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 601282d36c06 9cef5a168b88 9cef5a168b88 9cef5a168b88 fbbe80e3322b 9cef5a168b88 9cef5a168b88 fbbe80e3322b b52a1ccee927 b52a1ccee927 b52a1ccee927 9cef5a168b88 9cef5a168b88 b52a1ccee927 b52a1ccee927 b52a1ccee927 b52a1ccee927 b52a1ccee927 9cef5a168b88 b52a1ccee927 9cef5a168b88 9cef5a168b88 b52a1ccee927 9cef5a168b88 9cef5a168b88 9cef5a168b88 9cef5a168b88 b52a1ccee927 b52a1ccee927 b52a1ccee927 9cef5a168b88 b52a1ccee927 9cef5a168b88 b52a1ccee927 b52a1ccee927 601282d36c06 fbbe80e3322b 601282d36c06 601282d36c06 b52a1ccee927 | .. _vcs_support:
===============================
Version control systems support
===============================
Kallithea supports Git and Mercurial repositories out-of-the-box.
For Git, you do need the ``git`` command line client installed on the server.
You can always disable Git or Mercurial support by editing the
file ``kallithea/__init__.py`` and commenting out the backend.
.. code-block:: python
BACKENDS = {
'hg': 'Mercurial repository',
#'git': 'Git repository',
}
Git support
-----------
Web server with chunked encoding
````````````````````````````````
Large Git pushes require an HTTP server with support for
chunked encoding for POST. The Python web servers waitress_ and
gunicorn_ (Linux only) can be used. By default, Kallithea uses
waitress_ for `paster serve` instead of the built-in `paste` WSGI
server.
The paster server is controlled in the .ini file::
use = egg:waitress#main
or::
use = egg:gunicorn#main
Also make sure to comment out the following options::
threadpool_workers =
threadpool_max_requests =
use_threadpool =
Mercurial support
-----------------
Working with Mercurial subrepositories
``````````````````````````````````````
This section explains how to use Mercurial subrepositories_ in Kallithea.
Example usage::
## init a simple repo
hg init mainrepo
cd mainrepo
echo "file" > file
hg add file
hg ci --message "initial file"
# clone subrepo we want to add from Kallithea
hg clone http://kallithea.local/subrepo
## specify URL to existing repo in Kallithea as subrepository path
echo "subrepo = http://kallithea.local/subrepo" > .hgsub
hg add .hgsub
hg ci --message "added remote subrepo"
In the file list of a clone of ``mainrepo`` you will see a connected
subrepository at the revision it was cloned with. Clicking on the
subrepository link sends you to the proper repository in Kallithea.
Cloning ``mainrepo`` will also clone the attached subrepository.
Next we can edit the subrepository data, and push back to Kallithea. This will
update both repositories.
.. _waitress: http://pypi.python.org/pypi/waitress
.. _gunicorn: http://pypi.python.org/pypi/gunicorn
.. _subrepositories: http://mercurial.aragost.com/kick-start/en/subrepositories/
|