haskell/yesod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5,027 Commits 42 Branches 853 Tags 10 MiB
cf3d9db87d
Commit Graph

904 Commits

Author SHA1 Message Date
nytopop
70b730cc4e
Use at most one valid session cookie per request 
Makes `loadClientSession` ignore all sessions in a request if more than
a single session cookie decodes successfully. The prior behavior was to
merge all valid session cookies' values.

Bumps version to 1.6.12
 2019-02-10 08:42:37 -08:00
Evan Rutledge Borden
da9e72b82f Add minor version bump to 1.6.11 
JSON parsing function deprecations warrant a minor version bump.
 2019-01-29 15:31:35 -06:00
Evan Rutledge Borden
b50ca99566 Deprecate insecure JSON body functions 
`parseJsonBody` and `requireJsonBody` do not require a mime type when
parsing `JSON` content. This leaves them open to CSRF. They are now
deprecated and `insecure` versions are added in their place. Consumers
are now given a proper choice between secure and insecure functions.

There is a potential attack vector in that the browser does not trigger
CORS requests for "simple requests", which includes POST requests that
are form or text content-types. An attacker can craft a form whose body
is valid JSON, and when a user visits attacker.com and submits that
form, it can be submitted to bank.com and bypass CORS.

Checking the content-type is application/json prevents this, because if
the content-type was set to application/json, then the browser would
send a CORS request—a preflight OPTIONS request to the server asking if
the current domain (and some other values) are whitelisted to send
requests to that server. If the server doesn't say attacker.com is
whitelisted, the browser will not send the real request to the server.
 2019-01-24 09:12:48 -06:00
Michael Snoyman
c7e4dd0a1c
Fix test suite compilation on GHC 8.6.3 commercialhaskell/stackage#4319 2019-01-22 18:40:31 +02:00
Maximilian Tagher
c8974d81f9 Add functions to get and set values in the per-request caches 
Closes #1572
 2019-01-21 10:47:27 -08:00
Steven Leiva
2a9bef34c0 Add sendResponseNoContent. 2018-11-30 14:27:21 -06:00
Michael Snoyman
6eb91bdb77
Add missing test file (fixes #1563) 2018-10-15 16:21:17 +03:00
Jason Whittle
ee260e24cb Update changelog with a link to PR #1558. 2018-10-08 18:04:16 -04:00
Jason Whittle
ca602d11bf Bump minor version. 2018-10-08 16:56:20 -04:00
Jason Whittle
4e4efd1627 In the route syntax, allow trailing backslashes to indicate line continuation. 2018-10-08 16:47:06 -04:00
Michael Snoyman
6a9bcc292d
Remove unneeded version bumps 2018-10-08 10:20:49 +03:00
Michael Snoyman
55e0ca4bc3
Add PrimMonad instances 
Pointed out at: https://stackoverflow.com/q/52692508/369198
 2018-10-08 08:19:32 +03:00
Steven Leiva
4015ef2919 Set X-XSS-Protection to 1; mode=block. 2018-08-03 14:17:11 -05:00
Maximilian Tagher
1f05d2c72f
Explain how requireCheckJsonBody can prevent CSRF 2018-07-31 21:22:39 -07:00
Steven Leiva
266c436f18 selectRep chooses first rep if no matches found. 
The `selectRep` documentation indicates that it choose the first
representation provided if no representation matches.

This was only partially correct, as `selectRep` required that no
representation matched **and** that the `Content-Type` header of the
response was empty.

This led to a problem because `defaultErrorhandler` relies on
`selectRep`, and when `selectRep` was unable to find a suitable
representation, it would "swallow" the original error that resulted in
`defaultErrorhandler` being called, and set a status 406 for all cases.
 2018-07-19 21:32:02 -05:00
Michael Snoyman
182abd89bf
Drop some deps 2018-07-03 19:01:58 +03:00
Michael Snoyman
867e7c32dc
Clean up some CPP 2018-07-03 18:57:23 +03:00
Michael Snoyman
d38d00f114 Skip RawResponse tests on Windows #1523 
These tests stall on Windows starting with network-2.6.3.4. I haven't
yet figured out why exactly that's the case, or a minimum repro.
 2018-06-19 10:37:20 +03:00
Michael Snoyman
12a2bb58e9 Add timeouts so stalling is more obvious 2018-06-19 09:52:20 +03:00
Steven Leiva
a63bf16a68 defaultErrorHandler handles text/plain request. 2018-06-12 21:08:55 -05:00
ncaq
708648798e deleted: unneed cabal build-depends by weeder 
[weeder: Detect dead code](https://hackage.haskell.org/package/weeder)

deleted depends is

* mime-mail
* wai-eventsource

I sort build-depends, because duplicate depend some exist, to sort is detect to easy.
 2018-06-09 13:15:21 +09:00
ncaq
a8df3c48c2 modified: use sinkLazy and toStrict 
Because performance problem.
 2018-05-01 17:15:13 +09:00
ncaq
e664ae2e0e changed: use foldC 2018-04-24 12:55:55 +09:00
ncaq
74ce4c57ff Merge branch 'master' into add-file-source-bytes 2018-04-24 12:36:36 +09:00
ncaq
33b5171b75 modified: fileSourceByteString: use sinkLazy 2018-04-17 18:54:18 +09:00
ncaq
a59ee6b62e added: ChangeLog 1.6.4 2018-04-17 18:47:54 +09:00
ncaq
eb220c936a added: addContentDispositionFileName: document comment 
I wrote battle of multibyte from code review.
 2018-04-17 18:44:19 +09:00
ncaq
1e89f4d4c3 cleaned: fileSourceByteString: document comment 
from code review.
 2018-04-17 18:01:36 +09:00
ncaq
11159f3a75 cleaned: use runConduit and .| instead of connect 
from code review.
 2018-04-17 17:58:49 +09:00
ncaq
712e8bb475 added: addContentDispositionFileName 2018-04-17 14:33:38 +09:00
ncaq
955b21d7ea added: ChangeLog 1.6.4 2018-04-17 14:24:57 +09:00
ncaq
7e2ca33ed5 added: fileSourceByteString 
This function is to get `FileInfo` raw body.
 2018-04-17 13:58:15 +09:00
Michael Snoyman
778cf2cf0b
Add missing SubHandlerFor export 2018-04-04 12:11:27 +03:00
Alex Greif
760b947ed4
minor doc change 2018-03-05 14:09:38 +00:00
Maximilian Tagher
08ef0e26dc Derive Show instances for route data structures 
* It's very helpful to have a Show instance for debugging and development
* Currently third party packages are deriving this instance themselves which is not ideal.
    * http://hackage.haskell.org/package/yesod-routes-flow-2.0/docs/src/Yesod-Routes-Flow-Generator.html
    * http://hackage.haskell.org/package/yesod-routes-typescript-0.3.0.0/docs/src/Yesod-Routes-Typescript-Generator.html
    * This change would break those packages, which isn't great
         * At least the typescript one is broken anyway
 2018-03-04 15:59:54 -08:00
Michael Snoyman
3014d8028c
Fix compilation in #1484 
Pinging @RyanGlScott, these changes were necessary for older versions of
dependencies. Is there any problem with using this for GHC 8.4?
 2018-02-05 12:14:54 +02:00
Ryan Scott
3408e1e630 Adapt to Semigroup changes in base-4.11 2018-02-04 20:09:37 -05:00
Michael Snoyman
c2f9dec1e6
Tighten base lower bound 
Technically unnecessary since it's inherited from conduit, but this is
more explicit.
 2018-02-02 00:35:30 +02:00
Michael Snoyman
6ad81f6d15
Merge remote-tracking branch 'origin/master' into better-monads 2018-02-02 00:17:37 +02:00
Michael Snoyman
7f78e81cc1
Lower bounds and missing extra-deps 2018-02-02 00:15:24 +02:00
Michael Snoyman
fe233dd958
Merge pull request #1478 from jprider63/master 
Update `mkYesodWith` and refactor so that `mkYesod` uses the context parser
 2018-01-29 14:57:44 +02:00
James Parker
8796310eef More documentation for mkYesod and mkYesodWith 2018-01-24 23:55:57 -05:00
Michael Snoyman
fa8e1ac00f
Switch to SubHandlerFor 
This is much more consistent than suddenly using a ReaderT for subsites.
Thanks to @jprider63 for the inspiration for this, I think it cleans
things up a lot!
 2018-01-24 13:01:26 +02:00
James Parker
b71bfae261 Refactor so that mkYesod and mkYesodDispatch use the context parser 2018-01-22 00:45:44 -05:00
James Parker
18910b516b Change mkYesodWith to accept separate lists for contexts and type 
arguments
 2018-01-22 00:19:04 -05:00
Michael Snoyman
0f09393c34
Merge branch 'simple-content-type' of https://github.com/JaSpa/yesod into better-monads 2018-01-21 11:13:05 +02:00
Maximilian Tagher
6b22a0b9be Give more detail in the error message for too large request bodies. 
* Just to be helpful to developers, give the maximum body length and their body length
* Also point developers to the function to change that value

(I don't think this leaks any sensitive info, because you can always binary search with different request body sizes to find the maximum allowable)
 2018-01-18 18:30:34 -08:00
Janek Spaderna
492102537f [yesod] Bump version & add changelog entry 2018-01-18 12:11:43 +01:00
Janek Spaderna
7f6f1821e8 [yesod] Fix comment for contentTypeTypes & simpler implementation 
In the implementation of contentTypeTypes make use of simpleContentType.
 2018-01-18 12:00:46 +01:00
Michael Snoyman
6830a9840c
Merge branch 'better-monads' into no-transformers 2018-01-17 06:43:52 +02:00
Michael Snoyman
ad35ef9431
Deal with another sneaky exception 2018-01-16 16:10:23 +02:00
Michael Snoyman
f2926e60f0
Remove some deprecated methods from the Yesod class 2018-01-15 20:52:33 +02:00
Michael Snoyman
915d9e2fa6
Finish switching header key to a CI 
Fixes #1418
 2018-01-15 16:47:49 +02:00
Michael Snoyman
25acc5799b
Version bumps and changelog updates 2018-01-15 15:57:36 +02:00
Michael Snoyman
89be12c147
Strictify a bunch of fields 2018-01-15 15:18:09 +02:00
Michael Snoyman
60f65ed267
Cleanup warnings 2018-01-15 15:09:07 +02:00
Michael Snoyman
1f7a2a287b
Switch to gauge 2018-01-15 11:46:38 +02:00
Michael Snoyman
8c96b4e36c
Fix benchmark compile 2018-01-15 10:48:50 +02:00
Michael Snoyman
1a1cb8a45f
Drop mwc-random 2018-01-15 10:18:16 +02:00
Michael Snoyman
6a715c06c3
Merge remote-tracking branch 'origin/guess-approot-default' into better-monads 2018-01-12 00:18:37 +02:00
Michael Snoyman
3bb654857c
Ditch ResumableSource 2018-01-12 00:09:54 +02:00
Michael Snoyman
3e06942449
Simplify YesodSubDispatch 2018-01-11 23:13:32 +02:00
Michael Snoyman
fbccfe2306
Merge branch 'better-monads' into no-transformers 2018-01-11 22:49:02 +02:00
Michael Snoyman
103c098cf8
Catch up with Data.Conduit.Combinators 2018-01-10 12:16:31 -08:00
Michael Snoyman
a16e75249a
More moving over to unliftio 2017-12-31 09:20:02 +02:00
Michael Snoyman
eac95935e6
Switch over to WIP conduit 1.3 2017-12-30 22:47:56 +02:00
Michael Snoyman
8a30e487b0
Merge remote-tracking branch 'origin/master' into better-monads 2017-12-30 20:41:28 +02:00
Maximilian Tagher
5cdc0a39ac Document whitelisting certain routes to not need CSRF protection 
This question came up on the #yesod Slack channel and I think it's moderately common; I've seen it elsewhere.
 2017-12-29 23:44:08 -05:00
Michael Snoyman
aed10fc84a
WIP 2017-12-13 14:39:59 +02:00
Michael Snoyman
61c887f501
Start converting yesod-auth over 2017-12-13 13:44:59 +02:00
Michael Snoyman
47ee7384ea
Be gone with ye HandlerT! 2017-12-13 09:53:14 +02:00
Sibi Prabakaran
323d7f4322
Fix haddock doc for the Yesod.Core.Unsafe module 2017-12-13 02:33:37 +05:30
Michael Snoyman
1c2914eded
MonadUnliftIO instances 2017-12-12 12:46:49 +02:00
Michael Snoyman
5c8b1b542a
WidgetT uses IORef 2017-12-12 12:46:35 +02:00
Michael Snoyman
c5ac821115
Remove some conditionals for old versions 2017-12-12 12:08:06 +02:00
Maximilian Tagher
1275cce1af Give better error messages when CSRF validation fails 
* This is important because historically these errors have tripped people up
* Making security as easy as possible is important so that it doesn't just get turned off
* Giving clear directions about where to get the CSRF token (a cookie) and where to send it (a header/param) is especially helpful to frontend developers not necessarily familiar with the backend codebase
 2017-11-26 09:00:30 -05:00
Josh Berman
6d6afcf826 point changelog to PR not issue 2017-11-26 12:09:17 +02:00
Josh Berman
79ab662a80 Fix docs on languages set and getMessageRender to use it (#1325) 2017-11-26 11:52:37 +02:00
Ian Duncan
05b2193e9f
Code review fixes for #1444 2017-09-08 09:00:12 +09:00
Ian Duncan
fd872cff40
Add support to yesod-core for weak etags 2017-09-06 10:08:45 +09:00
Sibi Prabakaran
7cfefdf3fa
Merge remote-tracking branch 'origin/master' into header-yesod 
Conflicts resolved in:
	yesod-core/ChangeLog.md
	yesod-core/yesod-core.cabal
 2017-07-28 17:01:03 +05:30
Sibi Prabakaran
19ff5c2006
Fix warning in test code 2017-07-28 16:58:11 +05:30
Michael Snoyman
4b34fe9c72
Fix deprecation warning for LTS 8 2017-07-23 12:25:29 +03:00
Michael Snoyman
06ca675bb6
Version bump 2017-07-20 13:58:15 +03:00
Sibi Prabakaran
617591aa4e
Do case insensitive equality on header name 2017-07-14 13:44:21 +05:30
Sibi Prabakaran
89fc6c46e2
Fix ordering logic in replaceHeader function 2017-07-13 16:29:08 +05:30
Sibi Prabakaran
f3ed12ed81
Add additional test to make sure that header value is not lost 2017-07-13 12:43:16 +05:30
Sibi Prabakaran
18951b0de7
Update the replace logic to obey proper ordering 2017-07-13 12:42:30 +05:30
Sibi Prabakaran
8416bb6569
Add Haddock documentation for the added function 2017-07-13 11:27:03 +05:30
Sibi Prabakaran
a31c270893
Update Changelog and do verion bump of the package 2017-07-13 11:24:57 +05:30
Sibi Prabakaran
3cec499c85
ScopedTypeVariables is also needed 2017-07-13 11:17:03 +05:30
Sibi Prabakaran
4e0b084df2
Enable test in YesodCoreTest 2017-07-13 11:16:47 +05:30
Sibi Prabakaran
839b56b032
Implement replaceOrAddHeader function 2017-07-13 11:10:54 +05:30
Sibi Prabakaran
301f4bc630
Expose YesodCoreTest.Header module 2017-07-13 11:07:13 +05:30
Sibi Prabakaran
051339f3dc
Add test code for HTTP headers properties 2017-07-13 11:05:57 +05:30
Josh Berman
ec85ef735c Work with TH from GHC 8.2.1-rc2 2017-07-03 06:44:25 -04:00
James Parker
70f643b7e9 Merge branch 'master' of https://github.com/yesodweb/yesod into dev.jp 2017-06-01 11:24:54 -04:00
James Haver II
5ee51262de Update ChangeLog and Hackage comments 2017-05-12 01:04:13 +08:00
James Haver II
56b09eef93 Add WaiSubsiteWithAuth 2017-05-12 00:13:07 +08:00
Alan Zimmerman
01d5f02cee GHC 7.6 not supported 2017-04-12 19:31:40 +02:00