Commit Graph

4745 Commits

Author SHA1 Message Date
Evan Rutledge Borden
da9e72b82f Add minor version bump to 1.6.11
JSON parsing function deprecations warrant a minor version bump.
2019-01-29 15:31:35 -06:00
Evan Rutledge Borden
b50ca99566 Deprecate insecure JSON body functions
`parseJsonBody` and `requireJsonBody` do not require a mime type when
parsing `JSON` content. This leaves them open to CSRF. They are now
deprecated and `insecure` versions are added in their place. Consumers
are now given a proper choice between secure and insecure functions.

There is a potential attack vector in that the browser does not trigger
CORS requests for "simple requests", which includes POST requests that
are form or text content-types. An attacker can craft a form whose body
is valid JSON, and when a user visits attacker.com and submits that
form, it can be submitted to bank.com and bypass CORS.

Checking the content-type is application/json prevents this, because if
the content-type was set to application/json, then the browser would
send a CORS request—a preflight OPTIONS request to the server asking if
the current domain (and some other values) are whitelisted to send
requests to that server. If the server doesn't say attacker.com is
whitelisted, the browser will not send the real request to the server.
2019-01-24 09:12:48 -06:00
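The attack and the mitigation described in the commit message above (and in the 2018-07-31 "Explain how requireCheckJsonBody can prevent CSRF" entry further down) modelled as an added JavaScript example. This is not Yesod's code and does not reproduce its Haskell API; the request objects, the attacker form, and the `parseJsonBodyInsecure` / `parseJsonBodyChecked` names are constructed here for illustration only.

```javascript
// Added example, not Yesod's code: models the difference between a JSON body
// parser that ignores Content-Type and one that requires application/json.
// Requests are plain objects { headers, body } so everything runs offline.

// Media types a browser sends cross-origin from an HTML <form> without a
// CORS preflight ("simple requests"). application/json is not among them.
const SIMPLE_FORM_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Strips parameters such as "; charset=utf-8" and normalises case.
function mediaType(req) {
  const ct = req.headers["content-type"] || "";
  return ct.split(";")[0].trim().toLowerCase();
}

// True when a browser would send this POST cross-origin with no preflight.
function isPreflightFree(req) {
  return SIMPLE_FORM_TYPES.has(mediaType(req));
}

// Body a browser produces for <form method="post" enctype="text/plain">
// with a single field: "name=value" terminated by CRLF.
function textPlainFormBody(fieldName, fieldValue) {
  return `${fieldName}=${fieldValue}\r\n`;
}

// Hypothetical attacker form: the field NAME is an unterminated JSON object
// and the VALUE closes it, so "name=value" is valid JSON once the browser
// inserts the "=". The padding key soaks up that "=".
function craftCsrfJsonBody() {
  return textPlainFormBody('{"to":"attacker","amount":1000,"pad":"', '"}');
}

// Deprecated behaviour: parses whatever arrives, whatever it claims to be.
function parseJsonBodyInsecure(req) {
  return JSON.parse(req.body);
}

// Checked behaviour: refuse bodies not declared as application/json. A
// cross-origin application/json POST is preflighted, so a browser will not
// deliver it unless the server's CORS policy explicitly allows the origin.
function parseJsonBodyChecked(req) {
  const mt = mediaType(req);
  if (mt !== "application/json") {
    throw new Error(`415 unsupported media type: ${mt || "(none)"}`);
  }
  return JSON.parse(req.body);
}

// Constructed sample requests.
const csrfRequest = {
  headers: { "content-type": "text/plain" }, // what the attacker's form sends
  body: craftCsrfJsonBody(),
};
const legitimateRequest = {
  headers: { "content-type": "application/json; charset=utf-8" },
  body: JSON.stringify({ to: "bob", amount: 5 }),
};

// Runs both parsers over both requests and reports what each accepted.
function demo() {
  const insecure = parseJsonBodyInsecure(csrfRequest);
  let checkedRejectedCsrf = false;
  try {
    parseJsonBodyChecked(csrfRequest);
  } catch (e) {
    checkedRejectedCsrf = true;
  }
  const legit = parseJsonBodyChecked(legitimateRequest);
  return {
    insecureAcceptedCsrf: insecure.to === "attacker" && insecure.amount === 1000,
    checkedRejectedCsrf,
    checkedAcceptedLegit: legit.to === "bob",
  };
}

console.log(demo());
```

The check only helps because browsers refuse to send a cross-origin `application/json` POST without a successful preflight; a server whose CORS handler reflects arbitrary origins with credentials allowed would reopen the hole, and non-browser clients are not constrained by it at all, so the media-type check is a CSRF defence, not an authentication mechanism.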
Michael Snoyman
874a711d47
Merge pull request #1574 from yesodweb/more-ltses
More LTSes are tested
2019-01-23 08:26:41 +02:00
Michael Snoyman
5f597494b5
More LTSes are tested 2019-01-22 20:09:05 +02:00
Michael Snoyman
c7e4dd0a1c
Fix test suite compilation on GHC 8.6.3 commercialhaskell/stackage#4319 2019-01-22 18:40:31 +02:00
Michael Snoyman
9ff1f18a4a
Merge pull request #1573 from yesodweb/getSetCache
Add functions to get and set values in the per-request caches
2019-01-22 09:35:37 +02:00
Maximilian Tagher
c8974d81f9 Add functions to get and set values in the per-request caches
Closes #1572
2019-01-21 10:47:27 -08:00
Sibi
09c4587393
Merge pull request #1571 from jlamothe/FormResult
Make FormResult instances of Eq and Monad
2019-01-20 22:59:18 +05:30
Jonathan Lamothe
92e4e48353 updated ChangeLog 2019-01-19 13:12:29 -05:00
Jonathan Lamothe
fd141d56b7 incremented version number 2019-01-18 18:53:04 -05:00
Jonathan Lamothe
429f78859c make FormResult an instance of Eq 2019-01-18 12:48:36 -05:00
Maximilian Tagher
673db5f6ff
Merge pull request #1570 from yesodweb/cookieHelpers
[yesod-test] Add utility functions to modify cookies
2019-01-15 08:04:30 -08:00
Maximilian Tagher
bedec86c74 [yesod-test] Add utility functions to modify cookies 2019-01-14 16:12:32 -08:00
Michael Snoyman
72c6187a22
Merge pull request #1568 from stevehartdata/master
Eliminate deprecation warnings when building websockets sample.hs
2019-01-09 08:49:51 +02:00
Steve Hart
e1a33248b0 Eliminate deprecation warnings when building websockets sample.hs 2019-01-07 20:12:12 -05:00
Sibi
c5268e3581
Merge pull request #1567 from gabebw/gbw-fix-typo
Fix typo in deprecation message
2018-12-28 10:41:12 +05:30
Gabe Berke-Williams
9720363117 Fix typo in deprecation message
The message recommended using `authTwitterUsingUserID` (note that the
`ID` at the end of the method name is all capitalized).

However, the actual method name is `authTwitterUsingUserId` (note the `Id` at the
end).
2018-12-27 17:31:58 -08:00
Michael Snoyman
f7f356b32e
Relax upper bound (fixes #1566) 2018-12-19 08:28:07 +02:00
Michael Snoyman
7a2c5367e7
Merge pull request #1565 from StevenXL/add-send-response-no-content
Add sendResponseNoContent.
2018-12-03 09:22:06 +02:00
Steven Leiva
2a9bef34c0 Add sendResponseNoContent. 2018-11-30 14:27:21 -06:00
Michael Snoyman
6eb91bdb77
Add missing test file (fixes #1563) 2018-10-15 16:21:17 +03:00
Michael Snoyman
f7e177d5f2
Version bump 2018-10-14 11:10:13 +03:00
Michael Snoyman
ab0ac8b1a2
Fix extra-deps 2018-10-14 10:49:12 +03:00
Michael Snoyman
aed169b43f
Merge branch 'update-persistent' of https://github.com/DanBurton/yesod 2018-10-14 10:47:23 +03:00
Michael Snoyman
b16084ed34
Configuration for persistent 2.9 2018-10-14 10:45:45 +03:00
Michael Snoyman
7f07325dc4
Merge branch 'master' of https://github.com/iand675/yesod 2018-10-14 10:44:18 +03:00
Dan Burton
bff8200ae4
Updated changelogs and versions for #1561 2018-10-11 14:21:17 -04:00
Dan Burton
132abccff2
Compile with ghc 8.6 by pushing MonadFail usage into IO 2018-10-11 13:53:35 -04:00
Dan Burton
90423f5bc7
Downgrade yesod-persistent version bump to patch level 2018-10-11 12:56:49 -04:00
Dan Burton
49dcfe02af
Merge branch 'master' of https://github.com/iand675/yesod into update-persistent 2018-10-11 12:54:52 -04:00
Michael Snoyman
84f77fe34a
Merge pull request #1558 from whittle/routes-file-line-continuations
In the route syntax, allow trailing backslashes to indicate line continuation.
2018-10-09 05:24:15 +03:00
Jason Whittle
ee260e24cb Update changelog with a link to PR #1558. 2018-10-08 18:04:16 -04:00
Jason Whittle
ca602d11bf Bump minor version. 2018-10-08 16:56:20 -04:00
Jason Whittle
4e4efd1627 In the route syntax, allow trailing backslashes to indicate line continuation. 2018-10-08 16:47:06 -04:00
Michael Snoyman
6a9bcc292d
Remove unneeded version bumps 2018-10-08 10:20:49 +03:00
Michael Snoyman
55e0ca4bc3
Add PrimMonad instances
Pointed out at: https://stackoverflow.com/q/52692508/369198
2018-10-08 08:19:32 +03:00
Michael Snoyman
1c2cb0c717
Merge pull request #1554 from oddvars/oddvars-typo-patch
minor typos
2018-09-14 08:29:19 +03:00
oddvars
41101b20dd
minor typos
fixed typo and escaped backslash for haddock
2018-09-13 16:42:52 +02:00
Michael Snoyman
2af5d9c64c
Relax yaml upper bound 2018-08-20 10:11:42 +03:00
Michael Snoyman
67c223d76b
Minor cabal file improvements 2018-08-20 10:11:42 +03:00
Steven Leiva
3ebd8f91a5
Merge pull request #1550 from StevenXL/set-x-xss-protection
Set X-XSS-Protection to 1; mode=block.
2018-08-06 15:46:31 -05:00
Steven Leiva
4015ef2919 Set X-XSS-Protection to 1; mode=block. 2018-08-03 14:17:11 -05:00
Chris Allen
826a607571
Merge pull request #1548 from yesodweb/MaxGabriel-patch-1
Explain how requireCheckJsonBody can prevent CSRF
2018-08-02 10:30:41 -05:00
Maximilian Tagher
1f05d2c72f
Explain how requireCheckJsonBody can prevent CSRF 2018-07-31 21:22:39 -07:00
Michael Snoyman
6f76b5ff91
Merge pull request #1544 from nmk/master
Do not lose selected value in `selectFieldHelper` when validation fails
2018-07-29 10:21:35 +03:00
Nickolay Kolev
073c9fabd4 Do not lose selected value in selectFieldHelper when validation fails 2018-07-26 20:44:26 +02:00
Steven Leiva
db1ff95520
Merge pull request #1540 from StevenXL/error-406
Fix Improper 406 Responses
2018-07-24 07:36:16 -05:00
Steven Leiva
266c436f18 selectRep chooses first rep if no matches found.
The `selectRep` documentation indicates that it chooses the first
representation provided if no representation matches.

This was only partially correct, as `selectRep` required that no
representation matched **and** that the `Content-Type` header of the
response was empty.

This led to a problem because `defaultErrorhandler` relies on
`selectRep`, and when `selectRep` was unable to find a suitable
representation, it would "swallow" the original error that resulted in
`defaultErrorhandler` being called, and set a status 406 for all cases.
2018-07-19 21:32:02 -05:00
Michael Snoyman
1c51a93a45
Relax upper bounds 2018-07-11 08:20:20 +03:00
Michael Snoyman
04393855e5
Merge branch 'master' of github.com:yesodweb/yesod 2018-07-10 11:56:46 +03:00