haskell/yesod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,751 Commits 42 Branches 853 Tags 10 MiB
e5cc9987ae
Commit Graph

34 Commits

Author SHA1 Message Date
Evan Rutledge Borden
da9e72b82f Add minor version bump to 1.6.11 
JSON parsing function deprecations warrant a minor version bump.
 2019-01-29 15:31:35 -06:00
Evan Rutledge Borden
b50ca99566 Deprecate insecure JSON body functions 
`parseJsonBody` and `requireJsonBody` do not require a mime type when
parsing `JSON` content. This leaves them open to CSRF. They are now
deprecated and `insecure` versions are added in their place. Consumers
are now given a proper choice between secure and insecure functions.

There is a potential attack vector in that the browser does not trigger
CORS requests for "simple requests", which includes POST requests that
are form or text content-types. An attacker can craft a form whose body
is valid JSON, and when a user visits attacker.com and submits that
form, it can be submitted to bank.com and bypass CORS.

Checking the content-type is application/json prevents this, because if
the content-type was set to application/json, then the browser would
send a CORS request—a preflight OPTIONS request to the server asking if
the current domain (and some other values) are whitelisted to send
requests to that server. If the server doesn't say attacker.com is
whitelisted, the browser will not send the real request to the server.
 2019-01-24 09:12:48 -06:00
Maximilian Tagher
1f05d2c72f
Explain how requireCheckJsonBody can prevent CSRF 2018-07-31 21:22:39 -07:00
Michael Snoyman
fbccfe2306
Merge branch 'better-monads' into no-transformers 2018-01-11 22:49:02 +02:00
Michael Snoyman
a16e75249a
More moving over to unliftio 2017-12-31 09:20:02 +02:00
Michael Snoyman
47ee7384ea
Be gone with ye HandlerT! 2017-12-13 09:53:14 +02:00
Michael Snoyman
c5ac821115
Remove some conditionals for old versions 2017-12-12 12:08:06 +02:00
Michael Snoyman
aefd074efa Cleanup GHC 8 redundant constraints 2017-02-05 13:35:12 +02:00
Michael Snoyman
64ed0792bc Check mime-type for JSON bodies #1330 2017-02-02 08:10:19 +02:00
Michael Snoyman
85e7fd7e33 Version bump for #1241 2016-06-20 17:30:28 +03:00
Alexander Lippling
18cd7834d6 Added support for aeson's toEncoding function (>= 0.11) 2016-06-20 13:19:11 +02:00
Michael Snoyman
3447510080 Clean up a bunch of warnings 2014-09-29 08:08:02 +03:00
Michael Snoyman
ccab062f2d Remove all conditional compilation for Yesod 1.4 release 
Left in for GHC-bundled libraries (ghc, base, bytestring, binary)
 2014-09-07 18:17:45 +03:00
Michael Snoyman
d764464152 conduit 1.1 2014-03-27 16:38:52 +02:00
Greg Weber
a62157097c parseJsonBody_ -> requireJsonBody. closes #678 2014-03-04 10:06:56 -08:00
Michael Snoyman
5b379067b2 Add warning about calling parseJsonBody twice 2013-09-08 16:52:56 +02:00
Michael Snoyman
89203d0630 returnJson and provideJson 2013-05-09 08:39:06 +03:00
Michael Snoyman
68ca768b83 Export more aeson stuff 2013-03-20 11:57:00 +02:00
Michael Snoyman
4295346171 Split files up a bit more 2013-03-17 11:38:33 +02:00
Michael Snoyman
a2c4f1f3b7 MonadHandler/MonadWidget 2013-03-17 10:10:39 +02:00
Michael Snoyman
8b9f8ea024 Some convenience re-exports 2013-03-15 05:54:09 +02:00
Michael Snoyman
15bbd54e12 Some cleanup 2013-03-14 10:23:57 +02:00
Michael Snoyman
c466845095 More incomplete changes 2013-03-14 05:58:37 +02:00
Michael Snoyman
553dff7bd2 Incomplete change: GWidget/GHandler->WidgetT/HandlerT 2013-03-14 05:00:16 +02:00
Michael Snoyman
4bdd01ef58 Simplified GHandler/GWidget 2013-03-13 10:59:10 +02:00
Michael Snoyman
9873b4d8f3 Moved code around some more 2013-03-12 05:49:24 +02:00
Michael Snoyman
e2cd292877 yesod-auth doesn't use redirects for JSON requests (fixes #479) 2013-03-11 11:37:45 +02:00
Michael Snoyman
2af304bd7f Provide JSON reps for default error message handler (fixes #478) 2013-03-11 11:10:00 +02:00
Michael Snoyman
1d0cac6e03 TypedContent 2013-03-11 10:45:01 +02:00
Michael Snoyman
2c2ee10dd7 Converted Yesod.Handler to typeclasses 2013-03-11 07:08:03 +02:00
Michael Snoyman
1b8a1b9d42 Removed unneeded conditional 2013-03-10 14:04:45 +02:00
Michael Snoyman
98613278d4 Yesod.Core.Types created, but it's a mess 2013-03-10 11:02:53 +02:00
Michael Snoyman
2377d70ec8 Merge branch 'master' into yesod1.2 
Conflicts:
	yesod-json/yesod-json.cabal
 2013-03-10 09:49:28 +02:00
Michael Snoyman
ed53b20308 Merge yesod-json functionality into yesod-core (closes #487) 2013-02-12 15:42:45 +02:00