haskell/yesod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,227 Commits 42 Branches 853 Tags 10 MiB
Haskell 99.6%
HTML 0.2%
Dockerfile 0.1%
7f17d829b3
Go to file
Sibi Prabakaran 7f17d829b3
Fix CSRF security vulnerability in registerHelper function 
Return a 403 status code if the csrf tokens are matched. This currently
affects two endpoints: During registration and during password reset
forms.

This curl request demonstrates how this can be exploited to register new
email:

curl -i --header "Accept: application/json" --request POST -F
"email=sibi@psibi.in" http://localhost:3005/auth/page/email/register

With the patch applied, it will respond with this:

{"message":"Permission Denied. A valid CSRF token wasn't present in HTTP
headers or POST parameters. Because the request could have been forged,
it's been rejected altogether. Check the Yesod.Core.Handler docs of the
yesod-core package for details on CSRF protection."}
2016-11-20 03:59:32 +05:30
demo Added an example with email auth and an ses mailer 2015-12-05 20:21:38 -07:00
yesod Revised don't keep partial autogen file when exception occurs 2016-11-10 22:07:20 +00:00
yesod-auth Fix CSRF security vulnerability in registerHelper function 2016-11-20 03:59:32 +05:30
yesod-auth-oauth Version bump 2016-04-25 18:19:26 +03:00
yesod-bin Proper version bump for #1284 2016-10-07 17:03:54 +03:00
yesod-core languages reflects setLanguage 2016-11-04 11:10:26 +02:00
yesod-eventsource Doc link updates 2014-12-21 15:23:52 +02:00
yesod-form Version bump for #1296 2016-11-14 07:04:36 +02:00
yesod-newsfeed Fuller docs + version bump 2016-02-02 08:59:01 -08:00
yesod-persistent Version bump 2016-08-14 15:42:01 +03:00
yesod-sitemap Doc link updates 2014-12-21 15:23:52 +02:00
yesod-static Fix test suite compilation 2016-11-06 12:08:05 +02:00
yesod-test Fix error 2016-09-01 15:22:25 +03:00
yesod-websockets Bump yesod-websockets version. 2015-08-28 19:30:32 -05:00
.gitignore add a stack.yaml file 2015-06-07 21:41:18 -04:00
.travis.yml Travis update 2016-10-24 19:43:36 +03:00
CODE_OF_CONDUCT.md CODE_OF_CONDUCT spacing and problem resolution 2015-10-07 06:18:03 -07:00
Dockerfile add a Dockerfile for haskell development 2015-05-27 11:43:16 -04:00
LICENSE Update license with MIT license 2012-04-29 09:38:45 +03:00
README Formatted README a bit 2009-07-14 20:52:09 +03:00
README.md Add travis badge to README 2016-09-01 19:54:18 +03:00
ReleaseNotes.md notes were out of date, seem to be maintained on wiki, noted such 2013-01-03 21:09:54 -08:00
sources.txt Version bumps for 1.4 release 2014-09-21 11:41:37 +03:00
stack.yaml Another extra-dep 2016-11-11 07:05:07 +02:00

README.md

Build Status

Yesod Web Framework

An advanced web framework using the Haskell programming language. Featuring:

  • safety & security guaranteed at compile time
  • developer productivity: tools for all your basic web development needs
  • raw performance
    • fast, compiled code
    • techniques for constant-space memory consumption
  • asynchronous IO
    • this is built in to the Haskell programming language (like Erlang)

Learn more about Yesod on its main website. If you want to get started using Yesod, we strongly recommend the quick start guide, based on the Haskell build tool stack.

Hacking on Yesod

Yesod consists mostly of four repositories:

git clone --recursive http://github.com/yesodweb/shakespeare
git clone --recursive http://github.com/yesodweb/persistent
git clone --recursive http://github.com/yesodweb/wai
git clone --recursive http://github.com/yesodweb/yesod

Each repository can be built with stack build.