Age | Commit message | Author
2022-11-05 | fix: anonymous template arguments having wrong index [lua] | Martin Fischer
2022-10-28 | refactor: some linter fixes | Martin Fischer
2022-10-28 | improve error page rendering | Martin Fischer
Previously 404 pages did not set the viewport meta tag, which made the links very hard to click on mobile.
2022-10-28 | refactor: simplify render_page function | Martin Fischer
2022-10-28 | fix users.toml being disregarded | Martin Fischer
Because of the ? the toml library was attempting to deserialize Option<Identities>, which apparently fails with: "invalid type: map, expected option".
2022-10-28 | add gitpad.encode_uri_component Lua function | Martin Fischer
2022-10-28 | drop gitpad.decode_toml Lua function | Martin Fischer
The function made sense when we had Lua shebangs but now that they have been removed, the function doesn't make much sense anymore.
2022-10-28 | refactor: avoid unnecessary LuaTable::get call | Martin Fischer
2022-10-28 | drop support for Lua shebangs | Martin Fischer
Now that we have Lua templating, which is more flexible, it doesn't make sense to keep Lua shebangs around.
2022-10-28 | implement lua-based templates | Martin Fischer
2022-10-28 | refactor: introduce lua_context function | Martin Fischer
2022-10-28 | stop rendering .html files via <iframe>s | Martin Fischer
Now that we have Lua scripting we don't need iframes anymore.
2022-10-27 | update dependencies | Martin Fischer
2022-10-27 | disable unneeded chrono default features | Martin Fischer
The new chrono version by default pulls in iana-time-zone, which pulls in a bunch of WASM crates we don't need.
2022-08-14 | add gitpad.decode_toml lua method | Martin Fischer
We are vendoring the rlua_serde crate because it currently depends on rlua 0.17, which is outdated and my attempts to contact the crate author were bounced by Yandex for somehow looking like spam.
2022-08-14 | allow inline CSS (for lua scripts) | Martin Fischer
2022-07-30 | drop unneeded indirect openssl dependency | Martin Fischer
Since adding the rlua dependency I can no longer execute gitpad built on my developer machine on my server, since it fails with:
    gitpad2: /lib/x86_64-linux-gnu/libm.so.6: version `GLIBC_2.29' not found (required by gitpad2)
As it turns out an easy workaround is to statically link MUSL (by passing --target x86_64-unknown-linux-musl to cargo build). The openssl-sys dependency (pulled in by git2) however failed to build for MUSL. Since we don't need it the simplest solution is to just drop it.
2022-07-30 | implement lua scripting | Martin Fischer
Inspired by the Scribunto extension for MediaWiki.
2022-07-30 | fix SoloController::build_url_path | Martin Fischer
2022-07-30 | set Referrer-Policy: same-origin for more privacy | Martin Fischer
2022-07-30 | fix regression: allow creation of branches | Martin Fischer
2022-07-30 | refactor: restructure build_response logic | Martin Fischer
2022-07-30 | add some basic tests | Martin Fischer
2022-07-29 | refactor: introduce SoloController::new | Martin Fischer
2022-07-27 | refactor: use Context::branch_head | Martin Fischer
2022-07-27 | refactor: remove needless borrows / returns | Martin Fischer
2022-07-27 | update dependencies | Martin Fischer
2022-07-27 | update clap dependency | Martin Fischer
2021-07-18 | refactor: use camino for UTF-8 paths | Martin Fischer
2021-07-18 | update dependencies | Martin Fischer
2021-07-18 | doc: simplify nginx config example in README | Martin Fischer
2021-07-18 | refactor: remove unreachable else branch | Martin Fischer
When viewing the user directory of another user the request is intercepted beforehand by parse_url_path.
2021-07-18 | support If-None-Match headers with W/ prefix | Martin Fischer
2021-07-05 | refactor: move HttpOrigin to new origins module | Martin Fischer
2021-07-05 | disable textarea spellcheck for ext not in (md, txt) | Martin Fischer
2021-07-05 | css: stop wrapping action links in div | Martin Fischer
2021-07-05 | refactor: stop wrapping Page.header in Option | Martin Fischer
2021-07-04 | refactor: short-circuit with ? instead of mapping | Martin Fischer
2021-07-04 | move src/help/*.html files to src/static/ | Martin Fischer
2021-07-04 | refactor: move Error rendering to error module | Martin Fischer
2021-07-04 | strictly enforce Host and Origin headers | Martin Fischer
Previously the Origin header was only checked if you specified an origin with --origin on startup and when you didn't we just printed a warning that this might make you vulnerable to CSRF attacks. I implemented it this way since I wanted GitPad to be runnable without any command-line options, but such warnings are of course suboptimal for security since they can simply be ignored. This commit changes this behavior so that the Origin header is always checked for POST requests. If you just run "gitpad" the enforced origin defaults to http://127.0.0.1:<port>. Additionally this commit also enforces an exact Host header (extracted from the Origin) to prevent DNS rebinding attacks.
2021-07-03 | refactor: introduce build_raw_response helper | Martin Fischer
2021-07-03 | disable unneeded hyperlocal "client" feature | Martin Fischer
2021-07-03 | render .html files securely using IFrames | Martin Fischer
2021-07-03 | allow renderers to mutate Page (and frame-src CSP) | Martin Fischer
2021-06-24 | generate <script> tags and CSP from Page vectors | Martin Fischer
2021-06-24 | refactor render_page | Martin Fischer
2021-06-24 | make CSP stricter by setting default-src to 'self' | Martin Fischer
Embedding remote files can leak info via the Referer header. Also changes child-src to frame-src since it has a higher precedence. (https://www.w3.org/TR/CSP3/#changes-from-level-2)
2021-06-24 | refactor: simplify Page and Context structs | Martin Fischer
Previously the Page struct contained references to the Controller and the http::request::Parts, so that page.render() could call controller.user_info_html(parts). This commit removes these references from the Page struct, so that it can implement Default in the future. The Context struct needs to be moved around since it contains git2::Repository, which isn't Send. Previously the Context struct also contained the http::request::Parts, so they were moved along. This commit extracts Parts out of the Context struct, so that our service function can access Parts after invoking our build_request method, allowing us to easily log request details for errors in the future.
2021-06-24 | refactor: simplify Controller request interception | Martin Fischer
In multi-user mode if Alice attempts to access /~bob/ she would get an Unauthorized error since branches are private. To improve the UX we instead already showed Alice a list of which files Bob has shared with her. Previously this was achieved with a before_return_error hook in the Controller trait. While this worked fine, it wasn't elegant, since it required passing the Context struct in all Unauthorized errors, so that the before_return_error hook could access the context. This commit refactors the code to intercept requests to paths like /~bob/ before the regular request handling instead of afterwards. While this could have been implemented in the before_route hook, this would have required either invoking parse_url_path a second time or passing the Result of parse_url_path, both of which would be awkward. Therefore this commit also merges before_route into parse_url_path.