aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-06-11refactor: enable Context to contain borrowed dataHEADmasterMartin Fischer
2023-06-11refactor: introduce StaticContextMartin Fischer
2023-06-10feature-gate Markdown renderingMartin Fischer
2023-06-10remove .shares.txt featureMartin Fischer
2023-06-10refactor: some linter fixesMartin Fischer
2023-06-10fix users.toml being disregardedMartin Fischer
Because of the ? the toml library was attempting to deserialize Option<Identities>, which apparently fails with: "invalid type: map, expected option".
2023-06-10update dependenciesMartin Fischer
2023-06-10disable unneeded chrono default featuresMartin Fischer
The new chrono version by default pulls in iana-time-zone, which pulls in a bunch of WASM crates we don't need.
2023-06-10drop unneeded indirect openssl dependencyMartin Fischer
2022-07-30fix SoloController::build_url_pathMartin Fischer
2022-07-30set Referrer-Policy: same-origin for more privacyMartin Fischer
2022-07-30fix regression: allow creation of branchesMartin Fischer
2022-07-30refactor: restructure build_response logicMartin Fischer
2022-07-30add some basic testsMartin Fischer
2022-07-29refactor: introduce SoloController::newMartin Fischer
2022-07-27refactor: use Context::branch_headMartin Fischer
2022-07-27refactor: remove needless borrows / returnsMartin Fischer
2022-07-27update dependenciesMartin Fischer
2022-07-27update clap dependencyMartin Fischer
2021-07-18refactor: use camino for UTF-8 pathsMartin Fischer
2021-07-18update dependenciesMartin Fischer
2021-07-18doc: simplify nginx config example in READMEMartin Fischer
2021-07-18refactor: remove unreachable else branchMartin Fischer
When viewing the user directory of another user the request is intercepted beforehand by parse_url_path.
2021-07-18support If-None-Match headers with W/ prefixMartin Fischer
2021-07-05refactor: move HttpOrigin to new origins moduleMartin Fischer
2021-07-05disable textarea spellcheck for ext not in (md, txt)Martin Fischer
2021-07-05css: stop wrapping action links in divMartin Fischer
2021-07-05refactor: stop wrapping Page.header in OptionMartin Fischer
2021-07-04refactor: short-circuit with ? instead of mappingMartin Fischer
2021-07-04move src/help/*.html files to src/static/Martin Fischer
2021-07-04refactor: move Error rendering to error moduleMartin Fischer
2021-07-04strictly enforce Host and Origin headersMartin Fischer
Previously the Origin header was only checked if you specified an origin with --origin on startup and when you didn't we just printed a warning that this might make you vulnerable to CSRF attacks. I implemented it this way since I wanted GitPad to be runnable without any command-line options, but such warnings are of course suboptimal for security since they can simply be ignored. This commit changes this behavior so that the Origin header is always checked for POST requests. If you just run "gitpad" the enforced origin defaults to http://127.0.0.1:<port>. Additionally this commit also enforces an exact Host header (extracted from the Origin) to prevent DNS rebinding attacks.
2021-07-03refactor: introduce build_raw_response helperMartin Fischer
2021-07-03disable unneeded hyperlocal "client" featureMartin Fischer
2021-07-03render .html files securely using IFramesMartin Fischer
2021-07-03allow renderers to mutate Page (and frame-src CSP)Martin Fischer
2021-06-24generate <script> tags and CSP from Page vectorsMartin Fischer
2021-06-24refactor render_pageMartin Fischer
2021-06-24make CSP stricter by setting default-src to 'self'Martin Fischer
Embedding remote files can leak info via the Referer header. Also changes child-src to frame-src since it has a higher precedence. (https://www.w3.org/TR/CSP3/#changes-from-level-2)
2021-06-24refactor: simplify Page and Context structsMartin Fischer
Previously the Page struct contained references to the Controller and the http::request::Parts, so that page.render() could call controller.user_info_html(parts). This commit removes these references from the Page struct, so that it can implement Default in the future. The Context struct needs to be moved around since it contains git2::Repository, which isn't Send. Previously the Context struct also contained the http::request::Parts, so they were moved along. This commit extracts Parts out of the Context struct, so that our service function can access Parts after invoking our build_request method, allowing us to easily log request details for errors in the future.
2021-06-24refactor: simplify Controller request interceptionMartin Fischer
In multi-user mode if Alice attempts to access /~bob/ she would get an Unauthorized error since branches are private. To improve the UX we instead already showed Alice a list of which files Bob has shared with her. Previously this was achieved with an before_return_error hook in the Controller trait. While this worked fine, it wasn't elegant, since it required passing the Context struct in all Unauthorized errors, so that the before_return_error hook could access the context. This commit refactors the code to intercept requests to paths like /~bob/ before the regular request handling instead of afterwards. While this could have been implemented in the before_route hook, this would have required either invoking parse_url_path a second time or passing the Result of parse_url_path, both of which would be akward. Therefore this commit also merges before_route into parse_url_path.
2021-06-24css: decrease margin-top for h1Martin Fischer
2021-06-24log: allow diffing specific revisionsMartin Fischer
2021-06-24log: mark up dates as headingsMartin Fischer
2021-06-24css: set row-gap for bodyMartin Fischer
2021-06-24refactor diff_blobMartin Fischer
2021-06-24refactor: move Error enum and impls to own moduleMartin Fischer
2021-06-24split off diff action from log actionMartin Fischer
2021-06-24refactor: split up blob routes into functionsMartin Fischer
2021-06-23make single-user mode operate on HEAD branchMartin Fischer