Age | Commit message | Author
2016-04-16 | Merge pull request #2506 from stevepiercy/master | Steve Piercy
replace nose with pytest, clean up
2016-04-16 | Merge pull request #2507 from stevepiercy/master | Steve Piercy
replace ps1con with doscon for lexer and syntax highlighting
2016-04-16 | Merge pull request #2508 from stevepiercy/1.7-branch | Steve Piercy
Merge pull request #2505 from stevepiercy/docs/quick-tour-gotcher-nose
2016-04-16 | Merge pull request #2505 from stevepiercy/docs/quick-tour-gotcher-nose | Steve Piercy
Docs/quick tour gotcher nose
2016-04-16 | prep 1.7a1 | Michael Merickel
2016-04-16 | drop py27-only features at least temporarily | Michael Merickel
call me nostalgic
2016-04-16 | add docs and backward incompatibility notices for #2501 | Michael Merickel
2016-04-16 | fix format string to work on py26 | Michael Merickel
2016-04-16 | Merge pull request #2501 from dstufft/check-origin-csrf | Michael Merickel
In addition to CSRF token, verify the origin too
2016-04-16 | In addition to CSRF token, verify the origin too | Donald Stufft
Add an additional layer of protection against CSRF by verifying the actual origin of the request in addition to the CSRF token. We only do this check on sites hosted behind HTTPS because only HTTPS sites have evidence to show that the Referrer header is not being spuriously removed by random middleware boxes.
2016-04-15 | Update CHANGES/whatsnew-1.7 for updated require_csrf | Bert JW Regeer
2016-04-15 | Merge pull request #2500 from dstufft/improve-csrf | Bert JW Regeer
Increase the protection provided by the CSRF checks
2016-04-15 | Have Automatic CSRF on all unsafe HTTP methods | Donald Stufft
Instead of only protecting against unsafe POST requests, have the automatic CSRF protect on all methods which are not defined as "safe" by RFC2616.
2016-04-15 | Only Accept CSRF Tokens in headers or POST bodies | Donald Stufft
Previously `check_csrf_token` would allow passing in a CSRF token through the URL of a request. However this is a security issue because a CSRF token must not be allowed to leak, and URLs regularly get copy/pasted or otherwise end up leaking to the outside world.
2016-04-15 | link to router chapter | Michael Merickel
2016-04-15 | link to alchemy pull request | Michael Merickel
2016-04-15 | Merge pull request #2499 from stevepiercy/master | Steve Piercy
remove 2.6 and 3.2, minor cleanup
2016-04-15 | remove 2.6 and 3.2, minor cleanup | Steve Piercy
2016-04-14 | Merge pull request #2498 from stevepiercy/master | Steve Piercy
editorial review and approval
2016-04-14 | Merge remote-tracking branch 'upstream/master' | Steve Piercy
Conflicts: docs/whatsnew-1.7.rst
2016-04-14 | editorial review and approval | Steve Piercy
2016-04-15 | link to HTTPException class | Michael Merickel
2016-04-15 | snapshot the 1.6 changes into history | Michael Merickel
2016-04-15 | 1.7, not 1.6 | Michael Merickel
2016-04-15 | link the whatsnew-1.7 | Michael Merickel
2016-04-15 | first cut at whatsnew-1.7 | Michael Merickel
2016-04-15 | curate the changelog | Michael Merickel
2016-04-14 | Merge pull request #2496 from Pylons/update/hashalg_authtkt | Michael Merickel
Switch to sha512 in AuthTktAuthenticationPolicy
2016-04-14 | Remove TODO item | Bert JW Regeer
2016-04-14 | Update documentation | Bert JW Regeer
2016-04-14 | Add CHANGES.txt entry, and re-organise | Bert JW Regeer
2016-04-14 | Remove unused import | Bert JW Regeer
2016-04-14 | Switch to sha512 in AuthTktAuthenticationPolicy | Bert JW Regeer
2016-04-14 | Merge pull request #2494 from arianmaykon/fix-issue-2493 | Steve Piercy
Issue #2493: Fixing Quick Tutorial Step 18 - CSS/JS Paths
2016-04-14 | Merge pull request #2489 from Pylons/feature/json_exceptions | Michael Merickel
Feature: JSON exceptions
2016-04-14 | Merge branch 'master' into feature/json_exceptions | Bert JW Regeer
2016-04-14 | Update CHANGES | Bert JW Regeer
2016-04-14 | add a note in the todo about python 3.3 | Michael Merickel
2016-04-14 | Merge pull request #2491 from stevepiercy/feature.py33.deprecate | Michael Merickel
- Deprecated support for Python 3.3. See #2477
2016-04-14 | Issue #2493: Fixing Quick Tutorial Step 18 - CSS/JS Paths, also on Step 19 - Database | Arian Maykon de Araújo Diógenes
2016-04-14 | We don't use default_match, so remove it | Bert JW Regeer
2016-04-14 | Update test to verify the default is text/html | Bert JW Regeer
2016-04-14 | Make text/html the preferred server return | Bert JW Regeer
This matches the original code whereby it would return an HTML page if you sent an Accept header of */*.
2016-04-13 | update deprecation log entry | Steve Piercy
2016-04-13 | Issue #2493: Fixing Quick Tutorial Step 18 - CSS/JS Paths | Arian Maykon de Araújo Diógenes
2016-04-13 | Merge pull request #2490 from stevepiercy/master | Steve Piercy
- update Pyramid Request Processing Diagram.
2016-04-13 | - nudge `BeforeTraversal` | Steve Piercy
2016-04-13 | - Deprecated support for Python 3.3. See #2477 | Steve Piercy
2016-04-13 | - update Pyramid Request Processing Diagram. | Steve Piercy
- Closes #2473. - See also #2413 and #2469.
2016-04-12 | For */* case, MIMEAccept picks first server offer | Bert JW Regeer
This means that to make "text/plain" the default, we need to specifically make it the first thing we offer. For anything else, since the server offers are all weighted equally, the client order should be accepted.