Posted to commits@ponymail.apache.org by se...@apache.org on 2017/04/12 21:23:59 UTC
incubator-ponymail git commit: Allow insecure cookie (config item
intended for local testing only)
Repository: incubator-ponymail
Updated Branches:
refs/heads/master f7df316e9 -> 438975124
Allow insecure cookie (config item intended for local testing only)
This updates #355
Project: http://git-wip-us.apache.org/repos/asf/incubator-ponymail/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ponymail/commit/43897512
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ponymail/tree/43897512
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ponymail/diff/43897512
Branch: refs/heads/master
Commit: 4389751240d3e3ff1af66a239e0fa93be503658a
Parents: f7df316
Author: Sebb <se...@apache.org>
Authored: Wed Apr 12 22:23:55 2017 +0100
Committer: Sebb <se...@apache.org>
Committed: Wed Apr 12 22:23:55 2017 +0100
----------------------------------------------------------------------
CHANGELOG.md | 1 +
site/api/lib/user.lua | 8 +++++++-
tools/setup.py | 1 +
3 files changed, 9 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ponymail/blob/43897512/CHANGELOG.md
----------------------------------------------------------------------
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e4ab96f..39fdda5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -136,6 +136,7 @@
- useless conditional when fetching id parameter (#353)
- ES 5.0 no longer supports the write consistency option for index(); archiver fails (#351)
- Cookie should use httpOnly and Secure (#355)
+- Allow insecure cookie (config item intended for local testing only) (#355)
- crash in import-mbox when list-id is missing and --lid is not provided (#358)
- archiver traverses multi-part message parts twice (#359)
- Add unsubscribe button (#362)
http://git-wip-us.apache.org/repos/asf/incubator-ponymail/blob/43897512/site/api/lib/user.lua
----------------------------------------------------------------------
diff --git a/site/api/lib/user.lua b/site/api/lib/user.lua
index 9140a53..57c65ac 100644
--- a/site/api/lib/user.lua
+++ b/site/api/lib/user.lua
@@ -16,6 +16,12 @@
]]--
local elastic = require 'lib/elastic'
+local config = require 'lib/config'
+
+-- allow local override of secure cookie attribute
+-- Note: the config item is named to make it more obvious that enabling it is not recommended
+-- This makes the expression below a bit more complicated
+local SECURE = not(config.allow_insecure_cookie or false)
-- Get user data from DB
local function getUser(r, override)
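Review bot: The `SECURE` assignment treats every truthy config value as a request to drop the Secure attribute, because in Lua only `nil` and `false` are falsy; a config written as `allow_insecure_cookie = "false"` or `= 0` would therefore switch the flag off. Comparing against the boolean keeps the default fail-closed: `local SECURE = config.allow_insecure_cookie ~= true`. That form also drops the `or false`, which is redundant because `not nil` is already `true`, so the comment about the expression being complicated is no longer needed. The value is computed once at module load, so a config change presumably needs a reload to take effect.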
@@ -82,7 +88,7 @@ local function updateUser(r, cid, data)
r:setcookie{
key = "ponymail",
value = cookie .. "==" .. (cid),
- secure = true,
+ secure = SECURE,
httponly = true,
path = "/"
}
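Review bot: With `secure = SECURE` the `ponymail` cookie loses the Secure attribute on every response once the override is set, including responses to requests that did arrive over TLS. If mod_lua's `r.is_https` is reliable in this deployment, `secure = SECURE or r.is_https,` would keep the attribute on HTTPS requests and limit the override to plain-HTTP test setups. updateUser starts and ends outside this hunk, so whether other `r:setcookie` calls in the file still hard-code `secure = true` cannot be checked from here.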
http://git-wip-us.apache.org/repos/asf/incubator-ponymail/blob/43897512/tools/setup.py
----------------------------------------------------------------------
diff --git a/tools/setup.py b/tools/setup.py
index 4798e15..26dc1ed 100755
--- a/tools/setup.py
+++ b/tools/setup.py
@@ -515,6 +515,7 @@ local config = {
-- env = 'subprocess' -- use environment vars instead of request headers
-- }
},
+-- allow_insecure_cookie = true, -- override the default (false) - only use for test installations
-- no_association = {}, -- domains that are not allowed for email association
-- listsDisplay = 'regex', -- if defined, hide list names that don't match the regex
antispam = true -- Whether or not to add anti-spam measures aimed at anonymous users.
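Review bot: The template comment on `allow_insecure_cookie` says when to use the setting but not what it does. Stating the consequence makes the risk visible to whoever edits the generated config: `-- allow_insecure_cookie = true, -- TEST ONLY: removes the Secure flag, so the ponymail cookie is also sent over plain HTTP`. The enclosing `config` table begins and ends outside the hunk.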