branch: master
Commits on Apr 17, 2015
  1. @dpp

    Merge pull request #1698 from lift/dpp_extra_comet_args

    dpp authored
    Enhanced Support for browser Actor proxies
Commits on Apr 16, 2015
  1. @dpp
  2. @dpp
  3. @dpp
Commits on Apr 15, 2015
  1. @dcbriccetti

    Fix spelling error

    dcbriccetti authored
Commits on Apr 13, 2015
  1. @farmdawgnation

    Merge pull request #1696 from natekupp/patch-1

    farmdawgnation authored
    Replace defunct scala-tools.org reference
  2. @natekupp

    Replace defunct scala-tools.org reference

    natekupp authored
    scala-tools.org is no longer active. Pointing to sonatype.org for the jar instead.
Commits on Mar 23, 2015
  1. @Shadowfiend @fmpwizard

    Lock down SecurityHelpers.secureXML further.

    Shadowfiend authored fmpwizard committed
    We disable external doctypes altogether, and we also enable secure processing;
    combined, these mitigate more attacks than just the XML External Entity attack.
    
    The tests are updated to indicate that we now throw an exception whenever we
    encounter an XML document with a doctype declaration.
    
    Signed-off-by: Diego Medina <diego@fmpwizard.com>
Commits on Mar 15, 2015
  1. @Shadowfiend @fmpwizard

    Provide a secure XML parser in SecurityHelpers, use it throughout.

    Shadowfiend authored fmpwizard committed
    The secure XML parser does not allow entity references to refer to external
    entities; allowing this exposes an application to XXE (XML External Entity)
    attacks, where the external reference can be to a local file with sensitive
    data, whose contents will then appear in the resulting parse error messages.
    External entities are ignored and will not appear in the parsed or reserialized
    XML.
    
    All of Lift's built-in XML parsing now uses Helpers.secureXML instead of
    directly using scala.xml.XML, including in tests.
    
    More at https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing .
    
    Signed-off-by: Diego Medina <diego@fmpwizard.com>
Commits on Feb 21, 2015
  1. @fmpwizard

    Merge pull request #1685 from lift/diego_warnings

    fmpwizard authored
    Removed many warnings
  2. @fmpwizard

    Merge pull request #1674 from lift/locket-down

    fmpwizard authored
    Locket Down: Add support for Content-Security-Policy and Strict-Transport-Security
Commits on Feb 18, 2015
  1. @fmpwizard

    use constant for eof char

    fmpwizard authored
Commits on Feb 17, 2015
  1. @fmpwizard

    code review fixes

    fmpwizard authored
Commits on Feb 16, 2015
  1. @Shadowfiend

    Merge pull request #1678 from arkadius/futureExInMapFlatMap

    Shadowfiend authored
    Fix LAFuture.map/flatMap when an exception happens inside.
    
    Before the change `LAFuture.map`/`.flatMap` never satisfied the future in cases
    where the function threw an exception. After the change, the returned future is satisfied
    by a `Failure`.
    
    This change also contains a minor fix: `get(timeout)` was returning `Empty` instead of
    a `Failure` if the `LAFuture` was aborted.
    
    Also added extensions providing `toBox` conversions from `scala.Option` and from
    `scala.util.Try`.
  2. @Shadowfiend
  3. @Shadowfiend
  4. @Shadowfiend

    Make BadRequest be BadRequestResponse.

    Shadowfiend authored
    This is more in line with the naming of other LiftResponse subclasses, and
    makes it clear that the class doesn't represent a bad request, but rather the
    response to one.
  5. @fmpwizard

    Merge pull request #1684 from lift/session-ipa

    fmpwizard authored
    Session IPA: Split out SessionMaster and ScopedLiftActor from LiftSession
  6. @fmpwizard

    Removed many warnings

    fmpwizard authored
Commits on Feb 14, 2015
  1. @arkadius

    Fixed missing braces

    arkadius authored
  2. @arkadius

    Removed Tryo object. Added more explicit conversion from Option/scala…

    arkadius authored
    ….util.Try to Box: extension implicit classes with toBox methods.
  3. @farmdawgnation
  4. @farmdawgnation
Commits on Feb 10, 2015
  1. @pbrant

    Merge pull request #1682 from lift/pmb_cometlifespan

    pbrant authored
    Fix Comet clean-up bug
  2. @pbrant

    Fix Comet clean-up bug

    pbrant authored
    Comet actors which defined a life span were being half-cleaned up with
    correspondingly strange results. The cause was java.util.Map#remove
    taking an Object, not a K, with the result that this was missed when
    migrating from a tuple to CometId.
  3. @fmpwizard

    Merge pull request #1679 from lift/diego_issue_string_inter

    fmpwizard authored
    Fixed missing `s` in string interpolation
Commits on Feb 8, 2015
  1. @arkadius
  2. @arkadius

    tryo inside separated Tryo object

    arkadius authored
    Import of Box._ and Helpers._ was causing ambiguity errors. Now tryo is inside a separate class in the common module.
  3. @arkadius

    Reuse of tryo inside LAFuture

    arkadius authored
    Before the change, in case of circular module dependencies, it wasn't possible to use tryo inside the actor module (it was used by util, which would be used by actor). Now tryo is available from the Box singleton and ControlHelpers refers back to it.
Commits on Feb 7, 2015
  1. @fmpwizard
Commits on Feb 1, 2015
  1. @Shadowfiend

    Small documentation tweaks.

    Shadowfiend authored
    Add a note about default frame restrictions to SecurityRules
    and fix the link to contentSecurityPolicyViolationReport.
  2. @Shadowfiend

    Log non-HTTPS requests when requested.

    Shadowfiend authored
    When LiftRules.https is set, we’re in dev mode, and
    logInDevMode is on, we log requests that come in and are
    not HTTPS.
  3. @Shadowfiend

    Handle logInDevMode in ContentSecurityPolicy.

    Shadowfiend authored
    We now use report-only in dev mode only if enforceInDevMode
    is off and logInDevMode is on.
  4. @Shadowfiend

    Lock security rules on first use.

    Shadowfiend authored
    Security rules-related stuff will be running every request, so
    we want to minimize the overhead of using it. We can relax
    the limitation if someone says they need to modify these at
    runtime.
Commits on Jan 31, 2015
  1. @Shadowfiend

    Default scriptSources to include unsafe-eval.

    Shadowfiend authored
    We do this because Lift does a lot of AJAX-based script
    injection at the moment, which requires eval. So, to avoid
    breaking a Lift application, unsafe-eval stays on.
    
    Also expand a little on documentation to indicate Lift’s
    reliance on this functionality.