monkeyking

Commit Graph

Author	SHA1	Message	Date
Min RK	2e1c56b0c4	Validate redirect target in TrailingSlashHandler Fixes open redirect vulnerability GHSA-c7vm-f5p4-8fqh	5 years ago
Ram Rachum	54e58be448	Fix exception causes in handlers.py	6 years ago
Kris Wilson	8aad324773	Fixup.	6 years ago
Kris Wilson	a9ed339d58	Add UNIX socket support to notebook server.	6 years ago
Kerwin.Sun	b5f5c9500e	remove py2 dependence	6 years ago
Min RK	efc0f0089e	Allow ?no_track_activity=1 to opt-out of activity tracking (#4235 ) * Don't track API requests with `?no_track_activity=1` in the activity counter allows external idle-culling scripts to avoid updating the activity counter * Don't track kernel shutdown as kernel activity this causes idle-kernel shutdowns to restart the idle-shutdown timer user-requested shutdowns will still be tracked as api activity * test ?no_track_activity=1 tracking * Changelog for activity	7 years ago
Min RK	ca7b8dd163	catch errors when writing on closed sockets avoids issues with direct-checks for closed or closing sockets, which seems to change across tornado versions fixes some tornado 6 issues	7 years ago
Min RK	7f7bfeefc0	Block cross-origin GET,HEAD requests with mismatched Referer - /files/ downloads must come from a local page (no direct visits or external links) - same for /api/ requests - disabling xsrf checks	7 years ago
Min RK	d7becafd59	add xsrf checks on files endpoints	7 years ago
Min RK	98773c1a8a	Set X-Content-Options: nosniff on all handlers for XSSI protections of non-script content	7 years ago
Min RK	729183b148	use our own maybe_future instead of the monkeypatch we did to keep the backport patch small requiring tornado 5 simplifies things a ton because tornado.concurrent.Future is asyncio.Future	7 years ago
Min RK	5828300401	fix check for closed connection stream is None in tornado 6	7 years ago
Thomas Kluyver	7c8db2d063	Call tornado WebSocketHandler.get() as a coroutine This change will probably be needed for Tornado 6. Ben Darnell figured it out. https://groups.google.com/d/msg/python-tornado/mSeG7Kc6z4o/baeTDOvJGgAJ	7 years ago
Thomas Kluyver	56d7a2d3a6	Remove one-time token code	7 years ago
Bill Major	cc5e08d1bc	Allow access control headers to be overriden in jupyter_notebook_config.py	8 years ago
Min RK	e33a16f42f	use localhost as default local hostname so this list isn't empty when these handlers are used outside NotebookApp	8 years ago
Min RK	1901eeac63	ip_address only accepts unicode on Python 2 ipaddress.ip_address('127.0.0.1') fails with ValueError on Python 2 need to decode it, otherwise 127.0.0.1 won't be treated as local	8 years ago
Thomas Kluyver	0d6ffa6888	Explain how to disable host check in warning message	8 years ago
Thomas Kluyver	7f1bba613d	Check 'Host' header for local connections	8 years ago
yuvipanda	a764f90b14	Add a /metrics endpoint for Prometheus Metrics [Prometheus](https://prometheus.io/) provides a standard metrics format that can be collected and used in many contexts. - From the browser to drive 'current resource usage' displays, such as https://github.com/yuvipanda/nbresuse - From a prometheus server to collect historical data for operational analysis and performance monitoring Example: https://grafana.mybinder.org/dashboard/db/1-overview?refresh=1m&orgId=1 for mybinder.org metrics from JupyterHub and BinderHub, via prometheus server at https://prometheus.mybinder.org The JupyterHub and BinderHub projects already expose Prometheus metrics natively. Adding this to the Jupyter notebook server allows us to instrument the code easily and in a standard format that has lots of 3rd party tooling for it. This commit does the following: - Introduce the `prometheus_client` library as a dependency. This library has no dependencies of its own and is pure python. - Add an authenticated `/metrics` endpoint to the server, which returns metrics in Prometheus Text Format - Expose the default process metrics from `prometheus_client`, which include memory usage and CPU usage info (for just the notebook process)	8 years ago
Thomas Kluyver	694ed72fb4	Use content_security_policy property to add restriction when serving user files	8 years ago
Thomas Kluyver	901f1e9492	Use CSP header to treat served files as belonging to a separate origin	8 years ago
Thomas Kluyver	0f0fe84740	Expand description of compatibility code	8 years ago
Thomas Kluyver	6ba7b17181	Only use force_clear_cookie for the extra compatibility piece	8 years ago
Thomas Kluyver	1fdcd375ab	Fix clearing two cookies with the same name Closes gh-3196	8 years ago
Daniel Farrell	605eaa72be	Added a flag to allow access of hidden files (#2819 ) * Added a flag to allow access of hidden files The flag '--allow-hidden' will allow Tornado to access hidden files such as '.images/my_img.jpg' * Fixed jupyterlab not following allow-hidden Jupyterlab stores its options in a different location than the standard notebook. Added the ability to check there as well. * Updated implementation for any app Previously I was accessing the settings dict based on the name of the app that was being used. ex 'NotebookApp', or 'LabApp'. Now the setting is passed directly into the Tornado settings, and can be accessed via a more general method. * Added/fixed unit tests for test_hidden_files Fixed broken unit tests by setting the default to allow_hidden=False then added unit test in FilesTest:test_hidden_files that checks for the accessibility of files with allow_hidden=True * allow-hidden now works everywhere Previously allow-hidden flag only allowed hidden files to be accessed via tornado. Now you can use the allow-hidden flag to access hidden directories and files via the filebrowser. * Remove --allow-hidden alias * Move allow_hidden option onto ContentsManager * Use try/finally to ensure allow_hidden option is set back to False after test * Allow access to hidden files, but don't list them for now * Simplify hidden check for listing again * Fix indentation	8 years ago
Thomas Kluyver	74fbc5b578	Merge pull request #3008 from Carreau/autopawd When login-in via token, let a chance for user to set the password	8 years ago
Matthias Bussonnier	a8971410c1	Add option disabled changing password at login. Document the changing of password.	8 years ago
Min RK	1deb0aec16	tornado 5: PeriodicCallback loop arg will be removed (#3034 ) * tornado 5: PeriodicCallback loop arg will be removed PCs are always run with the current eventloop, which is what the explicitly passed loop always is for us already * Don't double-close socket & stream closing stream closes the socket * remove now-inaccurate comment	8 years ago
Thomas Kluyver	9a5c2c06ad	Merge pull request #2958 from kevin-bates/fix-2957-add-reason-to-json-errors Add 'reason' field to JSON error responses	8 years ago
Thomas Kluyver	e7f69cc2d7	Work on loading UI translations (#2969 ) * Load translations for Javascript in page template * Normalise language codes to gettext format with underscores * .mo files need to be under LC_MESSAGES as well * remove unused JS code * Normalise result in test * Fix for opening files on Py 2 * Fix location of I18N directory * Add translation files to package_data	8 years ago
Kevin Bates	ed3b0e4594	Set reason on HTTP errors, None otherwise.	8 years ago
Thomas Kluyver	55aa80e10f	Merge pull request #2920 from minrk/allow-origin-token allow token-authenticated requests cross-origin by default	8 years ago
Min RK	fea2ef258f	set cookie on base_url avoids clobbering cookies when multiple notebook servers are run on one host. Users can override `cookie_options.path = ‘/‘` if they want cookies to be shared across notebooks on one host.	8 years ago
Kevin Bates	b24aa5e023	Add 'reason' field to JSON error responses During the deprecation/removal of the `@json_errors` decorator, the `reason` field was not carried forward into the compatible replacement method `APIHandler.write_error`. This broke some client (tests) that relied on that field's presence. Fixes #2957.	8 years ago
Min RK	08f7189cba	only allow CORS exception when auth is enabled	8 years ago
Min RK	9acf6a80f4	allow token-authenticated requests cross-origin by default we already apply this logic in our server-side checks, but browsers check `Access-Control-Allow-Origin` headers themselves as well, meaning that token-authenticated requests can’t be made cross-origin without CORS headers from browsers, only scripts. This makes default browser and server-side origin checks consistent	8 years ago
Min RK	a8c6b8bab6	Fix some errors caused by raising 403 in get_current_user (#2919 ) get_current_user is called in a few places that really shouldn’t raise move the raising to `get_login_url`, which is called in `@web.authenticated`, where we want to replace redirect logic with 403.	8 years ago
Sam Lau	1c2a256add	Add x-xsrftoken to Access-Control-Allow-Headers When starting a kernel using the Jupyter Notebook Kernel API, web browsers will automatically check for the presence of `x-xsrftoken` in the Access-Control-Allow-Headers during the preflight CORS check ([ref][ref]). [ref]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers Since we didn't allow this header before, web browsers would fail the preflight check even when the x-xsrftoken header isn't being used by the notebook server. This meant that running a webpage on localhost:8080 that used Javascript to start a kernel on a notebook server running on localhost:8888 would fail. How I tested this commit: 1. Start a notebook server using jupyter notebook --no-browser --NotebookApp.allow_origin="*" --NotebookApp.disable_check_xsrf=True --NotebookApp.token='' 2. Build the [web3](https://github.com/jupyter-widgets/ipywidgets/tree/master/examples/web3) example from ipywidgets. 3. In that directory, run `npm run host`. 4. Verify that visiting http://localhost:8080/ starts a kernel in the notebook server.	8 years ago
Min RK	4467dc9f12	specify version for deprecation	8 years ago
Min RK	962c5ccd80	stop using `@json_handlers`	8 years ago
Min RK	ba353e20f7	use .write_error on APIHandler instead of `@json_errors` for JSON error messages this is the standard tornado way to do it, and catches errors at the `prepare` stage, which method decorators do not	8 years ago
Min RK	92209228f6	raise 403 on APIHandler failed login instead of redirecting to human login page, which can have side effects	8 years ago
Min RK	d6a534ec5b	use RFC5987 encoding for filenames as described in RFC 6266 describing Content-Disposition	9 years ago
Grant Nestor	64ed6e439c	Don't url escape filenames on download	9 years ago
Min RK	0308dc78d9	ensure "default-src 'none'" CSP is added to APIHandlers even if custom Content-Security-Policy header is applied, which was previously setting the same value for both APIHandlers and page handlers	9 years ago
Thomas Kluyver	227704cda5	Merge pull request #2671 from minrk/dont-modify-headers avoid modifying settings['headers'] in add_default_headers	9 years ago
Min RK	f512880fcb	allow overriding csp report uri via tornado settings	9 years ago
Min RK	fb7ee6f348	avoid modifying settings['headers'] in add_default_headers Use a copy to avoid writing content security policy into settings['headers'], which can be a problem because APIHandlers have a stricter CSP than page handlers. If an API request is made before the first page request, pages will fail to load due to CSP violations.	9 years ago
Grant Nestor	5192d72c63	Merge pull request #2656 from agermanidis/master Use StaticFileHandler when files are local	9 years ago

1 2 3

110 Commits (6.x)