Hello community,
here is the log from the commit of package ghc-yesod-core for openSUSE:Factory
checked in at 2016-10-22 13:21:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ghc-yesod-core (Old)
and /work/SRC/openSUSE:Factory/.ghc-yesod-core.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghc-yesod-core"
Changes:
--------
--- /work/SRC/openSUSE:Factory/ghc-yesod-core/ghc-yesod-core.changes
2016-08-26 23:17:29.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.ghc-yesod-core.new/ghc-yesod-core.changes
2016-10-22 13:21:24.000000000 +0200
@@ -1,0 +2,10 @@
+Sat Oct 1 17:18:12 UTC 2016 - psim...@suse.com
+
+- Update to version 1.4.25 with cabal2obs.
+
+-------------------------------------------------------------------
+Thu Sep 15 06:53:57 UTC 2016 - psim...@suse.com
+
+- Update to version 1.4.24 revision 0 with cabal2obs.
+
+-------------------------------------------------------------------
Old:
----
yesod-core-1.4.23.tar.gz
New:
----
yesod-core-1.4.25.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ghc-yesod-core.spec ++++++
--- /var/tmp/diff_new_pack.XfM06V/_old 2016-10-22 13:21:25.000000000 +0200
+++ /var/tmp/diff_new_pack.XfM06V/_new 2016-10-22 13:21:25.000000000 +0200
@@ -19,7 +19,7 @@
%global pkg_name yesod-core
%bcond_with tests
Name: ghc-%{pkg_name}
-Version: 1.4.23
+Version: 1.4.25
Release: 0
Summary: Creation of type-safe, RESTful web applications
License: MIT
++++++ yesod-core-1.4.23.tar.gz -> yesod-core-1.4.25.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yesod-core-1.4.23/ChangeLog.md
new/yesod-core-1.4.25/ChangeLog.md
--- old/yesod-core-1.4.23/ChangeLog.md 2016-08-10 14:21:43.000000000 +0200
+++ new/yesod-core-1.4.25/ChangeLog.md 2016-09-26 06:19:15.000000000 +0200
@@ -1,3 +1,16 @@
+## 1.4.25
+
+* Add instance of MonadHandler and MonadWidget for ExceptT
[#1278](https://github.com/yesodweb/yesod/pull/1278)
+
+## 1.4.24
+
+* cached and cachedBy will not overwrite global state changes
[#1268](https://github.com/yesodweb/yesod/pull/1268)
+
+## 1.4.23.1
+
+* Don't allow sending multiple cookies with the same name to the client, in
accordance with [RFC 6265](https://tools.ietf.org/html/rfc6265). This fixes an
issue where multiple CSRF tokens were sent to the client.
[#1258](https://github.com/yesodweb/yesod/pull/1258)
+* Default CSRF tokens to the root path "/", fixing an issue where multiple
tokens were stored in cookies, and using the wrong one led to CSRF errors
[#1248](https://github.com/yesodweb/yesod/pull/1248)
+
## 1.4.23
* urlParamRenderOverride method for Yesod class
[#1257](https://github.com/yesodweb/yesod/pull/1257)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yesod-core-1.4.23/Yesod/Core/Class/Handler.hs
new/yesod-core-1.4.25/Yesod/Core/Class/Handler.hs
--- old/yesod-core-1.4.23/Yesod/Core/Class/Handler.hs 2016-08-10
14:21:43.000000000 +0200
+++ new/yesod-core-1.4.25/Yesod/Core/Class/Handler.hs 2016-09-26
06:19:15.000000000 +0200
@@ -24,6 +24,9 @@
import Control.Monad.Trans.List ( ListT )
import Control.Monad.Trans.Maybe ( MaybeT )
import Control.Monad.Trans.Error ( ErrorT, Error)
+#if MIN_VERSION_transformers(0,4,0)
+import Control.Monad.Trans.Except ( ExceptT )
+#endif
import Control.Monad.Trans.Reader ( ReaderT )
import Control.Monad.Trans.State ( StateT )
import Control.Monad.Trans.Writer ( WriterT )
@@ -55,6 +58,9 @@
GO(ListT)
GO(MaybeT)
GOX(Error e, ErrorT e)
+#if MIN_VERSION_transformers(0,4,0)
+GO(ExceptT e)
+#endif
GO(ReaderT r)
GO(StateT s)
GOX(Monoid w, WriterT w)
@@ -78,6 +84,9 @@
GO(ListT)
GO(MaybeT)
GOX(Error e, ErrorT e)
+#if MIN_VERSION_transformers(0,4,0)
+GO(ExceptT e)
+#endif
GO(ReaderT r)
GO(StateT s)
GOX(Monoid w, WriterT w)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yesod-core-1.4.23/Yesod/Core/Class/Yesod.hs
new/yesod-core-1.4.25/Yesod/Core/Class/Yesod.hs
--- old/yesod-core-1.4.23/Yesod/Core/Class/Yesod.hs 2016-08-10
14:21:43.000000000 +0200
+++ new/yesod-core-1.4.25/Yesod/Core/Class/Yesod.hs 2016-09-26
06:19:15.000000000 +0200
@@ -419,9 +419,9 @@
-- all responses so that browsers will rewrite all http links to https
-- until the timeout expires. For security, the max-age of the STS header
-- should always equal or exceed the client sessions timeout. This defends
--- against hijacking attacks on the sessions of users who attempt to access
--- the site using an http url. This middleware makes a site functionally
--- inaccessible over vanilla http in all standard browsers.
+-- against SSL-stripping man-in-the-middle attacks. It is only effective if
+-- a secure connection has already been made; Strict-Transport-Security
+-- headers are ignored over HTTP.
--
-- Since 1.4.7
sslOnlyMiddleware :: Yesod site
@@ -491,14 +491,18 @@
-- | Calls 'csrfSetCookieMiddleware' with the 'defaultCsrfCookieName'.
--
+-- The cookie's path is set to @/@, making it valid for your whole website.
+--
-- Since 1.4.14
defaultCsrfSetCookieMiddleware :: Yesod site => HandlerT site IO res ->
HandlerT site IO res
-defaultCsrfSetCookieMiddleware handler = csrfSetCookieMiddleware handler (def
{ setCookieName = defaultCsrfCookieName })
+defaultCsrfSetCookieMiddleware handler = setCsrfCookie >> handler
-- | Takes a 'SetCookie' and overrides its value with a CSRF token, then sets
the cookie. See 'setCsrfCookieWithCookie'.
--
-- For details, see the "AJAX CSRF protection" section of "Yesod.Core.Handler".
--
+-- Make sure to set the 'setCookiePath' to the root path of your application,
otherwise you'll generate a new CSRF token for every path of your app. If your
app is run from from e.g. www.example.com\/app1, use @app1@. The vast majority
of sites will just use @/@.
+--
-- Since 1.4.14
csrfSetCookieMiddleware :: Yesod site => HandlerT site IO res -> SetCookie ->
HandlerT site IO res
csrfSetCookieMiddleware handler cookie = setCsrfCookieWithCookie cookie >>
handler
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yesod-core-1.4.23/Yesod/Core/Handler.hs
new/yesod-core-1.4.25/Yesod/Core/Handler.hs
--- old/yesod-core-1.4.23/Yesod/Core/Handler.hs 2016-08-10 14:21:43.000000000
+0200
+++ new/yesod-core-1.4.25/Yesod/Core/Handler.hs 2016-09-26 06:19:15.000000000
+0200
@@ -214,6 +214,7 @@
import qualified Data.ByteString as S
import qualified Data.ByteString.Lazy as L
import qualified Data.Map as Map
+import qualified Data.HashMap.Strict as HM
import Data.Byteable (constEqBytes)
@@ -615,10 +616,14 @@
-- | Bypass remaining handler code and output the given JSON with the given
-- status code.
---
+--
-- Since 1.4.18
sendStatusJSON :: (MonadHandler m, ToJSON c) => H.Status -> c -> m a
+#if MIN_VERSION_aeson(0, 11, 0)
+sendStatusJSON s v = sendResponseStatus s (toEncoding v)
+#else
sendStatusJSON s v = sendResponseStatus s (toJSON v)
+#endif
-- | Send a 201 "Created" response with the given route as the Location
-- response header.
@@ -724,7 +729,11 @@
-- | Set the cookie on the client.
setCookie :: MonadHandler m => SetCookie -> m ()
-setCookie = addHeaderInternal . AddCookie
+setCookie sc = do
+ addHeaderInternal (DeleteCookie name path)
+ addHeaderInternal (AddCookie sc)
+ where name = setCookieName sc
+ path = maybe "/" id (setCookiePath sc)
-- | Helper function for setCookieExpires value
getExpires :: MonadIO m
@@ -994,12 +1003,14 @@
=> m a
-> m a
cached action = do
- gs <- get
- eres <- Cache.cached (ghsCache gs) action
+ cache <- ghsCache <$> get
+ eres <- Cache.cached cache action
case eres of
Right res -> return res
Left (newCache, res) -> do
- put $ gs { ghsCache = newCache }
+ gs <- get
+ let merged = newCache `HM.union` ghsCache gs
+ put $ gs { ghsCache = merged }
return res
-- | a per-request cache. just like 'cached'.
@@ -1014,12 +1025,14 @@
-- Since 1.4.0
cachedBy :: (MonadHandler m, Typeable a) => S.ByteString -> m a -> m a
cachedBy k action = do
- gs <- get
- eres <- Cache.cachedBy (ghsCacheBy gs) k action
+ cache <- ghsCacheBy <$> get
+ eres <- Cache.cachedBy cache k action
case eres of
Right res -> return res
Left (newCache, res) -> do
- put $ gs { ghsCacheBy = newCache }
+ gs <- get
+ let merged = newCache `HM.union` ghsCacheBy gs
+ put $ gs { ghsCacheBy = merged }
return res
-- | Get the list of supported languages supplied by the user.
@@ -1354,7 +1367,7 @@
--
-- The form-based approach has the advantage of working for users with
Javascript disabled, while adding the token to the headers with Javascript
allows things like submitting JSON or binary data in AJAX requests. Yesod
supports checking for a CSRF token in either the POST parameters of the form
('checkCsrfParamNamed'), the headers ('checkCsrfHeaderNamed'), or both options
('checkCsrfHeaderOrParam').
--
--- The easiest way to check both sources is to add the 'defaultCsrfMiddleware'
to your Yesod Middleware.
+-- The easiest way to check both sources is to add the
'Yesod.Core.defaultCsrfMiddleware' to your Yesod Middleware.
-- | The default cookie name for the CSRF token ("XSRF-TOKEN").
--
@@ -1364,12 +1377,16 @@
-- | Sets a cookie with a CSRF token, using 'defaultCsrfCookieName' for the
cookie name.
--
+-- The cookie's path is set to @/@, making it valid for your whole website.
+--
-- Since 1.4.14
setCsrfCookie :: MonadHandler m => m ()
-setCsrfCookie = setCsrfCookieWithCookie def { setCookieName =
defaultCsrfCookieName }
+setCsrfCookie = setCsrfCookieWithCookie def { setCookieName =
defaultCsrfCookieName, setCookiePath = Just "/" }
-- | Takes a 'SetCookie' and overrides its value with a CSRF token, then sets
the cookie.
--
+-- Make sure to set the 'setCookiePath' to the root path of your application,
otherwise you'll generate a new CSRF token for every path of your app. If your
app is run from from e.g. www.example.com\/app1, use @app1@. The vast majority
of sites will just use @/@.
+--
-- Since 1.4.14
setCsrfCookieWithCookie :: MonadHandler m => SetCookie -> m ()
setCsrfCookieWithCookie cookie = do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yesod-core-1.4.23/Yesod/Core/Types.hs
new/yesod-core-1.4.25/Yesod/Core/Types.hs
--- old/yesod-core-1.4.23/Yesod/Core/Types.hs 2016-08-10 14:21:43.000000000
+0200
+++ new/yesod-core-1.4.25/Yesod/Core/Types.hs 2016-09-26 06:19:15.000000000
+0200
@@ -323,7 +323,7 @@
----- header stuff
-- | Headers to be added to a 'Result'.
data Header =
- AddCookie SetCookie
+ AddCookie SetCookie
| DeleteCookie ByteString ByteString
| Header ByteString ByteString
deriving (Eq, Show)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yesod-core-1.4.23/test/YesodCoreTest/Cache.hs
new/yesod-core-1.4.25/test/YesodCoreTest/Cache.hs
--- old/yesod-core-1.4.23/test/YesodCoreTest/Cache.hs 2016-08-10
14:21:43.000000000 +0200
+++ new/yesod-core-1.4.25/test/YesodCoreTest/Cache.hs 2016-09-26
06:19:15.000000000 +0200
@@ -2,6 +2,7 @@
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE FlexibleInstances #-}
{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE Rank2Types #-}
module YesodCoreTest.Cache (cacheTest, Widget) where
import Test.Hspec
@@ -25,6 +26,8 @@
mkYesod "C" [parseRoutes|
/ RootR GET
/key KeyR GET
+/nested NestedR GET
+/nested-key NestedKeyR GET
|]
instance Yesod C where
@@ -55,6 +58,24 @@
return $ RepPlain $ toContent $ show [v1a, v1b, v2a, v2b, v3a, v3b]
+getNestedR :: Handler RepPlain
+getNestedR = getNested cached
+
+getNestedKeyR :: Handler RepPlain
+getNestedKeyR = getNested $ cachedBy "3"
+
+-- | Issue #1266
+getNested :: (forall a. Typeable a => (Handler a -> Handler a)) -> Handler
RepPlain
+getNested cacheMethod = do
+ ref <- newIORef 0
+ let getV2 = atomicModifyIORef ref $ \i -> (i + 1, V2 $ i + 1)
+ V1 _ <- cacheMethod $ do
+ V2 val <- cacheMethod $ getV2
+ return $ V1 val
+ V2 v2 <- cacheMethod $ getV2
+
+ return $ RepPlain $ toContent $ show v2
+
cacheTest :: Spec
cacheTest =
describe "Test.Cache" $ do
@@ -68,5 +89,15 @@
assertStatus 200 res
assertBody (L8.pack $ show [1, 1, 2, 2, 3, 3 :: Int]) res
+ it "nested cached" $ runner $ do
+ res <- request defaultRequest { pathInfo = ["nested"] }
+ assertStatus 200 res
+ assertBody (L8.pack $ show (1 :: Int)) res
+
+ it "nested cachedBy" $ runner $ do
+ res <- request defaultRequest { pathInfo = ["nested-key"] }
+ assertStatus 200 res
+ assertBody (L8.pack $ show (1 :: Int)) res
+
runner :: Session () -> IO ()
runner f = toWaiApp C >>= runSession f
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yesod-core-1.4.23/test/YesodCoreTest/Csrf.hs
new/yesod-core-1.4.25/test/YesodCoreTest/Csrf.hs
--- old/yesod-core-1.4.23/test/YesodCoreTest/Csrf.hs 2016-08-10
14:21:43.000000000 +0200
+++ new/yesod-core-1.4.25/test/YesodCoreTest/Csrf.hs 2016-09-26
06:19:15.000000000 +0200
@@ -45,6 +45,12 @@
assertStatus 200 res
assertClientCookieExists "Should have an XSRF-TOKEN cookie"
defaultCsrfCookieName
+ it "uses / as the path of the cookie" $ runner $ do --
https://github.com/yesodweb/yesod/issues/1247
+ res <- request defaultRequest
+ assertStatus 200 res
+ cookiePath <- fmap setCookiePath requireCsrfCookie
+ liftIO $ cookiePath `shouldBe` Just "/"
+
it "200s write requests with the correct CSRF header, but no param" $
runner $ do
getRes <- request defaultRequest
assertStatus 200 getRes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yesod-core-1.4.23/yesod-core.cabal
new/yesod-core-1.4.25/yesod-core.cabal
--- old/yesod-core-1.4.23/yesod-core.cabal 2016-08-10 14:21:43.000000000
+0200
+++ new/yesod-core-1.4.25/yesod-core.cabal 2016-09-26 06:19:15.000000000
+0200
@@ -1,5 +1,5 @@
name: yesod-core
-version: 1.4.23
+version: 1.4.25
license: MIT
license-file: LICENSE
author: Michael Snoyman <mich...@snoyman.com>
