This is only needed for unsecure spreadsheet applications (hi Google Docs and MS Excel) that load formulae by default.
See https://owasp.org/www-community/attacks/CSV_Injection for some mitigation explanation. This is not complete, but it should be OK for now.
In one case, we were not catching a family of possible exceptions
(socket.error), and in the two other cases there was no error handling at
all. Sending emails can easily fail if no email server is configured, so
it is really necessary to handle these errors instead of crashing with a
HTTP 500 error.
Refactor email sending code and add proper error handling.
Show alert messages that tell the user if an email was sent or if there
was an error.
When sending a password reminder email or inviting people by email, we
don't proceed to the next step in case of error, because sending emails is
the whole point of these actions.
Co-Authored-By: Glandos <bugs-github@antipoul.fr>
All project activity can be tracked, using SQLAlchemy-continuum.
IP addresses can optionally be recorded.
Fix#417
* New tab upload
* Extract data from JSON
* Add users
* Black format
* Try to add bill
* Import bills
* Add french translation msg
* Black reformat missing
* Deactivated users are supported
* Test import
* Remove temp file in upload_json()
* Incomplete tests
* tests import
* Update ihatemoney/translations/fr/LC_MESSAGES/messages.po
Co-Authored-By: Rémy HUBSCHER <hubscher.remy@gmail.com>
* Remove useless variable and check json format
* Use String.IO and test for wrong json
* Remove coma
Co-authored-by: Rémy HUBSCHER <hubscher.remy@gmail.com>
Flake8 was nitpicking about:
ihatemoney/forms.py:192:13: F841 local variable 'e' is assigned to but never used
ihatemoney/utils.py:26:8: W605 invalid escape sequence '\w'
ihatemoney/utils.py:26:10: W605 invalid escape sequence '\s'
ihatemoney/utils.py:27:8: W605 invalid escape sequence '\s'
For this I had to create an Jinja2 explicit environment, so I put a
function in `ihatemoney.utils.create_jinja2_env(strict_rendering=False)`.
When using this environment and if `strict_rendering` is activated,
templates using undefined variables will now error out rather than
failing silently.
* Protect admin endpoints against brute force attacks
Add a throttling mechanism to prevent a client brute
forcing the authentication form, based on its ip address
Closes#245
* Reset attempt counters if they get memory hungry
* Use absolute imports and rename package to ihatemoney
* Add a ihatemoney command
* Factorize application creation logic
* Refactor the tests
* Update the wsgi.py module with the new create_app() function
* Fix some styling thanks to Flake8.
* Automate Flake8 check in the CI.
