Bug fix:
The default for `NO_SSL` environment variable is `False`.
When the actual value, in runtime, is `True`, the code "ignores" it.
The reason: the code does not parse the given string. So it evaluates a non empty string as "True".
To resolve this, the suggested code parses the given string to a boolean value.
Also includes:
- Updated the versions in the requirements, as MarkupSafe did not install cleanly.
- Integration test that sets a password via the website, and then
verifies the timeout on the backend.
- Basic Makefile, updates to the docs to use the Makefile.
The requirements file was updated using pip freeze after I had updated the version of MarkupSafe. I don't know what the usual process is for this repo, so please let me know if I should use a different process there (that is why there are a few additions).
* Remove Travis Python 3.7 hack
No longer necessary: 3.7 is supported out-of-the-box
* Add support for Python 3.8
And explicitly document in setup.py
* "Upgrade base Docker image to Python 3.8"a
* Add entry about py38 support in WIP changelog
* Explicitly declare python versions in setup.py
* Bump Werkzeug to 0.15.6
This is the latest 0.15 version. 0.16 might be incompatible
The fix we are looking for is in [0.15.5](http://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-5):
> Fix a TypeError due to changes to ast.Module in Python 3.8.
We have used snappass since it was first open sourced, and everyone in the organization loves it. Not sure about the A-Z ordering WRT to Pinterest, it feels like you should be on top since it's your project.
This addresses CVE-2018-10903:
A flaw was found in python-cryptography versions between >=1.9.0 and
<2.3. The finalize_with_tag API did not enforce a minimum tag
length. If a user did not validate the input length prior to passing
it to finalize_with_tag an attacker could craft an invalid payload
with a shortened tag (e.g. 1 byte) such that they would have a 1 in
256 chance of passing the MAC check. GCM tag forgeries can cause key
leakage.
... although snappass isn't affected because we doesn't use the
vulnerable `finalize_with_tag` API.
Also used the "slim" version, which will drastically reduce the
image size.
Base image sizes comparison:
| python:3.7-slim | 143MB |
| python:3.7 | 916MB |
Currently FontAwesome uses Cloudflare to serve font assets, however all
of the other assets are delivered locally. This standardizes the assets
to use all local assets from `/static/`.
