| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
shouldn't have much impact on us, but let's be safe.
Crate: remove_dir_all
Version: 0.5.3
Title: Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
Date: 2023-02-24
ID: RUSTSEC-2023-0018
URL: https://rustsec.org/advisories/RUSTSEC-2023-0018
Solution: Upgrade to >=0.8.0
|
|
|
|
|
|
| |
a few were vulnerable according to cargo-audit, but none of it would've
mattered for us (probably). time is still vulnerable, but that really
doesn't matter.
|
|
|
|
|
|
| |
update flake locks, which also changes how check dependencies are used.
none of these actually run on the target arch, only the host, so they
all have to be native now.
|
|
|
|
|
|
| |
upgrading dependencies will mean we have to use hyper for web-push
instead of isahc. sadly hyper doesn't send content-length headers for
empty bodies, but we can fudge that for the tests.
|
| |
|
| |
|
|
|
|
|
|
| |
while device ids should be impossible to guess (being as long as oauth
tokens), we should still guard against malicious activity if they should
ever leak.
|
|
|
|
|
|
|
| |
at least up to 103 there are two webchannel implementations in mobile
firefox, one of which should not be there and only responds with error.
https://bugzilla.mozilla.org/show_bug.cgi?id=1616635
|
|
|
|
| |
but it *must* be done over https with trusted certificates
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
prompted by a cargo audit run. time works just as well and is better
maintained. web-push still uses chrono, but from the looks of things it
won't be affected.
|
| |
|
| |
|
|
|
|
|
| |
this doesn't do much for functionality, but it makes extending things
easier. hopefully.
|
|
|
|
|
| |
we'll send mail so rarely, keeping a connection open at all times just
spams syslog
|
|
|
|
|
| |
local mail connections are much preferred for this service, and those
needn't be encrypted.
|
| |
|
|
|
|
|
| |
mostly by grouping tests that can reuse the same account (which is
expensive to create) into classes and scoping accounts to classes.
|
|
|
|
|
| |
not necessary for the standalone server, but if we want to launch many
server for testing it'll be relevant.
|
|
|
|
| |
u8 arrays are copy, no need to not have our wrappers be copy.
|
|
|
|
| |
the trait doesn't leave the module, so sealing doesn't do anything useful.
|
|
|
|
|
| |
there's no benefit to keeping it around, the zeroing behavior it had was
never any good and without it it's just a fancy [u8; N]
|
| |
|
|
|
|
| |
the db already does this, crypto did not.
|
|
|
|
| |
using SecretBytes for all of them isn't that great.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
this is not so much a problem as a possible source of false security for
the readers. all secret keys we handle are serialized in some form, and
those serialization buffers are *not* zeroed out after use. zeroing our
raw buffers doesn't help much in that case, using a zero-on-free
allocator would be much more helpful.
|
|
|
|
| |
it never worked out, but a bit of support stuff remained.
|
| |
|
| |
|
|
|
|
|
|
|
| |
these are not "official" test vectors, just an example of what the
implementation does currently. since it works with other parts of the
ecosystem (most importantly firefox itself) they seem good enough to
include.
|
|
|
|
|
| |
this doesn't do much for performance, but it does allow running the
tests with a simple `cargo t`.
|
| |
|
| |
|
|
|
|
|
|
|
| |
firefox wants to delete profile access tokens after they're expired and
logs errors if it can't do that. since this happens every hour we can
end up with a bunch of error logs very quickly, so we better let it do
what it wants.
|
| |
|
| |
|
|
|