<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Ticket search results</title><link>https://forge-allura.apache.org/p/allura/tickets/</link><description>You searched for assigned_to:"brondsem"</description><language>en</language><lastBuildDate>Fri, 01 May 2026 18:21:37 -0000</lastBuildDate><item><title>various security tightening</title><link>https://forge-allura.apache.org/p/allura/tickets/8603/</link><description/><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Wed, 29 Apr 2026 21:15:14 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8603/</guid></item><item><title>email auth verification by link</title><link>https://forge-allura.apache.org/p/allura/tickets/8601/</link><description>With a link we can have a longer token for more security (still type-able if needed).  And the link will defeat some MITM phishing attacks, forcing you to the right site.

We can apply this to 2FA accounts too (currently being skipped) so they get the MITM protections too

Downside is if you don't have email access on the same computer you're logging in to :(</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Fri, 01 May 2026 18:21:37 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8601/</guid></item><item><title>show domain on external links, if misleading</title><link>https://forge-allura.apache.org/p/allura/tickets/8599/</link><description>When showing links (e.g. originating from markdown, but really any html output) we should do something about links that could be misleading.  For example with `&lt;a href=https://evil.com/&gt;sourceforge.net/auth/&lt;/a&gt;` we could automatically append `(evil.com)` into the output so it's obvious when it's misleading.

We should also check for non-ascii domain names (IDN) and if they have chars that are potentially confusing with normal ascii, then show the decoded domain name (even if the link &amp; text match, if the chars could be confusing)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Wed, 01 Apr 2026 15:14:14 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8599/</guid></item><item><title>improve bad markdown performance</title><link>https://forge-allura.apache.org/p/allura/tickets/8597/</link><description>In some very specific cases the performance of markdown can be quite bad</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 23 Feb 2026 20:20:24 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8597/</guid></item><item><title>Support python 3.14</title><link>https://forge-allura.apache.org/p/allura/tickets/8589/</link><description>After [#8588] we should be able to support python 3.14 I think</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 01 Dec 2025 15:56:07 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8589/</guid></item><item><title>improve regexes and remove regex-as-re-globally pkg DROPS python 3.10</title><link>https://forge-allura.apache.org/p/allura/tickets/8588/</link><description>`regex-as-re-globally` is a very hacky package (I made it, I'm ok to admit it) and it continuously needs more fixes for every new version of python https://github.com/brondsem/regex-as-re-globally/issues?q=is%3Aissue

So let's fix our regexes so we don't need it</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 01 Dec 2025 17:36:58 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8588/</guid></item><item><title>upgrade JS libraries a bit</title><link>https://forge-allura.apache.org/p/allura/tickets/8576/</link><description>To get compliant with https://retirejs.github.io/retire.js/ vulnerability scanning</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Tue, 12 Aug 2025 17:44:01 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8576/</guid></item><item><title>add more password change settings</title><link>https://forge-allura.apache.org/p/allura/tickets/8572/</link><description/><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Tue, 12 Aug 2025 17:44:00 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8572/</guid></item><item><title>support basic auth to solr</title><link>https://forge-allura.apache.org/p/allura/tickets/8568/</link><description/><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Tue, 12 Aug 2025 17:43:59 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8568/</guid></item><item><title>support newer pwd hashs, remove deprecated 'crypt' AUTH PLUGIN CHANGES</title><link>https://forge-allura.apache.org/p/allura/tickets/8566/</link><description>our LDAP plugin's password handling uses `crypt` which is deprecated since 3.11 and removed in 3.13 https://docs.python.org/3/library/crypt.html

crypt only supports a few algorithms anyway, it'd be good to support argon2, scrypt, bcrypt, pbkdf2_sha512

local password storage does sha256 and definitely should be updated.  Similar/same config options for local &amp; ldap hashing?
 
https://passlib.readthedocs.io/en/stable/ seems pretty good and supports a lot of algorithms, but it isn't maintained the best :(

If an admin configures a new password hashing algorithm, we should make it be a seamless transition, including when someone logs in to re-hash the password, when needed.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Tue, 12 Aug 2025 17:43:59 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8566/</guid></item><item><title>check blocked users better</title><link>https://forge-allura.apache.org/p/allura/tickets/8555/</link><description>If a user is blocked at the tool level, they still may be able to post in discussion forums that have additional ACLs.  E.g. a forum within the discussion tool, which has anonymous posting allowed, or has developer only posting.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 10 Jun 2024 15:31:45 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8555/</guid></item><item><title>fix wiki page 'recent' sort</title><link>https://forge-allura.apache.org/p/allura/tickets/8540/</link><description>The "Recently Updated" sort option on wiki's Browse Pages does not work correctly.  It does the query and then applies a sort afterwards.  
So if you have more than one page of results, it only sorts within the current page not the whole set of pages.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 10 Jun 2024 15:31:45 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8540/</guid></item><item><title>add more ruff checks</title><link>https://forge-allura.apache.org/p/allura/tickets/8539/</link><description>https://docs.astral.sh/ruff/rules/#flake8-bandit-s in particular would be good, some others too</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 10 Jun 2024 15:31:45 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8539/</guid></item><item><title>improve |safe and Markup usage</title><link>https://forge-allura.apache.org/p/allura/tickets/8536/</link><description>- `Markup()` objects can use `%` or `.format` to automatically escape things into them, that's nicer
- `|safe` in templates is not ideal, better to use Markup() right when the string is constructed and known to be safe html.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 10 Jun 2024 15:31:45 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8536/</guid></item><item><title>set up github codeql</title><link>https://forge-allura.apache.org/p/allura/tickets/8534/</link><description>Our repo gets mirrored to https://github.com/apache/allura/ so we can set up CodeQL to run there and check for security issues in code</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 10 Jun 2024 15:31:45 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8534/</guid></item><item><title>switch python email 'policy' for better line length handling</title><link>https://forge-allura.apache.org/p/allura/tickets/8533/</link><description>If an email has a super long subject header (for example) with no spaces in it, email delivery can fail.  For example `exim` gives `message has lines too long for transport`

We’ve handled this before:

- in `SMTPClient.sendmail` and `test_send_email_long_lines_use_quoted_printable` but apparently it doesn’t split a header if there’s no spaces or other chars to split on
- `encode_email_part` handled it too, and debugging that seems like it works correctly (setting header charsets) but it still ends up rewritten later in sendmail, and causes the error

 https://docs.python.org/3/library/email.mime.html for MIMEText and MIMEMultipart extend from Message which has a default policy of compat32 (python 3.2 compatibility, bugs included).  Specifying a different policy (or using EmailMessage perhaps) seems to work better, and maybe we can get rid of workarounds within our code.  See https://docs.python.org/3/library/email.policy.html in the middle of the page. SMTP seems best.  (SMTPUTF8 sounds appealing, but not all mail servers support utf8)
 </description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 10 Jun 2024 15:31:45 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8533/</guid></item><item><title>improve ruff config</title><link>https://forge-allura.apache.org/p/allura/tickets/8532/</link><description/><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 10 Jun 2024 15:31:45 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8532/</guid></item><item><title>support unicode in repo branch names</title><link>https://forge-allura.apache.org/p/allura/tickets/8529/</link><description>Currently a branch name with unicode in it is browsable, but only if you go there directly.  If you go to a code tool it'll try to do a redirect and get this error

```
  File "/src/allura/Allura/allura/lib/custom_middleware.py", line 638, in __call__
    start_response(status, headers, exc_info)
ValueError: unicode object contains non latin-1 characters
```</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 10 Jun 2024 15:31:45 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8529/</guid></item><item><title>improve allura.command_init</title><link>https://forge-allura.apache.org/p/allura/tickets/8528/</link><description>It'd be helpful to know which command is being run.  And this entry point should be documented</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 10 Jun 2024 15:31:45 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8528/</guid></item><item><title>improve session cookie handling NEEDS CONFIG CHANGES</title><link>https://forge-allura.apache.org/p/allura/tickets/8526/</link><description>Main thing is to move away from pickle, but we can also implement stronger keys, support key rotation, etc.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 10 Jun 2024 15:31:45 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8526/</guid></item><item><title>github api improvements</title><link>https://forge-allura.apache.org/p/allura/tickets/8523/</link><description/><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Mon, 06 Nov 2023 20:21:23 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8523/</guid></item><item><title>migrate from pkg_resources to importlib DROP PYTHON 3.9</title><link>https://forge-allura.apache.org/p/allura/tickets/8520/</link><description>According to `setup_tools`, [pkg_resources is deprecated and we should migrate to importlib.resources and importlib.metadata](https://setuptools.pypa.io/en/latest/pkg_resources.html).

Migration Guides:
- [Migration guide - importlib-resources 6.0.2.dev11+ge540919.d20230910 documentation](https://importlib-resources.readthedocs.io/en/latest/migration.html)
- [Migration guide - importlib-metadata 6.8.1.dev12+gb98411e.d20230910 documentation](https://importlib-metadata.readthedocs.io/en/latest/migration.html)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dillon Walls</dc:creator><pubDate>Mon, 25 Aug 2025 15:00:34 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8520/</guid></item><item><title>upgrade TurboGears</title><link>https://forge-allura.apache.org/p/allura/tickets/8500/</link><description/><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Brondsema</dc:creator><pubDate>Thu, 14 Sep 2023 18:51:37 -0000</pubDate><guid>https://forge-allura.apache.org/p/allura/tickets/8500/</guid></item></channel></rss>