auth: strip RFC4007 zone identifiers from IPv6 addresses before doing access control If using IPv6, the request IP address might contain a '%' that the ipaddr module that is used for IP filtering can't handle. https://tools.ietf.org/html/rfc4007#section-11 specifies how IPv6 addresses can have zone identifiers like trailing '%13' or '%eth0'. The zone identifier is used to help distinguish *if* the same address should be available on multiple interfaces. It *could* potentially have security implications in the odd case where the same address is different on different interfaces. The IP whitelist functionality does however not support zone filters, so there is no way users can expect the zone to be relevant for IP filtering. We can thus safely strip the zone index and only check for match on the other parts of the address.

[run]
omit =
    # the bin scripts are not part of the Kallithea web app
    kallithea/bin/*
    # we ship with no active extensions
    kallithea/config/rcextensions/*
    # dbmigrate and paster_commands are not part of the Kallithea web app
    kallithea/lib/dbmigrate/*
    kallithea/lib/paster_commands/*
    # the tests themselves should not be part of the coverage report
    kallithea/tests/*
    # the scm hooks are not run in the kallithea process
    kallithea/config/post_receive_tmpl.py
    kallithea/config/pre_receive_tmpl.py

[paths]
source =
    kallithea/
    **/workspace/*/kallithea