Dashboard

make code more robust when exposed to hacking attacks

keep chain on session_ids in case the sessions change

comment out and/or drop references to money to address issue #3381

Default value for "sign" in export vars should be empty, and not "0"

- relax strict error handling on export_vars_sign for the time being

Fix regression in 'if_no_rows' idiom for db_foreach, document alternative syntax, create a test for db_foreach main functionalities

protect legacy HTTPd against XSS on error messages

-2/+6 /library/xotcl/library/comm/Httpd.xotcl
simplify and fix subst operation

distinguish between "install" and "upgrade" in heading and explanation text

- ad_set_cookie: add option "-samesite" and use it when the server supports it (NaviServer 4.99.18)

- use "-samesite strict" by default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from sending this cookie along with cross-site requests to mitigate cross-site scripting attacks. Permissible values are [term strict], [term lax], or [term none] (default). While the value [term strict] prevents sending the cookie to the target site in all cross-site browsing contexts, the value of [term lax] allows sending the cookie when the user clicks on regular links. For details, see https://www.owasp.org/index.php/SameSite

This cookie flag is not yet part of an RFC, but most major browsers support it. Browsers that do not support it ignore the flag silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flag, in order to provide backward compatibility, the flag can't be activated by default on all cookies.

Bring files on oacs-5-10 in sync with HEAD

-13/+0 /openacs-4/packages/chat/lib/transcripts.xql
whitespace and spelling changes

category_tree::get_categories reform:

always return all root categories of the given tree. Keep sorting by localized name, but use the en_US translation as a default when the desired one is missing. Improve documentation.

Rollback of 'boolean' parameter datatype, as Oracle does not see it as necessary to have 'boolean' datatypes, and they do not even provide a proper alternative on what to use instead. Great. See: https://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:6263249199595#876972400346931526

Add 'boolean' parameter datatype and increase version number

file upgrade-5.10.0d12-5.10.0d13.sql was initially added on branch oacs-5-10.

Fix typo

activate warnings in case the old IE bug is still around

Whitespace changes

Fix dynamic-types package installation (many thanks to Iuri Sanpaio). See #3381

Remove trailing "Class" keyword so classes are correctly displayed in the api-doc (See #3383)

ad_sign: generalize last ad_sign handling to allow user and csrf binding

use user-specific sign operations for protecting delete operations

-3/+3 /openacs-4/packages/forums/forums.info
ad_sign: new optional parameter "user_binding"

The parameter user_binding allows binding a signature to a user. When the value is "-1" only the user who created the signature can obtain the value again. A value of 0 (default) means no user binding. The permissible values might be extended in the future.

bump version number to 5.10.0d24

-2/+2 /openacs-4/packages/acs-tcl/acs-tcl.info
Bring files on oacs-5-10 in sync with HEAD

… 148 more files in changeset.
Secure forums delete button by protecting the message_id with a timed signature

make sure to populate global variable for different notations of the default database

use usual spelling convention

Bring files on oacs-5-10 in sync with HEAD

add missing file