All Activity

Add '-delete' flag to 'ad_parameter_cache' in 'parameter::set_value', to delete the value from cache before setting, making the value coherent amongst threads (thanks Antonio for the fix).

make code more robust when exposed to hacking attacks

keep chain on session_ids in case the sessions change

comment out and/or drop references to money to address issue #3381

Default value for "sign" in export vars should be empty, and not "0"

- relax strict error handling on export_vars_sign for the time being

Fix regression in 'if_no_rows' idiom for db_foreach, document alternative syntax, create a test for db_foreach main functionalities

protect legacy HTTPd against XSS on error messages

    /library/xotcl/library/comm/Httpd.xotcl (-2, +6)
simplify and fix subst operation

distinguish between "install" and "upgrade" in heading and explanation text

- ad_set_cookie: add option "-samesite" and use it when the server supports it (NaviServer 4.99.18)

- use "-samesite strict" per default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from sending this cookie along with cross-site requests to mitigate cross site scripting attacks. Permissible values are [term strict], [term lax], or [term none] (default). While the value [term strict] prevents sending the cookie to the target site in all cross-site browsing contexts, the value of [term lax] allows sending the cookie when the user clicks on regular links. For details, see https://www.owasp.org/index.php/SameSite

This cookie flag is not yet part of an RFC, but most major browsers support it. Browsers that do not support it ignore the flag silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flag, in order to provide backward compatibility, the flag can't be activated by default on all cookies.
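The commit above describes the three SameSite values and the backward-compatibility reason for not marking every cookie. The following is an added example, not NaviServer or OpenACS code: it builds a Set-Cookie header with and without the attribute, and models (as a simplified assumption about browser behaviour) when a browser attaches the cookie for each value, so the difference between an unmarked cookie, lax and strict can be checked against concrete request contexts. The cookie names and request scenarios are constructed for the demo.

```python
"""Model of the SameSite cookie attribute described in the NaviServer commit.

Added example; not code from NaviServer or OpenACS. The header builder and the
browser decision model below are simplified assumptions for illustration.
"""

SAMESITE_VALUES = ("Strict", "Lax", "None")


def set_cookie_header(name, value, samesite=None, secure=True, httponly=True, path="/"):
    """Build the value of a Set-Cookie header.

    samesite=None omits the attribute entirely (the backward-compatible default
    the commit keeps for unmarked cookies); "Strict" is what the OpenACS change
    uses for signed cookies.
    """
    if samesite is not None and samesite not in SAMESITE_VALUES:
        raise ValueError(f"unsupported SameSite value: {samesite!r}")
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def browser_sends_cookie(samesite, cross_site, top_level_navigation, safe_method,
                         browser_supports_samesite=True):
    """Decide whether a browser attaches the cookie to a request.

    Simplified model (assumption) of the behaviour the commit describes:
    - same-site requests always carry the cookie;
    - Strict: never sent on cross-site requests;
    - Lax: sent on cross-site requests only for top-level navigations using a
      safe method, i.e. the user following a regular link;
    - None, an absent attribute, or a browser that ignores the attribute: always sent.
    """
    if not cross_site:
        return True
    if not browser_supports_samesite or samesite in (None, "None"):
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return bool(top_level_navigation and safe_method)
    raise ValueError(f"unsupported SameSite value: {samesite!r}")


# Constructed request contexts: (label, cross_site, top_level_navigation, safe_method)
SCENARIOS = [
    ("same-site form POST", False, False, False),
    ("user follows a link from another site", True, True, True),
    ("cross-site form POST (CSRF-style)", True, True, False),
    ("cross-site image/fetch subresource", True, False, True),
]


def policy_matrix():
    """Return {attribute setting: {scenario label: cookie sent?}} for all scenarios."""
    return {
        ("absent" if ss is None else ss): {
            label: browser_sends_cookie(ss, cs, tl, sm) for label, cs, tl, sm in SCENARIOS
        }
        for ss in (None, "Lax", "Strict")
    }


if __name__ == "__main__":
    # Weak (unmarked) setting beside the hardened one used for signed cookies.
    print("unmarked:", set_cookie_header("session", "abc123"))
    print("signed  :", set_cookie_header("signed_token", "abc123", samesite="Strict"))
    for setting, rows in policy_matrix().items():
        print(f"SameSite={setting}")
        for label, sent in rows.items():
            print(f"  {label:40s} {'sent' if sent else 'withheld'}")
```

The matrix makes the commit's trade-off visible: only the cross-site form POST row changes between absent and Lax, which is why Lax is a low-risk default for most cookies, while Strict also withholds the cookie when a user arrives via a link from another site.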

Bring files on oacs-5-10 in sync with HEAD

    /openacs-4/packages/chat/lib/transcripts.xql (-13, +0)
whitespace and spelling changes

category_tree::get_categories reform:

always return all root categories of given tree. Keep sorting by localized name, but use the en_US translation as a default when desired one is missing. Improve documentation.

Rollback of 'boolean' parameter datatype, as Oracle does not see it necessary to have 'boolean' datatypes, and does not even provide a proper alternative for what to use instead. Great. See: https://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:6263249199595#876972400346931526

Add 'boolean' parameter datatype and increase version number

file upgrade-5.10.0d12-5.10.0d13.sql was initially added on branch oacs-5-10.

Fix typo

activate warnings in case the old IE bug is still around

Whitespace changes

Fix dynamic-types package installation (many thanks to Iuri Sanpaio). See #3381

Remove trailing "Class" keyword so classes are correctly displayed in the api-doc (See #3383)

ad_sign: generalize last ad_sign handling to allow user and csrf binding

use user-specific sign operations for protecting delete operations

    /openacs-4/packages/forums/forums.info (-3, +3)
ad_sign: new optional parameter "user_binding"

The parameter user_binding allows binding a signature to a user. When the value is "-1", only the user who created the signature can obtain the value again. A value of 0 (default) means no user binding. The permissible values might be extended in the future.

bump version number to 5.10.0d24

    /openacs-4/packages/acs-tcl/acs-tcl.info (-2, +2)
Bring files on oacs-5-10 in sync with HEAD

    … 148 more files in changeset.
Secure forums delete button by protecting the message_id with a timed signature
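The "user_binding" commit above describes a signature that only the user who created it can use again, and the forums commit applies a timed signature to the message_id behind a delete button. The block below is an added example illustrating those two semantics together; it is not OpenACS's ad_sign / ad_verify_signature implementation. The scheme (HMAC-SHA256 over value, expiry and binding with a server secret), the token layout and the helper names render_delete_button / handle_delete are this example's own assumptions, and the secret and message ids are constructed for the demo.

```python
"""Timed, optionally user-bound signatures for protecting a delete operation.

Added example; this is not OpenACS's ad_sign / ad_verify_signature code, only
an illustration of the semantics the commit messages describe. The signature
scheme (HMAC-SHA256 over value, expiry and binding with a server secret) and
the token layout are this example's own assumptions.
"""
import hashlib
import hmac
import time

# Assumption: a per-server secret loaded from configuration; constructed here for the demo.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

NO_BINDING = 0      # anyone holding the signature can use it until it expires
USER_BINDING = -1   # only the user who obtained the signature can use it


def _mac(value, expires, user_binding, scope_user):
    """HMAC over everything the verifier must recheck, including the user scope."""
    msg = f"{value}|{expires}|{user_binding}|{scope_user}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def sign(value, user_id, max_age=600, user_binding=NO_BINDING, now=None):
    """Return a token 'expires:binding:mac' for value.

    With user_binding == USER_BINDING the MAC also covers user_id, so the token
    only verifies for the same user; the user id itself is not placed in the token.
    """
    if user_binding not in (NO_BINDING, USER_BINDING):
        raise ValueError(f"unsupported user_binding: {user_binding!r}")
    now = int(time.time()) if now is None else int(now)
    expires = now + int(max_age)
    scope_user = str(user_id) if user_binding == USER_BINDING else ""
    return f"{expires}:{user_binding}:{_mac(value, expires, user_binding, scope_user)}"


def verify(value, token, user_id, now=None):
    """True only if token was issued for value, has not expired and, when bound, for this user."""
    try:
        expires_s, binding_s, mac = token.split(":")
        expires, user_binding = int(expires_s), int(binding_s)
    except ValueError:
        return False
    if user_binding not in (NO_BINDING, USER_BINDING):
        return False
    now = int(time.time()) if now is None else int(now)
    if now > expires:
        return False
    scope_user = str(user_id) if user_binding == USER_BINDING else ""
    expected = _mac(value, expires, user_binding, scope_user)
    return hmac.compare_digest(mac, expected)


def render_delete_button(message_id, user_id, now=None):
    """Page side: emit message_id together with a user-bound, timed signature (hypothetical helper)."""
    sig = sign(str(message_id), user_id, max_age=300, user_binding=USER_BINDING, now=now)
    return {"message_id": message_id, "sig": sig}


def handle_delete(form, user_id, now=None):
    """Request side: refuse the delete unless the signature checks out for this user (hypothetical helper)."""
    if not verify(str(form.get("message_id", "")), form.get("sig", ""), user_id, now=now):
        return "rejected: invalid, expired or foreign signature"
    return f"deleted message {form['message_id']}"


if __name__ == "__main__":
    form = render_delete_button(4711, user_id=7, now=1000)
    print(handle_delete(form, user_id=7, now=1100))   # same user, in time: deleted
    print(handle_delete(form, user_id=8, now=1100))   # other user: rejected
    print(handle_delete(form, user_id=7, now=1301))   # after 300 s: rejected
```

Binding the user id into the MAC rather than into the token keeps the token opaque; a swapped message_id, a changed binding field or a presenter other than the original user all change the recomputed MAC, and the expiry bounds how long a leaked token stays useful.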

make sure to populate global variable for different notations of the default database

use usual spelling convention

Bring files on oacs-5-10 in sync with HEAD