file upgrade-2.9.0-2.9.1d1.sql was initially added on branch oacs-5-9.

- hardening page contract

- fix trim operation

- handle leading / returned by the hardened apidoc::sanitize_path function

- don't report data source errors with status code 200 (use 422 instead)

- handle invalid input message from bug-tracker via datasource error (not perfect, but better)

- avoid potential recursive loop in error handler

- hardening page contract to avoid attack vectors

- strengthen page contract to avoid attack vectors

- protect against DOS attack with large values of m

- hardening page contract to prevent potential XSS attack

- protect against a potential XSS attack

- prevent potential sql injection attack

- hardening page contract (fix potential XSS attack)

    • -2
    • +2
    /openacs-4/packages/calendar/www/view.tcl
- fix potential traversal attack

- hardening page contracts

    • -4
    • +3
    /openacs-4/packages/search/www/search.tcl
- improve error message and error handling on ad_script_abort

    • -5
    • +8
    /openacs-4/packages/xowiki/tcl/xowiki-procs.tcl
- hardening page contracts

- make sure, url is always set

- fix robustness on mangled query parameters

- strengthen page contract

- revise last patch

- fix bug, when "description" is not set either

*** empty log message ***

- raise error, when xowiki package is initialized with an incorrect provided package_id (... and it creates a root folder for that package)

    • -17
    • +28
    /openacs-4/packages/xowiki/tcl/package-procs.tcl
- improve configurability of BootstrapNavbarModeButton

- add example, how to style Bootstrap Navbar buttons

*** empty log message ***

- revise the recent folder-path fix: don't re-encode the whole path, but only path segments (many thanks to Thomas Renner for the fix)

    • -3
    • +3
    /openacs-4/packages/xowiki/tcl/package-procs.tcl
- never call util_memoize with string substitutions, but use [list] instead

- fix bug, which occurs, when dotlrn/configure is called, when user is not logged in (portal::get_name returns a runtime error)