• last updated 8 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
distinguish between "install" and "upgrade" in heading and explanation text

- ad_set_cookie: add option "-samesite" and use it, when the server supports it (NaviServer 4.99.18)

- use "-samesite strict" per default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from

sending this cookie along with cross-site requests to mitigate cross site

scripting attacks. Permissible values are [term strict], [term lax],

or [term none] (default). While the value [term strict] prevents

sending the cookie to the target site in all cross-site browsing

context, the value of [term lax] allows sending the cookie when the

user clicks on regular links. For details, see

https://www.owasp.org/index.php/SameSite

This cookie flag is not yet part of an RFC, but most major browsers

support it. Browsers that do not support it, ignore the flag

silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flags, in order to

provide backward compatibility, the flag can't be activated by

default on all cookies.

Bring files on oacs-5-10 in sync with HEAD

    • -13
    • +0
    /openacs-4/packages/chat/lib/transcripts.xql
whitespace and spelling changes

category_tree::get_categories reform:

always return all root categories of given tree. Keep sorting by localized name, but use the en_US translation as a default when desired one is missing. Improve documentation.

Rollback of 'boolean' parameter datatype, as oracle does not see necessary to have 'boolean' datatypes, and they do not even provide with a proper alternative on what to use instead. Great. See: https://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:6263249199595#876972400346931526

Add 'boolean' parameter datatype and increase version number

file upgrade-5.10.0d12-5.10.0d13.sql was initially added on branch oacs-5-10.

Fix typo

activate warnings in case the old IE bug is still around

Whitespace changes

Fix dynamic-types package installation (many Thanks to Iuri Sanpaio) See #3381

Remove trailing "Class" keyword so classes are correctly displayed in the api-doc (See #3383)

ad_sign: generalize last ad_sign handling to

allow user and csrf binding

use user-specific sign operations for protecting delete operations

    • -3
    • +3
    /openacs-4/packages/forums/forums.info
ad_sign: new optional parameter "user_binding"

The parameter user_binding allows to bind a signature to a user.

When the value is "-1" only the user who created the signature can

obtain the value again. A value of 0 (default) means no user binding.

The permissible values might be extended in the future.

bump version number to 5.10.0d24

    • -2
    • +2
    /openacs-4/packages/acs-tcl/acs-tcl.info
Bring files on oacs-5-10 in sync with HEAD

  1. … 148 more files in changeset.
Secure forums delete button by protecting the message_id with a timed signature

make sure to populate global variable for different notations of the default database

use usual spelling convention

Bring files on oacs-5-10 in sync with HEAD

add missing file

Fix incorrect default value

Whitespace changes + editor hints

    • -74
    • +74
    /openacs-4/packages/glossar/tcl/glossar-procs.tcl
    • -27
    • +33
    /openacs-4/packages/glossar/www/glossar-add.tcl
    • -15
    • +21
    /openacs-4/packages/glossar/www/glossar-edit.tcl
    • -131
    • +126
    /openacs-4/packages/jabber/www/edit-user-2.tcl
  1. … 11 more files in changeset.
Replace/remove deprecated proc 'db_null'

  1. … 11 more files in changeset.
Remove deprecated proc 'db_nullify_empty_string' from doc

Whitespace changes + editor hints

    • -55
    • +55
    /openacs-4/packages/acs-tcl/tcl/install-procs.tcl
    • -422
    • +422
    /openacs-4/packages/assessment/tcl/as-qti-procs.tcl
    • -16
    • +22
    /openacs-4/packages/logger/tcl/util-procs.tcl
  1. … 5 more files in changeset.
Replace/remove deprecated proc 'db_null' and update doc accordingly

  1. … 19 more files in changeset.
Deprecate 'db_nullify_empty_string', essentially just returning the same string it receives

Deprecate 'db_null'