OpenACS / openacs-4 / packages / acs-tcl / tcl

security-procs.tcl

Tools

Line History

Line Count Graph
Line Count Graph

Stats

Commits this week: 0
Total Committers: 22
Last Commit: 30 Apr
Commits this week: 0
Total Lines of Code (LoC): 2,822
Net change in LoC this week: 0

Commit Activity

Commits By Day In Week
52 week commits volume
Commits By Day In Week
Commits by day
Commits By Day In Week
Commits by hour
Commits By Hour In Day
Commit calendar
 

Most active committers (90 days)

loading
loading
  • last updated 8 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Thursday 02 Feb 2017
10:59 pm

gustafn

Prettify code

Options
    • -4
    • +5
    ./security-procs.tcl
12:30 pm

gustafn

- improve proc documentation

Options
    • -6
    • +14
    ./security-procs.tcl
12:26 pm

gustafn

- Make security::locations aware of potentially multiple drivers listening on multiple ports

- use "ns_driver info" when available

Options
    • -93
    • +194
    ./security-procs.tcl
  2. … 1 more file in changeset.
Thursday 29 Dec 2016
8:42 pm

gustafn

security::validated_host_header:

- check also in nssock sections for v4 and v6

- check as well virtual server configuration

Options
    • -14
    • +32
    ./security-procs.tcl
Thursday 01 Dec 2016
3:37 pm

gustafn

- perform nonce-computation independent of user_id computation

Options
    • -2
    • +12
    ./security-procs.tcl
3:31 pm

gustafn

- put resetting of untrusted user_id to the right place

Options
    • -4
    • +1
    ./security-procs.tcl
  2. … 1 more file in changeset.
3:26 pm

gustafn

- provide initial value for untrusted user_id

Options
    • -2
    • +5
    ./security-procs.tcl
3:13 pm

gustafn

- setting nonce always (also for non-authenticated requests)

Options
    • -3
    • +2
    ./security-procs.tcl
Tuesday 22 Nov 2016
10:13 am

gustafn

- use variable names consistently

Options
    • -4
    • +4
    ./security-procs.tcl
10:09 am

gustafn

- fix handling of csrf token

Options
    • -3
    • +3
    ./security-procs.tcl
Friday 11 Nov 2016
6:05 pm

gustafn

- make sure, that the sec_handler's global variables are always set (also in error cases, blocked bots, etc.)

Options
    • -1
    • +12
    ./security-procs.tcl
Thursday 29 Sep 2016
11:24 pm

gustafn

- allow csrf token generation in background jobs

Options
    • -5
    • +12
    ./security-procs.tcl
Thursday 22 Sep 2016
7:23 pm

gustafn

- improve comments

Options
    • -4
    • +10
    ./security-procs.tcl
Thursday 15 Sep 2016
9:23 am

gustafn

- added default CSP directive "font-src data:"

Options
    • -1
    • +7
    ./security-procs.tcl
Tuesday 13 Sep 2016
10:23 am

gustafn

- adding "-force" parameter to security::csp::require

- bump version number to 5.9.1d12

Options
    • -3
    • +21
    ./security-procs.tcl
  2. … 1 more file in changeset.
Monday 12 Sep 2016
10:29 am

gustafn

- Refine security policies: when necessary, define both a nonce and a

'unsafe-inline' to ensure compatibility on some less adavanced

browsers

- use same "secure" setting for ad_session_id, otherwise, just the

last one is honored

- fix linefeed and semicolon in js for focus handling

Options
    • -23
    • +26
    ./security-procs.tcl
  2. … 2 more files in changeset.
Friday 09 Sep 2016
10:27 am

gustafn

- add CSP directive "img-src 'self'" per default

Options
    • -1
    • +2
    ./security-procs.tcl
Tuesday 06 Sep 2016
7:33 pm

gustafn

- Added support for W3C Content Security Policy(CSP)

* For details about CSP, see https://www.w3.org/TR/CSP/

* New calls:

security::csp::nonce:

Generate a CSP nonce token token

security::csp::require /directive/ /value/:

Add a requirements of a page to the CSP in order to generate

later a tailored policy with the minimal permissions for

this page. For example, the following requirement is

currently added per default to the oacs-master template to

permit style tags and style attribites in the markup.

security::csp::require style-src 'unsafe-inline'

security::csp::render:

Generate a policy from the requirements

* Added Kernel Parameter CSPEnabledP to activate/desctivate CSP

(default on)

- Bump version numbers

acs-tcl to 5.9.1d11

acs-bootstrap-installer to 5.9.1d4

acs-kernel to 5.9.1d17

Options
    • -33
    • +124
    ./security-procs.tcl
  2. … 7 more files in changeset.
10:14 am

gustafn

- new function ::security::nonce_token to generate a nonce token as described in W3C Content Security Policy

Options
    • -5
    • +51
    ./security-procs.tcl
Monday 05 Sep 2016
10:32 am

gustafn

- security::redirect_to_secure: add flag "-script_abort" to make it

usable in filter procs (ad_script_abort triggers errors without

error message)

- security::get_secure_location:

* align implementation to function documentation (to make it usable

for sub-sites). Last version returned always the "configured

secure" location, not the "current secure location"

* replace regexps by util::split_location/util::join_location/

Options
    • -22
    • +16
    ./security-procs.tcl
Friday 02 Sep 2016
10:08 pm

gustafn

- add kernel parameter to make ad_session_id cookies secure (useful on sites, where all sessions are via https, improves security rating on e.g. mozillas observatory tool)

Options
    • -3
    • +7
    ./security-procs.tcl
  2. … 1 more file in changeset.
9:16 pm

gustafn

- reduce redundancy handling legacy network drivers

- simplify code

Options
    • -33
    • +14
    ./security-procs.tcl
7:33 pm

gustafn

- fix bug for host-node-mapped subsites: on the (subsite) admin-page

of a host-node-mapped subsites, the link to site-wide-admin should

always point to the main site.

- add new helper function util::configured_location to address the bug

above to return the configured location as configured for the

current network driver. While [util_current_location] honors the

virtual host information of the host header field,

util::configured_location returns the main configured location

(probably the main subsite).

- extend [util_driver_info]

* make the passed-in array name optional and to return always a dict

* include the configured host name in the result (dict/array)

- add cross references via @see to make it easier to switch between

related functions

- bump version number of acs-tcl to 5.9.1d10 and acs-subsite to

5.9.1d7 to address dependencies

Options
    • -5
    • +8
    ./security-procs.tcl
  2. … 6 more files in changeset.
Tuesday 30 Aug 2016
1:01 pm

gustafn

security-procs:

- fix broken comparisons when "UseHostnameDomainforReg" is set

(see also issue #3293).

- don't use string match/regesub when manipulating URLs

(causes troubles with IP-literal notation). Instead, us

"eq" or "util::split_location"/"util::join_location"

- added means to ease debugging of login_urls and login_cookie:

variables "::security::log(login_url)" and

"::security::log(login_cookie)" contain the log severity.

by setting these to e.g. "notice", this does not require

to activate full debugging (setting severity to debug) in order

to obtain log output.

Options
    • -53
    • +90
    ./security-procs.tcl
Monday 29 Aug 2016
1:42 pm

gustafn

- address bug #3293: actual code in oacs-5-9 used full host header

(from request header fields) which might contain port.

db-query is now performed without the optional port

- improve Tcl coding (use defaults, break long lines)

Options
    • -9
    • +12
    ./security-procs.tcl
Saturday 20 Aug 2016
8:58 am

gustafn

- security::validated_host_header: Handle aliases for locations, which cannot be determined from config files, but which are supposed to be ok

Options
    • -1
    • +14
    ./security-procs.tcl
Friday 19 Aug 2016
5:27 pm

gustafn

- don't report urls in security::locations obtained form https drivers which loaded but not listening (identifiable via port number 0)

Options
    • -4
    • +15
    ./security-procs.tcl
Wednesday 08 Jun 2016
9:17 am

gustafn

- unset coockies with the same "-secure" setting, which was used when creating it (differed for ad_session_id and ad_user_login).

Options
    • -3
    • +3
    ./security-procs.tcl
Tuesday 07 Jun 2016
11:34 am

gustafn

- improve documentation

Options
    • -11
    • +19
    ./security-procs.tcl
Saturday 04 Jun 2016
1:10 pm

gustafn

- improve behavior on invalid host headers and comment the purpose in more detail

Options
    • -2
    • +20
    ./security-procs.tcl
  2. … 1 more file in changeset.