• last updated 23 hours ago
Constraints: committers
Constraints: files
Constraints: dates
page filters with NUL value

Prefer "string first" over "regexp" since this is twice as fast.

Provide facilities to validate against invalid SQL strings

We introduce a new page contract filter and nsf validator called "dbtext". They implement enforcing of a value to be useable in an SQL query. Currently, this means that the value should not contain the NUL character, but the definition may change in the future or become database-specific.

The html contract filter has also be extended to reject the NUL character.

The test suite has been updated/extended to reflect the changes.

  1. … 2 more files in changeset.
Reform of error handling in ad_page_contract when template recursion is detected

A "complaint recursion" happens if a validation error takes place in one of the templates used while rendering the error page (for instance, anything we include in the master template or the master template itself).

Previously, we would give up complaining after 10 recursions were detected. This had the consequence that after 10 attempt, the failing template involved in rendering the complaint would be fed the invalid data we were trying to reject.

Now, we complain and stop the execution as soon as a recursion is detected. The error will be rendered in a very basic way that overrides the templating system, so that we can exit the recursion cycle.

In practice, only malicious page manipulation attempts should be affected by this change.

addeded page contract filter: safetclchars

safetclchars should be used in cases, were the variable value is passed

to "subst", or "eval"...

  1. … 1 more file in changeset.
Deprecate usphone page filter, as a more generic alternative exists that does not assume the US as target audience

Deprecate ad_dateentrywidget, with hardcoded values, superseded by modern features

  1. … 3 more files in changeset.
ns_quotehtml user submitted value inside error message to prevent potential XSS attack

Allow to deprecate ad_page_contract_filters, improve doc

improve spelling

  1. … 6 more files in changeset.
tmpfile page contract filter reform:

do not allow acs-subsite TmpDir parameter to define where the tmpfolder is located anymore. This MUST be the one configured in the server-wide configuration. Tmpfiles cannot be in a subfolder of the tmpfolder, they MUST be direct children instead. A tmpfile MUST exist beforehand and be owned, be readable and writable by the user running the nsd process. This complies with the definition of a tmpfile by AolServer/NaviServer when they are created to store content coming from a file upload.

  1. … 4 more files in changeset.
Extend tmpfile filter to behave in the "old way" (default), or in strict mode e.g. tmpfile(strict), enforcing the behavior for tmpfile in Aolserver/Naviserver when a form is processed

Reimplement ad_page_contract_filter_proc_tmpfile using security::safe_tmpfile_p

Some of the features implemented by this filter have been ported into the api, namely the possibility to fetch the valid temp folders from the subsite TmpDir parameter and the possibility to relax the check and allow also files deeper in the tmpfolder hierachy.

Notably, the hardcoded tmpfolders "/var/tmp" and "/tmp" have NOT been ported. One should configure these values via the many available options. security::safe_tmpfile_p is also more restrictive when a file exists, because it checks for ownership and read and write permissions on the file.

  1. … 2 more files in changeset.
Properly escape "<" and ">" in api-doc documentation.

Since all documentation is rendered via HTML, the characters

"<" and ">" have to be HTML-quoted, otherwise strange things

(omission, unintended renderings) might occur.

E.g. the sentence

Define an interface between a page and an

ADP <include> similar to the page_contract.

was rendered as

Define an interface between a page and an

ADP similar to the page_contract.

which is incorrect.

  1. … 13 more files in changeset.
Fix typo

Provide a default value for the filter

New ad_page_contract filter object_type

Rhis can enforce an object id to not only be formally correct, but also to be an object of a specific type. It can also be used as a simple existance check

  1. … 1 more file in changeset.
Update documentation

Collect common definition of an argspec flag in a proc to improve clarity

Introduce a new clock ad_page_contract filter:

this filter enforces that a datestring belongs to one of the clock formats specified in the argspec. By default, this will be %Y-%m-%d.


ad_page/include_contract argspec parsing reform: allow arbitrary characters in the argspec flag parameters

This reform allows to specify an argspec containing pipes, parenthesys and other so far forbidden characters as parameters for a flag. The purpose is to enhance the expressiveness of existing validators (e.g. the oneof validator) and enable new one, for instance, a date validator using a clock format as parameter.

Pipes and parenthesys need to be escaped via the backslash character in the new syntax.

  1. … 1 more file in changeset.
mitigate attacks, where the referer header field is changed to a malicious value

The problem does not exist, when CSP is defined properly.

Many thanks to Frank Bergmann for sharing the pen-test protocol

  1. … 2 more files in changeset.
Set ad_include_contract's local variables in a way that they are hinted as private by the "__" prefix: this reduces the chance of conflicting with popular variable names to pass to an include such as "context"

Improved spelling

  1. … 1 more file in changeset.
add log warnings when include-contract is violated, since (in most cases) the passed values should be pre-checked

make using page-filter "object_id" backwards compatible by allowing it to be used also during update scripts

  1. … 1 more file in changeset.
Reuse email validation logic

Fix ancient typo

use the right message key

VS: ----------------------------------------------------------------------

Added page_contract filter "object_id"

This change adds the page_contract filter "object_id", which validates

values whether these are syntactically acceptable as object_ids in

PostgreSQL and Oracle.

Note that before one is able to use the filter, the server has to be

restarted. Otherwise, when e.g. "apm/version_reload.tcl" would be

executed with the new filter, it would fail. So, one has to be careful

on update scripts, when people upgrade from old version not to create

a blocking mutual blocking condition.

  1. … 4 more files in changeset.