• last updated 15 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Extend test suite to check behavior validating external URLs

Fixes for regression test: util_http_json_encoding

This change corrects 2 bugs, causing the regression test to fail under certain circumstances:

1) use for test location [::acs::test::url] instead of [ad_url]

The call [::acs::test::url] should be used for all tests in the regression tests and avoids

problems with wrong URLs when running e.g. in a container

2) When running on a setup with self-signed certificates, the curl requests require a "-k"

flag to be passed. Otherwise, the regression test fails.

  1. … 1 more file in changeset.
Fix test case

Extend test suite

provide a better domain name for temporal accounts in regression test

Reflect api changes in the test suite

In the end we do phase out the util_expand_entities* procs for being too lame

Good riddance

  1. … 1 more file in changeset.
a protocol relative URL is not complete, but it can be understood as external

  1. … 1 more file in changeset.
Extend the test cases for util_complete_url_p with a case of protocol-relative URL

Test util_expand_entities and util_expand_entities_ie_style

This test will show that since the long broken parenthesys in util_expand_entities_ie_style were fixed in a recent commit, this proc will just not work.

After further consideration, ns_absoluteurl is actually sufficient to preform location header completion on its own and does not need a wrapper utility

  1. … 3 more files in changeset.
Streamline terminology with other occurrences in OpenACS and NaviServer/AOLserver

- the term "location" is usually used in OpenACS/NaviServer/AOLserver for the

part of a URL before the path (i.e. SCHEME+HOST+PORT)

- the new function util::absolute_url is a value-added version of NaviServer's "ns_absoluteurl".

This is now documented with its differences, and aligned with its terminology

  1. … 2 more files in changeset.
Introduce util::complete_location

This utility is meant to require the value of the Location header in an HTTP response to be completed vith the host coming from a reference complete URL, which is normally that of the redirected request.

It is intended for use in the context of HTTP client APIs, where we want to handle server responses affected by https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2

  1. … 3 more files in changeset.
Make test more robust in setups where we cache permissions

Expand permission test suite to include definition of custom privileges in a couple of setups

Provide an automated test of "advanced" permission features: permission inheritance via group, or via the permission context

Test further improvement of injection attempt by penetration tests

Replicate a smarter attempt by a penetration tool to disguise the javascript: protocol

Remove duplicated entry

Rework of util::which

The new version deals now correctly with absolute paths,

where just the extensions are added, and it is checked

whether the program is executable.

Extended regression test to deal with optional and required

external dependencies. Missing optional external programs

produce warnings.

  1. … 1 more file in changeset.
Cleanup of external binaries: always use "util::which" to resolve binaries

Background: it is important to always use the same binaries of some

programs. This is important for security reasons, consistency, and

configurability (some operating systems have read-only file systems,

which might be on the path and should be avoided for some operations).

Improve test:

whether the html filter will accept or not a script tag is configuration-dependent. We now enforce that the outcome is consistent with the security check for HTML used in the filter itself.

Replicate injection attempt by penetration tools

bugfix: fixed test test_ad_register_proc when running in a container

When runnig in a container, one cannot use util_current_localtion, which refers

to the URL to reach the server from the container host. To address the server

inside the container, acs::test::url should be used.

This change does not matter for non-containerized applications

Provide facilities to validate against invalid SQL strings

We introduce a new page contract filter and nsf validator called "dbtext". They implement enforcing of a value to be useable in an SQL query. Currently, this means that the value should not contain the NUL character, but the definition may change in the future or become database-specific.

The html contract filter has also be extended to reject the NUL character.

The test suite has been updated/extended to reflect the changes.

  1. … 2 more files in changeset.
improved spelling

Move test from acs-kernel to acs-tcl, add remarks

  1. … 1 more file in changeset.
Make URLs assumed to be hosted on openacs.org absolute

  1. … 3 more files in changeset.
Improve test for singleton package parameters (aka instance parameters of singleton packages):

- do not choose a parameter at random, test them all instead

- do not test for global parameters. For those, the api will behave differently

- do not test for parameters coming from the configuration file. The parameter::* api does not allow to manipulate those

- do not check for packages that are not mounted. A value would not be found for those

fix typo