• last updated 10 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
fix typo

Permit "lang::message::cache" in acs::clusterwide operations

improvement for ACS clusters

Incorporated changes as suggested by Jonathan Kelley

For details, see https://openacs.org/forums/message-post?parent_id=5814308

  1. … 1 more file in changeset.
Base "ad_conn behind_proxy_p" on "ns_conn details" when available

    • -10
    • +27
    ./tcl/request-processor-procs.tcl
Make test more robust in setups where we cache permissions

    • -2
    • +39
    ./tcl/test/test-permissions-procs.tcl
Improved readability of configuration parameter "parameterSecret"

- Switched to camelCase for better readabilty and uniformity

- NaviServer configuration parameters are case insensitive, so no danger for backward compatibility

  1. … 2 more files in changeset.
Expand permission test suite to include definition of custom privileges in a couple of setups

    • -11
    • +221
    ./tcl/test/test-permissions-procs.tcl
Provide an automated test of "advanced" permission features: permission inheritance via group, or via the permission context

    • -1
    • +203
    ./tcl/test/test-permissions-procs.tcl
Untangle if logics

Reject URLs displaying multiple protocols

Test further improvement of injection attempt by penetration tests

Strenghten validation against smarter attempts to disguise the javascript: protocol

Replicate a smarter attempt by a penetration tool to disguise the javascript: protocol

Added default dbn to database drivers (acs::dc)

Align behavior with recent change in the xo::db inteface

Remove duplicated entry

removed legacy code from apm_transfer_file

util::http::get should be everywhere available

Rework of util::which

The new version deals now correctly with absolute paths,

where just the extensions are added, and it is checked

whether the program is executable.

Extended regression test to deal with optional and required

external dependencies. Missing optional external programs

produce warnings.

    • -31
    • +91
    ./tcl/test/acs-tcl-test-procs.tcl
Reduced redundancy

call text_templates::create_pdf_from_html from

text_templates::create_pdf_content instead of replicating logic

Use for new installation relative path names for external programs per default

Cleanup of external binaries: always use "util::which" to resolve binaries

Background: it is important to always use the same binaries of some

programs. This is important for security reasons, consistency, and

configurability (some operating systems have read-only file systems,

which might be on the path and should be avoided for some operations).

Cleanup of external binaries: always use "util::which" to resolve binaries

Background: it is important to always use the same binaries of some

programs. This is important for security reasons, consistency, and

configurability (some operating systems have read-only file systems,

which might be on the path and should be avoided for some operations).

  1. … 3 more files in changeset.

Use GNU grep when available

GNU grep is now used for the lookup of message keys using the

"--include=" parameter. This improves the speed of the command

significantly and reduces the number of external dependencies (no

"find", or "xargs" needed).

  1. … 1 more file in changeset.
Cleanup of external binaries: always use "util::which" to resolve binaries

Improve test:

whether the html filter will accept or not a script tag is configuration-dependent. We now enforce that the outcome is consistent with the security check for HTML used in the filter itself.

Manually replace the ":" entity to prevent attempts at disguising "javascript:" links

Replicate injection attempt by penetration tools

page filters with NUL value

Prefer "string first" over "regexp" since this is twice as fast.

security::validated_host_header: Made acceptance of configured vhosts the first check

Under certain conditions (such as running in a container, or reverse

proxy situations) the admin of a server wants to specify accepted host

names. This can be achieved in the "*/servers" section of a network

driver. These values are used now first for accepting host header

fields. This change avoids unexpected redirects to, e.g., internal

server addresses.

bugfix: fixed test test_ad_register_proc when running in a container

When runnig in a container, one cannot use util_current_localtion, which refers

to the URL to reach the server from the container host. To address the server

inside the container, acs::test::url should be used.

This change does not matter for non-containerized applications

    • -2
    • +2
    ./tcl/test/request-processor-procs.tcl
Provide facilities to validate against invalid SQL strings

We introduce a new page contract filter and nsf validator called "dbtext". They implement enforcing of a value to be useable in an SQL query. Currently, this means that the value should not contain the NUL character, but the definition may change in the future or become database-specific.

The html contract filter has also be extended to reject the NUL character.

The test suite has been updated/extended to reflect the changes.

  1. … 1 more file in changeset.