Activity OpenACS/

1:04 pm

gernst

Quote error message to better protect against XSS attacks

- -2
- +2
/openacs-4/packages/xotcl-core/tcl/context-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../tcl/context-procs.tcl

12:21 pm

gustafn

Added default dbn to database drivers (acs::dc)

Align behavior with recent change in the xo::db inteface

- -5
- +12
/openacs-4/packages/acs-tcl/tcl/acs-db-00-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../acs-db-00-procs.tcl

12:04 pm

gustafn

Added parameter to define a default dbn to a database connection

By this change, one can now define a default dbn at the creation time

of a database connection object. Before, it was necessary to pass

the "-dbn" value to every single command. The parameter can still be

used for particular queries as before to overrule the default.

Example for defining a connection context to a pool named "legacy"

using the PostgreSQL database interface

::xo::db::DB-postgresql create ::xo::dc1 -dialect postgresql -dbn legacy

lappend _ [::xo::dc1 get_value . {select count(*) from acs_objects}]

lappend _ [::xo::dc get_value . {select count(*) from acs_objects}]

#> 660 51606

- -10
- +15
/openacs-4/packages/xotcl-core/tcl/05-db-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../tcl/05-db-procs.tcl

2:36 pm

antoniop

"An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing"

See e.g. https://cloud.google.com/blog/products/data-analytics/iframe-sandbox-tutorial

We set in xooauth/tcl/lti-procs.tcl a restrictive default (all sandboxing restrictions are applied by default). Users should relax it according to their embedded application.

xooauth/www/admin/lti-test.tcl is not really a productive file, so we set the already hardcoded value to no-sandboxing and note that this would be appropriate.

- -1
- +1
/openacs-4/packages/xooauth/tcl/lti-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../tcl/lti-procs.tcl
- -7
- +8
/openacs-4/packages/xooauth/www/admin/lti-test.tcl
- History
- Source
- Diff
/openacs-4/packages/.../admin/lti-test.tcl

5:17 pm

hectorr

Remove duplicated entry

- -5
- +4
/openacs-4/packages/acs-tcl/tcl/test/acs-tcl-test-procs.tcl
- History
- Source
- Diff
/openacs-4/.../acs-tcl-test-procs.tcl

4:05 pm

File-Storage used to generate downloaded archives in tgz format, to then switch to zip, more user-friendly, in particular outside the Linux world (See https://openacs.org/forums/message-view?message_id=557561). To ease the transition, a couple of parameters and relative API were introduced that would allow to choose the preferred command one should use. During this reform however, default parameter values in the tcl code became inconsistent with those in the info file. Furthermore, the chosen defaults were set as absolute paths to the executable, which is not friendly to non-linux environments, or other scenarios where the "typical" Linux filesystem structure cannot be assumed (e.g. containers, MacOS...).

The only usage of this parameters/api was in fact in the download-archive vuh. In upstream codebase, no package references this file, not even the file-storage itself. Upon review, one could see that the file would also allow to specify a custom download filename via the path, which could be considered questionable. It would also execute the command in a way that once again assumes some form of Linux environment (e.g. invoking bash).

Save for the ability to customize the archive format and the anti-feature of being able to manipulate the archive filename via the path, the script largely relplicates www/download-zip, in a better shape after a few reforms hinted by e.g. penetration tools.

Given the aformentioned considerations, I have decided to make download-archive a simple redirect to download-zip. Specifying the object_id via the path will keep working, while URLs out there expecting the name to change will not fail, but the name will not be modified. The archive format will from now on be assumed to be zip.

- -4
- +2
/openacs-4/packages/file-storage/file-storage.info
- History
- Source
- Diff
/openacs-4/packages/.../file-storage.info
- -1
- +15
/openacs-4/packages/file-storage/tcl/file-storage-install-procs.tcl
- History
- Source
- Diff
/openacs-4/.../file-storage-install-procs.tcl
- -2
- +2
/openacs-4/packages/file-storage/tcl/file-storage-procs.tcl
- History
- Source
- Diff
/openacs-4/.../file-storage-procs.tcl
- -47
- +1
/openacs-4/packages/file-storage/tcl/test/file-storage-procs.tcl
- History
- Source
- Diff
/openacs-4/.../file-storage-procs.tcl
- -57
- +24
/openacs-4/packages/file-storage/www/download-archive/index.vuh
- History
- Source
- Diff
/openacs-4/packages/.../index.vuh

12:54 pm

gustafn

removed legacy code from apm_transfer_file

util::http::get should be everywhere available

- -57
- +3
/openacs-4/packages/acs-tcl/tcl/apm-file-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../apm-file-procs.tcl

12:09 pm

gustafn

Rework of util::which

The new version deals now correctly with absolute paths,

where just the extensions are added, and it is checked

whether the program is executable.

Extended regression test to deal with optional and required

external dependencies. Missing optional external programs

produce warnings.

- -30
- +46
/openacs-4/packages/acs-tcl/tcl/utilities-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../utilities-procs.tcl
- -31
- +91
/openacs-4/packages/acs-tcl/tcl/test/acs-tcl-test-procs.tcl
- History
- Source
- Diff
/openacs-4/.../acs-tcl-test-procs.tcl

12:05 pm

gustafn

Reduced redundancy

call text_templates::create_pdf_from_html from

text_templates::create_pdf_content instead of replicating logic

- -31
- +27
/openacs-4/packages/acs-tcl/tcl/pdf-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../tcl/pdf-procs.tcl

12:03 pm

gustafn

Use for new installation relative path names for external programs per default

- -1
- +1
/openacs-4/packages/acs-tcl/acs-tcl.info
- History
- Source
- Diff
/openacs-4/packages/acs-tcl/acs-tcl.info

10:58 am

gustafn

removed code, which was commented out since ages.

- -25
- +0
/openacs-4/packages/xowiki/tcl/yui-init.tcl
- History
- Source
- Diff
/openacs-4/packages/.../tcl/yui-init.tcl

10:57 am

gustafn

Cleanup of external binaries: always use "util::which" to resolve binaries

- -6
- +6
/openacs-4/packages/acs-subsite/tcl/email-image-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../email-image-procs.tcl
- -3
- +3
/openacs-4/packages/acs-subsite/www/shared/portrait-bits.tcl
- History
- Source
- Diff
/openacs-4/packages/.../portrait-bits.tcl
- -3
- +3
/openacs-4/packages/evaluation-portlet/tcl/test/tclwebtest-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../tclwebtest-procs.tcl
- -3
- +3
/openacs-4/packages/file-storage/tcl/test/webtest-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../webtest-procs.tcl
- -3
- +3
/openacs-4/packages/xotcl-request-monitor/www/index.tcl
- History
- Source
- Diff
/openacs-4/packages/.../www/index.tcl
- -1
- +3
/openacs-4/packages/xowiki/www/ckeditor-images/upload_image.tcl
- History
- Source
- Diff
/openacs-4/packages/.../upload_image.tcl

10:54 am

gustafn

deprecate unused command cr_check_orphaned_files

- -2
- +2
/openacs-4/packages/acs-content-repository/tcl/acs-content-repository-procs.tcl
- History
- Source
- Diff
/openacs-4/.../acs-content-repository-procs.tcl

10:52 am

gustafn

reduced number of external dependencies

- -2
- +2
/openacs-4/packages/acs-automated-testing/tcl/tclwebtest-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../tclwebtest-procs.tcl

10:51 am

gustafn

fixed typo

- -2
- +2
/openacs-4/packages/acs-automated-testing/tcl/aa-test-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../tcl/aa-test-procs.tcl

6:29 pm

gustafn

Improved consistency with external programs

Since "unzip" is used as well on various other places,

use it as well in the file storage. This means that

the parameter "UnzipBinary" for the file-storage package

is now obsolete.

- -1
- +0
/openacs-4/packages/file-storage/file-storage.info
- History
- Source
- Diff
/openacs-4/packages/.../file-storage.info
- -2
- +2
/openacs-4/packages/file-storage/www/file-add.tcl
- History
- Source
- Diff
/openacs-4/packages/.../www/file-add.tcl

6:25 pm

gustafn

Cleanup of external binaries: always use "util::which" to resolve binaries

Background: it is important to always use the same binaries of some

programs. This is important for security reasons, consistency, and

configurability (some operating systems have read-only file systems,

which might be on the path and should be avoided for some operations).

- -2
- +2
/openacs-4/packages/acs-tcl/tcl/test/http-client-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../http-client-procs.tcl

5:13 pm

gustafn

Cleanup of external binaries: always use "util::which" to resolve binaries

Background: it is important to always use the same binaries of some

programs. This is important for security reasons, consistency, and

configurability (some operating systems have read-only file systems,

which might be on the path and should be avoided for some operations).

- -1
- +1
/openacs-4/packages/acs-admin/tcl/acs-admin-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../acs-admin-procs.tcl
- -2
- +2
/openacs-4/packages/acs-automated-testing/tcl/aa-test-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../tcl/aa-test-procs.tcl
- -2
- +2
/openacs-4/packages/acs-tcl/tcl/http-client-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../http-client-procs.tcl
- -2
- +2
/openacs-4/packages/caldav/tcl/caldav-interface-procs.tcl
- History
- Source
- Diff
/openacs-4/.../caldav-interface-procs.tcl

4:46 pm

gustafn

Use GNU grep when available

GNU grep is now used for the lookup of message keys using the

"--include=" parameter. This improves the speed of the command

significantly and reduces the number of external dependencies (no

"find", or "xargs" needed).

- -4
- +29
/openacs-4/packages/acs-lang/www/admin/message-usage-include.tcl
- History
- Source
- Diff
/openacs-4/.../message-usage-include.tcl
- -8
- +9
/openacs-4/packages/acs-tcl/tcl/00-icanuse-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../00-icanuse-procs.tcl

4:43 pm

gustafn

Removed obsolete files www/admin/lookups-include.tcl

The file www/admin/lookups-include.tcl was replaced some time ago by

www/admin/message-usage-include.tcl but as it looks, not removed from

the repository.

- -23
- +0
/openacs-4/packages/acs-lang/www/admin/lookups-include.tcl
- History
- Source
- Diff
/openacs-4/packages/.../lookups-include.tcl

11:49 am

gustafn

Cleanup of external binaries: always use "util::which" to resolve binaries

- -3
- +3
/openacs-4/packages/acs-tcl/tcl/apm-file-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../apm-file-procs.tcl

11:40 am

gustafn

Cleanup of external binaries: always use "util::which" to resolve binaries

Furthermore, this change makes the handling of "identify" consistent

with "convert". Before, the parameter "ImageMagickIdentifyBinary"

could not be modified via the parameter settings, only

"ImageMagickConvertBinary" was defined.

Bump version number to 5.10.1b3 to pick up additional parameter.

- -3
- +4
/openacs-4/packages/acs-content-repository/acs-content-repository.info
- History
- Source
- Diff
/openacs-4/.../acs-content-repository.info
- -9
- +9
/openacs-4/packages/acs-content-repository/tcl/image-procs.tcl
- History
- Source
- Diff
/openacs-4/packages/.../tcl/image-procs.tcl

2:14 pm

antoniop

Improve test:

whether the html filter will accept or not a script tag is configuration-dependent. We now enforce that the outcome is consistent with the security check for HTML used in the filter itself.