• last updated 12 hours ago
improved clarity of the code and simplified structure

    • -16
    • +16
    ./packages/acs-tcl/tcl/security-procs.tcl
fix for using fallback interface and wrong results for non TLS installation

Many thanks to Antonio for flagging this and providing insights

    • -3
    • +8
    ./packages/acs-tcl/tcl/security-procs.tcl
Fixes to SSE notifications

- request for Notification permission at the time we are subscribing to it, so that it happens following a user interaction, required by the API

- find a plain-text format that will keep displaying the URLs as formatted in the notification, as the API does not support HTML

    • -0
    • +16
    ./packages/notifications/www/request-new.adp
    • -2
    • +4
    ./packages/notifications/www/request-new.tcl
provide complaints for invalid repository URLs

    • -2
    • +4
    ./packages/acs-admin/tcl/apm-admin-procs.tcl
Version and CDN maintenance for tinymce

- Switched from cdnjs to jsdelivr

- Bumped upstream version number from 5.3.3 to 5.3.6

- bumped version to 2.1.9

Version and CDN maintenance for bootstrap 5

- Switched from cdnjs to jsdelivr

- Bumped upstream version number from 5.3.3 to 5.3.6

- bumped version to 6.0.0d3

bumped version number to allow packages to use multiple tags from jsdelivr

::util::resources::cdnjs_get_newest_version: support cases where multiple tags are returned

    • -2
    • +3
    ./packages/acs-tcl/tcl/utilities-procs.tcl
Version and CDN maintenance

- Switched from cdnjs to jsdelivr

- Bumped upstream version number from 1.11.3 to 1.13.1

- bumped version to 0.3d1

bumped version number to 6.0.0d4

pass version number, since it is needed in the path

added support for jsdelivr, since cdnjs misses many new releases

    • -1
    • +1
    ./packages/acs-tcl/lib/check-installed.adp
    • -3
    • +3
    ./packages/acs-tcl/lib/check-installed.tcl
    • -18
    • +52
    ./packages/acs-tcl/tcl/utilities-procs.tcl
replaced hard-coded postgres version numbers that were introduced for testing

    • -2
    • +2
    ./packages/acs-admin/www/posture-overview.tcl
backport from HEAD

    • -2
    • +23
    ./packages/acs-tcl/tcl/security-procs.tcl
fix for "security::get_secure_qualified_url" when no an old-style servername is used

    • -6
    • +27
    ./packages/acs-tcl/tcl/security-procs.tcl
Fix variable name

    • -2
    • +2
    ./packages/acs-subsite/tcl/rel-types-procs.tcl
bumped highcharts version to 12.2.0

    • -2
    • +2
    ./packages/highcharts/tcl/resource-procs.tcl
don't raise an exception, when invalid host header field is provided

Since this happens often with intrusion attempts, provide a security warning.

    • -2
    • +9
    ./packages/acs-tcl/tcl/security-procs.tcl
use "ns_log security" when available

    • -3
    • +3
    ./packages/acs-tcl/tcl/security-init.tcl
cleared editor buffer

    • -1
    • +1
    ./packages/acs-tcl/tcl/00-icanuse-procs.tcl
added: icanuse "ns_log security"

    • -0
    • +1
    ./packages/acs-tcl/tcl/00-icanuse-procs.tcl
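The two commits above (not raising on a bad Host header field, and logging through "ns_log security" where the server offers that severity) fit together; the following is an added example in the project's language, not OpenACS or NaviServer code. It validates the Host field, returns a status instead of throwing, and routes rejects to "ns_log security", falling back to "ns_log warning" on a NaviServer that lacks the severity. Assumptions: the caller supplies the hostnames this site answers for, the availability check is done with catch rather than the acs::icanuse registry, and outside NaviServer (plain tclsh) the log line goes to stderr so the example still runs.

```tcl
# Added example, not OpenACS/NaviServer code (see lead-in for assumptions).

proc log_security {msg} {
    if {[info commands ns_log] eq ""} {
        puts stderr "security: $msg"              ;# plain tclsh
    } elseif {[catch {ns_log security $msg}]} {
        ns_log warning "security: $msg"           ;# older NaviServer: no "security" severity
    }
}

proc host_header_syntax_ok {host} {
    # host[:port] with a DNS name or a bracketed IPv6 literal (RFC 3986 reg-name).
    # Spaces, slashes, "@", control characters etc. are rejected.
    return [regexp {^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::[0-9]{1,5})?$} $host]
}

proc check_host_header {host allowed} {
    # Returns ok | invalid | unknown and never throws, so a probe with a bogus
    # Host field cannot turn into a 500 plus a stack trace in the error log.
    if {![host_header_syntax_ok $host]} {
        log_security "invalid Host header field '$host'"
        return invalid
    }
    if {[string index $host 0] eq "\["} {
        regexp {^(\[[^]]*\])} $host -> name       ;# keep the IPv6 literal, drop :port
    } else {
        set name [lindex [split $host ":"] 0]     ;# drop :port
    }
    set name [string tolower $name]
    if {$name ni $allowed} {
        log_security "Host header '$host' matches no configured server name"
        return unknown
    }
    return ok
}

# Constructed sample values (not captured traffic):
set allowed {example.org www.example.org {[::1]}}
foreach h {www.example.org Example.org:8443 {[::1]:8000} evil.example.net {foo bar} {example.org/../}} {
    puts [format "%-20s -> %s" $h [check_host_header $h $allowed]]
}
```

Inside a NaviServer request the value to check is `[ns_set iget [ns_conn headers] host]`; the allowlist would come from the server's configured hostnames. The first two sample hosts yield ok, the IPv6 one yields ok because the literal is allowlisted, the unknown domain yields unknown, and the last two are reported as invalid without any exception being raised.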
new feature: added database vulnerability checks to posture overview

Extended the /acs-admin/posture-overview page to include known CVEs for both the database client library and the database server in use. Previously, the overview displayed privacy and privilege analyses and flagged vulnerable JavaScript libraries; it now also surfaces database-related vulnerabilities.

* Leverage the NaviServer–nsdbpg API to fetch and display client- and server-side version numbers

* Drive this feature via a database-agnostic interface—only the nsdbpg driver currently returns versions, but support for other databases can be added by updating their drivers (no NaviServer core changes required)

To use this new feature, use the latest NaviServer and nsdbpg releases. Otherwise, the section "Database Vulnerability Check" won't appear.

    • -0
    • +52
    ./packages/acs-admin/www/posture-overview.adp
    • -3
    • +63
    ./packages/acs-admin/www/posture-overview.tcl
    • -7
    • +76
    ./packages/acs-tcl/tcl/utilities-procs.tcl
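Two entries on this page deal with version numbers: picking the newest version when the CDN metadata query returns several tags (the cdnjs_get_newest_version change above), and comparing the database client and server versions reported by the driver with a known-fixed baseline (the posture-overview feature). The following is an added example in Tcl, not OpenACS or nsdbpg code; it serves both passages. Assumptions: the tag list and the "latest minor per major line" table are constructed placeholders (not real release data; a real check would fetch that table, or the CVE list, from the upstream project), and the driver hands back the version in one of the three shapes listed in the comments, which is an assumption about nsdbpg rather than a statement of its API.

```tcl
# Added example, not OpenACS or nsdbpg code (see lead-in for assumptions).

proc newest_version {tags} {
    # Keep only dotted-numeric tags: prerelease tags such as 5.4.0-beta or
    # the symbolic tag "latest" make [package vcompare] throw.
    set candidates [lmap t $tags {
        set t [string trimleft $t v]
        if {![regexp {^\d+(\.\d+)*$} $t]} continue
        set t
    }]
    return [lindex [lsort -decreasing -command {package vcompare} $candidates] 0]
}

proc pg_version_normalize {raw} {
    # Accepts the shapes a PostgreSQL driver may report:
    #   "PostgreSQL 15.4 on x86_64-pc-linux-gnu, ..."   (SELECT version())
    #   "15.4"                                           (SHOW server_version)
    #   150004                                           (server_version_num, PQlibVersion)
    # and returns "major.minor" ("major.minor.patch" for pre-10 releases).
    if {[string is integer -strict $raw]} {
        if {$raw >= 100000} {
            return "[expr {$raw / 10000}].[expr {$raw % 10000}]"
        }
        return "[expr {$raw / 10000}].[expr {($raw / 100) % 100}].[expr {$raw % 100}]"
    }
    if {[regexp {(\d+(?:\.\d+)+)} $raw -> v]} {
        return $v
    }
    error "unrecognised PostgreSQL version string: $raw"
}

proc pg_minors_behind {version latest_by_major} {
    # Number of minor releases the running version is behind the newest minor
    # of its major line (0 = current); -1 if the major line is not in the table.
    set parts [split $version .]
    set major [lindex $parts 0]
    if {$major < 10} { set major [join [lrange $parts 0 1] .] }   ;# 9.6, 9.5, ...
    if {![dict exists $latest_by_major $major]} { return -1 }
    set latest [dict get $latest_by_major $major]
    if {[package vcompare $version $latest] >= 0} { return 0 }
    return [expr {[lindex [split $latest .] end] - [lindex $parts end]}]
}

# Constructed CDN tag list, shaped like what a metadata query may return:
puts "newest tag: [newest_version {v5.3.6 5.3.3 5.4.0-beta latest}]"

# Constructed placeholder table (not real release data):
set latest {15 15.6 16 16.2 9.6 9.6.24}
foreach raw {150004 "PostgreSQL 15.6 on x86_64-pc-linux-gnu" 9.6.20 170000} {
    set v [pg_version_normalize $raw]
    puts [format "%-40s -> %-7s minors behind: %d" $raw $v [pg_minors_behind $v $latest]]
}
```

With the constructed inputs the newest tag is 5.3.6 (the beta and "latest" are skipped rather than breaking the comparison), 150004 normalises to 15.4 and is two minors behind, 15.6 is current, 9.6.20 is four behind, and 17.0 is reported as -1 because the table knows nothing about that line, which is the case a posture page should display as "no data" rather than "not vulnerable".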
Adjusted results for file updates

Many thanks to Khy H.

For details, see https://openacs.org/forums/message-view?message_id=7412487

Fixed snyk vulnerability check (backport from HEAD)

Snyk page has changed, we have to switch the pattern we are looking for.

Bumped version number to flag the change to "upgrade from repository"

    • -2
    • +2
    ./packages/acs-tcl/tcl/utilities-procs.tcl
Fixed snyk vulnerability check

Snyk page has changed, we have to switch the pattern we are looking for.

    • -2
    • +2
    ./packages/acs-tcl/tcl/utilities-procs.tcl
bump version numbers

- update upstream version to 7.6.1

- bump package number to 2.1.8

Do not modify posted form data when logging the request. In addition, mask log output for all fields having password in their name.

    • -6
    • +9
    ./packages/acs-tcl/tcl/utilities-procs.tcl
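The entry above fixes two things at once: the request logger must not alter the posted form data it is logging, and any field whose name contains "password" must be masked in the log line. The following is an added example in Tcl, not OpenACS code, showing a logger that builds a masked copy and leaves the original pairs untouched. Assumptions: the form arrives as a flat key/value list, which is what `[ns_set array [ns_conn form]]` yields inside NaviServer; the sample POST body is constructed.

```tcl
# Added example, not OpenACS code (see lead-in for assumptions).

proc mask_for_log {pairs {mask ***}} {
    # Build a new list instead of editing $pairs in place: the request handler
    # keeps using the real values after the request has been logged.
    set masked {}
    foreach {key value} $pairs {
        if {[string match -nocase *password* $key]} {
            set value $mask          ;# password, new_Password, old-password, ...
        }
        lappend masked $key $value
    }
    return $masked
}

proc request_form_log_line {pairs} {
    # One "key=value" item per field; returned as text so the caller can pass
    # it to ns_log or inspect it.
    set items {}
    foreach {key value} [mask_for_log $pairs] {
        lappend items "$key=$value"
    }
    return [join $items ", "]
}

# Constructed sample POST body (not real data):
set form {email alice@example.org password hunter2 confirm_Password hunter2 old-password x}
puts "logged:   [request_form_log_line $form]"
puts "original: [dict get $form password]"   ;# still the real value: the form was not modified
```

The logged line reads `email=alice@example.org, password=***, confirm_Password=***, old-password=***`, while `dict get $form password` still returns the submitted value, which is the property the commit restores: masking happens on a copy made for the log, not on the data the request goes on to process.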
set focus via HTML "autofocus" attribute

improved comments

    • -12
    • +13
    ./packages/acs-subsite/lib/login.tcl
added a log message, when login page expires (happens seldom)