• last updated 12 hours ago
Constraints: committers
Constraints: files
Constraints: dates
Set "softrecreate" in nsf o avoid full cleanup on redefinition of classes

fix typo

    • -1
    • +1
New package parameter for acs-tcl: DbLogMinDuration

This parameter can be used to adjust the time threshold for longdb

warnings in the log file. When SQL logging is turned on, it might

also adjust the threshold, unless it is already more sensitive.

Bump version number to 5.10.1d25.

  1. … 1 more file in changeset.
improve spelling

  1. … 4 more files in changeset.
improve resolution in fallback case

Moved the experimental disk-cache from utilities to the other cacheing infrastructure

Make use of new API "ad_mktmpdir" and "ad_opentmpfile" instead of "ad_tmpnam"

    • -3
    • +3
  1. … 1 more file in changeset.
New API "ad_mktmpdir" and "ad_opentmpfile"

Since "ns_mktemp" is deprecated (on the C level) and is prone

to vulnerabilities. This effects as well "ad_tmpnam" in OpenACS,

which uses "ns_mktemp".

Newer C-compilers complain about this more loudly:

Due to security concerns inherent in the design of mktemp(3),

it is highly recommended that you use mkstemp(3) instead.

The security concern is that when ns_mktemp() is used to generate a

(unique) file name, which is used for opening a file, an attacker can

intercept the running binary and sneak in a different file. Although

ns_mktemp() guarantees to return a unique file name, there is no

mechanism to prevent another process or an attacker from creating a

file with the same name before the application attempts to open it.

The problem with using mkstemp() instead is that it has different

semantics, since it returns the open file. So one cannot blindly

replace these calls, but it requires some refactoring. Unfortunately,

this also effects application code, since NaviServer offers

"ns_mktemp" on the Tcl level.

To make it short: one has to separate out different use_cases of


(a) use it to obtain a name for creating a file, which is subsequently opened

(b) use it to obtain a name for creating a directory

(c) use it as a name, providing name as a unique name to some external programs.

Case (a) is similar to the "mkstemp(3)" recommendation above. For this

usage scenario, the call "file tmpfile..." in Tcl 8.6 can be used (but

it should also respect the configured tmp directory. This function

is also very similar to "ns_opentempdir" in NaviServer, which uses

as well "file tmpfile". Therefore, we have created a new API call

"ad_opentmpdir ..." which respects the OpenACS settings.

Case (b) can be addressed by "file tempdir" in Tcl 8.7, or by a function

in tcllib. The new API function "ad_mktmpdir" provides respects the

OpenACS settings, and works for Tcl 8.6 or newer.

Case (c) is somewhat different, since it just wants to create a unique name. This case has not received a special API so far

  1. … 1 more file in changeset.
Bugfix: Get database name from postgres connection string keywords

The connection string can be provided for libpq either as the plain

dbname (old style) or as a list of keywords (new style).

In the latter case, the full keyword string was returned

instead of the dbname.

fixed typo (many thanks to Franz Penz for spotting this)

Replaced "ns_mktemp" by "ad_tmpnam" to ease code maintenance

The underlying C library API for "ns_mktemp" is deprecated

for security reasons, we will have to do something about it.

    • -3
    • +3
  1. … 8 more files in changeset.
document right changes on new installs for api-doc

make behavior more robust when (erronously) called without a connection

without handling no-connection, the error message is swallowed

improve Oracle compatibility

Minor CSP improvements

- provided ability to add "trusted-types" and "require-trusted-types-for"

directives (Trusted Types policies)

For details, see:


- changed default "object-src" from 'self' to 'none'

improve Oracle compatibility

Deescalation: the usage of the pairs in export_vars is not so dangerous as it looked at first sight.

The problem case was originating from the call

lappend __vars [lindex $_var 0] [uplevel subst [lindex $_var 1]]

which calls Tcl's "uplevel" with two arguments. In this case, the arguments

are concatenated and the evaluated in the caller's frame. There is a substitution

before the evaluation. When just one argument is passed in, this problem there

is only one evaluation:

lappend __vars [lindex $_var 0] [uplevel [list subst [lindex $_var 1]]]

  1. … 1 more file in changeset.
added warning to export_vars

added optional parameter "-timeout" to "CACHE eval ..." method

make ad_sanitize_filename more robust to filenames with parentheses + extend automated tests

new API call util::potentially_unsafe_eval_p

Check content of the string to identify potentially unsafe content

in the provided string. The content is unsafe, when it contains

externally provided content, which might be provided e.g. via

query variables, or via user values stored in the database. When

such content contains square braces, a "subst" command on

theses can evaluate arbitrary commands, which is dangerous.

The new API call is used in "::xo::Package->return_page", where the

"subst" command stripped from its command substitution capabilities.

In case, command subsitution is needed, perform this prior this call.

bumped acs-tcl to 5.10.1d23

bumped xotcl-core to 5.10.1d13

  1. … 3 more files in changeset.
Deactivate api-doc access for all registered users by default

Over many years, all "Registered Users" got per default access

to /api-doc. This is probably OK, when one assumes that the

registered users are developers. However, providing source code

access to all registered users can pose a security thread,

especially on large sites.

For new installs, api-doc is now just accessible for site-wide admins.

Providing more liberal rights for users can be achieved via

setting the permissions via the sitemap.

don't create version directory in a checking function

fix typo

align spelling to LDP recommendations

improve Oracle compatibility (many thanks to Raul Rodriguez)

  1. … 2 more files in changeset.
make spelling more consistent

improve source code comments

new feature for caching infrastructure: flag "-per_request"

When this feature is used, the cache is locked max 1 time per request,

the results are stable for this request. This feature is useful for caches

having a potentially high number of locks per request.

The new feature is used currently for checking, if a package is enabled.

Util user messages reform: do not store the messages persistently in the database, as they are volatile in nature