OpenACS / openacs-4 / packages / acs-tcl

tcl

Tools

Line History

Line Count Graph
Line Count Graph

Stats

Commits this week: 5
Total Committers: 71
Last Commit: 03 Jun
Commits this week: 5
Total Lines of Code (LoC): 65,995
Net change in LoC this week: 0

Commit Activity

Commits By Day In Week
52 week commits volume
Commits By Day In Week
Commits by day
Commits By Day In Week
Commits by hour
Commits By Hour In Day
Commit calendar
 

Most active committers (90 days)

loading
loading
  • last updated 8 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Monday 03 Jun
7:47 pm

gustafn

Added support for relative redirects

RFC 2616 requires an absolute URI in the "Location" header field. So

if someone calls "ns_returnredirect /", NaviServer transforms it on

the fly into an absolute URL by prefixing it with the location

(e.g. https://openacs.org/). NaviServer (and OpenACS) has some complex

code to compute the location value, especially when virtual servers

are involved (or for "host-node mapped" subsites in OpenACS). The

situation is further complicated when running behind a reverse proxy

and/or in a containerized environment. In such cases, the location is

computed from the "host" request header field, which must be

validated, otherwise an attacker could hijack a session and redirect

it to a spoofed site.

The situation changed 10 years ago (June 2014) with the introduction

of RFC 7231, which allows relative redirects (see

https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2). Using relative

redirects greatly simplifies configuration and closes the attack

vector using the host header field. RFC 7231 has been superseded by

RFC 9110 (June 2022), which also supports relative redirects via the

"location" response header field (see

https://www.rfc-editor.org/rfc/rfc9110#field.location).

Since OpenACS prefixed always the URL with a location, when it

encounters are relative URL in a "ad_returnredirect", this change

makes use of the new feature of NaviServer 5.

Make sure to use a current version of NaviServer, where the support

was added recently.

Options
    • -0
    • +14
    ./00-icanuse-procs.tcl
    • -4
    • +10
    ./utilities-procs.tcl
Friday 31 May
2:01 pm

gustafn

improved robustness during bootstrap

Options
    • -7
    • +20
    ./parameter-procs.tcl
2:00 pm

gustafn

improved speling

Options
    • -2
    • +2
    ./xml-0-sgml-procs.tcl
2:00 pm

gustafn

improved spelling

Options
    • -1
    • +1
    ./acs-db-00-procs.tcl
    • -2
    • +2
    ./acs-permissions-procs.tcl
    • -2
    • +2
    ./request-processor-procs.tcl
    • -2
    • +2
    ./text-html-procs.tcl
    • -4
    • +4
    ./utilities-procs.tcl
  6. … 1 more file in changeset.
Wednesday 29 May
11:24 am

gustafn

Extended "ad_conn behind_secure_proxy_p"

This test will be now true, when either the recieved request

contains one of those request header fields.

- "X-SSL-Request: 1"

- "X-Forwarded-Proto: https"

Before, only the first variant was accepted.

The AWS load balancer uses the second variant.

Options
    • -2
    • +5
    ./request-processor-procs.tcl
Wednesday 22 May
10:34 am

trenner

fix typo

Options
    • -2
    • +2
    ./request-processor-procs.tcl
Friday 17 May
7:04 pm

gustafn

Permit "lang::message::cache" in acs::clusterwide operations

Options
    • -0
    • +1
    ./cluster-procs.tcl
7:01 pm

gustafn

improvement for ACS clusters

Incorporated changes as suggested by Jonathan Kelley

For details, see https://openacs.org/forums/message-post?parent_id=5814308

Options
    • -1
    • +2
    ./memoize-procs-naviserver.tcl
  2. … 1 more file in changeset.
4:05 pm

gustafn

Base "ad_conn behind_proxy_p" on "ns_conn details" when available

Options
    • -1
    • +6
    ./00-icanuse-procs.tcl
    • -10
    • +27
    ./request-processor-procs.tcl
Thursday 25 Apr
3:50 pm

antoniop

Make test more robust in setups where we cache permissions

Options
    • -2
    • +39
    ./test/test-permissions-procs.tcl
Friday 05 Apr
10:28 am

gustafn

Improved readability of configuration parameter "parameterSecret"

- Switched to camelCase for better readabilty and uniformity

- NaviServer configuration parameters are case insensitive, so no danger for backward compatibility

Options
    • -4
    • +4
    ./security-init.tcl
    • -6
    • +6
    ./security-procs.tcl
    • -4
    • +4
    ./tcl-documentation-procs.tcl
    • -2
    • +2
    ./utilities-procs.tcl
  5. … 2 more files in changeset.
Wednesday 27 Mar
12:46 pm

antoniop

Expand permission test suite to include definition of custom privileges in a couple of setups

Options
    • -11
    • +221
    ./test/test-permissions-procs.tcl
Tuesday 26 Mar
10:10 am

antoniop

Provide an automated test of "advanced" permission features: permission inheritance via group, or via the permission context

Options
    • -1
    • +203
    ./test/test-permissions-procs.tcl
Tuesday 19 Mar
11:47 am

antoniop

Untangle if logics

Options
    • -23
    • +30
    ./text-html-procs.tcl
11:46 am

antoniop

Reject URLs displaying multiple protocols

Options
    • -1
    • +27
    ./text-html-procs.tcl
11:44 am

antoniop

Test further improvement of injection attempt by penetration tests

Options
    • -0
    • +10
    ./test/text-html-procs.tcl
Monday 18 Mar
2:13 pm

antoniop

Strenghten validation against smarter attempts to disguise the javascript: protocol

Options
    • -10
    • +17
    ./text-html-procs.tcl
2:12 pm

antoniop

Replicate a smarter attempt by a penetration tool to disguise the javascript: protocol

Options
    • -11
    • +24
    ./test/text-html-procs.tcl
Thursday 29 Feb
12:21 pm

gustafn

Added default dbn to database drivers (acs::dc)

Align behavior with recent change in the xo::db inteface

Options
    • -5
    • +12
    ./acs-db-00-procs.tcl
Tuesday 27 Feb
5:17 pm

hectorr

Remove duplicated entry

Options
    • -5
    • +4
    ./test/acs-tcl-test-procs.tcl
Monday 26 Feb
12:54 pm

gustafn

removed legacy code from apm_transfer_file

util::http::get should be everywhere available

Options
    • -57
    • +3
    ./apm-file-procs.tcl
12:09 pm

gustafn

Rework of util::which

The new version deals now correctly with absolute paths,

where just the extensions are added, and it is checked

whether the program is executable.

Extended regression test to deal with optional and required

external dependencies. Missing optional external programs

produce warnings.

Options
    • -30
    • +46
    ./utilities-procs.tcl
    • -31
    • +91
    ./test/acs-tcl-test-procs.tcl
12:05 pm

gustafn

Reduced redundancy

call text_templates::create_pdf_from_html from

text_templates::create_pdf_content instead of replicating logic

Options
    • -31
    • +27
    ./pdf-procs.tcl
Sunday 25 Feb
6:25 pm

gustafn

Cleanup of external binaries: always use "util::which" to resolve binaries

Background: it is important to always use the same binaries of some

programs. This is important for security reasons, consistency, and

configurability (some operating systems have read-only file systems,

which might be on the path and should be avoided for some operations).

Options
    • -2
    • +2
    ./test/http-client-procs.tcl
5:13 pm

gustafn

Cleanup of external binaries: always use "util::which" to resolve binaries

Background: it is important to always use the same binaries of some

programs. This is important for security reasons, consistency, and

configurability (some operating systems have read-only file systems,

which might be on the path and should be avoided for some operations).

Options
    • -2
    • +2
    ./http-client-procs.tcl
  2. … 3 more files in changeset.
4:46 pm

gustafn

Use GNU grep when available

GNU grep is now used for the lookup of message keys using the

"--include=" parameter. This improves the speed of the command

significantly and reduces the number of external dependencies (no

"find", or "xargs" needed).

Options
    • -8
    • +9
    ./00-icanuse-procs.tcl
  2. … 1 more file in changeset.
11:49 am

gustafn

Cleanup of external binaries: always use "util::which" to resolve binaries

Options
    • -3
    • +3
    ./apm-file-procs.tcl
Friday 23 Feb
2:14 pm

antoniop

Improve test:

whether the html filter will accept or not a script tag is configuration-dependent. We now enforce that the outcome is consistent with the security check for HTML used in the filter itself.

Options
    • -1
    • +1
    ./test/acs-tcl-test-procs.tcl
Friday 16 Feb
12:38 pm

antoniop

Manually replace the ":" entity to prevent attempts at disguising "javascript:" links

Options
    • -1
    • +17
    ./text-html-procs.tcl
12:36 pm

antoniop

Replicate injection attempt by penetration tools

Options
    • -0
    • +14
    ./test/text-html-procs.tcl