• last updated 18 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Fix variable name after refactoring

fixed typo

Updated location handling

- make use of "ns_server hosts" when available

- refactored and simplified code

- keep validated locations in an nsv array

- added support for extra white-listed hosts

in case, every other configuration fails

(should not be necessary)

ns_section ns/server/$server/acs {

ns_param whitelistedHosts {...}

}

- updated inline documentation

The new code is supposed to handle in combination of a recent NaviServer

all complex host header validation scenarios, include running behind a proxy,

in a container or cluster.

Updated icanuse registry

- added "ns_ip", "ns_subnetmatch", and "ns_server hosts"

- sorted commands alphabetically

whitespace changes

modernize code

moved long time deprecated function "ad_approval_system_inuse_p" to deprecated-procs

Improved comments and make code more robust in regards of legacy setups

Added support for relative redirects

RFC 2616 requires an absolute URI in the "Location" header field. So

if someone calls "ns_returnredirect /", NaviServer transforms it on

the fly into an absolute URL by prefixing it with the location

(e.g. https://openacs.org/). NaviServer (and OpenACS) has some complex

code to compute the location value, especially when virtual servers

are involved (or for "host-node mapped" subsites in OpenACS). The

situation is further complicated when running behind a reverse proxy

and/or in a containerized environment. In such cases, the location is

computed from the "host" request header field, which must be

validated, otherwise an attacker could hijack a session and redirect

it to a spoofed site.

The situation changed 10 years ago (June 2014) with the introduction

of RFC 7231, which allows relative redirects (see

https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2). Using relative

redirects greatly simplifies configuration and closes the attack

vector using the host header field. RFC 7231 has been superseded by

RFC 9110 (June 2022), which also supports relative redirects via the

"location" response header field (see

https://www.rfc-editor.org/rfc/rfc9110#field.location).

Since OpenACS prefixed always the URL with a location, when it

encounters are relative URL in a "ad_returnredirect", this change

makes use of the new feature of NaviServer 5.

Make sure to use a current version of NaviServer, where the support

was added recently.

improved robustness during bootstrap

improved speling

improved spelling

  1. … 1 more file in changeset.
Extended "ad_conn behind_secure_proxy_p"

This test will be now true, when either the recieved request

contains one of those request header fields.

- "X-SSL-Request: 1"

- "X-Forwarded-Proto: https"

Before, only the first variant was accepted.

The AWS load balancer uses the second variant.

fix typo

Permit "lang::message::cache" in acs::clusterwide operations

improvement for ACS clusters

Incorporated changes as suggested by Jonathan Kelley

For details, see https://openacs.org/forums/message-post?parent_id=5814308

  1. … 1 more file in changeset.
Base "ad_conn behind_proxy_p" on "ns_conn details" when available

Make test more robust in setups where we cache permissions

Improved readability of configuration parameter "parameterSecret"

- Switched to camelCase for better readabilty and uniformity

- NaviServer configuration parameters are case insensitive, so no danger for backward compatibility

  1. … 2 more files in changeset.
Expand permission test suite to include definition of custom privileges in a couple of setups

    • -11
    • +221
    ./test/test-permissions-procs.tcl
Provide an automated test of "advanced" permission features: permission inheritance via group, or via the permission context

    • -1
    • +203
    ./test/test-permissions-procs.tcl
Untangle if logics

Reject URLs displaying multiple protocols

Test further improvement of injection attempt by penetration tests

Strenghten validation against smarter attempts to disguise the javascript: protocol

Replicate a smarter attempt by a penetration tool to disguise the javascript: protocol

Added default dbn to database drivers (acs::dc)

Align behavior with recent change in the xo::db inteface

Remove duplicated entry

removed legacy code from apm_transfer_file

util::http::get should be everywhere available

Rework of util::which

The new version deals now correctly with absolute paths,

where just the extensions are added, and it is checked

whether the program is executable.

Extended regression test to deal with optional and required

external dependencies. Missing optional external programs

produce warnings.