request-processor-procs.tcl

new API call ::security::csp::add_static_resource_header

The API call sets the CSP rule on the current connection for a static
resource depending on the MIME type.

# Sample definition for custom CSP rules for static files in the
# OpenACS configuration file.
#
# ns_section ns/server/$server/acs {
# ...
# ns_param StaticCSP {
# image/svg+xml "script-src 'none'"
# }
# ...
# }
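The following is an added example and not OpenACS code: it shows how a per-MIME-type rule in the shape of the StaticCSP parameter above can be resolved and turned into a Content-Security-Policy header on the current connection. The proc names static_csp_policy and static_csp_header, the dict layout, the fallback to "no header" and the sample rules are assumptions; the SVG case is the motivating one, since an SVG file can embed a script element and "script-src 'none'" keeps it from executing when the file is opened directly.

```tcl
# Added example, not OpenACS code: resolve a per-MIME-type CSP value for a
# static file from a dict shaped like the StaticCSP parameter and set the
# header on the current connection. The proc names, the dict layout and the
# sample rules below are assumptions.

# Constructed sample rules, same shape as the StaticCSP parameter:
# MIME type -> CSP value. An SVG can embed <script>; "script-src 'none'"
# keeps that script from running when the SVG is opened as a document.
set ::staticCSP {
    image/svg+xml  "script-src 'none'"
    text/html      "default-src 'self'"
}

# Return the CSP value configured for mimeType, or "" when there is none.
# Parameters such as "; charset=utf-8" are stripped and the type is lowered
# before the lookup, so "Image/SVG+XML; charset=utf-8" still matches.
proc static_csp_policy {mimeType {rules ""}} {
    if {$rules eq ""} { set rules $::staticCSP }
    set base [string tolower [string trim [lindex [split $mimeType ";"] 0]]]
    if {[dict exists $rules $base]} {
        return [dict get $rules $base]
    }
    return ""
}

# Set Content-Security-Policy on the current connection when a rule exists.
# ns_conn outputheaders and ns_set update are NaviServer commands, so this
# proc only works inside a NaviServer request; the lookup above does not.
proc static_csp_header {mimeType} {
    set policy [static_csp_policy $mimeType]
    if {$policy ne ""} {
        ns_set update [ns_conn outputheaders] Content-Security-Policy $policy
    }
    return $policy
}

# Stand-alone check of the lookup (runs in plain tclsh, no server needed):
foreach t {image/svg+xml "Image/SVG+XML; charset=utf-8" image/png} {
    set p [static_csp_policy $t]
    puts [format "%-34s -> %s" $t [expr {$p eq "" ? "(no CSP header)" : $p}]]
}
```

With the sample rules, both SVG spellings resolve to "script-src 'none'" and image/png gets no header. After wiring such a proc into the static-file path, the check a practitioner wants is a plain request for an SVG (for example with curl -sI) and a look at the Content-Security-Policy response header: a policy that is only applied to HTML pages does nothing for a script-bearing SVG that is opened directly.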

bump version number of acs-tcl to 5.10.1d13

  1. … 3 more files in changeset.
remove commented out code

Revert additional fallbacks, one should take care that ad_conn is invoked correctly

Provide further fallbacks for ad_conn

improve spelling and formulations

  1. … 2 more files in changeset.
Provide a fallback for vhost_url in ad_conn for code executed before this value has been set by the request processor

improve comment

avoid errors on attacks against request header field "Upgrade-Insecure-Requests"

added a partial backwards compatibility implementation for ns_baseunit (as used in request processor)

  1. … 1 more file in changeset.
move broken procs based on undefined function to deprecated procs and comment it out

  1. … 2 more files in changeset.
Fix typo

Streamline idiom and merge if condition

mitigate attacks where the referer header field is changed to a malicious value

The problem does not exist when CSP is defined properly.

Many thanks to Frank Bergmann for sharing the pen-test protocol

  1. … 2 more files in changeset.
Add missing argument expansion and comply with automated test

prettify error message

fixed bug in redirects and disabled acs-testing package, changed node info from array to dict

Fix expression to the original intention: check if ns_conn url ends with ad_conn extra_url

fix once more handling of internal redirects in error cases

many thanks to thomas renner!

Fixed a bug in the request processor, when URL is /%3F

The problem was that /%3F corresponds to a URL which is literally '/?'
(question mark is not the separator for query variables). In this case
a "string match" operation to determine the suffix based on this
string will lead to unexpected characters since '?' is a match
character. This led in turn to a problem with redirects to the
internal redirect of custom error pages. So, in this case (and
probably others) the custom error page was not displayed.
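As an added example (not OpenACS code, and not a reproduction of the request processor's actual line), the block below shows the glob problem described in the commit above and a literal comparison that avoids it: a decoded URL such as "/?" interpolated into a "string match" pattern turns '?' into a single-character wildcard, so unrelated URLs match. The proc names suffix_by_match, suffix_literal, prefix_literal and glob_escape are assumptions; the decoded value is constructed inline rather than obtained from ns_urldecode so the block runs in plain tclsh.

```tcl
# Added example, not OpenACS code: the glob problem behind the /%3F bug and
# literal comparisons that avoid it. The procs are assumptions and do not
# reproduce the request processor's actual code.

# "/%3F" decodes to the literal two-character URL "/?" (constructed here; in
# NaviServer the decoding would come from ns_urldecode).
set decoded "/?"

# Fragile: the decoded URL becomes part of a "string match" pattern, where
# '?' matches any single character and '*', '[' and '\' are special too.
proc suffix_by_match {url tail} {
    return [string match "*$tail" $url]
}

# Literal suffix test: compare only the last [string length $tail] characters.
proc suffix_literal {url tail} {
    set n [string length $tail]
    if {$n == 0} { return 1 }
    if {$n > [string length $url]} { return 0 }
    return [string equal [string range $url end-[expr {$n - 1}] end] $tail]
}

# Literal prefix test: -length limits the comparison to the prefix length.
proc prefix_literal {url head} {
    set n [string length $head]
    return [expr {$n <= [string length $url] && [string equal -length $n $url $head]}]
}

# When a glob pattern really is needed, escape the metacharacters first so
# the URL is matched literally.
proc glob_escape {s} {
    return [string map {\\ \\\\ * \\* ? \\? [ \\[} $s]
}

# Demonstration of the false positive and the literal alternatives.
puts "string match: '/x' ends with '$decoded'? [suffix_by_match /x $decoded]"
puts "literal:      '/x' ends with '$decoded'? [suffix_literal /x $decoded]"
puts "literal:      '/?' ends with '$decoded'? [suffix_literal $decoded $decoded]"
puts "literal:      '/?a' starts with '$decoded'? [prefix_literal /?a $decoded]"
puts "escaped pattern '[glob_escape $decoded]*' matches '/x'?  [string match "[glob_escape $decoded]*" /x]"
puts "escaped pattern '[glob_escape $decoded]*' matches '/?a'? [string match "[glob_escape $decoded]*" /?a]"
```

With these inputs suffix_by_match reports "/x" as ending in "/?" because the pattern "*/?" accepts any character after the slash, while suffix_literal does not; the escaped pattern "/\?*" rejects "/x" and accepts "/?a". The general rule is the one the commit points at: anything derived from the request (path, extra_url, query) must never be interpolated into a glob or regular expression without escaping, and a plain prefix or suffix test needs no pattern at all.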

improve comments

added minor debugging aids, make disk-cache more similar to ns_cache

  1. … 2 more files in changeset.
Make api public, complies with acs-api-browser.graph__bad_calls automated test

  1. … 4 more files in changeset.
mark functions called only internally as private

  1. … 15 more files in changeset.
make use of built-in reverse proxy mode of newer versions of NaviServer

  1. … 1 more file in changeset.
make end of options explicit

  1. … 42 more files in changeset.
improve spelling (follow LDP)

  1. … 15 more files in changeset.
avoid trying to return an error to client in request processor when connection was already closed

Prefer 'namespace which' over 'info commands', as it is faster (on local tests, around 2x) and returns a single value. Many thanks to Nathan Coulter.

  1. … 58 more files in changeset.
added "ad_conn bot_p" to check whether request was initiated by a bot

This feature is based on a simple heuristic based on the user-agent
(which can be certainly extended). It is useful to avoid e.g. Google
bot running into "notifications subscribe" + login attempts, which
are useful for not-logged-in users, but not for bots. These attempts
lead to failures in google statistics that might reduce the google
ranking of a web site.

  1. … 2 more files in changeset.
improve handling of errors, which are triggered by the error template