remove useless semicolon

provide a global variable as transitional code for controlling passing of password as query variable

don't pass sensitive information (e.g. password) as query variable, but use client properties instead.

see also issue #3344

moved "populate_secrect" to "sec_*" prefix to reduce clobbering of global namespace

address kernel_id always via variable rather than via method

backport security patch from oacs-5-10

add IPv6 loopback address as well as "always accepted" for web testing

allow always 127.0.0.1 in logindata as valid peer

don't trust login_cookie, when no session_cookie is provided

improve cross references in apidoc

improve spelling

improve spelling

use the random number generator from OpenSSL, when available

make debugging line more meaningful

Delete unneeded line

improve protection against attacked cookies

CSP: allow frame-ancestors

CSP: add default rules for form-action and frame-ancestors

improve spelling

improve spelling

CSP: add connect-src default rule

keep chain on session_ids in case the sessions change

- ad_set_cookie: add option "-samesite" and use it, when the server supports it (NaviServer 4.99.18)

- use "-samesite strict" per default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from sending this cookie along with cross-site requests to mitigate cross site scripting attacks. Permissible values are [term strict], [term lax], or [term none] (default). While the value [term strict] prevents sending the cookie to the target site in all cross-site browsing context, the value of [term lax] allows sending the cookie when the user clicks on regular links. For details, see https://www.owasp.org/index.php/SameSite

This cookie flag is not yet part of an RFC, but most major browsers support it. Browsers that do not support it ignore the flag silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flags, in order to provide backward compatibility, the flag can't be activated by default on all cookies.
activate warnings in case the old IE bug is still around

ad_sign: generalize last ad_sign handling to allow user and csrf binding
ad_sign: new optional parameter "user_binding"

The parameter user_binding allows to bind a signature to a user. When the value is "-1" only the user who created the signature can obtain the value again. A value of 0 (default) means no user binding. The permissible values might be extended in the future.

bump version number to 5.10.0d24

improve comments, make function private to avoid confusions

switch from security::nonce_token to ::security::csp::nonce and update comments

replace broken redirect with standard redirect function (auth::require_login)

no need for eagerly releasing handles