OpenACS / openacs-4 / packages / acs-tcl / tcl

utilities-procs.tcl

Tools

Line History

Line Count Graph
Line Count Graph

Stats

Commits this week: 0
Total Committers: 33
Last Commit: 31 Jan 19
Commits this week: 0
Total Lines of Code (LoC): 4,264
Net change in LoC this week: 0

Commit Activity

Commits By Day In Week
52 week commits volume
Commits By Day In Week
Commits by day
Commits By Day In Week
Commits by hour
Commits By Hour In Day
Commit calendar
 

Most active committers (90 days)

loading
loading
  • last updated 18 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Sunday 27 Nov 2022
6:55 pm

gustafn

improve spelling

Options
    • -7
    • +7
    ./utilities-procs.tcl
  2. … 9 more files in changeset.
Saturday 26 Nov 2022
5:46 pm

gustafn

New API "ad_mktmpdir" and "ad_opentmpfile"

Since "ns_mktemp" is deprecated (on the C level) and is prone

to vulnerabilities. This effects as well "ad_tmpnam" in OpenACS,

which uses "ns_mktemp".

Newer C-compilers complain about this more loudly:

Due to security concerns inherent in the design of mktemp(3),

it is highly recommended that you use mkstemp(3) instead.

The security concern is that when ns_mktemp() is used to generate a

(unique) file name, which is used for opening a file, an attacker can

intercept the running binary and sneak in a different file. Although

ns_mktemp() guarantees to return a unique file name, there is no

mechanism to prevent another process or an attacker from creating a

file with the same name before the application attempts to open it.

The problem with using mkstemp() instead is that it has different

semantics, since it returns the open file. So one cannot blindly

replace these calls, but it requires some refactoring. Unfortunately,

this also effects application code, since NaviServer offers

"ns_mktemp" on the Tcl level.

To make it short: one has to separate out different use_cases of

"ad_tmpnam":

(a) use it to obtain a name for creating a file, which is subsequently opened

(b) use it to obtain a name for creating a directory

(c) use it as a name, providing name as a unique name to some external programs.

Case (a) is similar to the "mkstemp(3)" recommendation above. For this

usage scenario, the call "file tmpfile..." in Tcl 8.6 can be used (but

it should also respect the configured tmp directory. This function

is also very similar to "ns_opentempdir" in NaviServer, which uses

as well "file tmpfile". Therefore, we have created a new API call

"ad_opentmpdir ..." which respects the OpenACS settings.

Case (b) can be addressed by "file tempdir" in Tcl 8.7, or by a function

in tcllib. The new API function "ad_mktmpdir" provides respects the

OpenACS settings, and works for Tcl 8.6 or newer.

Case (c) is somewhat different, since it just wants to create a unique name. This case has not received a special API so far

Options
    • -65
    • +42
    ./utilities-procs.tcl
  2. … 1 more file in changeset.
Tuesday 08 Nov 2022
7:04 pm

gustafn

Deescalation: the usage of the pairs in export_vars is not so dangerous as it looked at first sight.

The problem case was originating from the call

lappend __vars [lindex $_var 0] [uplevel subst [lindex $_var 1]]

which calls Tcl's "uplevel" with two arguments. In this case, the arguments

are concatenated and the evaluated in the caller's frame. There is a substitution

before the evaluation. When just one argument is passed in, this problem there

is only one evaluation:

lappend __vars [lindex $_var 0] [uplevel [list subst [lindex $_var 1]]]

Options
    • -5
    • +5
    ./utilities-procs.tcl
  2. … 1 more file in changeset.
2:59 pm

gustafn

added warning to export_vars

Options
    • -1
    • +8
    ./utilities-procs.tcl
10:55 am

trenner

make ad_sanitize_filename more robust to filenames with parentheses + extend automated tests

Options
    • -4
    • +7
    ./utilities-procs.tcl
  2. … 1 more file in changeset.
Monday 07 Nov 2022
2:34 pm

gustafn

new API call util::potentially_unsafe_eval_p

Check content of the string to identify potentially unsafe content

in the provided string. The content is unsafe, when it contains

externally provided content, which might be provided e.g. via

query variables, or via user values stored in the database. When

such content contains square braces, a "subst" command on

theses can evaluate arbitrary commands, which is dangerous.

The new API call is used in "::xo::Package->return_page", where the

"subst" command stripped from its command substitution capabilities.

In case, command subsitution is needed, perform this prior this call.

bumped acs-tcl to 5.10.1d23

bumped xotcl-core to 5.10.1d13

Options
    • -1
    • +40
    ./utilities-procs.tcl
  2. … 3 more files in changeset.
Sunday 23 Oct 2022
8:19 pm

gustafn

don't create version directory in a checking function

Options
    • -1
    • +6
    ./utilities-procs.tcl
Tuesday 11 Oct 2022
11:12 am

antoniop

Util user messages reform: do not store the messages persistently in the database, as they are volatile in nature

Options
    • -3
    • +3
    ./utilities-procs.tcl
11:04 am

antoniop

Util user message reform: when a message is repeated, do not create a new entry, but just increase a counter, which will be displayed when the message is retrieved

Increase test coverage

Options
    • -3
    • +6
    ./utilities-procs.tcl
  2. … 1 more file in changeset.
Wednesday 28 Sep 2022
10:20 am

gustafn

Give people the chance to use OpenACS with WithDeprecatedCode set to 0

When OpenACS is configured to omit loading of long deprecated code

(WithDeprecatedCode set to 0) files like deprecated-procs.tcl are not

loaded. Therefore, these files should only contain code, which was

deprecated at LEAST ONE RELEASE EARLIER, such that site admins have

one release time to fix calls to deprecated code. This is especially

important for public procs.

Options
    • -2
    • +107
    ./utilities-procs.tcl
  2. … 1 more file in changeset.
Tuesday 13 Sep 2022
11:33 am

antoniop

Document public api

Options
    • -2
    • +3
    ./utilities-procs.tcl
  2. … 1 more file in changeset.
11:27 am

antoniop

Add doc to public api, fix obvious bug

Options
    • -3
    • +11
    ./utilities-procs.tcl
Monday 12 Sep 2022
6:23 pm

antoniop

Document public api

Options
    • -1
    • +11
    ./utilities-procs.tcl
  2. … 1 more file in changeset.
Tuesday 06 Sep 2022
1:43 pm

antoniop

Deprecate util_get_current_url, superseded by ad_return_url

Options
    • -2
    • +7
    ./utilities-procs.tcl
1:17 pm

antoniop

Deprecate export_entire_form_as_url_vars and replace occurrences, add a new -formvars flag to export vars to implement the behavior of the proc, that is, export a subset of the variables coming from the current request

Options
    • -4
    • +31
    ./utilities-procs.tcl
  2. … 5 more files in changeset.
11:44 am

antoniop

Deprecate export_ns_set_vars and extend export_vars to be able to export also a custom ns_set, which was the real added value provided by this api

Options
    • -7
    • +19
    ./utilities-procs.tcl
  2. … 11 more files in changeset.
10:15 am

antoniop

Reimplement util_subset_p

Options
    • -39
    • +25
    ./utilities-procs.tcl
9:42 am

antoniop

Deprecate util_report_successful_library_load

Options
    • -2
    • +2
    ./utilities-procs.tcl
9:40 am

antoniop

Deprecate util_commify_number, replace occurrences and translate automated tests

Options
    • -2
    • +14
    ./utilities-procs.tcl
  2. … 9 more files in changeset.
7:48 am

antoniop

Deprecate export_entire_form

Options
    • -2
    • +2
    ./utilities-procs.tcl
7:21 am

antoniop

Deprecate util_AnsiDatetoPrettyDate

Options
    • -2
    • +7
    ./utilities-procs.tcl
  2. … 2 more files in changeset.
7:09 am

antoniop

Deprecate util_report_library_entry

Options
    • -2
    • +9
    ./utilities-procs.tcl
6:55 am

antoniop

Formatting changes

Options
    • -14
    • +30
    ./utilities-procs.tcl
Monday 05 Sep 2022
6:43 pm

antoniop

Deprecate util::string_check_urlsafe

Options
    • -2
    • +6
    ./utilities-procs.tcl
6:32 pm

antoniop

Simplify implementation

Options
    • -54
    • +6
    ./utilities-procs.tcl
5:57 pm

antoniop

After some experiments, reinstate the faster version of util_sets_equal_p: this wins (~20% faster) in particular when the sets to be compared are larger

Options
    • -15
    • +2
    ./utilities-procs.tcl
5:19 pm

antoniop

Cleanup duplicated and slower proc definition

Options
    • -13
    • +1
    ./utilities-procs.tcl
Tuesday 23 Aug 2022
8:44 pm

gustafn

Properly escape "<" and ">" in api-doc documentation.

Since all documentation is rendered via HTML, the characters

"<" and ">" have to be HTML-quoted, otherwise strange things

(omission, unintended renderings) might occur.

E.g. the sentence

Define an interface between a page and an

ADP <include> similar to the page_contract.

was rendered as

Define an interface between a page and an

ADP similar to the page_contract.

which is incorrect.

Options
    • -7
    • +6
    ./utilities-procs.tcl
  2. … 13 more files in changeset.
Thursday 11 Aug 2022
3:49 pm

gustafn

Generalized "version_dir" handling a little for download specs

The problem was that bootstrap5 uses a version directory, which

consists of the version plus an extra string element. The previous

version assumed that the version is always used as a directory name.

Whe track now the versionDir information in the resource_info dict and

use this, when available (otherwise the version number is used as before).

The resource_info dict contains now the following path components:

# Provide paths for loading either via /resources/ or CDN

#

# "resourceDir" is the absolute path in the filesystem

# "resourceUrl" is the URL path provided to the request processor

# "versionDir" is the version-specific element both in the

# URL and in the filesystem.

#

bumped acs-tcl to 5.10.1d19

Options
    • -1
    • +27
    ./utilities-procs.tcl
  2. … 2 more files in changeset.
Tuesday 12 Jul 2022
5:15 pm

antoniop

Deprecate ad_apply, made obsolete in modern Tcl by the expansion operator "{*}"

Options
    • -3
    • +8
    ./utilities-procs.tcl
  2. … 4 more files in changeset.