improve spelling

  1. … 9 more files in changeset.
New API "ad_mktmpdir" and "ad_opentmpfile"

Since "ns_mktemp" is deprecated (on the C level) and is prone
to vulnerabilities. This affects as well "ad_tmpnam" in OpenACS,
which uses "ns_mktemp".

Newer C-compilers complain about this more loudly:

    Due to security concerns inherent in the design of mktemp(3),
    it is highly recommended that you use mkstemp(3) instead.

The security concern is that when ns_mktemp() is used to generate a
(unique) file name, which is used for opening a file, an attacker can
intercept the running binary and sneak in a different file. Although
ns_mktemp() guarantees to return a unique file name, there is no
mechanism to prevent another process or an attacker from creating a
file with the same name before the application attempts to open it.

The problem with using mkstemp() instead is that it has different
semantics, since it returns the open file. So one cannot blindly
replace these calls, but it requires some refactoring. Unfortunately,
this also affects application code, since NaviServer offers
"ns_mktemp" on the Tcl level.

To make it short: one has to separate out different use cases of
"ad_tmpnam":

(a) use it to obtain a name for creating a file, which is subsequently opened

(b) use it to obtain a name for creating a directory

(c) use it as a name, providing name as a unique name to some external programs.

Case (a) is similar to the "mkstemp(3)" recommendation above. For this
usage scenario, the call "file tmpfile..." in Tcl 8.6 can be used (but
it should also respect the configured tmp directory). This function
is also very similar to "ns_opentempdir" in NaviServer, which uses
as well "file tmpfile". Therefore, we have created a new API call
"ad_opentmpdir ..." which respects the OpenACS settings.

Case (b) can be addressed by "file tempdir" in Tcl 8.7, or by a function
in tcllib. The new API function "ad_mktmpdir" respects the
OpenACS settings, and works for Tcl 8.6 or newer.

Case (c) is somewhat different, since it just wants to create a unique name. This case has not received a special API so far.

  1. … 1 more file in changeset.
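
Added example, not part of the commit or of the OpenACS/NaviServer sources: case (a) from the commit message above in plain Tcl 8.6, showing why an exclusive create closes the window between choosing a name and opening it. The helper "open_tmp_excl", the scratch directory and the file names are hypothetical and constructed for this illustration.

```tcl
# Hypothetical helper: choose a name and create the file in one atomic step.
proc open_tmp_excl {dir {prefix tmp-}} {
    for {set i 0} {$i < 100} {incr i} {
        set path [file join $dir \
            [format %s%08x $prefix [expr {int(rand() * 0x7fffffff)}]]]
        try {
            # CREAT + EXCL: the existence check and the creation are a single
            # operation, so a name planted by another process is never reused.
            # (The name need not be unpredictable for this to hold.)
            return [list [open $path {WRONLY CREAT EXCL} 0600] $path]
        } trap {POSIX EEXIST} {} {
            continue   ;# name already taken: try another one
        }
    }
    error "no free temporary name in $dir"
}

# Constructed scratch directory for the demonstration.
set dir [file join [pwd] tmpdemo]
file mkdir $dir

# The pattern being replaced: a name is obtained first and opened later.
# Here the name is created in between, standing in for another process.
set name [file join $dir upload.tmp]
close [open $name w]

# A plain [open $name w] would truncate and reuse that foreign file.
# The exclusive open refuses it instead:
if {[catch {open $name {WRONLY CREAT EXCL} 0600} msg]} {
    puts "refused: $msg"
}

# Name generation and creation in one step, returning the open channel.
lassign [open_tmp_excl $dir] chan path
puts $chan "payload"
close $chan

# Tcl 8.6 built-in with the same property; the template selects the
# directory and the name prefix.
set chan2 [file tempfile path2 [file join $dir oacs-]]
close $chan2

puts "created [file tail $path] and [file tail $path2]"
file delete -force $dir
```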
Deescalation: the usage of the pairs in export_vars is not so dangerous as it looked at first sight.

The problem case was originating from the call

    lappend __vars [lindex $_var 0] [uplevel subst [lindex $_var 1]]

which calls Tcl's "uplevel" with two arguments. In this case, the arguments
are concatenated and then evaluated in the caller's frame. There is a substitution
before the evaluation. When just one argument is passed in, there
is only one evaluation:

    lappend __vars [lindex $_var 0] [uplevel [list subst [lindex $_var 1]]]

  1. … 1 more file in changeset.
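
Added example, not part of the commit or of export_vars itself: the two "uplevel" forms quoted in the commit message above, run side by side on a constructed value. The procs "pair_two_args", "pair_one_list", "page" and "marker" are hypothetical stand-ins; "marker" only counts how often it is called.

```tcl
set ::evaluations 0
proc marker {} {
    # harmless stand-in for a command embedded in externally provided text
    incr ::evaluations
    return "EVALUATED"
}

proc pair_two_args {_var} {
    # uplevel with two arguments: they are concatenated into the script
    #   subst $value
    # The caller's frame expands $value while parsing that script, and
    # "subst" then substitutes the resulting *content* a second time.
    return [list [lindex $_var 0] [uplevel subst [lindex $_var 1]]]
}

proc pair_one_list {_var} {
    # uplevel with one list argument: the script is
    #   subst {$value}
    # "subst" receives the literal text "$value" and substitutes it once;
    # the content of the variable is returned as data.
    return [list [lindex $_var 0] [uplevel [list subst [lindex $_var 1]]]]
}

proc page {impl} {
    # constructed value standing in for a query variable
    set value {[marker]}
    return [$impl {name $value}]
}

set before $::evaluations
set r1 [page pair_two_args]
puts "two arguments: $r1 (marker calls: [expr {$::evaluations - $before}])"

set before $::evaluations
set r2 [page pair_one_list]
puts "one list:      $r2 (marker calls: [expr {$::evaluations - $before}])"
```

With the two-argument form the bracketed text inside the variable is executed; with the single list argument it comes back unchanged as a string.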
added warning to export_vars

make ad_sanitize_filename more robust to filenames with parentheses + extend automated tests

  1. … 1 more file in changeset.
new API call util::potentially_unsafe_eval_p

Check content of the string to identify potentially unsafe content
in the provided string. The content is unsafe, when it contains
externally provided content, which might be provided e.g. via
query variables, or via user values stored in the database. When
such content contains square braces, a "subst" command on
these can evaluate arbitrary commands, which is dangerous.

The new API call is used in "::xo::Package->return_page", where the
"subst" command is stripped of its command substitution capabilities.
In case command substitution is needed, perform this prior to this call.

bumped acs-tcl to 5.10.1d23

bumped xotcl-core to 5.10.1d13

  1. … 3 more files in changeset.
don't create version directory in a checking function

Util user messages reform: do not store the messages persistently in the database, as they are volatile in nature

Util user message reform: when a message is repeated, do not create a new entry, but just increase a counter, which will be displayed when the message is retrieved

Increase test coverage

  1. … 1 more file in changeset.
Give people the chance to use OpenACS with WithDeprecatedCode set to 0

When OpenACS is configured to omit loading of long deprecated code
(WithDeprecatedCode set to 0) files like deprecated-procs.tcl are not
loaded. Therefore, these files should only contain code, which was
deprecated at LEAST ONE RELEASE EARLIER, such that site admins have
one release time to fix calls to deprecated code. This is especially
important for public procs.

  1. … 1 more file in changeset.
Document public api

  1. … 1 more file in changeset.
Add doc to public api, fix obvious bug

Document public api

  1. … 1 more file in changeset.
Deprecate util_get_current_url, superseded by ad_return_url

Deprecate export_entire_form_as_url_vars and replace occurrences, add a new -formvars flag to export vars to implement the behavior of the proc, that is, export a subset of the variables coming from the current request

  1. … 5 more files in changeset.
Deprecate export_ns_set_vars and extend export_vars to be able to export also a custom ns_set, which was the real added value provided by this api

  1. … 11 more files in changeset.
Reimplement util_subset_p

Deprecate util_report_successful_library_load

Deprecate util_commify_number, replace occurrences and translate automated tests

  1. … 9 more files in changeset.
Deprecate export_entire_form

Deprecate util_AnsiDatetoPrettyDate

  1. … 2 more files in changeset.
Deprecate util_report_library_entry

Formatting changes

Deprecate util::string_check_urlsafe

Simplify implementation

After some experiments, reinstate the faster version of util_sets_equal_p: this wins (~20% faster) in particular when the sets to be compared are larger

Cleanup duplicated and slower proc definition

Properly escape "<" and ">" in api-doc documentation.

Since all documentation is rendered via HTML, the characters
"<" and ">" have to be HTML-quoted, otherwise strange things
(omission, unintended renderings) might occur.

E.g. the sentence

    Define an interface between a page and an
    ADP <include> similar to the page_contract.

was rendered as

    Define an interface between a page and an
    ADP similar to the page_contract.

which is incorrect.

  1. … 13 more files in changeset.
Generalized "version_dir" handling a little for download specs

The problem was that bootstrap5 uses a version directory, which
consists of the version plus an extra string element. The previous
version assumed that the version is always used as a directory name.
We track now the versionDir information in the resource_info dict and
use this, when available (otherwise the version number is used as before).

The resource_info dict contains now the following path components:

    # Provide paths for loading either via /resources/ or CDN
    #
    # "resourceDir" is the absolute path in the filesystem
    # "resourceUrl" is the URL path provided to the request processor
    # "versionDir" is the version-specific element both in the
    # URL and in the filesystem.
    #

bumped acs-tcl to 5.10.1d19

  1. … 2 more files in changeset.
Deprecate ad_apply, made obsolete in modern Tcl by the expansion operator "{*}"

  1. … 4 more files in changeset.