improved comments

replaced deprecated "ns_set new" by "ns_set create"

  1. … 1 more file in changeset.
Extend user_message feature so that a "severity" information can be passed alongside the message

This allows theme templates to color code messages according to their severity. Severity follows the Bootstrap nomenclature of "info", "success", "warning" and "danger".

Default severity has been set to "success" consistent with styling applied so far by OpenACS to the user messages.

  1. … 8 more files in changeset.
make use of new NaviServer command: ns_joinurl

the implementation provides a fallback when used with older versions of NaviServer

  1. … 1 more file in changeset.
improved inline documentation

  1. … 1 more file in changeset.
improved API documentation

  1. … 1 more file in changeset.
fixed test cases and improved documentation, added :util::block_request

Added code to skip suspicious looking query variables

On openacs.org, we are experiencing numerous requests with multiple very long and strange query variables like in the example below. So far, it is not clear whether these requests are the consequence of a double encoding or a deliberate attack. Many (most) of the requests contain query variable names containing the (decoded) pattern "*amp;*".

This is a relatively new phenomenon. I cannot exclude that this is a bug introduced lately in OpenACS, or a bug in an external bot, or whatever. The problem with these query variables is that OpenACS propagates these further, e.g., when updating query variables in ad_dimensional, via export_vars, or return_urls.

Since OpenACS never uses these query variables, these can be safely skipped without losing functionality in OpenACS. It is possible to construct examples where skipping such variables can change the semantics. Therefore, the change introduces a single function util::suspicious_query_variable where, in case of problems, the skipping feature can be deactivated.

GET /api-doc/proc-browse?amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3borderby=name&type=All&amp%3btype=All&amp%3bamp%3btype=All&amp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3b
amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3borderby=name&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=Private&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3borderby=name&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All HTTP/1.1" 200 62378 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko; compatible; FriendlyCrawler/1.0) Chrome/120.0.6099.216 
Safari/605.1.15" "1729029614.331581 0.109805 0.000434 0.004026 0.215927

  1. … 6 more files in changeset.
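The rule described in the commit above (treat a query variable whose decoded name matches "*amp;*" as suspicious, drop it, and keep a single switch to turn the skipping off), written out as an added Python example. This is not OpenACS or NaviServer code; the function names `suspicious_query_variable` and `filter_query`, the `SKIP_SUSPICIOUS` switch and the sample query string (a short fragment modelled on the logged request) are assumptions made for the illustration.

```python
from urllib.parse import parse_qsl, urlencode
import fnmatch

# Single switch mirroring the commit's design: skipping can be deactivated
# in one place if it ever changes the semantics of a legitimate request.
SKIP_SUSPICIOUS = True


def suspicious_query_variable(name: str) -> bool:
    """Return True when the *decoded* variable name matches the pattern '*amp;*'.

    Such names appear when an '&amp;'-escaped separator is percent-encoded and
    decoded once more: the 'amp;' entity remnant ends up inside the name
    (e.g. 'amp;amp;type' instead of 'type')."""
    return fnmatch.fnmatchcase(name, "*amp;*")


def filter_query(query: str, skip: bool = SKIP_SUSPICIOUS):
    """Split a raw query string, drop suspicious variables, and re-encode.

    Returns (cleaned_query, dropped_names). The cleaned string is what a
    defender would propagate further (redirects, export_vars-style links)
    instead of the raw query, so the junk names are not carried along."""
    # parse_qsl splits on '&' before percent-decoding, so the encoded ';'
    # (%3b) in the names never acts as a separator here.
    pairs = parse_qsl(query, keep_blank_values=True)
    kept, dropped = [], []
    for name, value in pairs:
        if skip and suspicious_query_variable(name):
            dropped.append(name)
        else:
            kept.append((name, value))
    return urlencode(kept), dropped


# Constructed sample: a short fragment of the kind of request quoted in the
# commit message (the real one repeats 'amp%3b' hundreds of times).
SAMPLE_QUERY = "amp%3bamp%3btype=All&type=All&amp%3borderby=name"

if __name__ == "__main__":
    cleaned, dropped = filter_query(SAMPLE_QUERY)
    print("kept   :", cleaned)      # type=All
    print("dropped:", dropped)      # ['amp;amp;type', 'amp;orderby']
```

With the switch set to `False` the function passes every variable through unchanged, which is the fallback the commit reserves for cases where skipping would alter a request's meaning.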
merge with missing files

  1. … 1464 more files in changeset.
merge from oacs-5-10

    • -1307
    • +1701
    ./utilities-procs.tcl
  1. … 8099 more files in changeset.
Use "ns_mkdtemp" when available to create temporary directories

  1. … 1 more file in changeset.
align naming with 'resource_info_procs'

  1. … 7 more files in changeset.
Fix potential problems when calling polymorphic SQL functions from Tcl

Some functions are defined in the database with the same number of arguments but different types, e.g., first argument "package_key" (type text) or "package_id" (type integer). This is fine from the SQL standpoint, but when calling from Tcl via bind-vars (e.g. ":package_id"), everything is passed as a string, and potentially, the wrong function is called.

Now, all the automatically generated subs are generated with casts, when the integer based variant must be called.

Some examples:

Before:

set s [ns_pg_bind 0or1row $__DB {select apm__set_value(:package_id,:parameter_name,:attr_value)}]

set s [ns_pg_bind 0or1row $__DB {select apm__get_value(:package_id,:parameter_name)}]

Now:

set s [ns_pg_bind 0or1row $__DB {select apm__set_value(CAST(:package_id AS integer),:parameter_name,:attr_value)}]

set s [ns_pg_bind 0or1row $__DB {select apm__get_value(CAST(:package_id AS integer),:parameter_name)}]

- bumped version number to 5.10.1b11

  1. … 2 more files in changeset.
More resource-info updates:

- fixed wrong and inconsistent naming of dict members (many thanks to Sebastian Scheder for figuring this out)

- removed duplicated slashes in resource paths

- fixed incorrect paths when CDN is used

- simplified handling of cspMaps

- added test checking consistency of resource-info dicts

  1. … 10 more files in changeset.
::util::resources::resource_info_procs: function to improve robustness of fetching of resource info procs

bumped version number to 5.10.1b10

  1. … 1 more file in changeset.
added link to snyk advisor (bumped version to 5.10.1b9)

  1. … 3 more files in changeset.
Further simplify handling of resource_info specs

- Added convenience function "::util::resources::register_urns" to register all URNs with CSP handling provided by a package (denoted by its top level namespace)

- made parameter "version" in "check-installed" include optional

- bumped version number to 5.10.1b8

  1. … 2 more files in changeset.
factored out vulnerability check to make it reusable

- New proc ::util::resources::check_vulnerability

- bumped version number to 5.10.1b7

  1. … 3 more files in changeset.
improved spelling

  1. … 4 more files in changeset.
added comment

The latest released NaviServer still requires, for servers using SNI, that the -hostname flag is specified with ns_http, while it seems that in the latest code we can omit it

The wrapper utility already takes care of this

Ease management of external js packages to automate admin tasks

- provide explicit information about optional package parameters

- make these accessible from site-wide admin pages

- provide information on how the configuration of the version number happened

- improve design of site-wide admin pages with action items

- further streamlined handling of external js packages

  1. … 18 more files in changeset.
js-libraries: improved naming of variables

Changed name "installedVersion" to "configuredVersion", since the former might lead to the impression that it refers only to the locally installed version. Instead, this refers as well to a CDN version (when available)

  1. … 18 more files in changeset.
js-libraries: removed variable "resourceUrl"

The variable "resourceUrl" was always used in a single branch but set for all branches before. To ease maintenance and simplify comprehension, it was removed.

  1. … 10 more files in changeset.
In essence, this change renames "version_dir" to "version_segment" as well as "versionDir" to "versionSegment" to reflect the fact that this variable does not denote a directory, but a part of the path appended to path "resourceDir".

  1. … 4 more files in changeset.
various small fixes for js libraries

- fixed page contract in case a non-default version is downloaded

- provide always an argument "-version" to resource_info procs

- obtain current version number always via resource_info.installedVersion (it refers to CDN and locally installed version)

- pass always versionDir via resource_info to ::util::resources::download

- always obtain version_dir from resource_info

  1. … 25 more files in changeset.
Improved resource information for external libraries

- added vulnerability check for a particular version

- centralized URL generation for cdnjs URLS (will reduce maintenance work, when external URL changes)

- improve behavior when running without an Internet connection

  1. … 11 more files in changeset.
Include available version number and vulnerability check on swa pages

This eases the use of external JavaScript libraries by adding

the available version number and a link for vulnerability checks

on the site-wide admin pages (when this information is available)

- bumped version number to 5.10.1b6

  1. … 3 more files in changeset.
Made download helper more modular and added support for a version_API

a protocol-relative URL is not complete, but it can be understood as external

  1. … 1 more file in changeset.