OpenACS / openacs-4 / packages / xotcl-core / tcl

context-procs.tcl

Tools

Line History

Line Count Graph
Line Count Graph

Stats

Commits this week: 0
Total Committers: 5
Last Commit: 14 May
Commits this week: 0
Total Lines of Code (LoC): 822
Net change in LoC this week: 0

Commit Activity

Commits By Day In Week
52 week commits volume
Commits By Day In Week
Commits by day
Commits By Day In Week
Commits by hour
Commits By Hour In Day
Commit calendar
 

Most active committers (90 days)

loading
loading
  • last updated 16 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Wednesday 16 Oct 2024
11:21 am

gustafn

Added code to skip suspicious looking query variables

On openacs.org, we are experiencing numerous requests with

multiply very long and strange query variables like in the example

below. So far, it is not clear, whether these requests are the

consequence of a double encoding or a deliberate attack. Many (most)

of the requests contain the query variable names containing the

(decoded) pattern "*amp;*".

This is a relatively new phenomenon. I cannot exclude that this is a

bug introduced lately in OpenACS, or a bug in an external bot, or

whatever. The problem with these query variables is that OpenACS

propagates these further, e.g., when updating query variables in

ad_dimensional, via export_vars, or return_urls.

Since OpenACS never uses these query-variables, these can be safely

skipped, without loosing functionality in OpenACS. It is possible to

construct examples, where skipping such variables can change the

semantics. Therefore, the change introduces a single function

util::suspicious_query_variable where in case of problems, the

skipping feature can be deactivated.

GET /api-doc/proc-browse?amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3borderby=name&type=All&amp%3btype=All&amp%3bamp%3btype=All&amp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3borderby=name&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=Private&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3borderby=name&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All HTTP/1.1" 200 62378 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko; compatible; FriendlyCrawler/1.0) Chrome/120.0.6099.216 Safari/605.1.15" "1729029614.331581 0.109805 0.000434 0.004026 0.215927

Options
    • -6
    • +12
    ./context-procs.tcl
  2. … 6 more files in changeset.
Tuesday 08 Oct 2024
5:04 pm

antoniop

Prefer unset to array unset when the whole array should be deleted

See https://wiki.tcl-lang.org/page/Dict+VS+Array+Speed

Options
    • -2
    • +2
    ./context-procs.tcl
  2. … 7 more files in changeset.
Wednesday 11 Sep 2024
8:11 am

gustafn

merge with missing files

Options
    • -0
    • +0
    ./context-procs.tcl
  2. … 1464 more files in changeset.
Tuesday 03 Sep 2024
5:37 pm

gustafn

merge from oacs-5-10

Options
    • -178
    • +403
    ./context-procs.tcl
  2. … 8099 more files in changeset.
Tuesday 27 Aug 2024
12:06 pm

gustafn

whitespace changes

Options
    • -2
    • +2
    ./context-procs.tcl
  2. … 15 more files in changeset.
Thursday 29 Feb 2024
1:04 pm

gernst

Quote error message to better protect against XSS attacks

Options
    • -2
    • +2
    ./context-procs.tcl
Thursday 30 Nov 2023
7:07 pm

gustafn

avoid double quoting

Options
    • -2
    • +2
    ./context-procs.tcl
Tuesday 30 May 2023
12:01 pm

gustafn

improved spelling

Options
    • -11
    • +21
    ./context-procs.tcl
  2. … 10 more files in changeset.
Monday 27 Feb 2023
7:39 pm

gustafn

Added support for form_parameter specs with value checkers

Options
    • -8
    • +30
    ./context-procs.tcl
Sunday 27 Nov 2022
6:28 pm

gustafn

improve spelling

Options
    • -5
    • +4
    ./context-procs.tcl
  2. … 8 more files in changeset.
Tuesday 08 Nov 2022
2:24 pm

gustafn

Added support for passing parameter_name:value_constraint to xowiki::Package->get_parameter

- The get_parameter method can get values from query-parameters, therefore

we have to validate these.

- Use the new feature at several places (especially for boolean values)

- Still, more places should be checked

- bumped xowiki to 5.10.1d37

- bumped xotcl-core to 5.10.1d14

Options
    • -29
    • +52
    ./context-procs.tcl
  2. … 10 more files in changeset.
Saturday 20 Aug 2022
5:19 pm

gustafn

reduce verbosity

Options
    • -2
    • +1
    ./context-procs.tcl
Friday 19 Aug 2022
2:11 pm

gustafn

Fixed bug with value-constraints query parameters

Previous versions had a problem with calls like

:query_parameter name:SOMECONSTRAINT

since the implementation clobbered the name variable. Versions of NSF

later than 2022-01-21 support "nsf::parseargs" with the "-asdict"

option, which can use all the nsf::parseargs options and avoids

clobbering.

Added tests of "xo::cc query_parameters" to the regression test suite.

Options
    • -16
    • +41
    ./context-procs.tcl
  2. … 1 more file in changeset.
Friday 04 Mar 2022
4:24 pm

antoniop

Require form_parameter array consistently in the commands that need it

Options
    • -5
    • +8
    ./context-procs.tcl
Tuesday 08 Feb 2022
5:28 pm

gustafn

whitespace changes

Options
    • -9
    • +21
    ./context-procs.tcl
5:22 pm

gustafn

reduce verbosity

Options
    • -2
    • +2
    ./context-procs.tcl
5:21 pm

gustafn

fix messed up commit

Options
    • -8
    • +9
    ./context-procs.tcl
4:15 pm

antoniop

It seems that param has the minus, while declared_parameters do not

Fixes downstream pipeline

Options
    • -2
    • +2
    ./context-procs.tcl
Monday 07 Feb 2022
2:23 pm

gustafn

Export by default only the declared query variables

Varibles are declared via package specification or in the includelet

definition. Previously, all query variables where exported.

Options
    • -13
    • +36
    ./context-procs.tcl
Saturday 29 Jan 2022
7:04 pm

gustafn

Make creation of ::xo::cc more robust

In case the argument processing of

ConnectionContext create ::xo::cc -p1 ... -p2 ....

::xo::cc destroy_on_cleanup

runs into an exception leading to an ad_script_abort, the half-in

initialized object without cleanup definition will survive. At later

times, this object might be reused, containing potentially

cached results from earlier runs, which can cause troubles in error

cases.

This change takes care that errors during argument processing will

not leave half-initialized objects behind.

Options
    • -10
    • +32
    ./context-procs.tcl
Monday 24 Jan 2022
7:23 pm

gustafn

improve documentation and streamline code

Options
    • -2
    • +2
    ./context-procs.tcl
  2. … 2 more files in changeset.
Saturday 22 Jan 2022
1:09 pm

gustafn

Modernize parameter parsing (query and includelet paramters)

- handle invalid UTF-8 exception that might be triggered by

"ns_parsequery" in newer versions of NaviServer

- the new code is about 4 times faster than the old one

- replaced array by dict

- don't create helper procs on the fly but use "nsf::parseargs" if possible

- added icanuse rules for

* "nsf::parseargs -asdict"

* "ns_parsequery -charset"

Options
    • -31
    • +49
    ./context-procs.tcl
  2. … 1 more file in changeset.
Monday 22 Nov 2021
12:56 pm

gustafn

fix dirty buffer of last commit

Options
    • -2
    • +2
    ./context-procs.tcl
12:08 pm

gustafn

Added support for multiplicity in value constraints of "query_parameter"

Calls like e.g.

set id [:query_parameter some_id:int32]

are actually equivalent to

set id [:query_parameter some_id:int32 ""]

and accept therefore as result also an empty value. By being able to

specify an explicit multiplicity, we can force non-empty values:

set id [:query_parameter some_id:int32,1..1]

This means effectively that the default multiplicity is "0..1".

Options
    • -4
    • +12
    ./context-procs.tcl
Tuesday 20 Apr 2021
11:35 am

gustafn

avoid subst in export_vars by using xo::update_query

Options
    • -7
    • +10
    ./context-procs.tcl
  2. … 1 more file in changeset.
Tuesday 09 Mar 2021
10:27 pm

gustafn

Use built-in "ns_parsequery" instead of manual parsing of query parameters.

Note, that this change might alter query processing, since previously

query parameter without explicit values were treated as boolean values

(like in HTML), now these are treated like "x=" before. The new version is

about 10x faster.

Furthermore, new tests of the regression tests were added for query parameter

processing.

Options
    • -38
    • +21
    ./context-procs.tcl
  2. … 1 more file in changeset.
Tuesday 05 Jan 2021
10:38 am

gustafn

improve spelling

Options
    • -2
    • +2
    ./context-procs.tcl
  2. … 1 more file in changeset.
Friday 18 Dec 2020
3:38 pm

gustafn

improve comments

Options
    • -2
    • +4
    ./context-procs.tcl
  2. … 1 more file in changeset.
Tuesday 08 Dec 2020
4:53 pm

gustafn

replace array by dict, provide error message, when someone tries to setup a connection context without a proper url

Options
    • -10
    • +22
    ./context-procs.tcl
Monday 07 Dec 2020
7:50 pm

antoniop

Provide a fallback empty URL when one tries to require the connection context without one and outside of a connection

Options
    • -2
    • +2
    ./context-procs.tcl