Reduced attack vectors for query and form variables while keeping semantics

- improve form_parameter and query variable validation

- revert partly change: it is intentional that in case of validation errors, the instance variables of the in-memory object contain invalid data in order to be able to show the user the invalid data in the form.

- prefer "string first" idiom over regular expression

Fix typo

Revert to an approach that will not change the [self] object, which has unexpected consequences

Use a better idiom to revert changes on the object, that e.g. will handle the same arrays and variables

Port of downstream modification:

do not restrict the format the user can supply. Sanitize the filename later and complain only if this is made exclusively of invalid characters.

get_form_data reform:

when validation fails, revert all changes performed on the object while filling up the form fields.

Rationale: when validation fails, we do not persist the data. The same we should not let unvalidated data sneak into the object, as this may be e.g. displayed on the page or be otherwise used by the system.

Do not retrieve extra_css from query_parameters, as this is vulnerable to injections

Many thanks to Markus Moser

Fix syntax of new oneof value checker

Validate nls_language so that the only values allowed are existing enabled locales

move "-destroy_on_cleanup" towards the end of the parameter list

This change improves protection against ambiguous user input

use wordchar instead of word

intensify validation of form variables

Update api

Use signed value for form_parameter "__object_name"

Bumped version number to 5.10.1d40

increased value checking for parameters that might be influenced by user input

improved checking of parameter values, which might be influenced via query parameters

reduce verbosity

Added support for passing parameter_name:value_constraint to xowiki::Package->get_parameter

- The get_parameter method can get values from query-parameters, therefore we have to validate these.

- Use the new feature at several places (especially for boolean values)

- Still, more places should be checked

- bumped xowiki to 5.10.1d37

- bumped xotcl-core to 5.10.1d14

query_parameter_return_url is defined on the package

improve spelling

Validate field names when these might come directly from the POST request and therefore contain arbitrary text

Fix typo in comment

Use existing api to tell whether a formfield is disabled or not and to set/unset disabled on a field, handle the case of checkboxes and select fields, where the attribute should not be set when it is false (e.g. disabled=0 == disabled)

This fixes upstream automated tests on xowiki and xowf

Fixed serious bug killing at least short-text questions in inclass exam

The bug was introduced in [1], by testing for the existence of the disabled attribute, and when it exists, it was omitting values reading. The problem is that when form-fields are reset, the "disabled" attribute is set to 0, leading the exists check to succeed. In essence, this change now sets the default value of the form-field to "0", such that it is safe to test it everywhere.

Originally, it was not set by default to save resources (memory and processing power), but this requires a more careful analysis when changes happen.

[1] https://fisheye.openacs.org/browse/OpenACS/openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl?r1=1.368.2.125&r2=1.368.2.126

rename "iconified file" to "thumbnail file"

Extended functionality of the DropZone widget

- added parameters "label", "disposition" and "file_name_prefix" for better configurability

- added support for updating the current page with feedback of the dropped files. This is used e.g. by the online exam in the exam protocol to display incrementally thumbnails of feedback files.

- change property "uploader" to "disposition", since "uploader" is somewhat ambiguous. "Disposition" defines, what happens after the file was uploaded, e.g. whether the content has to be transformed,

- bumped version number to 5.10.1d35

Generalized handling of local_return_url

I am not fully happy with the handling of "return_url" in exam workflows. Maybe this can be reworked in a way such that "local_return_url" is not necessary in the future.

Skip processing for all formfields that are defined as disabled: the browser should not send us these data in the first place.

undo part of last change

unfortunately, the 0.9.3 issue can't be fixed as simply as hoped. The "-html" flag is necessary for dealing with autoclosed entries.

for orthogonality, remove "-html" flag from dom parse to avoid a potential top-level <html> element
