• last updated 12 hours ago
Constraints: committers
Constraints: files
Constraints: dates
Reject URLs displaying multiple protocols

Test further improvement of injection attempt by penetration tests

Harden page contract

Strenghten validation against smarter attempts to disguise the javascript: protocol

Replicate a smarter attempt by a penetration tool to disguise the javascript: protocol

Add new extension mjs, for Javascript modules, to the Javascript mime type

file upgrade-5.10.1b3-5.10.1b4.sql was initially added on branch oacs-5-10.

file upgrade-0.6.2d6-0.6.2d7.sql was initially added on branch oacs-5-10.

added missing function args

reduce verbosity

Harden page contracts

Prefer more robust colon notation to quote database values

    • -1
    • +1
We replace spaces with "&nbsp" for Safari, but then convert will fail in the test... clean up the entities before trying to convert

Fix variable name

Calculate the width before quoting is applied and refine the heuristic

Fix capctha rendering on iOS devices, where apparently spaces need to be translated to entities

    • -3
    • +10
Fix captcha responsiveness

Update italian localization

    • -2
    • +2
Introduce server-side validation for HTML5 date and time formfields

A "formats" parameter can be specified on the formfields indicating one or more formats that we want to enforce. The syntax for any of such format is that of the Tcl clock command.

Default values have been set according to the expected behavior of each form field type.

Empty values are always considered valid. If a field is required, this will be enforced in its own validator.

    • -2
    • +2
Test behavior of HTML5 date and time formfields when invalid values are submitted

Quote error message to better protect against XSS attacks

Added default dbn to database drivers (acs::dc)

Align behavior with recent change in the xo::db inteface

Added parameter to define a default dbn to a database connection

By this change, one can now define a default dbn at the creation time

of a database connection object. Before, it was necessary to pass

the "-dbn" value to every single command. The parameter can still be

used for particular queries as before to overrule the default.

Example for defining a connection context to a pool named "legacy"

using the PostgreSQL database interface

::xo::db::DB-postgresql create ::xo::dc1 -dialect postgresql -dbn legacy

lappend _ [::xo::dc1 get_value . {select count(*) from acs_objects}]

lappend _ [::xo::dc get_value . {select count(*) from acs_objects}]

#> 660 51606

"An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing"

See e.g. https://cloud.google.com/blog/products/data-analytics/iframe-sandbox-tutorial

We set in xooauth/tcl/lti-procs.tcl a restrictive default (all sandboxing restrictions are applied by default). Users should relax it according to their embedded application.

xooauth/www/admin/lti-test.tcl is not really a productive file, so we set the already hardcoded value to no-sandboxing and note that this would be appropriate.

Remove duplicated entry

download-archive reform

File-Storage used to generate downloaded archives in tgz format, to then switch to zip, more user-friendly, in particular outside the Linux world (See https://openacs.org/forums/message-view?message_id=557561). To ease the transition, a couple of parameters and relative API were introduced that would allow to choose the preferred command one should use. During this reform however, default parameter values in the tcl code became inconsistent with those in the info file. Furthermore, the chosen defaults were set as absolute paths to the executable, which is not friendly to non-linux environments, or other scenarios where the "typical" Linux filesystem structure cannot be assumed (e.g. containers, MacOS...).

The only usage of this parameters/api was in fact in the download-archive vuh. In upstream codebase, no package references this file, not even the file-storage itself. Upon review, one could see that the file would also allow to specify a custom download filename via the path, which could be considered questionable. It would also execute the command in a way that once again assumes some form of Linux environment (e.g. invoking bash).

Save for the ability to customize the archive format and the anti-feature of being able to manipulate the archive filename via the path, the script largely relplicates www/download-zip, in a better shape after a few reforms hinted by e.g. penetration tools.

Given the aformentioned considerations, I have decided to make download-archive a simple redirect to download-zip. Specifying the object_id via the path will keep working, while URLs out there expecting the name to change will not fail, but the name will not be modified. The archive format will from now on be assumed to be zip.

removed legacy code from apm_transfer_file

util::http::get should be everywhere available

Rework of util::which

The new version deals now correctly with absolute paths,

where just the extensions are added, and it is checked

whether the program is executable.

Extended regression test to deal with optional and required

external dependencies. Missing optional external programs

produce warnings.

Reduced redundancy

call text_templates::create_pdf_from_html from

text_templates::create_pdf_content instead of replicating logic

    • -31
    • +27
Use for new installation relative path names for external programs per default

    • -1
    • +1