Deescalation: the usage of the pairs in export_vars is not so dangerous as it looked at first sight.

The problem case was originating from the call

lappend __vars [lindex $_var 0] [uplevel subst [lindex $_var 1]]

which calls Tcl's "uplevel" with two arguments. In this case, the arguments are concatenated and then evaluated in the caller's frame. There is a substitution before the evaluation. When just one argument is passed in, there is only one evaluation:

lappend __vars [lindex $_var 0] [uplevel [list subst [lindex $_var 1]]]
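The difference between the two calls above, as an added example that is not part of the OpenACS sources: the procs `probe`, `expand_twice`, `expand_once` and `demo` and the variable `user_input` are constructed for illustration, and `probe` stands in for any command reachable through command substitution.

```tcl
# Added example (not OpenACS code); all names below are constructed.
set ::calls 0

proc probe {} {
    # Counts how often command substitution actually reached a command.
    incr ::calls
    return "probe-ran"
}

# Two-argument form from the commit message: uplevel concatenates "subst"
# and the value into one script, so the Tcl parser substitutes the value
# first and subst then substitutes the result a second time.
proc expand_twice {value} {
    return [uplevel subst $value]
}

# One-argument form: [list ...] quotes the value, so the only substitution
# pass is the one performed by subst itself.
proc expand_once {value} {
    return [uplevel [list subst $value]]
}

proc demo {} {
    # Constructed input: externally provided data that contains brackets.
    set user_input {[probe]}

    # The pair value is the literal text "$user_input", as in a
    # {name $user_input} pair handed to export_vars.
    set ::calls 0
    set once_result [expand_once {$user_input}]
    set once_calls $::calls

    set ::calls 0
    set twice_result [expand_twice {$user_input}]
    set twice_calls $::calls

    # Single pass: the variable is expanded, its content stays inert data.
    if {$once_calls != 0} { error "single pass executed the content" }
    # Double pass: the content of the variable is executed as a command.
    if {$twice_calls != 1} { error "double pass did not execute the content" }

    return [list $once_result $once_calls $twice_result $twice_calls]
}

puts [demo]
```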

avoid subst in export_vars when not necessary

avoid subst in export_vars when not necessary

avoided subst in export_vars when not necessary

added warning to export_vars

Added support for passing parameter_name:value_constraint to xowiki::Package->get_parameter

- The get_parameter method can get values from query-parameters, therefore we have to validate these.

- Use the new feature at several places (especially for boolean values)

- Still, more places should be checked

- bumped xowiki to 5.10.1d37

- bumped xotcl-core to 5.10.1d14

    • -3
    • +3
    /openacs-4/packages/xowiki/xowiki.info
    • -1
    • +1
    /openacs-4/packages/xowiki/tcl/folder-procs.tcl
    • -12
    • +29
    /openacs-4/packages/xowiki/tcl/package-procs.tcl
    • -13
    • +13
    /openacs-4/packages/xowiki/tcl/xowiki-procs.tcl
add missing brackets

added optional parameter "-timeout" to "CACHE eval ..." method

make ad_sanitize_filename more robust to filenames with parentheses + extend automated tests

ensure year has only 4 digits

new API call util::potentially_unsafe_eval_p

Check content of the string to identify potentially unsafe content in the provided string. The content is unsafe, when it contains externally provided content, which might be provided e.g. via query variables, or via user values stored in the database. When such content contains square braces, a "subst" command on these can evaluate arbitrary commands, which is dangerous.

The new API call is used in "::xo::Package->return_page", where the "subst" command is stripped of its command substitution capabilities. In case command substitution is needed, perform this prior to this call.

bumped acs-tcl to 5.10.1d23

bumped xotcl-core to 5.10.1d13

    • -2
    • +2
    /openacs-4/packages/acs-tcl/acs-tcl.info
check queuing situation for every connection pool

Allow to deactivate client-side double click prevention by setting DefaultPreventDoubleClickTimeoutMs to 0

Add vtt mime type to CR

file upgrade-5.10.1d4-5.10.1d5.sql was initially added on branch oacs-5-10.

generalize handling of premature ends of request processing at client side

added package parameter DefaultPreventDoubleClickTimeoutMs for default timeout of double click handler

added double-click prevention class to submit widget

allow passing of template variables as icon name (which are resolved later)

more beautification of admin pages, make interface more consistent

There is no year zero in the Gregorian calendar

prefer dict over anonymous array

prefer usage of parameter::get_from_package_key over plain parameter::get

bumped version numbers to reflect dependency on sitemap icon

file sitemap.svg was initially added on branch oacs-5-10.

added sitemap icon

modernized appearance of sitemap

bumped version number to 5.10.1d10

modernized appearance of acs-admin

bumped version to 5.10.1d4

Remember pool settings for the number-of-lines filter

Added pool filtering and improved layout for Bootstrap 5

- added filter option for pools on "long-calls" page

- added support for Bootstrap 5

- added adp:icon for parameter

- Bumped version to 0.65