• last updated 5 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Don't write error to system log due to failed DML call to error log on forseeable conditions

On calls with exception handlers on duplicate name entries, we do not

want to see entries in the sytem log

skip empty entries in mc2 choices

Many thanks to Monika Andergasse for the suggestion

removed hard-coded styling to improver stylability via CSS on admin page

Many thanks to Monika Andergasse for the suggestion

    • -2
    • +2
    /openacs-4/packages/xowiki/www/admin/list.tcl
Whitespace cleanup

Cleanup vars

    • -5
    • +3
    /openacs-4/packages/news/www/preview.tcl
Use modern contract and formfield features to avoid manual date validation

    • -9
    • +9
    /openacs-4/packages/news/www/item-create.tcl
    • -39
    • +10
    /openacs-4/packages/news/www/preview.tcl
Harden page contract, fix exporting of multiple revision ids

Use modern date formfields to avoid manual validation and handling of dates, harden page contract

    • -11
    • +7
    /openacs-4/packages/news/www/item-create.tcl
Clarify idiom, improve markup

Fix typo

Modernize idiom

Harden page contract, use modern date widget to avoid custom date parsing

Fix spec syntax

Cleanup variables never used and form never rendered

    • -15
    • +1
    /openacs-4/packages/calendar/www/mini-calendar.tcl
Harden and modernize page contract, remove reference to non-existing database columns from ancient downstream installations

Rework api to avoid extra checks

Reimplement conversion to and from Julian dates using modern Tcl api

Reinstate lost comment

Use modern date and time form input types so that the time values validated by the contract are the same used by the UI and no different values can be supplied to the form via the pseudo-fields for e.g. year, day and so on...

    • -81
    • +27
    /openacs-4/packages/calendar/www/cal-item-new.tcl
Improve validation

Cleanup leftover, fix typos

lc_time_tz_convert reform:

- enforce that only dates in the ISO format "%Y-%m-%d %H:%M:%S" are accepted

- apply clock api normalization to seemingly out of range time_values, as per https://www.tcl.tk/man/tcl/TclCmd/clock.html#M25

- return the empty string every time input is invalid or a conversion cannot be determined

- return a value, as ISO date, only when conversion is successful

- prefer the clock api to perform the conversion, but fall back to the ref-timezones datamodel when the timezone is not supported by Tcl

Introduce a thorough test of the lc_time_tz_convert api checking:

- dates in the distant past

- dates in the distant future

- daylight saving for different times of the year across the two timezones

- historical circumstances (e.g. Pre-timezones US)

- Invalid input

The test shows that the current api does not behave consistently in certain circumstances:

- the same time_value is sometimes returned with invalid input

- the empty string is sometimes returned with valid input

- for dates where the ref-timezones package does not provide information, no result is returned

Performance improvements:

- add with_headers flag to ::xo::dc list_of_lists behaving like the db_list_of_lists counterpart

- use ::xo::dc list_of_lists as internal for ::xo::dc foreach and ::xo::dc multirow to reduce the need for ns_sets

Collect all query results before executing the code to avoid the out-of-pools bug

Implement a test making sure ::xo::dc "loop code-executing" api is not subject to the "out of pools" bug

-prepare flag must not be supplied when not available

Fix regression: the reimplementation of ::xo::dc foreach reintroduced the old "out of pools bug"

The fix makes again use of the ns_set api to free the handle before the code is executed

set return_url via ::xo::cc to avoid "connection socket is detached" error

Adding one more safety belt for potential DOS attacks

For cases, where request blocking is activated (returning 429 status

code for repeated requests), one more check was added: When such a

block happens more than 15 times in a minute on the same URL from the

same user, more requests for the same URL and user will be blocked

until the minute is over. The user seese the message "This web server

is only open for interactive usage".

Background: While request blocking works well for interactive users,

it might not be sufficient for web clients running wild. Normally,

after a 429, the user can reload the page to receive the content of a

page. This leads to a sequence of requests of interleaved 200 and 429

status codes, which might be ignored by a bot (or ad DOS attack). When

the requested page is slow, this can bring a server to its knees.

When request blocking is deactivated, this change has no effect.