Improve test: whether the html filter will accept a script tag or not is configuration-dependent. We now enforce that the outcome is consistent with the security check for HTML used in the filter itself.

Manually replace the ":" entity to prevent attempts at disguising "javascript:" links

Replicate injection attempt by penetration tools

page filters with NUL value

Prefer "string first" over "regexp" since this is twice as fast.

security::validated_host_header: Made acceptance of configured vhosts the first check

Under certain conditions (such as running in a container, or reverse proxy situations) the admin of a server wants to specify accepted host names. This can be achieved in the "*/servers" section of a network driver. These values are used now first for accepting host header fields. This change avoids unexpected redirects to, e.g., internal server addresses.

bugfix: fixed test test_ad_register_proc when running in a container

When running in a container, one cannot use util_current_location, which refers to the URL to reach the server from the container host. To address the server inside the container, acs::test::url should be used.

This change does not matter for non-containerized applications.

Provide facilities to validate against invalid SQL strings

We introduce a new page contract filter and nsf validator called "dbtext". They enforce that a value is usable in an SQL query. Currently, this means that the value should not contain the NUL character, but the definition may change in the future or become database-specific.

The html contract filter has also been extended to reject the NUL character.

The test suite has been updated/extended to reflect the changes.

Reform of error handling in ad_page_contract when template recursion is detected

A "complaint recursion" happens if a validation error takes place in one of the templates used while rendering the error page (for instance, anything we include in the master template or the master template itself).

Previously, we would give up complaining after 10 recursions were detected. This had the consequence that after 10 attempts, the failing template involved in rendering the complaint would be fed the invalid data we were trying to reject.

Now, we complain and stop the execution as soon as a recursion is detected. The error will be rendered in a very basic way that overrides the templating system, so that we can exit the recursion cycle.

In practice, only malicious page manipulation attempts should be affected by this change.

improved portability: some versions of "gzip" do not support option "-S"

improved spelling

improved logging output from install.xml files

Removed "-debug" flag

improved robustness of "try_cache"

Added handling of "-per_request" option

Move test from acs-kernel to acs-tcl, add remarks

clear dirty editor buffer

added support to install theme from install.xml

Added support for automatic disconnect when a dynamic cluster node is shut down

When the dynamic cluster configuration has scale for certain occasions, it makes sense to provide down scaling support when these occasions are over, which does not rely on the configured cluster disconnect timeout (ClusterAutodeleteInterval). The new code will send automatically a disconnect request when a dynamic cluster node is terminating gracefully.

Depending on the configuration, a new version of NaviServer will be necessary to reliably execute disconnect requests. Appropriate changes are in the NaviServer release/4.99 and main branches.

- Bumped version numbers:
  * acs-tcl to 5.10.1b4
  * acs-admin to 5.10.1b4

Adding auto-deletion of dynamic cluster nodes and small refactoring

- New kernel parameter "ClusterAutodeleteInterval" to specify, when a dynamic cluster node is not regarded as temporarily unavailable but as definitely gone. The default value for this parameter is 2m (2
- small refactoring to reduce duplicated logic
- Bumped version numbers:
  * acs-kernel to 5.10.1b4
  * acs-tcl to 5.10.1b3
  * acs-admin to 5.10.1b3

Small update for cluster support

- Improved visualization of cluster nodes that we lost contact with
- New kernel parameters to reduce hard-coded values and to make purpose more explicit
  * new parameter ClusterHeartbeatInterval (default 20s), was hardcoded before to the new default value
  * renamed PreferredLocationRegexp -> ClusterPreferredLocationRegexp
  * renamed EnableLoggingP -> ClusterEnableLoggingP
- Bumped version numbers:
  * acs-kernel to 5.10.1b3
  * acs-tcl to 5.10.1b2
  * acs-admin to 5.10.1b2


improved spelling

provide the version directory instead of the version on the admin page

Earlier versions had just the version, but not the version directory, which is the precise information.


cluster setup: use qualified location as well for the local host

added new flag to util::join_location to avoid removing the default port

this addresses the bug reported by Jonathan Kelley in the openacs.org Q&A forum

provide qualified_location for incoming join requests

Many thanks to Jonathan Kelley for reporting this problem

When using ad_dom_sanitize_html to validate markup, treat failure to parse as a normal validation failure, rather than an error

db_multirow: fall back to -local behavior, when used outside of an ADP file

The old behavior was that when "db_multirow" was called outside an ADP environment, an error was generated, since the uplevel was determined without the "-local" flag by [template::adp_level]. Outside ADP, the result of the function is empty, leading to an error that a level "#" is invalid. Depending on an optional flag is strange for a "db_*" command.

Now, the default behavior outside an ADP file is local (i.e., when calling outside ADP, the output variables are set in the calling scope, unless a different "upvar_level" is specified).

remove encoding switching command

The command was there for the deactivated test "exec_binary_input". The way encoding switching was performed was unreliable, since the nruns value of the proxy might expire between the switching commands. If this is really necessary, a different solution has to be designed.

use "ns_set stats" when available in memory statistics of ::xo::stats

Make URLs assumed to be hosted on openacs.org absolute

Flushing the cache completely is actually the right thing to do if we want to be more robust to cache pollution: see e.g. executing acs-authentication and acs-tcl automated tests during the same request