request-processor-procs.tcl

merge with missing files

  … 1464 more files in changeset.

merge from oacs-5-10

  ./request-processor-procs.tcl: -209 +406
  … 8099 more files in changeset.
improve source code documentation

fixed indentation of braces

  … 2 more files in changeset.
Improved comments and make code more robust in regards of legacy setups

improved spelling

  … 5 more files in changeset.
Extended "ad_conn behind_secure_proxy_p"

This test will now be true when the received request contains one of these request header fields:

- "X-SSL-Request: 1"
- "X-Forwarded-Proto: https"

Before, only the first variant was accepted.
The AWS load balancer uses the second variant.

fix typo

Base "ad_conn behind_proxy_p" on "ns_conn details" when available

  … 1 more file in changeset.
skip "-url" in "export_vars -url" since it is the default

  … 11 more files in changeset.
call directly ns_getform

improve spelling

  … 1 more file in changeset.
Deprecate trivial wrappers to the NaviServer API

Modern ns_getform will not return the empty string for empty requests, but only when we are operating outside of a connection. In such circumstances it is arguably useful to manipulate the request parameters.

  … 2 more files in changeset.
Deprecate export_entire_form_as_url_vars and replace occurrences; add a new -formvars flag to export_vars to implement the behavior of the proc, that is, export a subset of the variables coming from the current request.

  … 5 more files in changeset.
new API call ::security::csp::add_static_resource_header

The API call sets the CSP rule on the current connection for a static
resource depending on the MIME type.

  # Sample definition for custom CSP rules for static files in the
  # OpenACS configuration file.
  #
  # ns_section ns/server/$server/acs {
  #     ...
  #     ns_param StaticCSP {
  #         image/svg+xml "script-src 'none'"
  #     }
  #     ...
  # }

bump version number of acs-tcl to 5.10.1d13

  … 3 more files in changeset.
remove commented out code

Revert additional fallbacks, one should take care that ad_conn is invoked correctly

Provide further fallbacks for ad_conn

improve spelling and formulations

  … 2 more files in changeset.
Provide a fallback for vhost_url in ad_conn for code executed before this value has been set by the request processor

improve comment

avoid errors on attacks against request header field "Upgrade-Insecure-Requests"

added a partial backwards compatibility implementation for ns_baseunit (as used in request processor)

  … 1 more file in changeset.
move broken procs based on undefined function to deprecated procs and comment it out

  … 2 more files in changeset.
Fix typo

Streamline idiom and merge if condition

mitigate attacks where the referer header field is changed to a malicious value

The problem does not exist when CSP is defined properly.

Many thanks to Frank Bergmann for sharing the pen-test protocol.

  … 2 more files in changeset.
Add missing argument expansion and comply with automated test

prettify error message

fixed bug in redirects and disabled acs-testing package, changed node info from array to dict