skip "-url" in "export_vars -url" since it is the default

  1. … 11 more files in changeset.
call directly ns_getform

improve spelling

  1. … 1 more file in changeset.
Deprecate trivial wrappers to the NaviServer API

Modern ns_getform will not return the empty string for empty requests, but only when we are operating outside of a connection. In such circumstances it is arguably useful to manipulate the request parameters.

  1. … 2 more files in changeset.
Deprecate export_entire_form_as_url_vars and replace occurrences, add a new -formvars flag to export vars to implement the behavior of the proc, that is, export a subset of the variables coming from the current request

  1. … 5 more files in changeset.
new API call ::security::csp::add_static_resource_header

The API call sets the CSP rule on the current connection for a static resource depending on the MIME type.

# Sample definition for custom CSP rules for static files in the
# OpenACS configuration file.
#
# ns_section ns/server/$server/acs {
#     ...
#     ns_param StaticCSP {
#         image/svg+xml "script-src 'none'"
#     }
#     ...
# }

bump version number of acs-tcl to 5.10.1d13

  1. … 3 more files in changeset.
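The commit above describes a per-MIME-type CSP lookup for static files (an SVG served inline can otherwise execute embedded script). The following is an added illustration, not the project's own implementation of ::security::csp::add_static_resource_header: it assumes the StaticCSP parameter is a Tcl dict of MIME type to CSP value, exactly as in the sample configuration, and uses only core NaviServer commands (ns_config, ns_info, ns_conn, ns_set). The ::demo::* names are hypothetical.

```tcl
# Added example (not OpenACS code): resolve the CSP rule configured for a
# MIME type under ns/server/$server/acs StaticCSP and set it on the
# current connection. ::demo::* is a hypothetical namespace.

namespace eval ::demo {}

# Return the CSP value configured for $mime_type, or "" if none.
proc ::demo::static_csp_for_mime_type {mime_type} {
    # ns_config reads the parameter from the server's acs section; the
    # trailing "" is the default when StaticCSP is not configured at all.
    set rules [ns_config ns/server/[ns_info server]/acs StaticCSP ""]
    if {[dict exists $rules $mime_type]} {
        return [dict get $rules $mime_type]
    }
    return ""
}

# Set Content-Security-Policy on the current connection's output headers
# when a rule exists for the MIME type; return the value that was applied.
# ns_set update replaces an existing header instead of appending a second one.
proc ::demo::add_static_resource_header {mime_type} {
    set csp [::demo::static_csp_for_mime_type $mime_type]
    if {$csp ne ""} {
        ns_set update [ns_conn outputheaders] Content-Security-Policy $csp
    }
    return $csp
}

# Usage from a request handler that is about to return an uploaded SVG:
#   ::demo::add_static_resource_header image/svg+xml
# With the sample configuration this sends
#   Content-Security-Policy: script-src 'none'
# and leaves responses for MIME types without a rule untouched.
```

Only the value from the configuration reaches the header, so the rule set stays under the administrator's control; an unknown MIME type gets no header rather than a guessed one, which keeps the change purely additive.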
remove commented out code

Revert additional fallbacks, one should take care that ad_conn is invoked correctly

Provide further fallbacks for ad_conn

improve spelling and formulations

  1. … 2 more files in changeset.
Provide a fallback for vhost_url in ad_conn for code executed before this value has been set by the request processor

improve comment

avoid errors on attacks against request header field "Upgrade-Insecure-Requests"

added a partial backwards compatibility implementation for ns_baseunit (as used in request processor)

  1. … 1 more file in changeset.
move broken procs based on undefined function to deprecated procs and comment them out

  1. … 2 more files in changeset.
Fix typo

Streamline idiom and merge if condition

mitigate attacks where the referer header field is changed to a malicious value

The problem does not exist when CSP is defined properly.

Many thanks to Frank Bergmann for sharing the pen-test protocol

  1. … 2 more files in changeset.
Add missing argument expansion and comply with automated test

prettify error message

fixed bug in redirects and disabled acs-testing package, changed node info from array to dict

Fix expression to the original intention: check if ns_conn url ends by ad_conn extra_url

fix once more handling of internal redirects in error cases

many thanks to Thomas Renner!

Fixed a bug in the request processor, when URL is /%3F

The problem was that /%3F corresponds to a URL which is literally '/?' (question mark is not the separator for query variables). In this case a "string match" operation to determine the suffix based on this string will lead to unexpected characters since '?' is a match character. This led in turn to a problem with redirects to the internal redirect of custom error pages. So, in this case (and probably others) the custom error page was not displayed.
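The failure mode in the commit above (a decoded path used as a glob pattern) is easy to reproduce in plain tclsh. The following is an added example, not the request processor's own code: it contrasts the glob-based prefix check with two literal-safe alternatives, using the decoded form of /%3F as the prefix. The ::demo::* names are hypothetical and the sample URLs are constructed.

```tcl
# Added example (not OpenACS code): why "/?" breaks a "string match" prefix
# check, and two ways to compare a decoded path literally.
# ::demo::* is a hypothetical namespace; runs in plain tclsh.

namespace eval ::demo {}

# Glob-based check in the spirit of the buggy idiom: "?" and "*" that come
# from the decoded URL are interpreted as pattern characters, so a prefix
# of "/?" matches any path with at least one character after "/".
proc ::demo::under_prefix_glob {prefix url} {
    return [string match "${prefix}*" $url]
}

# Variant 1: escape the glob metacharacters in the prefix so that
# "string match" treats them literally ("\" must be escaped first).
proc ::demo::under_prefix_escaped {prefix url} {
    set pattern [string map {\\ \\\\ * \\* ? \\? [ \\[} $prefix]
    return [string match "${pattern}*" $url]
}

# Variant 2: avoid patterns altogether and compare only the leading
# [string length $prefix] characters with "string equal -length".
proc ::demo::under_prefix_literal {prefix url} {
    set n [string length $prefix]
    return [expr {$n <= [string length $url]
                  && [string equal -length $n $prefix $url]}]
}

# Constructed inputs: "/?" is what /%3F decodes to; "/admin" shares no
# prefix with it and must not match.
set decoded "/?"
foreach url {/? /?foo /admin} {
    puts [format "%-8s glob=%d escaped=%d literal=%d" $url \
              [::demo::under_prefix_glob $decoded $url] \
              [::demo::under_prefix_escaped $decoded $url] \
              [::demo::under_prefix_literal $decoded $url]]
}
```

The glob variant reports a match for /admin, which is the spurious result that derailed the internal redirect to the custom error page; both literal variants match only paths that really start with "/?". The same caveat applies to "*" and "[" in decoded paths, which is why the escaping list covers all of them rather than just "?".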

improve comments

added minor debugging aids, make disk-cache more similar to ns_cache

  1. … 2 more files in changeset.
Make api public, complies with acs-api-browser.graph__bad_calls automated test

  1. … 4 more files in changeset.
mark functions called only internally as private

  1. … 15 more files in changeset.
make use of built-in reverse proxy mode of newer versions of NaviServer

  1. … 1 more file in changeset.
make end of options explicit

  1. … 42 more files in changeset.