improved clarity of the code and simplified structure

fix for using fallback interface and wrong results for non TLS installation

Many thanks to Antonio for flagging this and providing insights

backport from HEAD

fix for "security::get_secure_qualified_url" when no an old-style servername is used

don't raise an exception, when invalid host header field is provided

Since this happens often with intrusion attempts, provide a security warning.

Enhanced security logging and debugging in security-procs.tcl

- Updated the internal log procedure to accept multiple arguments (using join) for more flexible logging.
- Replace several ns_log calls with ::security::log to standardize logging of session_id, login_cookie, timeout, and other events.
- Add additional log statements in critical functions (e.g. sec_handler, sec_setup_session, __ad_verify_signature, and CSRF token handling) to provide better traceability of session allocation, cookie generation, session invalidation, and signature verification.
- Improve debug output for CSRF token generation and verification, including logging differences in computed hash values.

reapplied post 5-10 release fix

Many thanks to Claudio Pasolini for reporting and identifying the problem!

fixed bug security::validated_host_header

Many thanks to Claudio Pasolini for reporting and identifying the problem!

avoid triggering exception, when provided host header field cannot be resolved.

Avoid calls to deprecated NaviServer functions

  1. … 3 more files in changeset.
merge with missing files

  1. … 1464 more files in changeset.
merge from oacs-5-10

  1. … 8099 more files in changeset.
small fix, when cookie times out and dotlrn is active

Fix default https port in security::configured_driver_info

Provide an API to check/set/clear the state of the regression test

The new calls are:

- aa_test_running_p
- aa_test_start
- aa_test_end

  1. … 1 more file in changeset.
improved spelling

  1. … 14 more files in changeset.
use original provided host-header-field in log statement

escape variable in log statement

Fix another variable name after refactoring

Fix variable name after refactoring

fixed typo

Updated location handling

- make use of "ns_server hosts" when available
- refactored and simplified code
- keep validated locations in an nsv array
- added support for extra white-listed hosts in case every other configuration fails (should not be necessary)

      ns_section ns/server/$server/acs {
          ns_param whitelistedHosts {...}
      }

- updated inline documentation

The new code is supposed to handle, in combination with a recent NaviServer, all complex host header validation scenarios, including running behind a proxy, in a container or cluster.

Improved readability of configuration parameter "parameterSecret"

- Switched to camelCase for better readability and uniformity
- NaviServer configuration parameters are case insensitive, so no danger for backward compatibility

  1. … 5 more files in changeset.
security::validated_host_header: Made acceptance of configured vhosts the first check

Under certain conditions (such as running in a container, or reverse proxy situations) the admin of a server wants to specify accepted host names. This can be achieved in the "*/servers" section of a network driver. These values are used now first for accepting host header fields. This change avoids unexpected redirects to, e.g., internal server addresses.
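
An added example, not part of the commit log and not OpenACS or NaviServer code: the check order described above (configured virtual hosts first, extra white-listed hosts as fallback, a logged warning instead of an exception for a bad value) in plain Tcl. The procs check_host_header and warn, their arguments and the host lists are hypothetical.

```tcl
# Added illustration in plain Tcl; not OpenACS code. The proc names, argument
# names and host lists below are hypothetical and constructed for the example.
proc warn {msg} { puts stderr "security warning: $msg" }  ;# stand-in for the server log

proc check_host_header {raw vhosts extra} {
    # Returns the normalized host name when accepted, "" otherwise.
    # A bad value is logged and rejected; it never raises an error.
    regsub -all {[^[:print:]]} [string range $raw 0 79] ? shown  ;# safe to log
    set host [string tolower [string trim $raw]]
    # Name or bracketed IPv6 literal, optionally followed by :port.
    if {![regexp {^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d{1,5})?$} $host -> name]} {
        warn "malformed host header field <$shown>"
        return ""
    }
    set name [string trimright $name .]
    # Names the admin configured for the driver are checked first,
    # the extra whitelist is only the fallback.
    foreach accepted [list $vhosts $extra] {
        if {$name ne "" && $name in $accepted} { return $name }
    }
    warn "host header field <$shown> is not an accepted host"
    return ""
}

set vhosts {www.example.org example.org}   ;# constructed sample values
set extra  {lb.example.org}
foreach raw [list "WWW.Example.org:8443" "lb.example.org." "10.0.0.5" \
                 "\[::1\]:8000" "bad host\r\nX-Injected: 1" ""] {
    set result [check_host_header $raw $vhosts $extra]
    puts [expr {$result ne "" ? "accept $result" : "reject"}]
}
```

The caller only ever builds redirect locations from the returned name, so a rejected value never reaches a Location header, and the logged copy has control characters replaced before it is written.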

improved spelling

added standard parameterizations for Argon2 when supported.

  1. … 2 more files in changeset.
Disable tests to check for executables on the system

  1. … 7 more files in changeset.
improve spelling

  1. … 7 more files in changeset.
Document public api

refactor login cookie handling

The old code required repeated exception handlers. Now, these exception handlers are in one place, and users of sec_login_read_cookie can rely on a dict being returned