OpenACS / openacs-4 / packages / acs-tcl / tcl

security-procs.tcl

Tools

Line History

Line Count Graph
Line Count Graph

Stats

Commits this week: 0
Total Committers: 23
Last Commit: 09 Jul
Commits this week: 0
Total Lines of Code (LoC): 3,761
Net change in LoC this week: 0

Commit Activity

Commits By Day In Week
52 week commits volume
Commits By Day In Week
Commits by day
Commits By Day In Week
Commits by hour
Commits By Hour In Day
Commit calendar
 

Most active committers (90 days)

loading
loading
  • last updated 19 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Thursday 12 Jun
7:05 pm

gustafn

improved clarity of the code and simplified structure

Options
    • -16
    • +16
    ./security-procs.tcl
Wednesday 11 Jun
11:36 am

gustafn

fix for using fallback interface and wrong results for non TLS installation

Many thanks to Antonio for flagging this and provide insights

Options
    • -3
    • +8
    ./security-procs.tcl
Monday 05 May
6:37 pm

gustafn

backport from HEAD

Options
    • -2
    • +23
    ./security-procs.tcl
6:36 pm

gustafn

fix for "security::get_secure_qualified_url" when no an old-style servername is used

Options
    • -6
    • +27
    ./security-procs.tcl
Tuesday 29 Apr
3:11 pm

gustafn

don't raise an exception, when invalid host header field is provided

Since this happens often with introsion attempts, provide a security warning.

Options
    • -2
    • +9
    ./security-procs.tcl
Wednesday 12 Mar
10:45 am

gustafn

Enhanced security logging and debugging in security-procs.tcl

- Updated the internal log procedure to accept multiple arguments (using join) for more flexible logging.

- Replace several ns_log calls with ::security::log to standardize logging of session_id, login_cookie, timeout, and other events.

- Add additional log statements in critical functions (e.g. sec_handler, sec_setup_session, __ad_verify_signature, and CSRF token handling)

to provide better traceability of session allocation, cookie generation, session invalidation, and signature verification.

- Improve debug output for CSRF token generation and verification, including logging differences in computed hash values.

Options
    • -14
    • +32
    ./security-procs.tcl
Sunday 19 Jan
10:01 am

gustafn

reapplied post 5-10 release fix

Many thanks to Claudio Pasolini for reporting and identifying the problem!

Options
    • -2
    • +2
    ./security-procs.tcl
9:54 am

gustafn

fixed bug security::validated_host_header

Many thanks to Claudio Pasolini for reporting and identifying the problem!

Options
    • -2
    • +2
    ./security-procs.tcl
Friday 13 Dec 2024
10:53 am

gustafn

avoid triggering exception, when provided host header field cannot be resolved.

Options
    • -2
    • +8
    ./security-procs.tcl
Tuesday 26 Nov 2024
9:18 am

gustafn

Avoid calls to deprecated NaviServer functions

Options
    • -22
    • +1
    ./security-procs.tcl
  2. … 3 more files in changeset.
Wednesday 11 Sep 2024
8:11 am

gustafn

merge with missing files

Options
    • -0
    • +0
    ./security-procs.tcl
  2. … 1464 more files in changeset.
Tuesday 03 Sep 2024
5:37 pm

gustafn

merge from oacs-5-10

Options
    • -421
    • +1324
    ./security-procs.tcl
  2. … 8099 more files in changeset.
2:59 pm

gustafn

small fix, when cookie times out and dotlrn is active

Options
    • -1
    • +4
    ./security-procs.tcl
Thursday 25 Jul 2024
2:50 pm

mischa

Fix default https port in security::configured_driver_info

Options
    • -2
    • +2
    ./security-procs.tcl
Thursday 18 Jul 2024
10:44 am

gustafn

Provide an API to check/set/clear the state of the regression test

The new calls are:

- aa_test_running_p

- aa_test_start

- aa_test_end

Options
    • -3
    • +3
    ./security-procs.tcl
  2. … 1 more file in changeset.
Monday 15 Jul 2024
2:04 pm

gustafn

improved spelling

Options
    • -2
    • +2
    ./security-procs.tcl
  2. … 14 more files in changeset.
Tuesday 02 Jul 2024
5:00 pm

trenner

use original provided host-header-field in log statement

Options
    • -2
    • +2
    ./security-procs.tcl
1:09 pm

trenner

escape variable in log statement

Options
    • -2
    • +2
    ./security-procs.tcl
8:45 am

trenner

Fix another variable name after refactoring

Options
    • -2
    • +2
    ./security-procs.tcl
Thursday 13 Jun 2024
4:26 pm

antoniop

Fix variable name after refactoring

Options
    • -2
    • +2
    ./security-procs.tcl
Tuesday 11 Jun 2024
7:04 pm

gustafn

fixed typo

Options
    • -2
    • +2
    ./security-procs.tcl
11:26 am

gustafn

Updated location handling

- make use of "ns_server hosts" when available

- refactored and simplified code

- keep validated locations in an nsv array

- added support for extra white-listed hosts

in case, every other configuration fails

(should not be necessary)

ns_section ns/server/$server/acs {

ns_param whitelistedHosts {...}

}

- updated inline documentation

The new code is supposed to handle in combination of a recent NaviServer

all complex host header validation scenarios, include running behind a proxy,

in a container or cluster.

Options
    • -79
    • +183
    ./security-procs.tcl
Friday 05 Apr 2024
10:28 am

gustafn

Improved readability of configuration parameter "parameterSecret"

- Switched to camelCase for better readabilty and uniformity

- NaviServer configuration parameters are case insensitive, so no danger for backward compatibility

Options
    • -6
    • +6
    ./security-procs.tcl
  2. … 5 more files in changeset.
Thursday 15 Feb 2024
5:47 pm

gustafn

security::validated_host_header: Made acceptance of configured vhosts the first check

Under certain conditions (such as running in a container, or reverse

proxy situations) the admin of a server wants to specify accepted host

names. This can be achieved in the "*/servers" section of a network

driver. These values are used now first for accepting host header

fields. This change avoids unexpected redirects to, e.g., internal

server addresses.

Options
    • -35
    • +41
    ./security-procs.tcl
Friday 01 Dec 2023
11:33 am

gustafn

improved spelling

Options
    • -2
    • +2
    ./security-procs.tcl
Thursday 05 Oct 2023
5:52 pm

gustafn

added standard parameterizations for Argon2 when supported.

Options
    • -1
    • +52
    ./security-procs.tcl
  2. … 2 more files in changeset.
Wednesday 14 Jun 2023
10:40 am

antoniop

Disable tests to check for executables on the system

Options
    • -1
    • +2
    ./security-procs.tcl
  2. … 7 more files in changeset.
Tuesday 06 Jun 2023
11:07 am

gustafn

improve spelling

Options
    • -2
    • +2
    ./security-procs.tcl
  2. … 7 more files in changeset.
Thursday 25 May 2023
11:19 am

antoniop

Document public api

Options
    • -6
    • +9
    ./security-procs.tcl
Tuesday 23 May 2023
2:36 pm

gustafn

refactor login cookie handling

The old code required repeated execption handlers.

Now, these exception handlers are on one place, and

users of sec_login_read_cookie can rely that a dict

is returned

Options
    • -97
    • +81
    ./security-procs.tcl