OpenACS / openacs-4 / packages / acs-tcl / tcl

security-procs.tcl

Tools

Line History

Line Count Graph
Line Count Graph

Stats

Commits this week: 0
Total Committers: 20
Last Commit: 11 Feb 19
Commits this week: 0
Total Lines of Code (LoC): 2,822
Net change in LoC this week: 0

Commit Activity

Commits By Day In Week
52 week commits volume
Commits By Day In Week
Commits by day
Commits By Day In Week
Commits by hour
Commits By Hour In Day
Commit calendar
 

Most active committers (90 days)

loading
loading
  • last updated 16 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Sunday 26 Jan
6:10 pm

gustafn

remove useless semicolon

Options
    • -6
    • +6
    ./security-procs.tcl
Thursday 28 Nov 2019
1:10 pm

gustafn

provde a global variable as transitional code for controlling passing of password as query variable

Options
    • -1
    • +11
    ./security-procs.tcl
  2. … 2 more files in changeset.
12:06 pm

gustafn

don't pass sensitive information (e.g. password) as query variable, but use client properties instead.

see also issue #3344

Options
    • -1
    • +18
    ./security-procs.tcl
  2. … 5 more files in changeset.
Saturday 16 Nov 2019
4:45 pm

gustafn

moved "populate_secrect" to "sec_*" prefix to reduce clobbering of global namespace

Options
    • -7
    • +7
    ./security-procs.tcl
  2. … 6 more files in changeset.
Wednesday 13 Nov 2019
6:04 pm

gustafn

addres kernel_id always via variable rathen than via method

Options
    • -11
    • +32
    ./security-procs.tcl
Tuesday 05 Nov 2019
11:12 am

gustafn

backport security patch from oacs-5-10

Options
    • -1
    • +12
    ./security-procs.tcl
  2. … 1 more file in changeset.
Monday 04 Nov 2019
6:30 pm

gustafn

add IPv6 loopback address as well as "always accepted" for web testing

Options
    • -2
    • +2
    ./security-procs.tcl
Saturday 02 Nov 2019
5:09 pm

gustafn

allow always 127.0.0.1 in logindata as valid peer

Options
    • -5
    • +5
    ./security-procs.tcl
Thursday 31 Oct 2019
7:15 pm

gustafn

don't trust login_cookie, when no session_cookie is provided

Options
    • -1
    • +13
    ./security-procs.tcl
7:11 pm

gustafn

improve cross references in apidoc

Options
    • -4
    • +16
    ./security-procs.tcl
  2. … 1 more file in changeset.
Monday 19 Aug 2019
12:44 pm

gustafn

improve spelling

Options
    • -11
    • +11
    ./security-procs.tcl
  2. … 1 more file in changeset.
Saturday 10 Aug 2019
4:33 pm

gustafn

improve spelling

Options
    • -2
    • +2
    ./security-procs.tcl
  2. … 15 more files in changeset.
Tuesday 16 Jul 2019
9:01 pm

gustafn

use the random number generator from OpenSSL, when available

Options
    • -6
    • +7
    ./security-procs.tcl
  2. … 1 more file in changeset.
Wednesday 03 Jul 2019
7:32 pm

gustafn

make debugging line more meaningful

Options
    • -3
    • +3
    ./security-procs.tcl
Thursday 25 Apr 2019
8:53 am

michaela

Delete unneeded line

Options
    • -2
    • +1
    ./security-procs.tcl
Wednesday 24 Apr 2019
6:29 pm

gustafn

improve protection against attacked cookies

Options
    • -3
    • +3
    ./security-procs.tcl
Monday 25 Mar 2019
7:38 pm

hectorr

CSP: allow frame-ancestors

Options
    • -3
    • +3
    ./security-procs.tcl
Monday 18 Mar 2019
4:09 pm

gustafn

CSP: add default rules for form-action and frame-ancestors

Options
    • -1
    • +4
    ./security-procs.tcl
Sunday 10 Mar 2019
10:34 pm

gustafn

improve spelling

Options
    • -3
    • +3
    ./security-procs.tcl
  2. … 14 more files in changeset.
10:12 pm

gustafn

improve spelling

Options
    • -2
    • +2
    ./security-procs.tcl
  2. … 6 more files in changeset.
Saturday 23 Feb 2019
3:31 pm

gustafn

CSP: add connect-src default rule

Options
    • -1
    • +2
    ./security-procs.tcl
Tuesday 19 Feb 2019
10:49 pm

gustafn

keep chain on session_ids in case the sessions change

Options
    • -14
    • +20
    ./security-procs.tcl
Sunday 17 Feb 2019
1:19 pm

gustafn

- ad_set_cookie: add option "-samesite" and use it, when the server supports it (NaviServer 4.99.18)

- use "-samesite strict" per default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from

sending this cookie along with cross-site requests to mitigate cross site

scripting attacks. Permissible values are [term strict], [term lax],

or [term none] (default). While the value [term strict] prevents

sending the cookie to the target site in all cross-site browsing

context, the value of [term lax] allows sending the cookie when the

user clicks on regular links. For details, see

https://www.owasp.org/index.php/SameSite

This cookie flag is not yet part of an RFC, but most major browsers

support it. Browsers that do not support it, ignore the flag

silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flags, in order to

provide backward compatibility, the flag can't be activated by

default on all cookies.

Options
    • -1
    • +3
    ./security-procs.tcl
  2. … 2 more files in changeset.
Friday 15 Feb 2019
5:27 pm

gustafn

activate warnings in case the old IE bug is still around

Options
    • -2
    • +6
    ./security-procs.tcl
2:25 pm

gustafn

ad_sign: generalize last ad_sign handling to

allow user and csrf binding

Options
    • -18
    • +29
    ./security-procs.tcl
  2. … 4 more files in changeset.
12:03 pm

gustafn

ad_sign: new optional parameter "user_binding"

The parameter user_binding allows to bind a signature to a user.

When the value is "-1" only the user who created the signature can

obtain the value again. A value of 0 (default) means no user binding.

The permissible values might be extended in the future.

bump version number to 5.10.0d24

Options
    • -10
    • +39
    ./security-procs.tcl
  2. … 2 more files in changeset.
Monday 11 Feb 2019
12:52 pm

gustafn

improve comments, make function private to avoid confusions

Options
    • -2
    • +9
    ./security-procs.tcl
Wednesday 30 Jan 2019
10:16 pm

gustafn

switch from security::nonce_token to ::security::csp::nonce and update comments

Options
    • -9
    • +9
    ./security-procs.tcl
Tuesday 15 Jan 2019
7:30 pm

gustafn

replace broken redirect with standard redirect function (auth::require_login)

Options
    • -9
    • +8
    ./security-procs.tcl
Saturday 22 Dec 2018
11:24 am

gustafn

no need for eagerly releasing handles

Options
    • -2
    • +1
    ./security-procs.tcl