merge with missing files

  1. … 1464 more files in changeset.
merge from oacs-5-10

    • -1307
    • +1701
  1. … 8099 more files in changeset.
Use "ns_mkdtemp" when available to create temporary directories

  1. … 1 more file in changeset.
align naming with 'resource_info_procs'

  1. … 7 more files in changeset.
Fix potential problems when calling polymorphic SQL functions from Tcl

Some functions are defined in the database with the same number of

arguments but different types, e.g., first argument "package_key"

(type text) or "package_id" (type integer). This is fine from the SQL

standpoint, but when calling from Tcl via bind-vars

(e.g. ":package_id"), everything is passed as a string, and

potentially, the wrong function is called.

Now, all the automatically generated subs are generated with casts,

when the integer based variant must be called.

Some examples:


set s [ns_pg_bind 0or1row $__DB {select apm__set_value(:package_id,:parameter_name,:attr_value)}]

set s [ns_pg_bind 0or1row $__DB {select apm__get_value(:package_id,:parameter_name)}]


set s [ns_pg_bind 0or1row $__DB {select apm__set_value(CAST(:package_id AS integer),:parameter_name,:attr_value)}]

set s [ns_pg_bind 0or1row $__DB {select apm__get_value(CAST(:package_id AS integer),:parameter_name)}]

- bumped version number to 5.10.1b11
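
The overload resolution problem described in the commit message above, reproduced in plain PostgreSQL as an added example (not part of the commit or of OpenACS). The `demo_get_value` functions and sample values are hypothetical; it assumes the bind value reaches the server as a quoted literal and that objects are created in the `public` schema. The last query lists overloads that differ only in argument types, which are the candidates for such casts.

```sql
-- Added example: demo_get_value is a hypothetical stand-in for a pair of
-- functions with the same name and argument count but different types.
BEGIN;

CREATE FUNCTION demo_get_value(p_package_key text, p_parameter_name text)
RETURNS text LANGUAGE sql
AS $$ SELECT 'text variant, package_key=' || p_package_key $$;

CREATE FUNCTION demo_get_value(p_package_id integer, p_parameter_name text)
RETURNS text LANGUAGE sql
AS $$ SELECT 'integer variant, package_id=' || p_package_id::text $$;

-- A quoted literal has type "unknown". When candidates disagree on the
-- type at that position, PostgreSQL prefers the string category, so the
-- text overload is selected even though the caller meant a package_id.
SELECT demo_get_value('4711', 'SomeParameter');

-- With an explicit cast the first argument is an integer and only the
-- integer overload is an exact match.
SELECT demo_get_value(CAST('4711' AS integer), 'SomeParameter');

-- Audit: functions in the schema that share name and argument count but
-- have more than one signature, i.e. where an uncast string argument
-- can select a different overload than intended.
SELECT p.proname,
       p.pronargs,
       count(*) AS variants,
       array_agg(pg_get_function_identity_arguments(p.oid)) AS signatures
FROM pg_proc p
WHERE p.pronamespace = 'public'::regnamespace
GROUP BY p.proname, p.pronargs
HAVING count(*) > 1
ORDER BY p.proname;

-- Leave no demo objects behind.
ROLLBACK;
```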

  1. … 2 more files in changeset.
More resource-info updates:

- fixed wrong and inconsistent naming of dict members (many thanks to Sebastian Scheder for figuring this out)

- removed duplicated slashes in resource paths

- fixed incorrect paths when CDN is used

- simplified handling of cspMaps

- added test checking consistency of resource-info dicts

  1. … 10 more files in changeset.
::util::resources::resource_info_procs: function to improve robustness of fetching of resource info procs

bumped version number to 5.10.1b10

  1. … 1 more file in changeset.
added link to snyk advisor (bumped version to 5.10.1b9)

  1. … 3 more files in changeset.
Further simplify handling of resource_info specs

- Added convenience function "::util::resources::register_urns" to

register all URNs with CSP handling provided by a package (denoted

by its top level namespace)

- made parameter "version" in "check-installed" include optional

- bumped version number to 5.10.1b8

  1. … 2 more files in changeset.
factored out vulnerability check to make it reusable

- New proc ::util::resources::check_vulnerability

- bumped version number to 5.10.1b7

  1. … 3 more files in changeset.
improved spelling

  1. … 4 more files in changeset.
added comment

Latest released NaviServer still requires for servers using SNI that the -hostname flag is specified with ns_http, while it seems that in latest code we can omit it

The wrapper utility already takes care of this

Ease management of external js packages to automate admin tasks

- provide explicit information about optional package parameters

- make these accessible from site-wide admin pages

- provide information, how the configuration of the version number happened

- improve design of site-wide admin pages with action items

- further streamlined handling of external js packages

  1. … 18 more files in changeset.
js-libraries: improved naming of variables

Changed name "installedVersion" to "configuredVersion", since

the former might lead to the impression, that it refers only

to the locally installed version. Instead, this refers as well

to a CDN version (when available)

  1. … 18 more files in changeset.
js-libraries: removed variable "resourceUrl"

The variable "resourceUrl" was always used in a single branch but set

for all branches before. To ease maintenance and simplify

comprehension, it was removed.

  1. … 10 more files in changeset.
In essence, this change renames "version_dir" to "version_segment" as

well as "versionDir" to "versionSegment" to reflect the fact, that

this variable does not denote a directory, but a part of the path

appended to path "resourceDir".

  1. … 4 more files in changeset.
various small fixes for js libraries

- fixed page contract in case a non-default version is downloaded

- provide always an argument "-version" to resource_info procs

- obtain current version number always via resource_info.installedVersion

(it refers to CDN and locally installed version)

- pass always versionDir via resource_info to ::util::resources::download

- always obtain version_dir from resource_info

  1. … 25 more files in changeset.
Improved resource information for external libraries

- added vulnerability check for a particular version

- centralized URL generation for cdnjs URLs (will reduce maintenance work, when external URL changes)

- improve behavior when running without an Internet connection

  1. … 11 more files in changeset.
Include available version number and vulnerability check on swa pages

This eases the use of external JavaScript libraries by adding

the available version number and a link for vulnerability checks

on the site-wide admin pages (when this information is available)

- bumped version number to 5.10.1b6

  1. … 3 more files in changeset.
Made download helper more modular and added support for a version_API

a protocol relative URL is not complete, but it can be understood as external

  1. … 1 more file in changeset.
Make util_complete_url_p recognize protocol-relative URLs

After further consideration, ns_absoluteurl is actually sufficient to perform location header completion on its own and does not need a wrapper utility

  1. … 3 more files in changeset.
Streamline terminology with other occurrences in OpenACS and NaviServer/AOLserver

- the term "location" is usually used in OpenACS/NaviServer/AOLserver for the

part of a URL before the path (i.e. SCHEME+HOST+PORT)

- the new function util::absolute_url is a value-added version of NaviServer's "ns_absoluteurl".

This is now documented with its differences, and aligned with its terminology

  1. … 2 more files in changeset.
Introduce util::complete_location

This utility is meant to require the value of the Location header in an HTTP response to be completed with the host coming from a reference complete URL, which is normally that of the redirected request.

It is intended for use in the context of HTTP client APIs, where we want to handle server responses affected by https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2

  1. … 3 more files in changeset.
Added support for relative redirects

RFC 2616 requires an absolute URI in the "Location" header field. So

if someone calls "ns_returnredirect /", NaviServer transforms it on

the fly into an absolute URL by prefixing it with the location

(e.g. https://openacs.org/). NaviServer (and OpenACS) has some complex

code to compute the location value, especially when virtual servers

are involved (or for "host-node mapped" subsites in OpenACS). The

situation is further complicated when running behind a reverse proxy

and/or in a containerized environment. In such cases, the location is

computed from the "host" request header field, which must be

validated, otherwise an attacker could hijack a session and redirect

it to a spoofed site.

The situation changed 10 years ago (June 2014) with the introduction

of RFC 7231, which allows relative redirects (see

https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2). Using relative

redirects greatly simplifies configuration and closes the attack

vector using the host header field. RFC 7231 has been superseded by

RFC 9110 (June 2022), which also supports relative redirects via the

"location" response header field (see


Since OpenACS prefixed always the URL with a location, when it

encounters a relative URL in an "ad_returnredirect", this change

makes use of the new feature of NaviServer 5.

Make sure to use a current version of NaviServer, where the support

was added recently.

  1. … 1 more file in changeset.
improved spelling

  1. … 5 more files in changeset.
Improved readability of configuration parameter "parameterSecret"

- Switched to camelCase for better readability and uniformity

- NaviServer configuration parameters are case insensitive, so no danger for backward compatibility

  1. … 5 more files in changeset.
Rework of util::which

The new version deals now correctly with absolute paths,

where just the extensions are added, and it is checked

whether the program is executable.

Extended regression test to deal with optional and required

external dependencies. Missing optional external programs

produce warnings.

  1. … 1 more file in changeset.