• last updated 22 mins ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Harden page contract

  1. … 2 more files in changeset.
download-archive reform

File-Storage used to generate downloaded archives in tgz format, to then switch to zip, more user-friendly, in particular outside the Linux world (See https://openacs.org/forums/message-view?message_id=557561). To ease the transition, a couple of parameters and relative API were introduced that would allow to choose the preferred command one should use. During this reform however, default parameter values in the tcl code became inconsistent with those in the info file. Furthermore, the chosen defaults were set as absolute paths to the executable, which is not friendly to non-linux environments, or other scenarios where the "typical" Linux filesystem structure cannot be assumed (e.g. containers, MacOS...).

The only usage of this parameters/api was in fact in the download-archive vuh. In upstream codebase, no package references this file, not even the file-storage itself. Upon review, one could see that the file would also allow to specify a custom download filename via the path, which could be considered questionable. It would also execute the command in a way that once again assumes some form of Linux environment (e.g. invoking bash).

Save for the ability to customize the archive format and the anti-feature of being able to manipulate the archive filename via the path, the script largely relplicates www/download-zip, in a better shape after a few reforms hinted by e.g. penetration tools.

Given the aformentioned considerations, I have decided to make download-archive a simple redirect to download-zip. Specifying the object_id via the path will keep working, while URLs out there expecting the name to change will not fail, but the name will not be modified. The archive format will from now on be assumed to be zip.

  1. … 4 more files in changeset.
Improved consistency with external programs

Since "unzip" is used as well on various other places,

use it as well in the file storage. This means that

the parameter "UnzipBinary" for the file-storage package

is now obsolete.

  1. … 1 more file in changeset.
strengthen boolean parameters in page contracts

  1. … 23 more files in changeset.
Make values optional, as the user should supply them via the form

Reintroduce "short_name" list element in the folder-chunk, used in the list format and not exactly equivalent to "name"

regenerated documentation

  1. … 294 more files in changeset.
Sign the return_url we set when we generate a zip file to prevent tampering

Make sure, that also when the number of days is supplied as empty, we set it to a valid default

harden page_contract

Deprecate trivial fs::get_archive_extension and inline its only upstream occurrence

  1. … 1 more file in changeset.
check permission before adding file to zip directory

Improve validation

Fix typo

Refactor the query in the folder-chunk page so that on postgres one can enforce permissions in bulk, rather than for each file

Make use of new API "ad_mktmpdir" and "ad_opentmpfile" instead of "ad_tmpnam"

  1. … 2 more files in changeset.
Make use of new API "ad_mktmpdir" and "ad_opentmpfile" instead of "ad_tmpnam"

  1. … 4 more files in changeset.
provided a helper proc to query the mapping of a generic icon name to a concrete

This function is necessary in boundary cases, where e.g. a display_template passes the generic

name of the icon via template variables which have to be

@-substituted before adp-tag resolution, which performs the

regular icon name mapping (otherwise, the tag resolver receives

e.g. ...name=@icon@...)

  1. … 3 more files in changeset.
prefer adp:icon over old-style .gif images

  1. … 2 more files in changeset.
Don't go to the cache to tell if a command is available

Don't go to the cache to tell if commands are available

Don't go to the cache to tell if the views package is installed

Test the behavior of the file-storage when a malicious user would try to store a pre-existing file on the server as its own

The fix for the file-storage is a simple validation to make sure that the tmpfile exists, however, for the generic case of the file widget, we cannot trust the tmpfile value when this was not generated by the server. This will probably cause regression when one wants to show a "preview" of a form, to be continued.

  1. … 2 more files in changeset.
Prevent names made only of invalid characters to end up null after sanitization, as done in other UIs in this package

improve validation

provide missing value for inform widget

improve validation

Make use of util::file_content_check and check also in other cases

This change also covers the case, where the checkmark for uploading

zip files was added marked in "upload file". It will also report

errors which were silently swalled before.

Bumped version number to 5.10.1d1

  1. … 1 more file in changeset.
provide value attribute

added validator for zip files