Added listing of application specific methods to object viewer in api-doc/proc-view

This improves documentation of the caches via api-doc

… 3 more files in changeset.
Added code to skip suspicious looking query variables

On openacs.org, we are experiencing numerous requests with multiple very long and strange query variables like in the example below. So far, it is not clear whether these requests are the consequence of a double encoding or a deliberate attack. Many (most) of the requests contain query variable names containing the (decoded) pattern "*amp;*".

This is a relatively new phenomenon. I cannot exclude that this is a bug introduced lately in OpenACS, or a bug in an external bot, or whatever. The problem with these query variables is that OpenACS propagates these further, e.g., when updating query variables in ad_dimensional, via export_vars, or return_urls.

Since OpenACS never uses these query variables, these can be safely skipped, without losing functionality in OpenACS. It is possible to construct examples where skipping such variables can change the semantics. Therefore, the change introduces a single function util::suspicious_query_variable where, in case of problems, the skipping feature can be deactivated.

GET /api-doc/proc-browse?amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3borderby=name&type=All&amp%3btype=All&amp%3bamp%3btype=All&amp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3b
amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3borderby=name&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=Private&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3borderby=name&amp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3bamp%3btype=All HTTP/1.1" 200 62378 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko; compatible; FriendlyCrawler/1.0) Chrome/120.0.6099.216 
Safari/605.1.15" "1729029614.331581 0.109805 0.000434 0.004026 0.215927

… 6 more files in changeset.
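As an added illustration of the heuristic the commit message above describes (this is not the OpenACS code; the project's own Tcl function is the util::suspicious_query_variable named there), the following Python applies the "amp;" name test to a query string and to constructed access-log entries. The log lines, the /xowiki/ path and the request-line regular expression are assumptions for the demo, not taken from openacs.org.

```python
import re
from urllib.parse import parse_qsl, urlsplit


def suspicious_query_variable(name):
    """Heuristic from the commit message: a decoded variable name that contains
    "amp;" is residue of repeatedly HTML-escaping "&" and is never a name
    OpenACS itself uses, so the variable can be skipped."""
    return "amp;" in name


def split_query_variables(query):
    """Split a raw query string into (kept, skipped) lists of (name, value)
    pairs; parse_qsl percent-decodes names, so "amp%3b" arrives as "amp;"."""
    kept, skipped = [], []
    for name, value in parse_qsl(query, keep_blank_values=True):
        (skipped if suspicious_query_variable(name) else kept).append((name, value))
    return kept, skipped


# Request line inside a combined-format access log entry (assumed layout).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Count, per request path, the entries that carried at least one
    suspicious query variable. Returns {path: count}."""
    hits = {}
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if split_query_variables(url.query)[1]:
            hits[url.path] = hits.get(url.path, 0) + 1
    return hits


# Constructed sample entries (not the real openacs.org log); the first one is
# shortened from the pattern quoted in the commit message.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Oct/2024:00:00:14 +0200] "GET /api-doc/proc-browse?amp%3bamp%3btype=All&type=All&orderby=name HTTP/1.1" 200 62378',
    '203.0.113.7 - - [16/Oct/2024:00:00:15 +0200] "GET /api-doc/proc-browse?type=All&orderby=name HTTP/1.1" 200 62378',
    '203.0.113.9 - - [16/Oct/2024:00:00:16 +0200] "GET /xowiki/?amp%3bm=edit&m=edit HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    print(split_query_variables("amp%3bamp%3btype=All&type=All&orderby=name"))
    print(scan_access_log(SAMPLE_LOG))
```

The skipped list is what a site could log to see whether the phenomenon is a bot or a double-encoding bug in its own links; the kept list is what the page would actually use.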
merge from oacs-5-10

… 8099 more files in changeset.
bumped version number from development version to release version

… 93 more files in changeset.
Removed dependency on file-storage

- there was a "silent" dependency of xotcl core to the file-storage, since it used many message keys from there. User-experience of xo* was bad when no file-storage was installed.

- The message keys went to acs-content-repository and acs-kernel

- bumped version to 5.10.1b6

… 2 more files in changeset.
Removed memory leaks in the regression test

- new function ::xo::aa_check_leftovers to detect leaks as soon as possible

- made ::xo::stats better reusable by returning a dict

- extended regression test

- bumped xotcl-core to 5.10.1b5

… 3 more files in changeset.
Chat reform

The goal of these changes is to reduce the "mode" specific javascript code in the chat implementation and reduce server-side guessing of browser capabilities.

- In the MessageRelay class from xotcl-core, we rework the javascript code sent to the connection when doing scripted streaming to make less assumptions about the functions defined in the parent scope

- In the chat code from xowiki, we move most of the logic to guess the mode into javascript, where we can test the actual capabilities of the browser without relying on the user agent

- The previously 4 javascript files dependent on the chat mode have been made into one

… 7 more files in changeset.
When the mode is "streaming", use Server Sent Events instead of a "plain" endless request

This has the advantage of a clearer, less hacky api, which, for instance, does not require manual parsing of the partial response.

… 4 more files in changeset.
Implement a oneof value checker for xowiki query parameters

The ad_ filter was used to have a localized error message

… 1 more file in changeset.
bumped version numbers to 5.10.1b1

… 85 more files in changeset.
Factor out Package->process_init_parameter into package-custom-procs

This change makes it easier to provide instance specific customization.

In general, these package-custom-procs could also be kept in other packages.

… 4 more files in changeset.
Added nsf value checker "signed"

This value checker tests whether the provided value was signed with ::security::parameter::signed. If so, and when it was called with "signed,convert", it returns the value which was signed.

Bumped version number to 5.10.1d16

… 1 more file in changeset.
Make use of new API "ad_mktmpdir" and "ad_opentmpfile" instead of "ad_tmpnam"

… 5 more files in changeset.
Added support for passing parameter_name:value_constraint to xowiki::Package->get_parameter

- The get_parameter method can get values from query-parameters, therefore we have to validate these.

- Use the new feature at several places (especially for boolean values)

- Still, more places should be checked

- bumped xowiki to 5.10.1d37

- bumped xotcl-core to 5.10.1d14

… 10 more files in changeset.
new API call util::potentially_unsafe_eval_p

Check content of the string to identify potentially unsafe content in the provided string. The content is unsafe when it contains externally provided content, which might be provided e.g. via query variables, or via user values stored in the database. When such content contains square braces, a "subst" command on these can evaluate arbitrary commands, which is dangerous.

The new API call is used in "::xo::Package->return_page", where the "subst" command is stripped of its command substitution capabilities. In case command substitution is needed, perform this prior to this call.

bumped acs-tcl to 5.10.1d23

bumped xotcl-core to 5.10.1d13

… 3 more files in changeset.
xo::Table::Action: added property "CSSclass"

This property exists already for all other ::xo::Table::* widgets.

Bumped version number to 5.10.1d12

… 1 more file in changeset.
new proc "ad_log_deprecated": unified interface for logging deprecated usages

The existing code used a larger variety of different messages to denote invocations of deprecated procs and other artifacts. "ad_log_deprecated" provides a unified interface, and provides a usage hint what to use instead based on the API-doc definitions in the log-file.

… 11 more files in changeset.
Extended functionality of the DropZone widget

- added parameters "label", "disposition" and "file_name_prefix" for better configurability

- added support for updating the current page with feedback of the dropped files. This is used e.g. by the online exam in the exam protocol to display incrementally thumbnails of feedback files.

- change property "uploader" to "disposition", since "uploader" is somewhat ambiguous. "Disposition" defines what happens after the file was uploaded, e.g. whether the content has to be transformed, etc.

- bumped version number to 5.10.1d35

… 5 more files in changeset.
added proper handling of overfull recurrence rule lines

… 2 more files in changeset.
Modernize ical support

Rewritten ical support based on NX instead of XOTcl, following much closer to the standards. The interface is compatible with the old interface. Note that in case applications have subclassed/extended the xotcl-core ical support, it must be as well ported to NX (which is an easy task).

Bumped version number to 5.10.1d8

Make use of uniform styling based on adp:icon

… 20 more files in changeset.
Added NSF value-checker "cr_item_of_package" for quick checks for valid parameters

This checker is especially useful when processing external values (query-parameters etc). Since the check involves a DB lookup, it is not suited inside busy loops.

bumped version number of xotcl-core to 5.10.1d6

… 1 more file in changeset.
OrderedComposite->orderby: added argument "-type"

By the change, one can now specify the sorting type for the ordered composite. The sorting type can be "integer", "real", "index" or "dictionary" (default "dictionary"). If the sorting type is set to "index", the mixin ::xo::OrderedComposite::IndexCompare is added automatically.

Bump version number to 5.10.1d6

… 1 more file in changeset.
Added API call "CrClass ad_proc id_belongs_to_package"

The new API call is useful for checking input validity, i.e. whether the provided revision_id or item_id belongs to the specified package.

bump version number of xowiki to 5.10.1d21

bump version number of xotcl-core to 5.10.1d5

… 3 more files in changeset.
make use of "from_cache_indicator" for the per_request_cache in instantiate_forms

… 1 more file in changeset.
Provide an exception in case get_instance_from_db is called with an invalid argument combination.

Added convenience methods "::xo::db::CrClass->ensure_item_ids_instantiated"

… 1 more file in changeset.
Separate csv formatting and csv sending to increase reusability

… 1 more file in changeset.
added slot type "range" similar to page-contract-filter for improved value checking

… 1 more file in changeset.
fix release dates in .info files

… 82 more files in changeset.
release work

… 204 more files in changeset.