security-procs:

- fix broken comparisons when "UseHostnameDomainforReg" is set (see also issue #3293).

- don't use string match/regsub when manipulating URLs (causes troubles with IP-literal notation). Instead, use "eq" or "util::split_location"/"util::join_location"

- added means to ease debugging of login_urls and login_cookie: variables "::security::log(login_url)" and "::security::log(login_cookie)" contain the log severity. By setting these to e.g. "notice", this does not require to activate full debugging (setting severity to debug) in order to obtain log output.

- added new function "util::join_location" as counterpart of "util::split_location" to use IP-literal notation when necessary (IPv6). The function can be used in connection with "util::split_location" to substitute hostnames/ports etc. in full urls instead of insecure regsub operations.

- function "util::external_url_p":

  * don't use "string match" for comparing locations, since this will fail with IP-literal notation

  * no need to compare with encoded name (if needed, one should provide an option).

- update dependencies, otherwise the update order in large updates is not correct

- get rid of the pesky "MISSING FORMWIDGET: ...formbutton:ok" message

- address bug #3293: actual code in oacs-5-9 used full host header (from request header fields) which might contain port. db-query is now performed without the optional port

- improve Tcl coding (use defaults, break long lines)

Prefer ns_quotehtml over ad_quotehtml, and quote fixing.

Value of within ad_quotehtml to avoid possible XSS attacks.

Added subst fixing acs_ListCheckAll variable substitutions not working.

hidden_p is a boolean now, therefore rewriting the case clause of portal::configure_dispatch.toggle_tab_visibility

file upgrade-2.9.1d2-2.9.1d3.sql was initially added on branch oacs-5-9.

Deleting old definition of portal_page__new/11

- removing dead assignment

- security::validated_host_header: Handle aliases for locations, which cannot be determined from config files, but which are supposed to be ok

- fix for openacs.org site bug #101

Improving root_of_host_

- reduce dependency of the paths in the configuration script

- treat not only http, but as well https locations

- improve comments

- don't report urls in security::locations obtained from https drivers which are loaded but not listening (identifiable via port number 0)

- don't add explicit permissions for swa users on permission

- add etp__create_extlink/5 as in use on openacs.org

- add backwards compatible stub etp__create_extlink/4

- bump version number to 1.9d5

- fix spelling of variable name

- don't complain in rp_lookup_node_from_host when passed-in host is empty (return empty node_id as well)

- Make parsing of "Accept-Language" header fields more robust: ignore spaces after the comma, ignore wildcard value "*"

- Accept locales as syntactically correct when these contain numeric values (such as e.g. "es_419" for “Latin American Spanish”). Since lang::conn::valid_locale_p is used in lang::conn::get_accept_language_header, OpenACS throws exceptions on invalid locales, these caused problems even when these are low on the preference list of the Accept-Language header field.

- modernize SQL

- reflow long lines

- quote subst-ed values

- fix bug showing up with acs-messaging: some installations did not have wrapper version for acs_message__new/16. get rid of it and use default in /17 version

file upgrade-5.9.0-5.9.1d1.sql was initially added on branch oacs-5-9.

Fixed missing $

- proc get_referrer: add optional flag "-relative" to return the referrer without protocol and host

- make sure to release all unused handles before finalize