- ad_set_cookie: add option "-samesite" and use it, when the server supports it (NaviServer 4.99.18)
- use "-samesite strict" per default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from sending this cookie along with cross-site requests to mitigate cross-site scripting attacks. Permissible values are [term strict], [term lax], or [term none] (default). While the value [term strict] prevents sending the cookie to the target site in all cross-site browsing contexts, the value of [term lax] allows sending the cookie when the user clicks on regular links. For details, see https://www.owasp.org/index.php/SameSite

This cookie flag is not yet part of an RFC, but most major browsers support it. Browsers that do not support it ignore the flag silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flags, in order to provide backward compatibility, the flag can't be activated by default on all cookies.
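Added here as an illustration, not code from NaviServer or OpenACS: a Python model of the browser-side rule the commit describes. It parses a Set-Cookie header of the kind ns_setcookie emits with -samesite and decides whether the cookie travels with a request; it assumes that "the user clicks on regular links" corresponds to a top-level navigation with a safe HTTP method, and the cookie names and header strings are constructed.

```python
"""Model of how a browser applies the SameSite cookie attribute.

Rules as stated in the commit text: strict is never sent on cross-site
requests, lax is sent only when the user navigates via a regular link
(modelled as a top-level navigation with a safe method), none always
sends. A missing attribute is treated as none, matching the default.
"""
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
SAMESITE_VALUES = ("strict", "lax", "none")


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    samesite: str  # one of SAMESITE_VALUES


def parse_set_cookie(header: str) -> Cookie:
    """Parse 'name=value; Attr; Attr=val' into a Cookie (SameSite defaults to none)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    samesite = "none"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "samesite":
            val = val.strip().lower()
            if val not in SAMESITE_VALUES:
                raise ValueError(f"unknown SameSite value: {val!r}")
            samesite = val
    return Cookie(name.strip(), value.strip(), samesite)


def browser_sends(cookie: Cookie, *, cross_site: bool,
                  top_level_navigation: bool, method: str) -> bool:
    """Return True if a SameSite-aware browser would attach the cookie."""
    if not cross_site:
        return True  # same-site requests always carry the cookie
    if cookie.samesite == "strict":
        return False  # withheld on every cross-site request
    if cookie.samesite == "lax":
        # only a regular link click (top-level navigation, safe method);
        # cross-site form POSTs, fetch/XHR and subresource loads get nothing
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True  # none: pre-SameSite behaviour, sent everywhere


if __name__ == "__main__":
    # constructed header, as a signed cookie set with "-samesite strict" would look
    signed = parse_set_cookie("example_session=v1.sig; Path=/; HttpOnly; SameSite=Strict")
    print(browser_sends(signed, cross_site=True, top_level_navigation=True, method="GET"))
```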

activate warnings in case the old IE bug is still around

ad_sign: generalize last ad_sign handling to allow user and csrf binding

ad_sign: new optional parameter "user_binding"

The parameter user_binding allows binding a signature to a user. When the value is "-1" only the user who created the signature can obtain the value again. A value of 0 (default) means no user binding. The permissible values might be extended in the future.

bump version number to 5.10.0d24

Bring files on oacs-5-10 in sync with HEAD

Whitespace changes + editor hints

Replace/remove deprecated proc 'db_null' and update doc accordingly

Deprecate 'db_nullify_empty_string', essentially just returning the same string it receives

Deprecate 'db_null'

parameter::get_from_package_key: check as well in "global" package parameter and make clear that lookup from non-singleton packages does not make sense.

fix typos

improve comments, make function private to avoid confusion

improve comment

follow usual naming conventions

Ease usage of util_memoize during startup. Let util_memoize succeed even when the cache is not yet created

use separate urlspace for site-node cache to reduce lock contention

prefer inline SQL over generic xql to make apm code usable during initialization

ad_form reform:
- use actual flags instead of parsing arguments all the time
- retrieve proc flags from ad_proc definition (TODO: have some api for this?)
- follow the thread of peculiar ad_form logic to fix new csrf signing feature
- improve documentation using @param instead of manual formatting
- leave some note to travellers in the code

Fix typo (thanks to Thomas Renner)

reflow overlong lines in comments

ad_form: Add optional parameter -csrf_protection_p (defaults to false)

white space changes

simplify code

Clean up no longer relevant comments, remove idiom meant to work in the context of a db_with_handle we are not using anymore

Reuse already existing db_list_of_ns_sets inside db_foreach and db_list_of_lists, as it uses the most native return type: the ns_set

reduce verbosity

Operate on the original list to avoid possible memory footprint inflation via lrange

Exploit new -with_headers flag in db_list_of_lists to reimplement db_foreach in a way that only one db handle is used

Advantages:
- api is now transaction safe (with respect to database operations executed in the code block)
- nested db_foreach statements won't risk occupying all available handles anymore

Possible drawbacks:
- query result needs to be completely stored inside a list before looping
- calling stack is now one level deeper...

This passes automated tests

Reduce code duplication

Introduce -with_headers flag in db_list_of_lists so the names of the returned columns can be returned as well, as the first list in the result