Forum Release Management: acs-core (changes between 5.10.0 and 5.10.1)

Changes in the acs-core packages between OpenACS 5.10.0 and 5.10.1

New Features

  • Security and Privacy Posture Overview: In response to a wish expressed by OpenACS users at the last OpenACS conference, a "Security and Privacy Posture Overview" was added. It offers a quick overview of the state of the system and eases access to the parameters scattered over different packages in the system. The page offers:
    • Quick overview
    • Check of security and privacy relevant package parameters
    • Permission and accessibility check of mounted packages
    • Response header check
    • External library check (CDN vs local usage, vulnerable or outdated libraries)
    The page is linked from the site-wide-admin page (/acs-admin).
  • Stronger Password Hashes for OpenACS (commit fe2bdb547, 8eee6a932, 52d2c997e, 62d969c85): New password hash functions were introduced alongside the pre-existing "salted-sha1". The new algorithms are named "scram-sha-256", "scrypt-16384-8-1", "argon2-argon2-12288-3-1", "argon2-rfc9106-high-mem", and "argon2-rfc9106-low-mem". The algorithms require a recent version of NaviServer and a recent version of OpenSSL, which serves as the crypto library. This feature enhances security against brute-force attacks on password hashes (when the database is compromised). The preference order of the password hash algorithms is set via the kernel package parameter "PasswordHashAlgorithm": the first available algorithm is taken from the preference list, and hash re-coding happens automatically at the next login.
  • Setting of CSP rules based on MIME types (commit 6bc253f1e, commit 94b8513ae): This is necessary to mitigate certain attacks on static SVG files uploaded to, e.g., the content repository. For example, add the following to the ns/server/$server/acs section of your NaviServer configuration file: ns_param StaticCSP { image/svg+xml "script-src 'none'" }
  • Cookie Namespaces (commit ce1573ed8): Important when multiple OpenACS instances are served from the same domain name but different cookies have to be used.
  • New Tags for Templating (commit c129c89ec, 996740672, e9cae22dc, c7705c68b, a85ea7301, 58ad43055, 737da5514, a05813ec7, 110b2f5d6, 7011c8fd9, 286fd9e58, 927d9d5ef): Added new ADP tags adp:icon and adp:toggle_button for rendering icons and toggles with homogeneous theming and appearance.
  • Better Automated Site Configurability: Support for installing themes from install.xml (commit 2f9761160).
  • Dynamic Cluster Nodes and Cluster Infrastructure (commit 5738761db, 7cbc3e63c, 1a7a7656c, 3faceddc4, 5fba13c0f): Added support for dynamic addition and removal of nodes in an OpenACS cluster. In contrast to static cluster nodes, the IP addresses of dynamic cluster nodes do not have to be provided at startup time. The changes introduce new admin pages and further configuration options.
  • Caching Deactivation (commit 75c3f2b25): Caching via the ns_cache infrastructure can be deactivated by setting the NaviServer configuration variable cachingmode to none. The change modifies per_thread_cache to behave like a per_connection_cache. This option is useful for cluster configurations when legacy components do not handle cache coherency (e.g., via acs::clusterwide).
  • Support for Cloud Identity Providers (commit e506dee05, fd7af8d17, 06954d83b): Additional identity providers can be added as secondary registries (e.g., MS Azure via oauth2), to support, e.g., logins via the classical register page and via a cloud registry (requires package xooauth for full functionality).
  • Client-side double click prevention (commit 5f2edeec2a9a831, 916d365aa11f2d): This change makes it possible to provide double click prevention for HTML elements via the CSS class "prevent-double-click". The double click prevention deactivates a button or an anchor element for a short time after a click (by default for 1s) and ignores further clicks during this time window. The time window can be specified via the data element oacs-timeout.
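
The preference-list behaviour described under "Stronger Password Hashes" above (first available algorithm wins, stored hashes are re-coded at the next successful login) can be sketched as follows. This is an added Python example, not OpenACS or NaviServer code; the record layout, the function names and the salted SHA-1 construction are assumptions made for illustration, and only the algorithm names come from the list above.

```python
import hashlib
import hmac
import os

def _salted_sha1(pw, salt):
    # Illustrative legacy construction (assumption), not OpenACS's exact encoding.
    return hashlib.sha1(pw + salt).digest()

def _scrypt(pw, salt):
    # "scrypt-16384-8-1" read as N=16384, r=8, p=1.
    return hashlib.scrypt(pw, salt=salt, n=16384, r=8, p=1, dklen=32)

# Algorithms this runtime can compute; a name missing here is "not available".
AVAILABLE = {"salted-sha1": _salted_sha1}
if hasattr(hashlib, "scrypt"):  # only present when the linked OpenSSL has scrypt
    AVAILABLE["scrypt-16384-8-1"] = _scrypt

def pick_algorithm(preferences):
    """Return the first entry of the preference list that is available."""
    for name in preferences:
        if name in AVAILABLE:
            return name
    raise RuntimeError("no configured password hash algorithm is available")

def make_record(password, algorithm):
    """Create a stored credential (hypothetical layout) with a fresh salt."""
    salt = os.urandom(16)
    digest = AVAILABLE[algorithm](password.encode(), salt)
    return {"algorithm": algorithm, "salt": salt, "hash": digest}

def login(record, password, preferences):
    """Verify with the stored algorithm; on success re-code to the preferred one.

    Returns (ok, record). A failed login never touches the stored hash.
    """
    fn = AVAILABLE.get(record["algorithm"])
    if fn is None:
        return False, record
    candidate = fn(password.encode(), record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    wanted = pick_algorithm(preferences)
    if record["algorithm"] != wanted:
        # The plaintext is only known at login time, so re-hash here.
        record = make_record(password, wanted)
    return True, record

# Constructed preference list: the argon2 entry is skipped because this
# runtime has no implementation for it.
PREFS = ["argon2-rfc9106-high-mem", "scrypt-16384-8-1", "salted-sha1"]
```

Accounts that never log in again keep their old hash, so the share of records still stored under the legacy algorithm is worth monitoring after such a migration.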

Reforms

  • lc_time_tz_convert: Enforce ISO format for dates and other changes (commit 9a5b5cd97).
  • template::element validation reform to improve validation on fields (commit 87919f923).
  • Provide timeouts for caching operations to improve liveness also when certain calls are hanging (commit 22cd530d4).
  • Form widget attributes reform consolidating logics for merging tag attributes (commit 3a7fc6a8e).
  • Streamlined resource_info handling by adding versioning and better management of external library dependencies. External libraries can be used from a CDN or downloaded. The versions are checked for vulnerabilities, which are reported via the posture overview and package-specific site-wide admin pages.

Configuration Changes

  • Set the (default) theme package on the subsite upon installation (commit 0ff7101b3).
  • Improved clusterwide operations with new configuration parameters (commit 5738761db).
  • New configuration options CSSToolkit and IconSet for acs-subsite (commit fc56a275b).
  • Support specification of allowed tags/attributes/protocols via global package parameters (commit 657cef99a, fc46466e3).
  • Made ad_html_security_check configurable (commit bc63ee424).
  • Support for memory units as default cache sizes (commit 68c853abd).

Bug Fixes

  • Fixed missing update_content-lob.set_content (commit a3effac23, 4ce8e9fae).
  • Fixed incorrect HTTP status code on result page (commit 636226cb2).
  • Fixed signature of service contract implementation (commit b9f0c541c).
  • Fixed implementation of ad_acs_admin_node (commit 34a823c51).
  • Fixed reference in doc (commit e596b46f8).
  • Fixed ad_approval_system_inuse_p implementation (commit bd8afdeeb).
  • Fixed self-inflicted bug in form variable specification (commit 79e6df943).
  • Fixed a bug in db_multirow_group_last_row_p (commit aafd1db58).
  • Fixed issue with ns_parseurl in util::split_location (commit aee571ad1).
  • Various fixes for Oracle 19c compatibility issues (numerous commits).
  • Fixed broken function_args definition and other issues (commit 83e45f9b5, d166927d2, etc.).
  • Fixed a bug in db_driverkey when OpenACS connects to multiple databases, involving the removal of per-thread caching (commit 18e656b00).
  • Fixed and generalized version_dir handling for download of external resources (commit 8e9a6a5c8).
  • Fixed selector for click all list callback in core.js (commit 00b9db614).
  • Fixed a bug in db_foreach with -column_set flag (commit 95e8970d7).
  • Handle null dates in core.js (commit 1dd928238).
  • Fixed issues in SQL function calling to avoid incorrect function selection due to typecasting issues (commit bc33e9938).
  • Corrected problems with session handling in cluster mode and fixed cache coherency issues in clustered environments (commit c0a1cf7b9).

Improvements

  • Performance Improvements

    • New partial index for a common query in acs-tcl (commit aaaf86adb).
    • Implemented ad_html_security_check based on ns_parsehtml (commit 387f3de3e).
    • Added support for NaviServer built-in ns_trim -prefix (commit 500099e0).
    • Change in storing and displaying util user messages (commit bb0702bf3).
  • Security Improvements

    • New API ad_mktmpdir and ad_opentmpfile (commit a10b55d3d).
    • Added support for elliptic curve certificates (ecdsa) when the lets-encrypt module from NaviServer is used (commit 2c40f1d9d).
    • Hardened page contracts, added many constraints to address potential SQI and XQL etc. attacks (many commits, e.g. 8eee6a932, d4846d106)
    • Issue a warning when parametersecret is not set (commit 0ec8f0183).
    • Safe creation of temporary directories (commit d25ff6593).
    • Upgraded internal use of JavaScript and HTML standards to improve security and performance (commit e68a73c92).
  • Additional Filters for Page Contracts

    • Introduced ad_page_contract filter object type (commit 2f9d127a0).
    • Introduced a new clock page contract filter (commit 5544faffc).
    • Introduced new tmpfile page contract filter (commit 1a179e9bc).
    • Allow more characters in argument specs (commit f952d9d5e).
  • Code Refactoring

    • Added a new procedure ad_log_deprecated for unified logging of deprecated usages (commit 0e03b3358).
    • Improved configurability of LockfreeCache (commit 9bc412576).
    • Reform of site-nodes-procs for improved clarity and ease of maintenance, esp. Oracle (commit 3fe93032e).
    • Update of SQL function calls via API, made it callable during initial bootstrap (commit ad97aa747).
    • Modernization of idioms and cleanup of deprecated code (e.g., commit a5c537515, e68a73c92, 1d1ff8c4e).
    • Improved documentation, localization updates, and typo fixes (e.g., commit 5c23325a3, f3590415f, 7a97e0ea0).
    • Phased out outdated procedures and functions that were superseded by more efficient and secure implementations (e.g., commit 6272226b6).
    • Deprecated old APIs that no longer align with modern security practices or performance standards (commit cd0af7373).
    • Removed legacy support for certain outdated browser features and replaced them with modern alternatives (commit a1a7c22a7).
    • Further reduced divergence between Oracle and Postgres SQL. Target version of Oracle could be 12.*, as Extended support ends in 2022 (see https://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf). This change implies:
      • change "limit ... rownum ..." to standard "fetch first ..."
      • use Postgres schemas where available for stored procedures so that they can be invoked with the same Oracle idiom
  • Miscellaneous

    • Message keys for content repository (commit 2f89a971a).
    • Make util::join_location usable for UDP and SMTP (commit 01b5c0d61).
    • Zero-dependency implementations of Modal and Tooltip using CSS and JavaScript (commit db0f52664, 02bfffbb2).
    • Deprecation of specific functions and APIs in favor of modern replacements (e.g., commit 4493f07b9, 6db041083, 94c505b01).
    • Extended API: Introduced new API functions like ad_unless_script_abort, aa_silence_log_entries, and util::json2dict to enhance error handling and logging cleanliness (commit aeb027aeb, f455d60c6, e9298cf02).
    • Expanded timezone data and improved internationalization features, including better locale management and updated localization data (commit 828ab0bd4, 47d478bcf).
    • Added support for listing registered URNs (per package on the site-wide admin page of a package, full set on the admin page of acs-templating).
    • Added support for relative redirects (commit 867d9441e).
  • Regression Test:

    • The regression test was substantially extended and in part reworked.
    • The test now includes checks for resource leaks (tDOM documents and nodes, temporary objects, ...) and leaves less garbage in the /tmp directory.
    • For the major packages (core and application packages), the tests run without reporting errors.
    • For these packages, the system.log is now also free of error messages (e.g., when handling cases in the test that are supposed to fail).

New Packages

  • bootstrap-icons
  • caldav
  • captcha
  • fa-icons
  • highcharts
  • openacs-bootstrap5-theme
  • For a description of all packages, see: https://openacs.org/repository/5-10/

Version requirements

  • Require NaviServer (i.e. drop AOLserver support). Rationale: AOLserver cannot be compiled with the required modules with recent Tcl versions. Trying to backport NaviServer compatibility functions seems to be overkill for the OpenACS project.
  • Bootstrap 3 reached EOL in 2019 and Bootstrap 4 reached EOL in 2022, so we should migrate to Bootstrap 5 (details: https://github.com/twbs/release).
  • Require Tcl 8.6.2, XOTcl 2.1, PostgreSQL 12 (PostgreSQL 11 EOL: November 23), tdom 0.9
  • Support for fresh installations on Oracle 19c (for details, see: oacs-5-10-on-oracle-19c)