Forum OpenACS Q&A: Fixing charset issues when upgrading AOLserver 3.0+ad5

Request notifications

I am trying to upgrade an ACS classic 3.4.8-based system from
AOLserver 3.0+ad5 to 3.5.6 .  Everything is OK except that
TCL strings are sent back to HTTP clients as raw UTF8, so 8-bit
characters are expanded into multiple bytes.  I need to restore
the old behaviour.  The TCL-Oracle data interface has not changed,
it just the way

There is no shortage of articles about this, but there are so many
aspects to the problem my head is starting to spin and I am not
getting a clear picture of what I need to do.  It might help if I could
ask a few questions.

Should I upgrade all the way to AOLserver 4.0 (despite it apparently
being still in beta)?

Will I need to patch AOLserver 3.5.6 (eg. with Pierre Asselin's patches
at http://empoweringminds.mle.ie/openacs/ad13/i18n.patch.txt)?

Is the solution to fix the INI file with charset parameters, or do I
need to go through the TCL source adding calls to ns_startcontent
(or similar)?

Thanks in advance,

Jeremy Henty

Collapse
Posted by Jade Rubick on
I'd upgrade to Aolserver 3.3+ad13 instead.

Aolserver 4 if you don't need SSL.

Thanks Jade.  Are there any security issues with 3.3+ad13?  The
motivation for this upgrade is a security review that highlighted
several vulnerabilities in our current version.  Most were fixed
after 3.2, so upgrading to 3.3+ad13 is definitely a good idea,
but there is still this one: http://www.securityfocus.com/bid/4535
which seems to be utstanding for all versions.  Anyone know if
there is a patch?

Thanks again, this has been driving me nuts.

Jeremy

Having problems finding Aolserver 3.3+ad13 .  I am building
aolserver3.3oacs1.tar.gz .  Will this do the job?

Regards,

Jeremy

Collapse
Posted by Jade Rubick on
Yes
Collapse
6: AOLserver security (response to 3)
Posted by Andrew Piskorski on
Jeremy, the security issue you mention above has been discussed here many times, including in April 2002, Nov. 2002, and June 2003.

It's a small bug in the the external database driver interface, which AFAIK no one using OpenACS ever uses at all. The Oracle and PostgreSQL database drivers are "internal" drivers and are not effected. In the unlikely event that you are using an "external" database driver of some sort with AOLserver, then you might want to patch that bug.

To the best of my knowledge there are no known security problems with AOLserver 3.3+ad13, at least not as used by OpenACS.

Collapse
7: Re: AOLserver security (response to 6)
Posted by Jeremy Henty on
Thanks Andrew, that is really helpful!

Regards,

Jeremy Henty