Forum OpenACS Q&A: OpenACS 3.2.4 Security and Details

It appears that OpenACS 3.2.4 was originally scheduled for July 20th release. The OpenACS main page implied a release date of about July 8th with the security fixes. So which is correct? Ha -- the 8th is gone...:)

It appears that Arsdigita is also dealing with the security problems. I found this interesting link on their work with the Classic ACS 3.4 upgrade.

WimpyPoint: ACS 3.4 Upgrade { www.arsdigita.com/wp/display/9605/ }

Their goals are: "We want an overhaul of the ACS, and a few other things:

  • Use the new Database Access API: prevent SQL smuggling attacks by using bind variables, instead of Tcl string interpolation, in all SQL statements. Also, we'll lay the groundwork for SQL abstraction by giving logical names to all SQL statements.
  • Remove ns_write, and use ns_return.
  • Naughty HTML checking.
  • In doing the above, we'll also get many people familiar with new ACS coding standards, and with the ACS itself."

Is it still the plan that OpenACS will skip all the "classic" stuff until version 4.0, expected on October 1st?

Thank you. -Bob

Posted by Don Baccus on
I expect 3.4 to be pretty unstable. What we'll probably want to do is to start investigating just how we can tap into things like the new database API, named queries, etc. to ease our porting problems in the future. We'll have systemic things to worry about as aD is making more and more use of SQLJ, which means we need Dan's nsjava AOLserver module working portably and robustly enough so any ol' fool (like me) can install it and have it work reliably.

Etc etc.

So I'd expect us to start working on porting issues as 3.4 rolls out, but not to attempt a full port but rather concentrate on 4.0. For instance, we need to decide what to do about bind variables. The latest style guide for aD has them buried in the API in a way that we can kludge for PG to our hearts' content, but not all DB calls in the ACS will be able to make use of that style. That style's just evolved in the last week or so - this moving-target aspect will undoubtedly live on after 3.4 is released, before things get glued down for 4.0.
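As an added illustration of the bind-variable point raised in the aD goals above and in Don's reply (example code written for this page, not taken from the thread or from the ACS source), here is the same lookup in the classic `ns_db` string-interpolation style and in the Database Access API style with a named statement and a bind variable. The procedure names `db_0or1row` and the `:name` bind syntax are assumed to be those of the ACS 4 API; `ns_db` is the AOLserver API, and the `users` table and `DoubleApos` helper are assumed from ACS 3.x.

```tcl
# Added example, not from the thread or from ACS itself.
# Contrast of the two styles under discussion: Tcl string interpolation
# into SQL (classic ACS 3.x, ns_db) versus the Database Access API with
# a named statement and a bind variable.

# --- Classic style: the caller's value is spliced into the SQL text ---
# If $email contains a single quote, the literal is closed early and the
# rest of the value is parsed as SQL. That is the "SQL smuggling" the aD
# notes refer to; the fix there was to route every value through a quoting
# proc such as DoubleApos (assumed ACS 3.x helper that doubles embedded
# quotes), and to remember to do so in every single query.
proc lookup_user_classic {email} {
    set db [ns_db gethandle]
    set selection [ns_db 0or1row $db \
        "select user_id, first_names from users where email = '$email'"]
    ns_db releasehandle $db
    if { $selection == "" } {
        return ""
    }
    return [ns_set get $selection user_id]
}

# --- Database Access API style -----------------------------------------
# The statement carries a logical name ("lookup_user"), which is what lets
# the SQL be swapped per database later. The value travels as the bind
# variable :email, taken from the Tcl variable of that name in this scope;
# the SQL text itself never contains user input, so no quoting step can be
# forgotten. On Oracle the driver binds the value; on PostgreSQL the API
# has to emulate binding by substituting a properly quoted literal, which
# is the "kludge for PG" Don refers to.
proc lookup_user_bound {email} {
    if { [db_0or1row lookup_user {
        select user_id, first_names from users where email = :email
    }] } {
        return $user_id
    }
    return ""
}
```

Reviewing for the second style is also mechanical: any `ns_db` call or any `$variable` inside a SQL string in a page is a remaining interpolation to convert.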