Forum OpenACS Development: OpenACS 5.10 Roadmap?

Request notifications

Collapse
Posted by Frank Bergmann on
Hi,

Gustaf wrote in the thread about "XSS / Reflection with return_url":

Yes it is true, that OpenACS 5.9 had some potential security flaws (you can say this about every web application package released a few years ago)

I've seen that there is a new oacs-5-10 branch, but I didn't see a roadmap or a list of issues that are missing? Do you have a proposed release date, or similar information?

I understand that we'd have to upgrade ]po[ to OpenACS 5.10 in order to get these CSP security features?

Cheers
Frank

Collapse
2: Re: OpenACS 5.10 Roadmap? (response to 1)
Posted by Gustaf Neumann on
Our plan was to have oacs-5-10 ready at the time of the joint EuroTcl/OpenACS conference in July. We were side-tracked the last weeks by the COVID-19 crisis, we might have to reconsider that date, when we want to get everything into that release.

OTOH, the current version in the oacs-5-10 branch is very stable. We use this in production in the LEARN system of WU, it is also on use on openacs.org. So when we strip down our goals for the release, we will be able to meet our original plans.

The best summary we have right now is:
https://openacs.org/xowiki/openacs-todo

Collapse
3: Re: OpenACS 5.10 Roadmap? (response to 2)
Posted by Frank Bergmann on
Hi!

There are quite a number of ToDos...
I understand you going to stay upward compatible, for example on these planned parameter improvements?

In ]po[ we'd be mainly interested in these security improvements with CSP and ad_page_contract, in order to produce a ]project-open[ V5.1 exclusively with security focus. And not break the running system with incompatibilities...

But from what I see that may still take quite a while, is that correct?

Cheers
Frank

Collapse
4: Re: OpenACS 5.10 Roadmap? (response to 3)
Posted by Gustaf Neumann on
Most of the items of the agenda page are already done; a few elements are moved to postponed, i think, there is just one open item. The largest missing effort is the usual release work (summarizing the changes, documentation updates, testing, packaging, ...).

There is no paved way to cherry pick all the CSP and security improvements from oacs-5-10. The basic CSP infrastructure is already in OpenACS 5.9.1. The forthcoming release contains numerous changes especially in the application packages (also some core improvements). I would expect that for ]po[ most work will be the adoption for the application packages which are not part of the ~100 packages of oacs-5-10. Adoption means here to disallow "javascript:" URIs, or "on*" event handlers (see e.g. [1]) for build restrictive CSPs (certain features can be selectively allowed in case on dependencies on external packages, but the default should be restrictive).

all the best -g
[1] https://openacs.org/xowiki/CSP

Collapse
5: Re: OpenACS 5.10 Roadmap? (response to 4)
Posted by Frank Bergmann on
Hi Gustaf,

I don't worry much about the application packages, because we don't use much of them, and do not customize them.

We also have very few "embedded" JavaScript. We do have all those Sencha widgets, but I understand these are not affected.

We've got one special problem with a number of *.js.adp files. This is to use the OpenACS localization infrastructure for JavaScript files. Also we sometimes "embedd" small pieces of data from the database in a Sencha "store" (=table) in JSON code generated in the .tcl part of such pages.

The problem is that we need to make OpenACS to produce a JavaScript MIME type for these files, instead of text/html...

Cheers
Frank

Collapse
6: Re: OpenACS 5.10 Roadmap? (response to 5)
Posted by Benjamin Brink on
Hi Frank,

Have you tried putting this in the .js.tcl part of the file?

ns_adp_mime "text/javascript"

cheers,
Ben

Collapse
7: Re: OpenACS 5.10 Roadmap? (response to 6)
Posted by Frank Bergmann on
Thank you Ben!