Forum OpenACS Development: OpenACS 5.10 Roadmap?

Posted by Frank Bergmann on
Hi,

Gustaf wrote in the thread about "XSS / Reflection with return_url":

Yes it is true, that OpenACS 5.9 had some potential security flaws (you can say this about every web application package released a few years ago)

I've seen that there is a new oacs-5-10 branch, but I didn't see a roadmap or a list of issues that are missing? Do you have a proposed release date, or similar information?

I understand that we'd have to upgrade ]po[ to OpenACS 5.10 in order to get these CSP security features?

Cheers
Frank

2: Re: OpenACS 5.10 Roadmap? (response to 1)
Posted by Gustaf Neumann on
Our plan was to have oacs-5-10 ready at the time of the joint EuroTcl/OpenACS conference in July. We were side-tracked the last weeks by the COVID-19 crisis; we might have to reconsider that date when we want to get everything into that release.

OTOH, the current version in the oacs-5-10 branch is very stable. We use this in production in the LEARN system of WU; it is also in use on openacs.org. So when we strip down our goals for the release, we will be able to meet our original plans.

The best summary we have right now is:
https://openacs.org/xowiki/openacs-todo

3: Re: OpenACS 5.10 Roadmap? (response to 2)
Posted by Frank Bergmann on
Hi!

There are quite a number of ToDos...
I understand you are going to stay upward compatible, for example on these planned parameter improvements?

In ]po[ we'd be mainly interested in these security improvements with CSP and ad_page_contract, in order to produce a ]project-open[ V5.1 exclusively with security focus. And not break the running system with incompatibilities...

But from what I see that may still take quite a while, is that correct?

Cheers
Frank

4: Re: OpenACS 5.10 Roadmap? (response to 3)
Posted by Gustaf Neumann on
Most of the items of the agenda page are already done; a few elements are moved to postponed. I think there is just one open item. The largest missing effort is the usual release work (summarizing the changes, documentation updates, testing, packaging, ...).

There is no paved way to cherry pick all the CSP and security improvements from oacs-5-10. The basic CSP infrastructure is already in OpenACS 5.9.1. The forthcoming release contains numerous changes especially in the application packages (also some core improvements). I would expect that for ]po[ most work will be the adoption of the application packages which are not part of the ~100 packages of oacs-5-10. Adoption means here to disallow "javascript:" URIs, or "on*" event handlers (see e.g. [1]) to build restrictive CSPs (certain features can be selectively allowed in case of dependencies on external packages, but the default should be restrictive).

all the best -g
[1] https://openacs.org/xowiki/CSP

5: Re: OpenACS 5.10 Roadmap? (response to 4)
Posted by Frank Bergmann on
Hi Gustaf,

I don't worry much about the application packages, because we don't use much of them, and do not customize them.

We also have very little "embedded" JavaScript. We do have all those Sencha widgets, but I understand these are not affected.

We've got one special problem with a number of *.js.adp files. This is to use the OpenACS localization infrastructure for JavaScript files. Also we sometimes "embed" small pieces of data from the database in a Sencha "store" (=table) in JSON code generated in the .tcl part of such pages.

The problem is that we need to make OpenACS produce a JavaScript MIME type for these files, instead of text/html...

Cheers
Frank

6: Re: OpenACS 5.10 Roadmap? (response to 5)
Posted by Benjamin Brink on
Hi Frank,

Have you tried putting this in the .js.tcl part of the file?

ns_adp_mime "text/javascript"

cheers,
Ben
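
As an added example (not code from the thread, from OpenACS or from ]po[), here is a hypothetical .js.tcl page that applies Ben's suggestion and also JSON-escapes the database values it embeds in the generated Sencha store, so a value containing quotes or "</script>" cannot break out of the script. The package path, message key, table and columns are assumptions, and the matching .js.adp is assumed to contain only @js_payload;noquote@.

```tcl
# Hypothetical packages/intranet-core/www/project-store.js.tcl (added example).
# Companion project-store.js.adp contains only: @js_payload;noquote@

ad_page_contract {
    Emits the tasks of one project as a JavaScript Sencha store definition.
} {
    {project_id:naturalnum,notnull}
}

# Ben's suggestion: label the rendered .js.adp as JavaScript, not text/html.
ns_adp_mime "text/javascript"

# Escape a string for a double-quoted JS/JSON literal. Besides the usual
# JSON escapes, encode <, > and & so a stored value such as "</script>"
# can never terminate or alter the generated script.
proc js_string {s} {
    set map [list \\ \\\\ \" \\\" \n \\n \r \\r \t \\t < \\u003c > \\u003e & \\u0026]
    return "\"[string map $map $s]\""
}

# Localized store title through the OpenACS message catalog (key assumed).
set store_title [_ intranet-core.Project_Tasks]

# Rows from the database; table and columns are placeholders for this example.
# task_id is forced to an integer, task_name goes through js_string.
set items {}
db_foreach tasks {
    select task_id, task_name from im_timesheet_tasks where project_id = :project_id
} {
    lappend items "{id: [expr {int($task_id)}], name: [js_string $task_name]}"
}

# The .adp inserts this with ;noquote, so every dynamic part above is escaped here.
set js_payload "Ext.create('Ext.data.Store', {
    storeId: 'projectTasks',
    fields: \['id', 'name'\],
    data: \[[join $items ",\n        "]\],
    title: [js_string $store_title]
});"
```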

7: Re: OpenACS 5.10 Roadmap? (response to 6)
Posted by Frank Bergmann on
Thank you Ben!