OpenACS 5.10.1 Change Summary

• Security:
  • Stronger password hashes for OpenACS
    • New password hashes in addition to the classical "salted-sha1"
      • "scram-sha-256": SCRAM (RFC 7677) with parameter recommendation from RFC 7677; requires OpenSSL 1.1.1 and NaviServer 4.99.23 or newer
      • "scrypt-16384-8-1": SCRYPT (RFC 7914) with parameter "-n 16384 -r 8 -p 1"; requires OpenSSL 3.0 and NaviServer 4.99.23 or newer
      • "argon2-argon2-12288-3-1": Argon2 (RFC9106), Parameterization recommendation from OWASP: m=12288 (12 MiB), t=3, p=1; requires OpenSSL 3.2 and NaviServer 5.0 or newer
      • "argon2-rfc9106-high-mem": Argon2 (RFC9106), first (memory intense) recommendation from RFC 9106; requires OpenSSL 3.2 and NaviServer 5.0 or newer
      • "argon2-rfc9106-low-mem": Argon2 (RFC9106), second recommendation from RFC 9106; requires OpenSSL 3.2 and NaviServer 5.0 or newer
    • Preferences of the password hash algorithms can be set via kernel package parameter "PasswordHashAlgorithm", the first available algorithm is taken from the preference list, hash re-coding happens automatically at the next login.
    • See https://openacs.org/forums/message-view?message_id=5537869
       
    • Added optional CSP rules based on MIME types. This is important for user-contributed content. When users upload e.g. SVG-files to the file storage, and the content is served from there, it poses a potential security hole. One can now define an additional parameter called "StaticCSP" in the section "ns/server/$server/acs" of the OpenACS configuration file to deactivate execution of script files from static content.
      
      ns_param StaticCSP {
    image/svg+xml "script-src 'none'"
}
       
    • Cookie-Namespace: When multiple OpenACS instances are served from the same domain name, the same cookies (e.g. ad_session_id, ad_login, ...) are set to all servers. For sensible cases, a cookie-namespace can be used, which can be used as a replacement of the traditional "ad_" prefix. This can be as well set in the section "ns/server/$server/acs" of the OpenACS configuration file
      
      # Provide optionally a different cookie namespace
# (used for prefixing OpenACS cookies)
ns_param CookieNamespace "ad_"
       
• Improved templating:
  • Client-side double click prevention
  • Support for generic icon names, which can be mapped differently depending on the installed packages and themes: The generic names are supported via <adp:icon name="NAME" title=...>. By using this feature, one can use font-based icons (like e.g. glyphicons of Bootstrap5, bootstrap-icons, fa-icons, ...) instead of the old-style .gif and .png images. This makes the appearance more uniform, has better resizing behavior, and works more efficiently (fewer requests for embedded resources). Most of the occurrences of the old-style images in standard core and non-core packages in oacs-5-10 are already replaced.
  • Support for listing registered URNs
     
• Require NaviServer (i.e. drop AOLserver support).
  Rationale: AOLserver cannot be compiled with the required modules with recent Tcl versions. Trying to backport NaviServer compatibility functions seems to be an overkill for the OpenACS project.
   
• Further reduce divergence between Oracle and Postgres SQL. Target version of Oracle could be 12.*, as Extended support ends in 2022 (see https://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf)
  • limit / rownum -> fetch first
  • use Postgres schemas for stored procedures so that they can be invoked with the same Oracle idiom
     
• Bootstrap 3 reached EOL in 2019, Bootstrap 4 had EOL 2022, so we should migrate to Bootstrap 5 (details: https://github.com/twbs/release)
   
• New Packages:
  • openacs-bootstrap5
  • bootstrap-icons
  • fa-icons
  • highcharts
     
• Potential incompatibility with OpenACS 5.10.0: "permission::permission_p" returns Boolean values as "t" and "f" and not "1" and "0". Avoid literal comparisons of the result and use boolean tests available in Tcl/OpenACS.
   
• Support for fresh installations on Oracle 19c (for details, see: oacs-5-10-on-oracle-19c)
• Require Tcl 8.6.2, XOTcl 2.1, PostgreSQL 12 (PostgreSQL 11 EOL: November 23), tdom 0.9