ArsDigita Archives

ACS 3.3.1 Release Notes

by Richard Li

This release is a bugfix-only release for ACS 3.3. In order to use this release, you must use the latest Oracle driver (due to the use of bind variables). This release will be superseded fairly soon by ACS 3.4; in ACS 3.4, every module will be released in accordance with the DB API using bind variables. Notable fixes in this release include:

  • improved support for server clustering with the addition of ad_canonical_server_p and a rewritten ad_schedule_proc that schedules procedures to run only on the canonical server by default
  • the latest set of patches to the dynamic publishing system have been merged; the documentation has been updated
  • patches to support international character sets in the ACS (requires AOLserver 3.0 + ad5 for international support; this patch should be released soon)
  • minor scalability, feature, and bug fixes to various modules
  • the Database Access API now uses bind variables. The new API also requires each statement to have a logical name; this requirement simplifies the ultimate goal of SQL abstraction. Custom code written using the original database API will not work with this upgrade.
  • security fixes (for detailed instructions on how to patch legacy sites, see Eve Andersson's document):
    • implemented user input checking with check_for_form_variable_naughtiness; the following were patched to call check_for_form_variable_naughtiness
      • set_form_variables
      • set_the_usual_form_variables
      • set_form_variables_string_trim_DoubleApos
      • set_form_variables_string_trim
      • ad_page_variables
      • ad_form_set_variables in packages/form-manager/form-procs.tcl
      • util_getcheckboxvalues
    • in tcl/ecommerce-defs.tcl, the regexp in ec_return_product_file should be: regexp {/product-file/([^/]+)$} $url match file_path
    • QQ form variables bug (fixed in check_for_form_variable_naughtiness, thanks to michael@cleverly.com)
    • Branimir/Carsten's filter that checks user inputs for SQL: ad_block_sql_urls.
    • DVR's ad_set_typed_form_variable_filter that performs type checking on user inputs.
    • upload files bug (fixed in check_for_form_variable_naughtiness, discovered by ben@mit.edu)
    • removed unnecessary calls to ec_redirect_to_https_if_necessary in:
      • /ecommerce/process-payment.tcl
      • /ecommerce/checkout-3.tcl
      • /ecommerce/credit-card-correction-2.tcl
      • /ecommerce/credit-card-correction.tcl
      • /ecommerce/finalize-order.tcl
      • /ecommerce/gift-certificate-finalize-order.tcl
      • /ecommerce/gift-certificate-order-3.tcl
      • /ecommerce/gift-certificate-order-4.tcl
      • /ecommerce/payment.tcl
      • /ecommerce/process-order-quantity-shipping.tcl
    • execs in user-editable ADP pages
    • security checks for search/search and bboard/search (note that the fix for this, the PL/SQL proc bboard_user_can_view_topic_p is fairly expensive)
    • the following pages used ns_queryget unnecessarily; those calls have been replaced with calls to ad_page_variables:
      • www/admin/users/view-verbose.tcl
      • www/admin/users/view.tcl
      • www/bboard/q-and-a-post-reply-form.tcl
      • www/bboard/usgeospatial-post-reply-form.tcl
      • www/doc/template/show-source.tcl

  • Additional security notes:
    • Some additional checks in check_for_form_variable_naughtiness have been commented out for the sake of backwards compatibility.
    • ad_block_sql_urls blocks SQL in URLs. To deactivate this filter, turn off the BlockSqlUrlsP parameter in the parameters .ini file. For more information, read the documentation.
    • ad_set_typed_form_variable_filter will require configuration for custom non-ACS modules. See packages/acs-core/security-init.tcl for examples. Note that this filter hurts performance somewhat: at startup a large number of filters are registered with the system, which slows down startup. In addition, regular expressions are used to verify certain user inputs, which may cause problems when using AOLserver 3.0/Tcl 8.x.
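The move from interpolated SQL to named, bind-variable statements (the DB API change above) and the typed form-variable filter from these notes, shown side by side as an added example that is not code from the ACS release. The proc names db_string, db_list and database_to_tcl_string, the filter argument format and the users table columns are assumptions based on ACS 3.x/3.4 conventions, not taken from this page.

```tcl
# Added example, not code from the ACS 3.3.1 release. db_string, db_list,
# database_to_tcl_string, the filter argument format and the users table
# columns are assumptions based on ACS 3.x/3.4 conventions.

# ACS 3.3 style: the form value is substituted by Tcl into the SQL text, so
# the only thing between the request and the query is whatever checking ran
# on the value beforehand (e.g. check_for_form_variable_naughtiness).
proc user_email_legacy {db user_id} {
    return [database_to_tcl_string $db \
        "select email from users where user_id = $user_id"]
}

# ACS 3.4 DB API style: a logical statement name (user_email_lookup) plus an
# Oracle bind variable (:user_id). Tcl does not substitute :user_id; the
# driver sends the value separately from the statement text, so it is
# always treated as data, never as SQL.
proc user_email {user_id} {
    return [db_string user_email_lookup \
        "select email from users where user_id = :user_id"]
}

# Same pattern for a multi-row result: db_list returns one column from every
# row, and :last_name is bound from the local variable of the same name.
proc users_with_last_name {last_name} {
    return [db_list users_by_last_name \
        "select user_id from users where last_name = :last_name"]
}

# Defence in depth for the page that calls these procs: register the typed
# filter described in the notes, so a non-integer user_id is rejected before
# the page script runs. The URL and argument format are assumed; see
# packages/acs-core/security-init.tcl for the real registrations.
ad_set_typed_form_variable_filter /my-module/user-detail.tcl {user_id integer}
```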

As always, please report bugs to bugs@arsdigita.com.

richardl@arsdigita.com