ACS 3.3.1 Release Notes

This release is a bugfix-only release for ACS 3.3. In order to use this release, you must use the latest Oracle driver (due to the use of bind variables). This release will be superseded fairly soon by ACS 3.4; in ACS 3.4, every module will be released in accordance with the DB API using bind variables. Notable fixes in this release include:

• improved support for server clustering with the addition of ad_canonical_server_p and a rewritten ad_schedule_proc that schedules procedures to run only on the canonical server by default
• the latest set of patches to the dynamic publishing system have been merged; the documentation has been updated
• patches to support international character sets in the ACS (requires AOLserver 3.0 + ad5 for international support; this patch should be released soon)
• minor scalability, feature, and bug fixes to various modules
• the Database Access API now uses bind variables. The new API also requires each statement to have a logical name; this requirement simplifies the ultimate goal of SQL abstraction. Custom code written using the original database API will not work with this upgrade.
• security fixes (for detailed instructions on how to patch legacy sites, see Eve Andersson's document):
  • implemented user input checking with check_for_form_variable_naughtiness; the following were patched to call check_for_form_variable_naughtiness
    • set_form_variables
    • set_the_usual_form_variables
    • set_form_variables_string_trim_DoubleApos
    • set_form_variables_string_trim
    • ad_page_variables
    • ad_form_set_variables in packages/form-manager/form-procs.tcl
    • util_getcheckboxvalues
  • tcl/ecommerce-defs.tcl in ec_return_product_file regexp should be: regexp {/product-file/([^/]+)$} $url match file_path
  • QQ form variables bug (fixed in check_for_form_variable_naughtiness, thanks to michael@cleverly.com)
  • Branimir/Carsten's filter that checks user inputs for SQL: ad_block_sql_urls.
  • DVR's ad_set_typed_form_variable_filter that performs type checking on user inputs.
  • upload files bug (fixed in check_for_form_variable_naughtiness, discovered by ben@mit.edu)
  • took away unnecessary calls to ec_redirect_to_https_if_necessary in:
    • /ecommerce/process-payment.tcl
    • /ecommerce/checkout-3.tcl
    • /ecommerce/credit-card-correction-2.tcl
    • /ecommerce/credit-card-correction.tcl
    • /ecommerce/finalize-order.tcl
    • /ecommerce/gift-certificate-finalize-order.tcl
    • /ecommerce/gift-certificate-order-3.tcl
    • /ecommerce/gift-certificate-order-4.tcl
    • /ecommerce/payment.tcl
    • /ecommerce/process-order-quantity-shipping.tcl
    • /ecommerce/process-payment.tcl
  • execs in user-editable ADP pages
  • security checks for search/search and bboard/search (note that the fix for this, the PL/SQL proc bboard_user_can_view_topic_p is fairly expensive)

    use ns_queryget unnecessarily

    These use ns_queryget unnecessarily and are replaced with calls to ad_page_variables.

  • www/admin/users/view-verbose.tcl
  • www/admin/users/view.tcl
  • www/bboard/q-and-a-post-reply-form.tcl
  • www/bboard/usgeospatial-post-reply-form.tcl
  • www/doc/template/show-source.tcl

• Additional security notes:
  • Some additional checks in check_for_form_variable_naughtiness have been commented out for the sake of backwards compatibility.
  • ad_block_sql_urls blocks SQL in URLs. To deactivate this filter, turn off the BlockSqlUrlsP parameter in the parameters .ini file. For more information, read the documentation.
  • ad_set_typed_form_variable_filter will require configuration for custom non-ACS modules. See packages/acs-core/security-init.tcl for examples. Note that this filter does somewhat hurt performance. At startup a large number of filters are registered with the system, which slows down startup. In addition, regular expressions are used to verify certain user inputs, which may cause problems when using AOLserver 3.0/Tcl8x.