It is official, Boost.Locale is on its way to formal review
Now it is official, Boost.Locale is scheduled for a formal review on April 7-16.
Boost.Locale is an important part of CppCMS, as it was developed for its needs; however, I found that this library was so important and useful that I decided to "Boostify" it and make it ready for a formal review for Boost.
What does it provide:
- Message formatting based on gettext dictionaries
- Localized numbers, dates, currency formatting and parsing (and more)
- Collation
- Text manipulations like case handling and Unicode normalization
- Text Boundary analysis
- Support of non-Gregorian calendars like Hebrew calendar.
- And much more
Most of these features are based on the state-of-the-art Unicode library ICU, but it also allows handling many of them using only the standard operating system API, significantly reducing its size and its requirements for external components.
Most importantly, it provides a platform-independent and uniform interface for C++ localization and internationalization, tightly integrated with C++ iostreams and the existing std::locale framework.
The most up-to-date version of the library and documentation will be released soon.
Security Issue Fix Release: 0.99.6 and 0.0.8
This release fixes a security issue existing in CppCMS 1.x.x versions <= 0.99.5 and CppCMS 0.0.x <= 0.0.7.
The Issue
Who is affected?
Users who use AES encrypted cookies for session data storage
What is the risk
Attackers may create session data that wasn't generated by the CppCMS application, so basically an attacker may change the content of the session to something else and potentially, for example, gain some rights that he does not have.
What is not exposed
The privacy of the data stored in the session is not affected.
Recommendations
It is recommended to upgrade to the latest CppCMS version.
Workaround
If that is not possible and you are using AES encrypted cookies as session storage, do one of the following:
- Switch to "hmac" signed cookies if the data that is stored in cookies is not confidential.
- Switch to server side session storage.
Detailed Description
The Problem Description
The redundancy check of AES encrypted session cookies was too weak, allowing an attacker to create cookies that would look like valid cookies generated by CppCMS but would contain invalid content.
In more detail, the cookies were created as follows:
Where k is the secret key, P is the encoded data and C is the cookie stored on the client side.
However this scheme is weak and does not really protect against creation of invalid content. There are known attacks against , I assume attacks against the scheme above can be created as well.
The Fix Provided
The cookie data is now encrypted and signed as:
Where MAC is HMAC-SHA1, and k1, k2 are keys that are either provided or generated from the source key k as
Additional Configuration Options (CppCMS 1.x.x)
Added a way to specify the MAC and encryption algorithms explicitly:
- session.client.hmac - the HMAC algorithm: md5, sha1, sha192, sha256, sha384 and sha512
- session.client.hmac_key - the key for MAC
- session.client.cbc - the encryption algorithm: aes, aes128, aes192, aes256
- session.client.cbc_key - the key for encryption algorithm
You may specify only hmac and hmac_key, and then the cookies would only be "signed"; if you specify cbc and cbc_key they would also be encrypted.
When you use the current method, specifying session.client.encryptor with "aes", HMAC-SHA1 would be used to ensure authentication, and the MAC and encryption keys would be generated from the provided session.client.key.
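The following added example (not CppCMS code, and not its cookie wire format) shows what the "signed only" mode provides: a cookie whose payload was altered without knowledge of the MAC key fails verification. The function names, the `payload || tag` layout and the base64url encoding are assumptions made for the illustration; the default algorithm follows the HMAC-SHA1 default named above.

```python
import base64
import hashlib
import hmac


def sign_cookie(payload: bytes, hmac_key: bytes, algo: str = "sha1") -> str:
    """Append HMAC(hmac_key, payload) to the payload and base64url-encode it."""
    tag = hmac.new(hmac_key, payload, algo).digest()
    return base64.urlsafe_b64encode(payload + tag).decode("ascii")


def verify_cookie(cookie: str, hmac_key: bytes, algo: str = "sha1"):
    """Return the payload if the tag verifies, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except ValueError:  # bad base64 or non-ASCII input
        return None
    tag_len = hashlib.new(algo).digest_size
    if len(raw) < tag_len:
        return None  # too short to even hold a tag
    payload, tag = raw[:-tag_len], raw[-tag_len:]
    expected = hmac.new(hmac_key, payload, algo).digest()
    # compare_digest avoids leaking how many tag bytes matched.
    return payload if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample key
    cookie = sign_cookie(b"uid=42;role=user", key)
    print(verify_cookie(cookie, key))
    # Constructed tampering: change the payload but keep the old tag.
    raw = base64.urlsafe_b64decode(cookie)
    forged = base64.urlsafe_b64encode(raw.replace(b"role=user", b"role=root")).decode()
    print(verify_cookie(forged, key))
```

Signing alone does not hide the payload, which is why the workaround above limits it to non-confidential session data.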
You may also store the key in a file and use:
- session.client.hmac_key_file
- session.client.cbc_key_file
- session.client.key_file
Instead of:
- session.client.hmac_key
- session.client.cbc_key
- session.client.key
The file pointed to by this value is a text file that holds the hexadecimal representation of the key you need to use.
These keys are read before switching the user and forking, which allows these key files to be made non-readable during normal run-time.
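A deployment check for such key files, as an added example that is not part of CppCMS: it creates a hex key file readable only by its owner and audits an existing one for permissions, ownership, hex content and AES key length. The function names, the tolerance for surrounding whitespace and the POSIX permission model are assumptions.

```python
import os
import stat
import string

# AES key sizes in bytes for the explicit session.client.cbc values.
# Plain "aes" is omitted because the page does not state its key size.
CBC_KEY_BYTES = {"aes128": 16, "aes192": 24, "aes256": 32}


def write_key_file(path, nbytes):
    """Create a new key file (fails if it exists) holding nbytes random bytes as hex."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as f:
        f.write(os.urandom(nbytes).hex() + "\n")


def audit_key_file(path, cbc=None, runtime_uid=None):
    """Return a list of problems with a hex key file; an empty list means it passed."""
    problems = []
    st = os.stat(path)
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file is accessible to group or others")
    # The key is read before the user switch, so the runtime user need not own it.
    if runtime_uid is not None and st.st_uid == runtime_uid:
        problems.append("file is owned by the runtime user")
    with open(path, "r", encoding="ascii", errors="replace") as f:
        text = f.read().strip()  # assumption: surrounding whitespace is ignored
    if not text or any(c not in string.hexdigits for c in text):
        problems.append("content is not purely hexadecimal")
    elif len(text) % 2:
        problems.append("odd number of hex digits")
    elif cbc in CBC_KEY_BYTES and len(text) // 2 != CBC_KEY_BYTES[cbc]:
        problems.append(f"{cbc} needs {CBC_KEY_BYTES[cbc]} bytes, file holds {len(text) // 2}")
    return problems
```

Run the audit as the user that starts the service, passing the uid the process switches to as `runtime_uid`.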
CppCMS 0.0.8 AES Encryption
It uses AES128 for secrecy and HMAC-SHA1 for authentication; the keys for each of them are generated from the single key provided in the configuration file.
Additional Bug Fixes:
- Fixed incorrect url-encoding that also included a buffer overflow in CppCMS 1.x.x
- Fixed base64_urlencode filter.
CppDB changes license.
I have decided to change the license of CppDB (the SQL Connectivity Library) to a permissive one.
Now CppDB is dual licensed under the Boost Software License or the MIT License.
I actually would like to release it under BSL only, but unfortunately the MySQL connector does not have a GPL exception for this license, so if you use the GPL MySQL connector with CppDB you should follow the MIT license terms.
This was the step I had planned to take from the beginning, as it would bring more potential users for this specific part of the CppCMS project and would probably allow it to be integrated into the Boost project in the future.
Due to the license change, CppDB 0.0.3 was released; it has exactly the same code as CppDB 0.0.2 but has a BSL/MIT license instead of LGPLv3.
Of course CppCMS itself remains licensed under LGPLv3 and this is not going to change.
CppDB 0.0.2 Released
New Features:
- Performance optimizations in connection opening when using a pool.
- Added advanced MySQL options support, patch from Krzysztof (kyku)
Bugs:
- Fixed crash on process shutdown when a connection pool is used. The crash was caused by an incorrect order of unloading the driver and closing the shared object.
- Added missing copy constructor.
- Fixed error reporting in PostgreSQL backend when statement preparation fails.
CppCMS 0.99.5 released
Changelog:
New Features:
New XSS Filter. It is a very new and experimental feature. It allows validating and filtering HTML input that comes from an untrusted source to ensure that it does not include malicious code. This is a very common case when we want to integrate tools like TinyMCE into applications.
It is based on a white-list of tags and HTML attribute values that are allowed to be included.
The filter and filtering rules can be found under the cppcms::xss namespace.
Currently the XSS filter is used only on CppCMS's wiki. So you are welcome to try to bypass it by editing the wiki's Sandbox, and if you succeed please report it to me immediately.
Support for the Windows Vista/Windows 7 API. It allows building CppCMS on Windows without the pthreads-win32 library.
Note: you need to use CMake's option:
-DUSE_WINDOWS6_API=ON
as by default CppCMS targets Windows XP and above.
Changed the default number of worker threads to depend on the number of physical CPUs.
Bug Fixes:
- Fixed incorrect mutex configuration that caused deadlocks in preforking mode
- Some fixes in CMake scripts that caused libraries not to be found in some situations.
- Some fixes to allow CppCMS to work with uclibc
- Fixed a problem in URL dispatching to sub-applications that made it impossible to redefine their main function
- Some bug fixes in response handling