[freeside-users] New User Looking for version suggestions

Tim Yardley tyardley at pavlovmedia.com
Tue Jul 4 08:58:12 PDT 2006


dbdef-create also seems to fix this issue some of the time, so it is
probably a combination of problems.  The case where I ran into it was
under 7.4.x, but I was able to resolve the issue with dbdef-create and
some tweaking.

In regards to the javascript, there are obviously a number of ways to
fix the problem.  Do keep in mind that the error message is being
written out for the javascript by mason from perl as a command to a
javascript function itself, so I'm sure you meant that the perl should
escape it for the javascript rather than the javascript itself.  Another
obvious way to fix it would be to encode the string, decode it, deal
with it in javascript, and then use it after.

Without escaping or another solution present, in its current form it
could be used for a type of XSS attack, assuming there is a place
somewhere in freeside that the user input or configured error strings
were tainted.  Out of curiosity, has anyone done a security audit of
freeside recently?

/tmy


----

Tim Yardley
Vice President of Research and Development
Pavlov Media, Inc.
(217) 353-3005

----
 
-----Original Message-----
From: freeside-users-bounces at sisd.com
[mailto:freeside-users-bounces at sisd.com] On Behalf Of Ivan Kohler
Sent: Monday, July 03, 2006 1:42 PM
To: Freeside users mailing list
Subject: Re: [freeside-users] New User Looking for version suggestions

On Tue, Jun 20, 2006 at 03:41:11PM -0500, Tim Yardley wrote:
> Robert;
> 
> I have also seen this error.  Ivan's code "fix" mentioned as a reply
> to the previous thread doesn't solve this problem... As you have
> already seen.  Looking in cvs, I don't see a fix in general for it...
> But I could be missing it.
> 
> The problem lies in this call:
> my $default = $self->dbdef_table->column($primary_key)->default;
> 
> Which on a fresh clean install will return the string "ERROR: null
> value in column".  This may be fixed in a number of ways, a manual
> insert into the table which will then prime the sequence, for example.
>
> Ivan, do you have an approved workaround for this?

Sorry, nope.  I haven't run into this problem myself.  Seems to be only 
Pg 8.1 (8.0?).  I'd be happy to apply any patches and make the fix 
"approved" if you or someone else wants to work on it, of course.  :)

> Side note, any place that returned text is going to be leveraged by
> javascript (in the little pop-up display for example), should not use
> an apostrophe.  If it does, it will break the javascript function call.

No - the javascript function that uses the text should escape it 
properly instead.

-- 
_ivan



> -----Original Message-----
> From: freeside-users-bounces at sisd.com
> [mailto:freeside-users-bounces at sisd.com] On Behalf Of Robert Smith
> Sent: Tuesday, June 13, 2006 7:25 PM
> To: Freeside users mailing list
> Subject: Re: [freeside-users] New User Looking for version suggestions
> 
> Sorry, should have mentioned I'd already read through the lists and
> had tried that.  I didn't use the Record.pm version there, but got the
> latest that was posted.  No change.  (The latest version seemed to
> have all of the same changes in it.  I scanned it but did not read it
> line for line.)
> 
> Robert
> 
> John wrote:
> 
> >Sorry Robert, this may be closer to the mark-
> >http://www.sisd.com/pipermail/freeside-users/2006-January/004961.html
> >
> >>I'm trying to get Freeside running for the first time.
> >>
> >>Using FreeBSD 6
> >>PostgreSQL 8.1 (Didn't disable OID's, so assume they are there.)
> >>Freeside 1.5.8
> >>Apache22
> >>Perl 5.8.8
> >>DBI 1.51
> >>DBD-Pg-1.49
> >>
> >>Every time I try to add the initial svc_domain, I get
> >>" (progress of job #can't parse queue.jobnum default value for sequence name: )"
> >>
> >>Any suggestions are welcome, to include a preferred list of versions
> >>to run on FreeBSD.
> >>
> >>Robert Smith
> >>
_______________________________________________
freeside-users mailing list
freeside-users at sisd.com
http://420.am/cgi-bin/mailman/listinfo/freeside-users
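
Added example, not part of the thread and not Freeside's code: the apostrophe breakage and the server-side escaping discussed above, with the template step simulated in JavaScript. `showError`, `renderNaive`, `renderEscaped`, `jsStringLiteral` and `evaluate` are hypothetical names, and the call is assumed to be emitted inside an inline `<script>` block; the sample message is the one quoted in Robert's report.

```javascript
// Simulates a server-side template that writes an error message into a
// generated call to a pop-up function. All names here are hypothetical.

// Naive template: the message is dropped between single quotes unescaped,
// so an apostrophe in the text ends the string literal early.
function renderNaive(msg) {
  return "showError('" + msg + "');";
}

// Encode the message as a JavaScript string literal. JSON.stringify handles
// quotes, backslashes and control characters; the extra pass rewrites the
// characters that matter inside an inline <script> block (<, >, &) and the
// line separators U+2028/U+2029 as \uXXXX escapes.
function jsStringLiteral(msg) {
  return JSON.stringify(String(msg)).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Escaping template: the server emits a complete, encoded literal.
function renderEscaped(msg) {
  return "showError(" + jsStringLiteral(msg) + ");";
}

// Parse and run a rendered statement against a stub showError, reporting
// either the exact text the function received or the parse failure.
function evaluate(rendered) {
  let received;
  try {
    new Function("showError", rendered)((m) => { received = m; });
    return { ok: true, received };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// The error text from the report earlier in the thread (contains "can't").
const sampleMsg = "can't parse queue.jobnum default value for sequence name: ";
console.log(renderNaive(sampleMsg), evaluate(renderNaive(sampleMsg)));
console.log(renderEscaped(sampleMsg), evaluate(renderEscaped(sampleMsg)));
```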

