[freeside-users] New User Looking for version suggestions
Ivan Kohler
ivan at 420.am
Tue Jul 4 10:53:15 PDT 2006
On Tue, Jul 04, 2006 at 10:58:12AM -0500, Tim Yardley wrote:
> dbdef-create also seems to fix this issue some of the time, so it is
> probably a combination of problems.
From what I can tell there isn't a combination of problems so much as
several very different problems getting mixed up because the symptoms
are similar.
If dbdef-create fixes the problem, there's not really anything left for
us to fix. Current (1.5.8 and HEAD) freeside-setup already runs the
equivalent after creating the schema. Any problems still being reported
that are fixed by dbdef-create or freeside-upgrade are probably from
folks trying to use old databases.
> The case that I ran into it, was under 7.4.x but I was able to
> resolve the issue with dbdef-create and some tweaking.
I've never run into this problem with 7.4, and I don't think it affects
8.0 either.
I'm unsure if there's still an outstanding issue with 8.1 that's not
fixed by
http://www.sisd.com/cgi-bin/viewcvs.cgi/freeside/FS/FS/Record.pm?r1=1.116&r2=1.117
The quality of error reporting from users on this issue has been pretty
dismal; if someone actually provided a good problem report that allowed
me (or an interested contributor) to duplicate the problem with
FREESIDE_1_5_BRANCH or HEAD, it would be far more likely to hold my
attention.
> In regards to the javascript, there are obviously a number of ways to
> fix the problem. Do keep in mind that the error message is being
> written out for the javascript by mason from perl as a command to a
> javascript function itself, so I'm sure you meant that the perl should
> escape it for the javascript rather than the javascript itself.
Yes, I know. I wrote it. Patches appreciated far more than armchair
commentary. :)
> Without escaping or another solution present, in its current form it
> could be used for a type of XSS attack, assuming there is a place
> somewhere in freeside that the user input or configured error strings
> were tainted.
XSS "attacks" are overrated, and the threat of employees spoofing other
employees' browsers is not the same sort of threat as things like
privilege escalation or information exposure, but yes.
> Out of curiosity, has anyone done a security audit of freeside recently?
The software is developed with a very careful eye towards security (how
could it not be, considering its function?) and I wouldn't expect
serious problems with common webapp exploits like SQL injection, but
there hasn't been a formal security audit by a third party. Are you
interested in sponsoring this?
--
_ivan
> -----Original Message-----
> From: freeside-users-bounces at sisd.com
> [mailto:freeside-users-bounces at sisd.com] On Behalf Of Ivan Kohler
> Sent: Monday, July 03, 2006 1:42 PM
> To: Freeside users mailing list
> Subject: Re: [freeside-users] New User Looking for version suggestions
>
> On Tue, Jun 20, 2006 at 03:41:11PM -0500, Tim Yardley wrote:
> > Robert;
> >
> > I have also seen this error. Ivan's code "fix" mentioned as a reply to
> > the previous thread doesn't solve this problem... As you have already
> > seen. Looking in cvs, I don't see a fix in general for it... But I
> > could be missing it.
> >
> > The problem lies in this call:
> > my $default = $self->dbdef_table->column($primary_key)->default;
> >
> > Which on a fresh clean install will return the string "ERROR: null value
> > in column". This may be fixed in a number of ways, a manual insert into
> > the table which will then prime the sequence, for example.
> >
> > Ivan, do you have an approved workaround for this?
>
> Sorry, nope. I haven't run into this problem myself. Seems to be only
> Pg 8.1 (8.0?). I'd be happy to apply any patches and make the fix
> "approved" if you or someone else wants to work on it, of course. :)
>
> > Side note, any place that returned text is going to be leveraged by
> > javascript (in the little pop-up display for example), should not use an
> > apostrophe. If it does, it will break the javascript function call.
>
> No - the javascript function that uses the text should escape it
> properly instead.
>
> --
> _ivan
>
>
>
> > -----Original Message-----
> > From: freeside-users-bounces at sisd.com
> > [mailto:freeside-users-bounces at sisd.com] On Behalf Of Robert Smith
> > Sent: Tuesday, June 13, 2006 7:25 PM
> > To: Freeside users mailing list
> > Subject: Re: [freeside-users] New User Looking for version suggestions
> >
> > Sorry, should have mentioned I'd already read through the lists and had
> > tried that. I didn't use the Record.pm version there, but got the
> > latest that was posted. No change. (The latest version seemed to have
> > all of the same changes in it. I scanned it but did not read it line
> > for line.)
> >
> > Robert
> >
> > John wrote:
> >
> > >Sorry Robert, this may be closer to the mark-
> > >http://www.sisd.com/pipermail/freeside-users/2006-January/004961.html
> > >
> > >>I'm trying to get Freeside running for the first time.
> > >>
> > >>Using FreeBSD 6
> > >>PostgreSQL 8.1 (Didn't disable OID's, so assume they are there.)
> > >>Freeside 1.5.8
> > >>Apache22
> > >>Perl 5.8.8
> > >>DBI 1.51
> > >>DBD-Pg-1.49
> > >>
> > >>Every time I try to add the initial svc_domain, I get " (progress of job
> > >>#can't parse queue.jobnum default value for sequence name: )"
> > >>
> > >>Any suggestions are welcome, to include a preferred list of versions to
> > >>run on FreeBSD.
> > >>
> > >>Robert Smith
> > >>
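
The Perl-side escaping discussed in this thread, shown as an added example that is not part of the original messages and is not Freeside's code. The names `js_string_escape`, `_js_escape_char` and `showError` are hypothetical, the sample strings are constructed (the first is the error text quoted above), and input is assumed to be a decoded Perl character string.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: turn one character into a JavaScript escape sequence.
sub _js_escape_char {
    my $cp = ord shift;
    return sprintf('\\x%02X', $cp) if $cp < 0x100;
    return sprintf('\\u%04X', $cp) if $cp < 0x10000;
    my $v = $cp - 0x10000;    # astral code point: emit a UTF-16 surrogate pair
    return sprintf('\\u%04X\\u%04X', 0xD800 + ($v >> 10), 0xDC00 + ($v & 0x3FF));
}

# Encode a string for use as the body of a JavaScript string literal that is
# written into inline <script> or an HTML event-handler attribute.
# Allow-list approach: everything except a small set of harmless characters is
# escaped, so quotes, backslashes, newlines, <, >, & and U+2028/U+2029 cannot
# end the literal, the attribute or the enclosing <script> element.
sub js_string_escape {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/([^A-Za-z0-9 _.,:-])/_js_escape_char($1)/ge;
    return $text;
}

# Constructed inputs: the error text from this thread, then values that would
# close the literal or the script element if interpolated as-is.
my @samples = (
    "can't parse queue.jobnum default value for sequence name: ",
    "x'); alert(1); //",
    "</script><script>alert(1)</script>",
);

for my $msg (@samples) {
    # Raw interpolation: the apostrophe ends the JavaScript string early.
    my $raw = "showError('$msg');";
    # Escaped in Perl before it reaches the page: the literal stays intact.
    my $escaped = "showError('" . js_string_escape($msg) . "');";
    print "raw:     $raw\nescaped: $escaped\n\n";
}
```

The escaping is applied at the point where Perl writes the value into the JavaScript call, so message text elsewhere in the application can contain apostrophes freely.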