@joe: can we add this in?
3,051 03/28/2017 04:55:48 pm
Re: Not exactly bug -Reference Auto Increment when prefix size is bigger (9 replies, posted in Report Bugs here)
3,052 03/26/2017 04:48:21 pm
Re: Not exactly bug -Reference Auto Increment when prefix size is bigger (9 replies, posted in Report Bugs here)
What is the sql statement after the variables get populated? Does the evaluation of the expressions match the desired sql output?
3,053 03/26/2017 07:55:27 am
Re: Payroll extension for practice (45 replies, posted in Modules Add-on's)
Check if the attachment is okay and matches your current repo state.
3,054 03/26/2017 07:44:22 am
Re: Advice for abattoir / butchers (3 replies, posted in Items and Inventory)
Manufacture is more like it.
Issue 1 cow (or 500 Kg cow)
Manufacture 40 Kg Rump Steak.
If the units are related, then use unit factor of input and output items:
Issue 500 Kg Cow
Unit Factor 0.08 Kg Cow = 1 Kg Rump Steak, i.e., 40 Kg Rump Steak.
3,055 03/26/2017 07:39:05 am
Re: Not exactly bug -Reference Auto Increment when prefix size is bigger (9 replies, posted in Report Bugs here)
The prefix field is defined as CHAR in the original sql - why did you change it to VARCHAR?
Display the actual SQL statement after replacement of the variables and compare with the $ref_fld value. Refer Troubleshooting FA in the wiki.
3,056 03/25/2017 05:36:15 pm
Re: Advice for abattoir / butchers (3 replies, posted in Items and Inventory)
Assembly / Manufacture
3,057 03/25/2017 05:20:17 pm
Re: Not exactly bug -Reference Auto Increment when prefix size is bigger (9 replies, posted in Report Bugs here)
Are you referring to FA 2.4RC1 Setup => Transaction References ?
If so, you might want to increase the prefix size from the default of 5 in the table:
ALTER TABLE `0_reflines` CHANGE `prefix` `prefix` CHAR(10) DEFAULT '' NOT NULL;
3,058 03/23/2017 04:43:07 pm
Re: Memo Details doesn't appear in Full in Bank Statement (1 replies, posted in Reporting)
The Bank Statement has the Person/Item Column - is this the "Memo details" you are referring to? If so, alter the reporting/rep601.php file.
3,059 03/23/2017 04:33:04 pm
Re: Down payment (1 replies, posted in Accounts Payable)
Check the wiki.
3,060 03/23/2017 04:26:55 pm
Re: Table 'finance.0_bank_trans' doesn't exist (1 replies, posted in Banking and General Ledger)
What is the name of your FA's database for your company - is it "finance" ?
Check if it is the same in config_db.php for the company.
Also when using the dashboard - make sure that both the theme and the extension are installed and activated for the company you are using and permissions for the desired user roles enabled.
3,061 03/20/2017 03:39:43 am
Re: voiding transactions (3 replies, posted in Accounts Payable)
It may be some browser cache. Try to logout, clear cache and open the browser again (with no other browser instances open) and then login to void the delivery order and see what happens.
Also take a backup (1) and then create a delivery order and take a backup (2) and then void the delivery order and take a backup (3) and then compare the backups for what entries came in when the delivery order was created and what got taken out / modified when it was voided. Check as to what differences are there if the invoice too was created and voided and see what database changes exist and how it affects the FA processing.
3,062 03/19/2017 03:41:17 pm
Re: Various FA Vulnerabilities that need to be addressed (6 replies, posted in Report Bugs here)
This issue is now fully fixed in both versions in the official repo.
Those using the dashboard theme/extension and the dynamic and exclusive themes can make similar changes in the following files for FA 2.3 and where appropriate in the themes in FA 2.4:
Extensions
Line 92 in dashboard/widgets/customers.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 92 in dashboard/widgets/dimensions.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 97 in dashboard/widgets/glreturn.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 98 in dashboard/widgets/items.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 92 in dashboard/widgets/suppliers.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 93 in import_transactions/includes/import_sales_cart_class.inc - $this->cart_id = uniqid(''); - Localised, so no change needed
Themes
Lines 306, 405, 506, 560, 623 in dynamic/renderer.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Lines 265, 364, 465, 519, 582 in exclusive/renderer.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
The official repo for extension distribution for FA 2.3 will not be updated since it is EOL and if done will affect those with non-bleeding edge installs.
3,063 03/19/2017 11:24:51 am
Re: Various FA Vulnerabilities that need to be addressed (6 replies, posted in Report Bugs here)
Consistent Excel Report download SOLVED!
First we need to include the fix in post 4 of this thread.
The issue of filenames starting with a hyphen or underscore may need to be addressed.
The function clean_file_name() in includes/main.inc can also do the job.
Since we are now allowing underscores (_) and hyphens (-) in the random_id()'s filenames, we need to allow it for excel filenames for download too.
Lines 30 to 55 in FA 2.3's reporting/prn_redirect.php:
if (isset($_GET['xls']))
{
$filename = $_GET['filename'];
$unique_name = preg_replace('/[^0-9a-z.]/i', '', $_GET['unique']);
$path = company_path(). '/pdf_files/';
header("Content-type: application/vnd.ms-excel");
header("Content-Disposition: attachment; filename=$filename" );
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0,pre-check=0");
header("Pragma: public");
echo file_get_contents($path.$unique_name);
exit();
}
elseif (isset($_GET['xml']))
{
$filename = $_GET['filename'];
$unique_name = preg_replace('/[^0-9a-z.]/i', '', $_GET['unique']);
$path = company_path(). '/pdf_files/';
header("content-type: text/xml");
header("Content-Disposition: attachment; filename=$filename");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0,pre-check=0");
header("Pragma: public");
echo file_get_contents($path.$unique_name);
exit();
}
can be replaced with:
if (isset($_GET['xls']) || isset($_GET['xml']))
{
$filename = $_GET['filename'];
$unique_name = preg_replace("/[^0-9_a-z.\-]/i", '', $_GET['unique']);
$path = company_path(). '/pdf_files/';
if (isset($_GET['xls'])) header("Content-type: application/vnd.ms-excel");
else header("content-type: text/xml");
header("Content-Disposition: attachment; filename=$filename" );
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0,pre-check=0");
header("Pragma: public");
echo file_get_contents($path.$unique_name);
exit();
}
@joe: please update both repos.
PHP PCRE (Regular Expressions) - CheatSheet | Tutorial.
3,064 03/19/2017 10:18:36 am
Re: Various FA Vulnerabilities that need to be addressed (6 replies, posted in Report Bugs here)
The current commits for this issue break excel report formation consistency. Zero byte excel file downloads occur frequently and sometimes it works correctly.
The file includes/main.inc is "included" in the includes/session.inc file (apart from during installation in the install/isession.inc). It may have been possible that the file redirection (reporting/prn_redirect.php) to download the excel file did not have this initially - the said session file seems included though.
Line 719 in reporting/excel_report.inc:
meta_forward($path_to_root.'/reporting/prn_redirect.php', "xls=1&filename=$this->filename&unique=$this->unique_name");
causes the redirection to download the excel file.
Line 33 in reporting/prn_redirect.php:
$unique_name = preg_replace('/[^0-9a-z.]/i', '', $_GET['unique']);
seems to do some replacements that affect the downloaded filename.
@itronics / @joe: Is this necessary in the light of the current commits?
3,065 03/19/2017 09:22:21 am
Re: Various FA Vulnerabilities that need to be addressed (6 replies, posted in Report Bugs here)
@itronics: please replace line 372 in FA 2.3's includes/main.inc:
$id = strtr(base64_encode($bin), '+/', '-_'); // see RFC 4648 Section 5
with
$id = strtr(base64_encode($bin), '+/=', '-_x'); // see RFC 4648 Section 5
and likewise in FA 2.4. The pad character "=" can be got rid of this way.
Before your commit, it was a 13 character file base name and it is now 24 (multiples of 8).
The original filename was like:
dLPhO1A-K5vj5Dq4NxBA7w==.pdf
and the new file name will be like:
4vuNUMXvAVsQVuHEVzlrdwxx.pdf
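Added example (not FrontAccounting's own code) tying posts 3,063 and 3,065 together: random_id() built as the post suggests, beside the old and proposed "unique" whitelists from prn_redirect.php, to show why the old filter produced zero-byte downloads. Assumes PHP 7's random_bytes(); the helper names old_sanitize() and new_sanitize() are mine.

```php
<?php
// Added example, not FrontAccounting's own code. It mirrors the fix proposed
// in post 3,065 (random_id() via URL-safe base64 without '=' padding) and the
// widened whitelist from post 3,063 (prn_redirect.php), and shows why the old
// whitelist produced zero-byte downloads: it stripped '-' and '_' from the name.

// random_bytes() is PHP 7; on PHP 5 use paragonie/random_compat (post 3,066).
function random_id($bytes = 16)
{
    $bin = random_bytes($bytes);                         // CSPRNG, not uniqid()
    return strtr(base64_encode($bin), '+/=', '-_x');    // see RFC 4648 Section 5
}

// Old whitelist from prn_redirect.php line 33: drops '-' and '_' (and '/').
function old_sanitize($unique)
{
    return preg_replace('/[^0-9a-z.]/i', '', $unique);
}

// Proposed whitelist: keeps '-' and '_' so random_id() names survive intact,
// while still removing directory separators and anything else unexpected.
function new_sanitize($unique)
{
    return preg_replace("/[^0-9_a-z.\-]/i", '', $unique);
}

// Name constructed from the post's example after the '=' -> 'x' substitution.
$name = 'dLPhO1A-K5vj5Dq4NxBA7wxx.pdf';

// The old filter mangles it, so file_get_contents() on the result finds no
// file and the browser receives an empty attachment.
assert(old_sanitize($name) === 'dLPhO1AK5vj5Dq4NxBA7wxx.pdf');
assert(new_sanitize($name) === $name);

// Every name random_id() produces passes the new filter unchanged.
for ($i = 0; $i < 1000; $i++) {
    $id = random_id() . '.pdf';
    assert(new_sanitize($id) === $id);
    assert(strlen($id) === 28);        // 24 base64 chars + ".pdf"
}

// Constructed hostile values: separators are removed before the path is built.
assert(new_sanitize('../../config_db.php') === '....config_db.php');
assert(new_sanitize('sub/dir.pdf') === 'subdir.pdf');

echo "ok: " . random_id() . ".pdf\n";
```

Run with zend.assertions=1 so the assert() calls are evaluated; with the production default of -1 they are compiled out.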
3,066 03/18/2017 06:19:27 pm
Re: Various FA Vulnerabilities that need to be addressed (6 replies, posted in Report Bugs here)
As of 2015: PHP bug #70014 affects the reliability of openssl_random_pseudo_bytes(). paragonie/random_compat backports random_bytes() from PHP 7 into PHP 5. One of the fallbacks it supports is openssl_random_pseudo_bytes(), but if it can read directly from /dev/urandom it will prefer that instead.
As of 2016: There's another bug with openssl_random_pseudo_bytes() (71915), which can result in duplicate values when you run it multiple times with the same process ID. Looks like it's fixed in 5.6.24.
3,067 03/18/2017 04:15:33 pm
Re: Various FA Vulnerabilities that need to be addressed (6 replies, posted in Report Bugs here)
@itronics: Thanks for the quick commits in FA 2.3 and FA 2.4. There seem to be some files left out.
The file includes/main.inc is expected to be included in every instance where it is used as the new function random_id() is defined there and it refers to a variable $cstrong which is not assigned yet. This is mostly okay as it is a return diagnostics value only. If there are any errors then just assign it a blank string before invocation as it is passed by reference.
The following files too use uniqid still and no changes in them yet in the commit done now:
1. includes/ui/ui_view.inc - $name = uniqid('_el',true);
2. reporting/includes/class.mail.inc - $this->boundary = md5(uniqid(time()));
3. reporting/includes/tcpdf.inc - $owner_pass = uniqid(rand());
4. sales/includes/cart_class.inc - $this->cart_id = uniqid(''); - This is just temporary cart id used to avoid erroneous concurrent edition inside single user session. This is not used in urls, so the security problem does not apply here.
In FA 2.4 additionally:
1. includes/dashboard.inc - $filename = company_path(). "/pdf_files/". uniqid("").".png"; - Fixed in this commit.
When changes are made to the files above, we need to make sure that the said new function random_id() is available therein. Those using it in extensions and using SOAP / RESTful APIs too need to take care by defining the function if it does not exist at the point of invocation.
3,068 03/18/2017 10:20:07 am
Topic: Various FA Vulnerabilities that need to be addressed (6 replies, posted in Report Bugs here)
SecurityMaverick.com has listed a few and one such code that limits entropy is here.
Line 973 in reporting/includes/pdf_report.inc:
$fname = $dir.'/'.uniqid('').'.pdf';
can be changed to
$fname = $dir.'/'.md5(uniqid(mt_rand(), true)).'.pdf';
This improves the entropy from 10 to 29 bits but is still not good enough and is used in line 69 of includes/ui/ui_controls.inc.
Other places like this are in some repXXX.php files:
$filename = company_path(). "/pdf_files/". uniqid("").".png";
that need similar changes. Several others files in FA use uniqid too and will need some changes like this.
With or without the more_entropy option, uniqid(), as represented in the PHP sample code and documentation, results in poor entropy and should not be used.
@joe: can we include this in both repos?
3,069 03/18/2017 05:45:48 am
Re: entries showing in red (6 replies, posted in Setup)
Check whether the expected value is 'visible' and is used as needed in the included file in your error.
3,070 03/18/2017 05:43:49 am
Re: TCPDF error: Not a JPEG file in the (Stock Check Sheet) (3 replies, posted in Reporting)
PM access details - let us have a look.
3,071 03/16/2017 08:51:42 pm
Re: TCPDF error: Not a JPEG file in the (Stock Check Sheet) (3 replies, posted in Reporting)
Make sure you have the php GD libs installed and the files are readable by the webserver user. Try to save the jpg file from some other graphics program.
3,072 03/16/2017 08:48:34 pm
Re: entries showing in red (6 replies, posted in Setup)
When arithmetic computations occur whether in the sql statement or in the php expressions, there is room for additional decimal places. These are rounded off and discarded if the DELTA is below a threshold. Search for the constant FLOAT_COMP_DELTA in the FA files and see what gives.
It is defined in includes/current_user.inc and is used in the suppliers and customers "_db.inc" files.
define('FLOAT_COMP_DELTA', 0.004);
3,073 03/13/2017 02:32:53 am
Re: entries showing in red (6 replies, posted in Setup)
Have a look at the value 0.00 in the database tables and see if there is some 3rd decimal place error. If so, we may need to incorporate the DELTA difference makeover in the formula that computes it before triggering the red font. Provide the url part after the webroot that caused the error.
3,074 03/12/2017 10:34:57 am
Re: OPEN LINK IN A NEW TAB (1 replies, posted in FA Modifications)
The links are generated later after all lapp and rapp functions populate the menu array. If you need to open the link in a new tab/window you will either need to use the right click menu in your browser or create and use a new method in the application menu class.
3,075 03/07/2017 06:07:41 am
Re: Getting error message on form submission and ajax submission. (1 replies, posted in Report Bugs here)
Which version of PHP / FA are you using?