August 2021 - users - lists.freelock.com

by Erik Huelsmann

The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains the following fixes and improvements: Changelog for 1.7.25 * Faster GL account tree consistency check * Maintain consistency between ar/ap/gl and transactions tables on delete * Fix CSV import of inventory adjustment For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.7.25/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.7.25 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.25 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.7.25 These are the sha256 checksums of the uploaded files: 3d457b1f107719baed7210c4ad04140acfb3d16aa5106de2a3862911cc026ecb ledgersmb-1.7.25.tar.gz 4ce17568cd2800ccece2cc7adb0a101c6103a00ffe0c1832784873b382295f42 ledgersmb-1.7.25.tar.gz.asc

1 year, 7 months

2
1
0 0

'Making Tax Digital' and HMRC in the UK

by Lyn St George

Hallo, I see WebService::HMRC on cpan with a note that it was originally developed for LedgerSMB, but I can find no reference to it in the list archives. Is there an existing implementation of this? Cheers Lyn

1 year, 8 months

3
4
0 0

LedgerSMB 1.8.19 released

by Erik Huelsmann

Unfortunately, the fixes for the security vulnerabilities released on Monday August 23 regressed some functionalities. This release fixes those regressions: Changelog for 1.8.19 * Follow-up for the fix to CVE-2021-3693; fix bulk-posting payments * Follow-up for the fix to CVE-2021-3693; fix incorrectly backported change For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.8.19/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.8.19 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.19 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.8.19 These are the sha256 checksums of the uploaded files: 4f818690b39a974680c6264727ddf3ab445a5db780294cad407869d54ed1fb0c ledgersmb-1.8.19.tar.gz ffc79cb40181b2cf94fcda63afdfaa2b63fd1703502a86f4bbb76a7bfdcb37a0 ledgersmb-1.8.19.tar.gz.asc

2 years, 3 months

1
0
0 0

LedgerSMB 1.7.34 released

by Erik Huelsmann

Unfortunately, the fixes for the security vulnerabilities released on Monday August 23 regressed some functionalities. This release fixes those regressions: Changelog for 1.7.34 * Follow-up to fix for CVE-2021-3693 to fix display of search results * Follow-up for the fix to CVE-2021-3693; fix bulk-posting payments For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.7.34/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.7.34 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.34 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.7.34 These are the sha256 checksums of the uploaded files: 729ad60745bb3af14249d5ed952ed8d0110788fd7ed444de1bab61a81c2b9450 ledgersmb-1.7.34.tar.gz e2beddf724b41603162c0263e24944bafeb2231917aeb094173274ee3671b6b1 ledgersmb-1.7.34.tar.gz.asc

2 years, 3 months

1
0
0 0

LedgerSMB 1.8.18 released

by Erik Huelsmann

The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains three fixes for security vulnerabilities. Users are urged to upgrade as soon as possible. Special thanks go to "ranjit-git", and sudheendra17, users of the https://huntr.dev/ platform, for disclosing these issues responsibly to the development team. And to the platform itself for sponsoring the work of these researchers. This release contains the following fixes and improvements: Changelog for 1.8.18 * Check whether HTML comes from a valid source; CVE-2021-3693 * Apply HTML escaping on error messages; CVE-2021-3694 (#5754) * Fix several issues in `bin/prepare-company-database` (#5769) * Prevent the application being wrapped in a frame; CVE-2021-3731 For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.8.18/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.8.18 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.8.18 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.8.18 These are the sha256 checksums of the uploaded files: c3ed50b78a0cebc6ef7edfab6a5b1c7b6b5b2f5545bf2d680ad6c3f6cbca5be2 ledgersmb-1.8.18.tar.gz 133fae3563fa1be3eb4cd48ec06347187ba165bbeeb854c92ed03d9c08111ae0 ledgersmb-1.8.18.tar.gz.asc

2 years, 3 months

1
0
0 0

LedgerSMB 1.7.33 released

by Erik Huelsmann

The LedgerSMB development team is happy to announce yet another new version of its open source ERP and accounting application. This release contains three fixes for security vulnerabilities. Users are urged to upgrade as soon as possible. Special thanks go to "ranjit-git", and sudheendra17, users of the https://huntr.dev/ platform, for disclosing these issues responsibly to the development team. And to the platform itself for sponsoring the work of these researchers. This release contains the following fixes and improvements: Changelog for 1.7.33 * Check whether HTML comes from a valid source; CVE-2021-3693 * Apply HTML escaping on error messages; CVE-2021-3694 (#5766) * Prevent the application being wrapped in a frame; CVE-2021-3731 * Align filters between UI and the database on draft transaction search (#5693) * Correctly present manual tax and invoice total on reversing invoice (#5721) * Repeatedly saving a draft invoice pops up an SQL error (#5679) For installation instructions and system requirements, see https://github.com/ledgersmb/LedgerSMB/blob/1.7.33/README.md The release can be downloaded from our download site at https://download.ledgersmb.org/f/Releases/1.7.33 The release can be downloaded from GitHub at https://github.com/ledgersmb/LedgerSMB/releases/tag/1.7.33 Or pulled from Docker Hub using the command $ docker pull ledgersmb/ledgersmb:1.7.33 These are the sha256 checksums of the uploaded files: 15dcc79a42fd17f12d01e1cc4b36ddd25e8dbe776ffe1b9867a1ad9e42bfabc0 ledgersmb-1.7.33.tar.gz 73eadc3bf2c2b3d2abeabe52ccc3db03dd5e46599d4a84a3a72ef10105d6ab36 ledgersmb-1.7.33.tar.gz.asc

2 years, 3 months

1
0
0 0

[SECURITY] Advisory for clickjacking vulnerability CVE-2021-3731

by Erik Huelsmann

On August 20th, the LedgerSMB project was advised of a security vulnerability in the code. Please see below our security advisory. Insufficient protection against 'clickjacking' Summary: ======== LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking. This allows an attacker to trick a targetted user to execute unintended actions. Known vulnerable: ================= All of: - 1.1.0 upto 1.1.12 (including) - 1.2.0 upto 1.2.26 (including) - 1.3.0 upto 1.3.47 (including) - 1.4.0 upto 1.4.42 (including) - 1.5.0 upto 1.5.30 (including) - 1.6.0 upto 1.6.33 (including) - 1.7.0 upto 1.7.32 (including) - 1.8.0 upto 1.8.17 (including) Known fixed: ============ - 1.7.33 - 1.8.18 Details: ======== In a clickjacking attack, an attacker (invisibly) wraps the vulnerable site in his own site, carefully placing elements of his own site over elements of the wrapped site, tricking the user into performing unintended actions on the vulnerable site. More information on clickjacking is on the OWASP page at https://owasp.org/www-community/attacks/Clickjacking The lack of protection dates back to version 1.0, although it must be noted that mitigation measures were first available in browsers as of 2011 -- the year of the release of 1.3.0. Severity: ========= CVSSv3.1 Base Score: 5.9 (Medium) CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N Recommendations: ================ We recommend all users to upgrade to known-fixed versions. Versions prior to 1.7 are end-of-life and will not receive security fixes from the LedgerSMB project. Users who cannot upgrade, may apply the included patches or are advised to contact a vendor for custom support. As a workaround, administrators may configure their webservers to add the Content-Security-Policy header as documented in the content security policy site at https://content-security-policy.com/#server. References: =========== CVE-2021-3731 (LedgerSMB) https://ledgersmb.org/cve-2021-3731-clickjacking https://huntr.dev/bounties/5664331d-f5f8-4412-8566-408f8655888a/ Reported by: ============ sudheendra17, user of the huntr.dev platform Patches: ======== Patch for LedgerSMB 1.8 (1.8.0 upto 1.8.17, including): ------------------------------------------------------- [[[ diff --git a/lib/LedgerSMB/PSGI.pm b/lib/LedgerSMB/PSGI.pm index b0b20a95b..a4785a9f1 100644 --- a/lib/LedgerSMB/PSGI.pm +++ b/lib/LedgerSMB/PSGI.pm @@ -122,6 +122,9 @@ sub old_app { return Plack::Util::response_cb( $handler->($env), sub { + Plack::Util::header_set($_[0]->[1], + 'Content-Security-Policy', + q{frame-ancestors 'self'}); if (not Plack::Util::header_exists($_[0]->[1], 'X-LedgerSMB-App-Content')) { Plack::Util::header_push($_[0]->[1], @@ -179,6 +182,9 @@ sub psgi_app { } }; + Plack::Util::header_set($res->[1], + 'Content-Security-Policy', + q{frame-ancestors 'self'}); return $res; } ]]] Patch for LedgerSMB 1.7 (1.7.0 upto 1.7.32, including): ------------------------------------------------------- [[[ diff --git a/lib/LedgerSMB/PSGI.pm b/lib/LedgerSMB/PSGI.pm index ec8be07f1..bcb478524 100644 --- a/lib/LedgerSMB/PSGI.pm +++ b/lib/LedgerSMB/PSGI.pm @@ -91,6 +91,9 @@ sub old_app { return Plack::Util::response_cb( $handler->(@_), sub { + Plack::Util::header_set($_[0]->[1], + 'Content-Security-Policy', + q{frame-ancestors 'self'}); if (not Plack::Util::header_exists($_[0]->[1], 'X-LedgerSMB-App-Content')) { Plack::Util::header_push($_[0]->[1], @@ -159,6 +162,9 @@ sub psgi_app { } }; + Plack::Util::header_set($res->[1], + 'Content-Security-Policy', + q{frame-ancestors 'self'}); return $res; } ]]] -- Bye, Erik. http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.

2 years, 3 months

1
0
0 0

[SECURITY] Advisory for cross site scripting security vulnerability CVE-2021-3694

by Erik Huelsmann

On August 4th, the LedgerSMB project was advised of a security vulnerability in the code. Please see below our security advisory. Reflected cross-site scripting of authenticated users in LedgerSMB Summary: ======== LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure. Known vulnerable: ================= All of: - 1.1.0 upto 1.1.12 (including) - 1.2.0 upto 1.2.26 (including) - 1.3.0 upto 1.3.47 (including) - 1.4.0 upto 1.4.42 (including) - 1.5.0 upto 1.5.30 (including) - 1.6.0 upto 1.6.33 (including) - 1.7.0 upto 1.7.32 (including) - 1.8.0 upto 1.8.17 (including) Known fixed: ============ - 1.7.33 - 1.8.18 Details: ======== When encountering an error, LedgerSMB sends the user feedback which may include user-provided input. This input was not sufficiently sanitized before being included in the error report. This allows an attacker inject a script in the error response page by send a specially crafted URL to an authenticated user. As the error page itself does not contain any sensitive information, a sophisticated payload in addition to targetting a sufficiently privileged user, is required for information disclosure. Proper audit control and separation of duties limit Integrity impact of the attack vector. The vulnerable code to provide this user-feedback dates back to version 1.0. Please note that not error messages are vulnerable to this attack as not all messages report the problematic input to the user. Severity: ========= CVSSv3.1 Base Score: 8.2 (High) CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N Recommendations: ================ We recommend all users to upgrade to known-fixed versions. Versions prior to 1.7 are end-of-life and will not receive security fixes from the LedgerSMB project. Users who cannot upgrade, may apply the included patches or are advised to contact a vendor for custom support. There are no workarounds available for this vulnerability. References: =========== CVE-2021-3694 (LedgerSMB) https://ledgersmb.org/cve-2021-3694-cross-site-scripting https://huntr.dev/bounties/ef7f4cf7-3a81-4516-b261-f5b6ac21430c/ Reported by: ============ ranjit-git, user of the huntr.dev platform Patches: ======== Patch for LedgerSMB 1.8 (1.8.0 upto 1.8.17, including): ------------------------------------------------------- [[[ diff --git a/lib/LedgerSMB/PSGI/Util.pm b/lib/LedgerSMB/PSGI/Util.pm index 11c01918f..bf443d886 100644 --- a/lib/LedgerSMB/PSGI/Util.pm +++ b/lib/LedgerSMB/PSGI/Util.pm @@ -24,6 +24,7 @@ use strict; use warnings; use Carp; +use HTML::Escape; use HTTP::Status qw( HTTP_OK HTTP_INTERNAL_SERVER_ERROR HTTP_SEE_OTHER HTTP_BAD_REQUEST ); @@ -41,7 +42,7 @@ Returns a standard error representation for HTTP status 500 sub internal_server_error { - my ($msg, $title, $company, $dbversion) = @_; + my ($msg, $title, $company, $dbversion) = map { escape_html($_ // '') } @_; $title //= 'Error!'; $msg =~ s/\n/<br>/g; diff --git a/old/lib/LedgerSMB/oldHandler.pm b/old/lib/LedgerSMB/oldHandler.pm index 1db966406..848eeb75c 100644 --- a/old/lib/LedgerSMB/oldHandler.pm +++ b/old/lib/LedgerSMB/oldHandler.pm @@ -57,6 +57,7 @@ use LedgerSMB::Sysconfig; use Cookie::Baker; use Digest::MD5; +use HTML::Escape; use Log::Log4perl; use Try::Tiny; @@ -184,14 +185,17 @@ sub handle { sub _error { my ($form, $msg, $status) = @_; $msg = "? _error" if !defined $msg; + my $html_msg = escape_html($msg); + my $html_dbversion = escape_html($form->{dbversion}); + my $html_company = escape_html($form->{company}); $status = 500 if ! defined $status; print qq|Status: $status ISE Content-Type: text/html; charset=utf-8 <html> -<body><h2 class="error">Error!</h2> <p><b>$msg</b></p> -<p>dbversion: $form->{dbversion}, company: $form->{company}</p> +<body><h2 class="error">Error!</h2> <p><b>$html_msg</b></p> +<p>dbversion: $html_dbversion, company: $html_company</p> </body> </html> |; ]]] Patch for LedgerSMB 1.7 (1.7.0 upto 1.7.32, including): ------------------------------------------------------- [[[ diff --git a/lib/LedgerSMB/PSGI/Util.pm b/lib/LedgerSMB/PSGI/Util.pm index 2d6195d69..b716a01c4 100644 --- a/lib/LedgerSMB/PSGI/Util.pm +++ b/lib/LedgerSMB/PSGI/Util.pm @@ -24,6 +24,7 @@ use strict; use warnings; use Carp; +use HTML::Escape; use HTTP::Status qw( HTTP_OK HTTP_INTERNAL_SERVER_ERROR HTTP_SEE_OTHER HTTP_UNAUTHORIZED ); @@ -41,7 +42,7 @@ Returns a standard error representation for HTTP status 500 sub internal_server_error { - my ($msg, $title, $company, $dbversion) = @_; + my ($msg, $title, $company, $dbversion) = map { escape_html($_ // '') } @_; $title //= 'Error!'; $msg =~ s/\n/<br>/g; diff --git a/old/bin/old-handler.pl b/old/bin/old-handler.pl index 24fa7a0a0..87864fc7e 100644 --- a/old/bin/old-handler.pl +++ b/old/bin/old-handler.pl @@ -187,14 +187,16 @@ $form->{dbh}->disconnect() if defined $form->{dbh}; sub _error { my ($form, $msg, $status) = @_; $msg = "? _error" if !defined $msg; + my $html_msg = escape_html($msg); + my $html_dbversion = escape_html($form->{dbversion}); + my $html_company = escape_html($form->{company}); $status = 500 if ! defined $status; print qq|Status: $status ISE Content-Type: text/html; charset=utf-8 - <html> -<body><h2 class="error">Error!</h2> <p><b>$msg</b></p> -<p>dbversion: $form->{dbversion}, company: $form->{company}</p> +<body><h2 class="error">Error!</h2> <p><b>$html_msg</b></p> +<p>dbversion: $html_dbversion, company: $html_company</p> </body> </html> |; ]]] -- Bye, Erik. http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.

2 years, 3 months

1
0
0 0

[SECURITY] Advisory for cross site scripting security vulnerability CVE-2021-3693

by Erik Huelsmann

On August 4th, the LedgerSMB project was advised of a security vulnerability in the code. Please see below our security advisory. DOM cross-site scripting of authenticated users in LedgerSMB Summary: ======== LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure. Known vulnerable: ================= All of: - 1.5.0 upto 1.5.30 (including) - 1.6.0 upto 1.6.33 (including) - 1.7.0 upto 1.7.32 (including) - 1.8.0 upto 1.8.17 (including) Known fixed: ============ - 1.7.33 - 1.8.18 Details: ======== LedgerSMB uses the URL's hash fragment (the part after the '#'-sign) to store which screen the user is on, for the purpose of history navigation (the back button). The hash fragment is assumed to be a URL that is part of the web application's URL space. This assumption is not verified. This allows an attacker inject a script into the page by send a specially crafted URL to an authenticated user. As the process of loading the attack payload overwrites any content in the main window, the attack by itself does not expose sensitive information; a sophisticated payload in addition to targetting a sufficiently privileged user, is required for information disclosure. Proper audit control and separation of duties limit Integrity impact of the attack vector. The vulnerable code dates back to version 1.5 when LedgerSMB moved to the Single Page Application (SPA) model for web applications. Severity: ========= CVSSv3.1 Base Score: 7.1 (High) CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Recommendations: ================ We recommend all users to upgrade to known-fixed versions. Versions prior to 1.7 are end-of-life and will not receive security fixes from the LedgerSMB project. Users who cannot upgrade, may apply the included patches or are advised to contact a vendor for custom support. There are no workarounds available for this vulnerability. References: =========== CVE-2021-3693 (LedgerSMB) https://ledgersmb.org/cve-2021-3693-cross-site-scripting https://huntr.dev/bounties/daf1384d-648a-43fd-9b35-5c37d8ead667/ Reported by: ============ ranjit-git, user of the huntr.dev platform Patches: ======== Patch for LedgerSMB 1.8 (1.8.0 upto 1.8.17, including): ------------------------------------------------------- [[[ diff --git a/UI/js-src/lsmb/MainContentPane.js b/UI/js-src/lsmb/MainContentPane.js index 9c0d6113c..ebfa36f05 100644 --- a/UI/js-src/lsmb/MainContentPane.js +++ b/UI/js-src/lsmb/MainContentPane.js @@ -7,8 +7,8 @@ define([ "dojo/dom-style", "dojo/_base/lang", "dojo/promise/Promise", + "dojo/Deferred", "dojo/promise/all", - "dojo/request/xhr", "dojo/query", // "dojo/request/iframe", "dojo/dom-class" @@ -19,12 +19,21 @@ define([ domStyle, lang, Promise, + Deferred, all, - xhr, query, // iframe, domClass ) { + var docURL = new URL(document.location); + var domReject = function (request) { + return ( + request.getResponseHeader("X-LedgerSMB-App-Content") !== "yes" || + (request.getResponseHeader("Content-Disposition") || "").startsWith( + "attachment" + ) + ); + }; return declare("lsmb/MainContentPane", [ContentPane], { last_page: null, interceptClick: null, @@ -74,17 +83,62 @@ define([ ); }, load_form: function (url, options) { + var tgt = new URL(url, docURL); + if (tgt.origin !== docURL.origin) { + return new Deferred().resolve(); + } + var self = this; self.fade_main_div(); - return xhr(url, options).then( - function (doc) { - self.hide_main_div(); - self.set_main_div(doc); - }, - function (err) { - self.show_main_div(); - self.report_request_error(err); - } + var req = new XMLHttpRequest(); + var dfd = new Deferred(function () { + req.abort(); + }); + try { + req.open(options.method || "GET", tgt); + var headers = options.headers; + for (var hdr in headers || {}) { + req.setRequestHeader(hdr, headers[hdr]); + } + if ( + options.data && + !(options.data instanceof FormData) && + !headers["Content-Type"] + ) { + req.setRequestHeader( + "Content-Type", + "application/x-www-form-urlencoded" + ); + } + req.setRequestHeader("X-Requested-With", "XMLHttpRequest"); + req.addEventListener("load", function () { + dfd.resolve(req); + }); + req.addEventListener("error", function () { + dfd.reject(req); + }); + req.send(options.data || ""); + } catch (e) { + dfd.reject(e); + } + + return dfd.then( + function (request) { + if (domReject(request)) { + return self.show_main_div(); + } + + self.hide_main_div(); + return self.set_main_div(request.response); + }, + function (request) { + if (domReject(request)) { + return self.show_main_div(); + } + + self.show_main_div(); + return self.report_request_error({ err: request }); + } ); }, download_link: function (/*href*/) { diff --git a/lib/LedgerSMB/Middleware/DynamicLoadWorkflow.pm b/lib/LedgerSMB/Middleware/DynamicLoadWorkflow.pm index 99a964548..07f2feb34 100644 --- a/lib/LedgerSMB/Middleware/DynamicLoadWorkflow.pm +++ b/lib/LedgerSMB/Middleware/DynamicLoadWorkflow.pm @@ -29,6 +29,7 @@ use HTTP::Status qw/ HTTP_REQUEST_ENTITY_TOO_LARGE /; use List::Util qw{ none any }; use Module::Runtime qw/ use_module /; use Plack::Request; +use Plack::Util; use Plack::Util::Accessor qw( script script_name module ); use LedgerSMB::PSGI::Util; @@ -91,7 +92,15 @@ sub call { $env->{'lsmb.script_name'} = $self->script_name; $env->{'lsmb.action'} = $action; $env->{'lsmb.action_name'} = $action_name; - return $self->app->($env); + return Plack::Util::response_cb( + $self->app->($env), + sub { + if (not Plack::Util::header_exists($_[0]->[1], + 'X-LedgerSMB-App-Content')) { + Plack::Util::header_push($_[0]->[1], + 'X-LedgerSMB-App-Content', 'yes'); + } + }); } diff --git a/lib/LedgerSMB/PSGI.pm b/lib/LedgerSMB/PSGI.pm index 26b4ec6b3..b0b20a95b 100644 --- a/lib/LedgerSMB/PSGI.pm +++ b/lib/LedgerSMB/PSGI.pm @@ -119,7 +119,15 @@ sub old_app { my $env = shift; local $psgi_env = $env; - return $handler->($env); + return Plack::Util::response_cb( + $handler->($env), + sub { + if (not Plack::Util::header_exists($_[0]->[1], + 'X-LedgerSMB-App-Content')) { + Plack::Util::header_push($_[0]->[1], + 'X-LedgerSMB-App-Content', 'yes'); + } + }); } } ]]] Patch for LedgerSMB 1.7 (1.7.0 upto 1.7.32, including): ------------------------------------------------------- [[[ diff --git a/UI/js-src/lsmb/MainContentPane.js b/UI/js-src/lsmb/MainContentPane.js index 17ac8d391..5bc1bd4fa 100644 --- a/UI/js-src/lsmb/MainContentPane.js +++ b/UI/js-src/lsmb/MainContentPane.js @@ -6,6 +6,7 @@ define([ "dojo/dom-style", "dojo/_base/lang", "dojo/promise/Promise", + "dojo/Deferred", "dojo/on", "dojo/hash", "dojo/promise/all", @@ -15,8 +16,14 @@ define([ "dojo/dom-class" ], function(ContentPane, declare, event, registry, style, - lang, Promise, on, hash, all, xhr, query, iframe, + lang, Promise, Deferred, on, hash, all, xhr, query, iframe, domClass) { + var docURL = new URL(document.location); + var domReject = function (request) { + return ( + request.getResponseHeader("X-LedgerSMB-App-Content") !== "yes" || + (request.getResponseHeader("Content-Disposition") || "").startsWith("attachment")); + }; return declare("lsmb/MainContentPane", [ContentPane], { @@ -56,17 +63,61 @@ define([ }); }, load_form: function(url, options) { + var tgt = new URL(url, docURL); + if (tgt.origin !== docURL.origin) { + return (new Deferred()).resolve(); + } + var self = this; self.fade_main_div(); - return xhr(url, options).then( - function(doc){ + var req = new XMLHttpRequest(); + var dfd = new Deferred(function () { + req.abort(); + }); + try { + req.open(options.method || "GET", tgt); + var headers = options.headers || {}; + for (var hdr in headers) { + req.setRequestHeader(hdr, headers[hdr]); + } + if (options.data && + !(options.data instanceof FormData) && + ! headers["Content-Type"]) { + req.setRequestHeader( + "Content-Type", + "application/x-www-form-urlencoded" + ); + } + req.setRequestHeader("X-Requested-With", "XMLHttpRequest"); + req.addEventListener("load", function () { + dfd.resolve(req); + }); + req.addEventListener("error", function () { + dfd.reject(req); + }); + req.send(options.data || ""); + } catch (e) { + dfd.reject(e); + } + + return dfd.then( + function (request) { + if (domReject(request)) { + return self.show_main_div(); + } + self.hide_main_div(); - self.set_main_div(doc); + return self.set_main_div(request.response); }, - function(err){ + function (request) { + if (domReject(request)) { + return self.show_main_div(); + } + self.show_main_div(); - self.report_request_error(err); - }); + return self.report_request_error({ err: request }); + } + ); }, download_link: function(href) { // while it would have been nice for the code below diff --git a/lib/LedgerSMB/Middleware/DynamicLoadWorkflow.pm b/lib/LedgerSMB/Middleware/DynamicLoadWorkflow.pm index 94737a25d..6964798a5 100644 --- a/lib/LedgerSMB/Middleware/DynamicLoadWorkflow.pm +++ b/lib/LedgerSMB/Middleware/DynamicLoadWorkflow.pm @@ -28,6 +28,7 @@ use parent qw ( Plack::Middleware ); use List::Util qw{ none any }; use Module::Runtime qw/ use_module /; use Plack::Request; +use Plack::Util; use LedgerSMB::PSGI::Util; @@ -95,7 +96,15 @@ sub call { $env->{'lsmb.script_name'} = $script_name; $env->{'lsmb.action'} = $action; $env->{'lsmb.action_name'} = $action_name; - return $self->app->($env); + return Plack::Util::response_cb( + $self->app->($env), + sub { + if (not Plack::Util::header_exists($_[0]->[1], + 'X-LedgerSMB-App-Content')) { + Plack::Util::header_push($_[0]->[1], + 'X-LedgerSMB-App-Content', 'yes'); + } + }); } diff --git a/lib/LedgerSMB/PSGI.pm b/lib/LedgerSMB/PSGI.pm index 328e80ad3..ec8be07f1 100644 --- a/lib/LedgerSMB/PSGI.pm +++ b/lib/LedgerSMB/PSGI.pm @@ -78,7 +78,7 @@ Returns a 'PSGI app' which handles requests for the 'old-code' scripts in old/bi =cut sub old_app { - return CGI::Emulate::PSGI->handler( + my $handler = CGI::Emulate::PSGI->handler( sub { my $uri = $ENV{REQUEST_URI}; $uri =~ s/\?.*//; @@ -86,6 +86,18 @@ sub old_app { _run_old(); }); + + return sub { + return Plack::Util::response_cb( + $handler->(@_), + sub { + if (not Plack::Util::header_exists($_[0]->[1], + 'X-LedgerSMB-App-Content')) { + Plack::Util::header_push($_[0]->[1], + 'X-LedgerSMB-App-Content', 'yes'); + } + }); + } } ]]] -- Bye, Erik. http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.

2 years, 3 months

1
0
0 0

Debian 11 (Bullseye) release includes LedgerSMB

by Erik Huelsmann

Hi all, On August 14, Debian released the 11th version of its Linux distribution: Bullseye. Where the previous version (10 / Buster) had seriously broken packages for LedgerSMB -- to the extent that you could say that LedgerSMB wasn't really included at all --, we were just in time before the code freeze to submit fixed packages to Bullseye. The fixed packages quickly migrated to various Debian-based distributions, including Ubuntu (which included the fixed package in 21.04 / hirsute). Sending this mail to notify anybody who tried to install LedgerSMB using the distribution-supplied packages on Debian or Ubuntu: the packages in the latest stable repositories should be working correctly again! PS: While the packages are back in a working state, the current release is 1.6.9. The goal for Debian 12 (Bookworm) is to deliver a close-to-current version of LedgerSMB when it releases. -- Bye, Erik. http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.

2 years, 3 months

1
0
0 0

2023

2022

2021

2020

2019

2018

2017

users August 2021