vicidial.org

[boybawang]

vicidial version: VERSION: 2.6-369a BUILD: 120526-0827
Vicidial buid: Installed from Scratch on Ubuntu 10.04 LTS

This error seems to appear on the new list loader and the old list loader, the error happened after I upgraded a test build.

[boybawang]

Verified working on VERSION: 2.6-368a

[rrb555]

Vicibox 3.1.15 Installer
no other hardware


experienced the same issue

downgraded server to revision 1821

VERSION: 2.6-368a
BUILD: 120518-1456

[boybawang]

You can do is to copy the lead loader php scripts from an older version to the newer one to solve the issue, i will post the code disparity later

[DomeDan]

svn checkout svn://svn.eflo.net:3690/agc_2-X/trunk
svn checkout svn://svn.eflo.net:3690/agc_2-X/trunk@1821 trunk_1821

diff -u trunk_1821/www/vicidial/admin_listloader_fourth_gen.php trunk/www/vicidial/admin_listloader_fourth_gen.php

Code: Select all

--- trunk_1821/www/vicidial/admin_listloader_fourth_gen.php   2012-05-29 10:05:29.756907468 +0200
+++ trunk/www/vicidial/admin_listloader_fourth_gen.php   2012-05-29 10:12:44.221058179 +0200
@@ -45,10 +45,11 @@
 # 120221-0140 - Added User Group restrictions
 # 120223-2318 - Removed logging of good login passwords if webroot writable is enabled
 # 120402-2128 - Added template options
+# 120525-1038 - Added uploaded filename filtering
 #
 
-$version = '2.4-44';
-$build = '120402-2128';
+$version = '2.4-45';
+$build = '120525-1038';
 
 
 require("dbconnect.php");
@@ -153,6 +154,8 @@
 
 ### REGEX to prevent weird characters from ending up in the fields
 $field_regx = "['\"`\\;]";
+$lead_file = preg_replace("/;|:|\/|\^|\[|\]|\"|\'|\*/","",$lead_file);
+$leadfile_name = preg_replace("/;|:|\/|\^|\[|\]|\"|\'|\*/","",$leadfile_name);
 
 $vicidial_list_fields = '|lead_id|vendor_lead_code|source_id|list_id|gmt_offset_now|called_since_last_reset|phone_code|phone_number|title|first_name|middle_initial|last_name|address1|address2|address3|city|state|province|postal_code|country_code|gender|date_of_birth|alt_phone|email|security_phrase|comments|called_count|last_local_call_time|rank|owner|entry_list_id|';
 

same different in the third gen listloader.
I guess you have any of these characters in the filename: ; : / ^ [ ] " ' *
Am I right, what was the filename of the file you tried to load?

[rrb555]

@DomeDan

problem are with revision 1822 and 1823

1821 is a working build

have u tested using revision 1822 and 1823?

[mflorell]

Please detail the exact steps(including all options selected) to duplicate this. Before committing the changes we did some basic tests and had no issues with our test lead files, but you might be doing something different.

[rrb555]

Using revision 1823
VERSION: 2.6-369a
BUILD: 120526-0827

added new list > 1001 > Listname (test leads) > list description (test leads) > campaign (testcamp) > active (N)
load new leads > Chose the file (mobility.txt a delimited file) > List override (1001-test leads) > Custom Layout > Submit > Set Phone number, first,last, city, state, and postal > OK to process

[boybawang]

The best way to trace of any code changes is to search that error message in the code itself then compare both files from the latest 369 and to the later 368

[mflorell]

Should be fixed now in svn trunk and branches/2.4

Please try it out and let me know if you run into any issues.

[rrb555]

updated to latest revision 1824
VERSION: 2.6-369a
BUILD: 120526-0827

Working.. thanks

[boybawang]

Verified working as well

[DomeDan]

@DomeDan
problem are with revision 1822 and 1823
1821 is a working build
have u tested using revision 1822 and 1823?

I posted the difference between 1821 and 1823

Verified working as well

weird that it just started working after that update, not even this: "ERROR: Invalid File Name: $LF_orig" ?

well well, never mind its working probably

[mflorell]

Those changes last week were made quickly in response to an exploit that a couple of people had reported on non-upgraded systems. The quick-fixes ended up removing the exploit(although an upgrade for those clients would have done so as well, but we always want to close all possible exploit paths as soon as possible) and it also caused uploaded files to not always be addressed properly by the lead loaders. The new fix for the exploit simply doesn't allow the process to proceed if you have bad characters in the filename, which seems like a better solution overall anyway.