Recent changes to bugs

Security issue: WEB-INF directory can be exposed

Daniel Quathamer — Tue, 23 Jan 2007 20:22:02 -0000

Hi Folks,
a colleague of mine (Patrick Schönenberg from Zendas www.zendas.de) pointed out a possible security risk in dbforms 2.5: If you create a local web page with a modified form, files like WEB-INF/dbforms-config.xml can be exposed to any client without authentication. This is how you do it:
Create a local file test_dbform.htm with a form tag:
<form name="dbform" action="http://<<your-webapp>>/servlet/control" method="post">
and a button <input type="hidden" name="fu_<<FORM-ID>>" value="/WEB-INF/dbforms-config.xml"/>
and a submit button will display the dbforms-config file- without authentication! Since this file (or others) in the WEB-INF directory contain sensitive information like connection passwords, this is a serious issue.

I have corrected this behaviour with the attached webevent-class, but this only works in my installation. A more general solution would be feasible. Maybe this is already corrected in dbforms 2.6.

Thank you for your attention, and please keep developing this great product!

Daniel Quathamer

OutOfMemoryError

sphawkins — Thu, 17 Aug 2006 08:45:57 -0000

I am having problems with out of memory errors when
using the application that I have developed with
dbforms. After using the system for a few hours it
falls over with the error java.lang.OutOfMemoryError:
Java heap space. I have tried uping the initial and max
memory pool size in the tomcat config, now 128MB and
256MB which did improve things but I am still getting
the error.

I was originally getting the error when I loaded the
full database (about 45000 records) and clicked on the
last record button on the form, uping the memory size
the first time solved this but made me wonder of
records where being released properly.

Tomcat version 5.5.9
Java 1.5.0_02
DbForms 2.6 snapshot 20051105

Steven

Class not found using snapshot 20060405

sphawkins — Thu, 17 Aug 2006 08:29:23 -0000

I have tried to upgrade from 2.6 snapshot 20051105 to
the latest weekly build snapshot 20060405 but get the
following error

java.lang.NoClassDefFoundError:
org.dbforms.taglib.StaticData

I have copied all the depended jar files accross to
replace the existing ones and the dbforms.tld but as
sone as I start using the dbforms2.6-SNAPSHOT jar I get
the above error?

Steven

sql count error

Jose Enrique — Wed, 24 May 2006 16:28:15 -0000

When using a data access class to make a row count in a
list table it dosn´t work by a sql error (by example,
using
dtaAccessClass="dataaccess.DataSourceJDBCWithRowCount"
in dbforms-config.xml and <db:textFormat
contextVar="rsv_TABLE.attribute(ROWCOUNTALL)" /> )

The sql is wrong formated at
org.dbforms.event.datalist.dao.DataSourceJDBC because
an "order by" sentence is at the end of the select
count(*).

Proposed solution
-----------------

I have deleted de "orderConstraint" and compliled
dbforms and it works.

Class-> org.dbforms.event.datalist.dao.DataSourceJDBC
Method -> protected void open()

Inside --- if(isCalcRowCount()) ---

We change --- orderConstraint --- by --- new
FieldValue[]{} ---

Before
------

....

if(Util.isNull(whereClause)) {
String pquery = getTable().getSelectQuery(v,
filterConstraint, orderConstraint, sqlFilter,
Constants.COMPARE_NONE);
PreparedStatement pstmt =
connection.prepareStatement(pquery);

....

After
-------

....

if (Util.isNull(whereClause)) {
String pquery = getTable().getSelectQuery(v,
filterConstraint, new FieldValue[]{}, sqlFilter,

Constants.COMPARE_NONE);
....

Date Validation

sphawkins — Thu, 17 Nov 2005 17:44:44 -0000

I have setup the following date validation on a field
on my form:

<field property="LETTER_SENT" depends="date">
<msg name="date" key="Invalid date entered "
resource="false"/>
<var>
<var-name>datePatternStrict</var-name>
<var-value>dd-MMM-yyyy</var-value>
</var>
</field>

When I use one of the navigation buttons (next, last
etc) the field is validated correctly but if I use the
Update or Insert buttons valid dates are reported as
invalid?

Also is there anyway of validating that a date is on or
before the date of entry.

Steven

navigation with autoupdate=true

Anonymous — Tue, 30 Aug 2005 15:55:29 -0000

A problem using datalist:
Set autoupdate attribute to true, make some changes to
a form, navigate to next, (an update is executed),
navigate to prev, at this point, you don't see the data
freshly inserted, but the old ones. It seems to me that
cached data isn't updated on executing update as a
secondary event. If Update is clicked the amended data
is dispayed.

steven.hawkins@stedsbc.gov.uk

devgui - mysql syntax...

Anonymous — Fri, 10 Jun 2005 18:30:23 -0000

: Retrieving metadata using the following properties
-----------------------------------------------------
jdbcDriver=com.mysql.jdbc.Driver
jdbcURL=jdbc:mysql://localhost/customer
username=root
password=(hidden)
catalog=customer
schemaPattern=null
tableNamePattern=null
Warning: Reading of auto-incremented columns

failed with message
'You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the
right syntax to use near 'order LIKE 'order_id'' at
line 1'.
No reason to panic, just detection auf auto-incremented
columns will not work. However, better send a mail to
DbForms Mailing list to get this corrected
finished

Tried this with both Stable and Weekly build using
table definitions in the user manual example for a
customer database.

Mysql 4.1.12 binary installation
Solaris 10
Java - j2sdk 1.4.2_08

imput is not a valid HTML tag

Wed, 15 Sep 2004 10:30:30 -0000

Hi
There is a bug in dbforms2.5-SNAPSHOT (August 18), and
I have also seen it in dbforms2.4, where a form mad
will dbforms contains the following:
<imput type="hidden" name="country" value="US"/>

imput is not a valig tag, should be input.

validator-rules.xml (dbforms 2.3)

Anonymous — Tue, 01 Jun 2004 13:51:47 -0000

Validator-rules.xml has several errors:

1)
In the attribute "methodParams" of the
element "validator", the last type should
be "org.dbforms.config.DbFormsErrors" instead
of "org.dbforms.DbFormsErrors", for all validators;

2)
The javascript function of the "long" validator has 2
errors:
2.1) The 5th line of the function should be "oLong = new
longValidations();" instead of "oLong = new
LongValidations();" (notice the upper case "L");
2.2) In the for loop is used "oInteger" instead of "oLong".

Joăo Pires (jgmp@mail.pt)

Locale Bug?

chris — Tue, 04 May 2004 09:38:43 -0000

Hi,

I have a Web-Application with Locale-support (both
language und Country attributes are needed).

But when your method "processLocale" creates a new
Locale-Object, only the language-Attribute is processed.

What shall we do with our country-Attribute?
(e.g. "de_DE", "en_ZA")

private void processLocale(HttpServletRequest request)
{
String loc = ParseUtil.getParameter(request, "lang");
if (!Util.isNull(loc)) {
Locale locale = new Locale(loc);
MessageResources.setLocale(request, locale);
} else if (MessageResources.getLocale(request) ==
null)
{
MessageResources.setLocale(request,
request.getLocale());
}
}

Thanks from Germany

Chris