Bugs

Vialect Bug Bounty:

  1. Contact us and let us know you are interested.
  2. Qualification
    • Confine aggressive/damaging testing to a local install
    • Keep your findings confidential until the week after we fix the bug (same day we hope)
    • We pay whenever we make a change as a result of your bug report.
  3. Send us a report with enough information for us to reproduce the bug of whatever class
    • RCE Remote code execution
    • EoP Elevation of privilege
    • ID Information disclosure
    • DoS Denial of service
  4. We will reward you (You will not be prosecuted)
    • Public credit and thanks
    • Payment (varies by severity and location of the bug up to $1,000 USD)

We thank VioPoint and All Covered for testing Noodle.

mailto has no defined limit on the number of characters, but there are limits in practice (as of 2015).

Web Browsers:

  • Apple Safari
    • 705000000
    • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56
    • limited by 16GB RAM
  • Mozilla Firefox
    • 268435455
    • Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
    • limited by maximum string length
  • Google Chrome
    • 2097132
    • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
    • limited without explanation
  • Microsoft Internet Explorer
    • 2029
    • Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko
    • limited without explanation

Email Clients:

  • Mozilla Thunderbird
    • 2097132 works in 1 second
    • 268435455 uses 100% CPU for 2 minutes but fails to render the body and is not usable
    • version 38.3.0
  • SeaMonkey
    • 2097132 works in 5 seconds
    • 268435455 uses 100% CPU for a long time (more than 5 minutes)
    • version 2.38
  • Apple Mail
    • 500000 works in 14 seconds
    • 2097132 uses 100% CPU for a long time (more than 5 minutes)
    • version 8.2
  • Microsoft Outlook
    • trims any URL to 2070 in 1 second
    • version 2013
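
A sketch of how a link generator can stay inside these limits, added here as an example and not taken from Noodle: it builds a mailto: URL and cuts the body only on a whole-character boundary. The function name, the `LIMITS` keys and the reading of the figures as total URL length are assumptions.

```javascript
// Added example. Limits are the figures measured on this page (2015);
// treating them as the length of the whole mailto: URL is an assumption.
const LIMITS = { internetExplorer: 2029, outlook2013: 2070, chrome: 2097132 };

// Build a mailto: URL no longer than `limit`, cutting the body only on a
// whole-character boundary so the client never receives half a %XX escape.
function buildMailto(to, subject, body, limit = LIMITS.internetExplorer) {
  // Conservative address check: nothing that could start a second field.
  if (!/^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$/.test(to)) {
    throw new Error("unsupported address");
  }
  // encodeURIComponent escapes & ? and =, so the subject cannot add fields.
  let url = `mailto:${to}?subject=${encodeURIComponent(subject)}&body=`;
  if (url.length > limit) throw new Error("subject alone exceeds the limit");

  let truncated = false;
  // for...of walks code points, so surrogate pairs stay together.
  for (const ch of body) {
    let enc;
    try {
      enc = encodeURIComponent(ch);
    } catch {
      enc = "%EF%BF%BD"; // lone surrogate: substitute U+FFFD
    }
    if (url.length + enc.length > limit) {
      truncated = true;
      break;
    }
    url += enc;
  }
  return { url, truncated };
}
```

Callers should check `truncated` and fall back to another channel (for example a form post) when the body did not fit.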

There is a Microsoft Office bug (2019105) that will attempt WebDAV Windows authentication from non-WebDAV links. To work around this bug, the server can specify the "Content-Disposition" header as "attachment" (requesting that the browser save the file instead of opening it). Microsoft Internet Explorer will still ask if you want to open the file but will not attempt WebDAV. When making links with ShowItemData.po, use the "download" parameter in place of the "filename" parameter. For example:

/ShowItemData.po?handle=123&download=file.ext
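
One way a server could emit the header described above, as an added example that is not Noodle's own code: `download` selects `attachment`, and the name is cleaned so it cannot carry CR/LF or a path into the response header. All function names are hypothetical, and treating `filename` as inline display is an assumption.

```javascript
// Added example; function names are hypothetical, not Noodle's own code.

// Strip path components, control characters (CR/LF included) and leading dots.
function safeBase(name) {
  const cleaned = name
    .replace(/^[\s\S]*[\\/]/, "")
    .replace(/[\x00-\x1f\x7f]/g, "")
    .replace(/^\.+/, "");
  // Array.from keeps surrogate pairs whole when the name is shortened.
  return Array.from(cleaned).slice(0, 128).join("") || "download";
}

// ASCII fallback for the quoted filename= parameter.
function asciiFallback(base) {
  return base.replace(/[^\x20-\x7e]/g, "_").replace(/["\\;%]/g, "_");
}

// RFC 5987 value for filename*=: percent-encoded UTF-8.
function rfc5987(base) {
  return encodeURIComponent(base).replace(/['()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Returns the Content-Disposition value for a ShowItemData.po URL,
// or null when the request names no file.
function dispositionFor(requestUrl) {
  const params = new URLSearchParams(requestUrl.split("?")[1] || "");
  const download = params.get("download");
  const name = download !== null ? download : params.get("filename");
  if (name === null) return null;
  // Assumption: "filename" means display inline, "download" means save.
  const type = download !== null ? "attachment" : "inline";
  const base = safeBase(name);
  return `${type}; filename="${asciiFallback(base)}"; filename*=UTF-8''${rfc5987(base)}`;
}
```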

Chrome Bugs:
  • Version 37.0.2062.120 (and 39.0.2159.0 canary) inconsistently crash with "Aw, Snap!".
    • Empty the cache, etc, and restart the browser.
    • Send us your ids from chrome://crashes/ (Google keeps some bug reports private, but any IDs we are sent will be added as related to our report or one of the 72937 other outstanding chromium bugs).
  • Version 40.0.2214.111 will not run functions if they have ever been called (onmouseover) from another window (iframe)
    • reported as a regression.
  • Version 44.0.2403.125 loses scope on deeply nested AJAX
  • Version 50 Disabling "Use a prediction service to load pages more quickly" is advised to avoid incorrect redirects.
  • Version 72+ web driver is not blocking and thus unusably buggy
  • Version 84+ resets live CSS changes only when developer tools is open
  • Version 85 writes its own CSS instead of respecting dark mode
Solutions:
  • Use Firefox.
  • Upgrade.
  • Avoid nested AJAX.

Safari (GET/POST) requests sometimes block other requests.
In order to keep Noodle responsive we have disabled the instant features of Noodle on Safari.
We don't recommend using Safari; we do recommend Chrome, Firefox, and Internet Explorer.

Some browsers incorrectly cache HTTP 302 "Found/Moved temporarily" and 303 "See Other" redirects as if they were 301 "Permanent Redirect"s.

Safari

The "Too many redirects" error can be temporarily fixed in the "Safari" menu by selecting "Reset Safari".

Chrome/Chromium

Disabling "Use a prediction service to load pages more quickly" is advised.

There is a limitation of the PostgreSQL installer if you are using Windows domains.

The installer will need to make a postgres user that has write permissions on %PROGRAMFILES%\Postgres.

If the PostgreSQL installer is or will be unable to do so, please set up the permissions beforehand. Adding write for "Everyone" or adding rights for a new postgres user with the default password Pgsq1p@ssword will avert this limitation. Of the two, the dedicated postgres user is the narrower grant: write access for "Everyone" lets any local account modify files under that directory.

If you tried a normal Noodle install and you have a black "upgrade in progress" screen then this is likely the problem. There is no need to reinstall Noodle; just uninstall PostgreSQL, set up the permissions, download the PGInstaller and reinstall PostgreSQL.

After you install PostgreSQL you will need to edit the pg_hba.conf and make sure there is a "127.0.0.1/32 password" line.
Next run the init.sql in the Noodle folder with PGAdmin3 one line at a time.
Restart the PostgreSQL service, then the Noodle service.
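
A check for the pg_hba.conf step, added here as an example and not part of the Noodle installer: it parses the file text, confirms the "127.0.0.1/32 password" line is present in either CIDR or IP-plus-netmask form, and goes slightly beyond the page by listing any `trust` entries. The sample file and all function names are constructed for illustration.

```javascript
// Added example; SAMPLE_HBA is constructed, not copied from a Noodle install.
const SAMPLE_HBA = `
# TYPE  DATABASE  USER  ADDRESS        METHOD
host    all       all   127.0.0.1/32   password
host    all       all   ::1/128        md5
`;

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Convert a dotted netmask such as 255.255.255.255 to a prefix length.
function maskBits(mask) {
  return mask.split(".")
    .reduce((n, o) => n + Number(o).toString(2).replace(/0/g, "").length, 0);
}

// Parse local and host* records; comments and blank lines are skipped.
function parseHba(text) {
  const rules = [];
  for (const raw of text.split(/\r?\n/)) {
    const f = raw.replace(/#.*$/, "").trim().split(/\s+/);
    if (f[0] === "local") {
      rules.push({ type: "local", address: null, method: f[3] });
    } else if (/^host(ssl|nossl|gssenc|nogssenc)?$/.test(f[0])) {
      // The address is either CIDR (one column) or IP plus netmask (two).
      const twoCols = IPV4.test(f[3] || "") && IPV4.test(f[4] || "");
      rules.push({
        type: f[0],
        address: twoCols ? `${f[3]}/${maskBits(f[4])}` : f[3],
        method: twoCols ? f[5] : f[4],
      });
    }
  }
  return rules;
}

// hasLoopbackPassword: the line this page asks for is present.
// trustRules: entries that accept connections with no password at all.
function checkHba(text) {
  const rules = parseHba(text);
  return {
    hasLoopbackPassword: rules.some((r) => r.type !== "local" &&
      r.address === "127.0.0.1/32" && r.method === "password"),
    trustRules: rules.filter((r) => r.method === "trust"),
  };
}
```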