56cb0fb @jonjensen Add separate files for each development stage of Interchange.
jonjensen authored
------------------------------------------------------------------------------

What's new in each version of Interchange
(since the version 5.0 branch)

See WHATSNEW-5.3 for later changes.

------------------------------------------------------------------------------


Interchange 5.1.0 released 2004-04-08.

Security
--------

* Plug a security hole which allows an attacker to expose arbitrary variable
  contents by using a URL like
  http://shop.example.com/cgi-bin/store/__SQLUSER__.

  All Interchange applications using the standard "missing" special page
  from the demo catalog or a similar one are vulnerable to this attack.
  The attacker may learn the SQL access information for your Interchange
  application and use this information to read and manipulate sensitive
  data.

* Disallow [ and < in page names when setting MV_PAGE and MV_PREV_PAGE
  variables.

* Prevent login information from getting re-saved on a session cancel.

* Define a set of CGI keys that we don't want to save to disk, as
  @Global::HideCGI.

* Don't show sensitive (i.e. @Global::HideCGI) CGI variables in a dump.
  This allows saving a session to disk for diagnostic purposes in case
  of order failure.

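The three changes above, reduced to plain Perl as an added illustration (this is not Interchange's own code; the template, the catalog variables, the @HideCGI list and the function names are constructed for the example). It shows why the "missing" page leaked catalog variables (the requested name was echoed into the page before the __NAME__ expansion pass ran over it), the corrected order of operations, the page-name check, and a dump that redacts hidden CGI keys:

```perl
#!/usr/bin/perl
# Added example, not Interchange code. Shows (1) how echoing a requested
# page name into the "missing" page before the __VARIABLE__ pass leaks
# catalog variables, (2) rejecting [ and < in page names, (3) redacting
# @Global::HideCGI keys before a session dump. All names/values constructed.
use strict;
use warnings;

# Constructed catalog variables. In Interchange these come from the
# Variable directive and replace __NAME__ wherever it appears in a page.
my %Variable = (
    COMPANY => 'Example Shop',
    SQLUSER => 'shopdb_user',           # constructed, sensitive
    SQLPASS => 'constructed-password',  # constructed, sensitive
);

# Expand __NAME__ placeholders from %Variable; unknown names are left as-is.
sub expand_vars {
    my ($text) = @_;
    $text =~ s/__([A-Z][A-Z0-9]*)__/exists $Variable{$1} ? $Variable{$1} : "__$1__"/ge;
    return $text;
}

# A "missing" special page template that echoes the requested page name.
my $missing_template =
    "__COMPANY__: sorry, the page [page-name] was not found.\n";

# Leaky order of operations: the requested name is spliced in first and the
# variable pass then runs over the whole page, so a request for
# /cgi-bin/store/__SQLUSER__ expands like any other placeholder.
sub render_missing_leaky {
    my ($page_name) = @_;
    (my $out = $missing_template) =~ s/\[page-name\]/$page_name/;
    return expand_vars($out);
}

# Fixed order: expand the template's own variables first, then splice in
# the user-supplied name, which is never looked up in %Variable.
sub render_missing_fixed {
    my ($page_name) = @_;
    my $out = expand_vars($missing_template);
    $out =~ s/\[page-name\]/$page_name/;
    return $out;
}

# Page names may not contain [ or <, so an echoed name can never be parsed
# as an ITL tag or as HTML later on.
sub valid_page_name {
    my ($page_name) = @_;
    return $page_name !~ /[\[<]/ ? 1 : 0;
}

# CGI keys that must not be written to disk or shown in a dump (constructed
# list; the real one is @Global::HideCGI).
my @HideCGI = qw(mv_credit_card_number mv_credit_card_cvv2 mv_password);

# Return a copy of the CGI hash with hidden keys replaced, for a dump or for
# a session saved to disk after an order failure.
sub redact_cgi {
    my ($cgi) = @_;
    my %hide = map { $_ => 1 } @HideCGI;
    my %copy = %$cgi;
    $copy{$_} = '[hidden]' for grep { $hide{$_} } keys %copy;
    return \%copy;
}

unless (caller) {
    print 'leaky: ', render_missing_leaky('__SQLUSER__');
    print 'fixed: ', render_missing_fixed('__SQLUSER__');
    for my $name ('Ladders/Step', 'x[perl]y', 'a<b') {
        printf "%-12s %s\n", $name, valid_page_name($name) ? 'accepted' : 'rejected';
    }
    my $safe = redact_cgi({
        mv_nextpage           => 'ord/basket',
        mv_credit_card_number => '0000-constructed',
    });
    print "$_=$safe->{$_}\n" for sort keys %$safe;
}
```

The leaky renderer prints the constructed SQLUSER value in place of the page name; the fixed one prints the literal string __SQLUSER__. The general rule the fix illustrates is that a placeholder-expansion pass must run over trusted template text only, never over text that already contains request data.
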
Core
----

* mime subroutine handles email attachments better now: filename for
  attachments is set correctly from description parameter;
  attachment vs. inline is now controlled by attach_only attribute
  for [tag mime ...]. Demo'd with encrypted credit card attachment
  in etc/report.

* Move mv_nextpage fallback before security check.

* Add the ability to create a transaction ID and later assign the order number.
  To use, you need to set in the main route:

      counter_tid   etc/transaction.number

  At that point, in the current foundation, you would add this code to
  assign an order number *after* payment is taken.

      Set order number in values: [value
                                      name=mv_order_number
                                      set="[counter
                                              name=`$Session->{current_route}{counter_name}
                                                      || 'etc/order.number'
                                                   `
                                              sql=`$Session->{current_route}{sql_counter}`
                                              start=`$Session->{current_route}{first_order_number}`
                                              date=`$Session->{current_route}{date_counter}`
                                           ]"
                                  ]
      Set order number in session: [calc]
          $Session->{mv_order_number} = $Values->{mv_order_number};
      [/calc]

  This allows the order numbers to increment only after payment has been
  received, while still allowing the all-in-one transaction logging
  file located in a report file.

  If you use counter_tid, you *must* set the order number in your
  logging file if you want it to be available.

  You will want to call [charge ... order_id="[value mv_transaction_id]"]
  to get full traceability of declined and failed charges.

* Add ability to use date-based order numbers with

      date_counter  1

  in the appropriate route.

* Allow setting a counter name without incrementing the counter itself, if

      increment  0

  is in the route. This is really how it should have been done in the
  first place.

* Remove Vend::Server::http_log_msg which is only called for SOAP accesses.

* Create way to specify that local override of a global tag should not cause
  an error message.

      Limit override_tag  tag1 tag2 tag3

* Define a set of CGI keys that we don't want to save to disk, as
  @Global::HideCGI.

* Allow [dump no-cgi=1 no-session=1 no-env=1] to fine-tune dump.

* Don't show sensitive (i.e. @Global::HideCGI) CGI variables in a dump.
  This allows saving a session to disk for diagnostic purposes in case
  of order failure.

* Fix problem with invalid cookie if FullUrl is enabled and there is no path.

* Allow standard handler for PUT operations. To enable, do:

      SpecialPage  put_handler  some_action

  The some_action action (could be a page) will be prepended to
  any path sent with the PUT.

* Add 'reverse' attribute to [item-list], to walk the cart lines in reverse
  order.

* Add ability to export only portions of tables based on a where= parameter.
  Only works for DBI tables at the current time.

  If the where parameter is a scalar, it is passed as-is as the "WHERE"
  clause, i.e.

      [export table=products where="prod_group='Ladders'"]

  You can pass anything that won't cause a syntax error, even including
  an "order by" or "limit".

  If you want to pass multiple things, or not worry about quoting,
  you can do:

      [export table=products where.prod_group=Ladders]

  The normal caveats for hash parameters apply, i.e. you cannot
  do:

      where.prod_group="[cgi foo]"

  You *can* do:

      where.prod_group=`$Tag->cgi('foo')`

  or

      where.prod_group=`$CGI->{foo}`

  Normal DBI quoting is always done, so you don't include quotes.

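What the two where= forms turn into, as an added Perl illustration (not Interchange's export code; the function names and sample inputs are constructed, and bind placeholders stand in for the DBI quoting the tag performs). The scalar form goes to the database as written, which is why it may carry an ORDER BY or LIMIT and why its contents are entirely the caller's responsibility; the where.column=value form binds each value as data:

```perl
#!/usr/bin/perl
# Added example, not Interchange code: what the two forms of the [export]
# where= parameter turn into. The scalar form is handed to the database
# verbatim; the hash (where.column=value) form becomes one "column = ?"
# per key with the value bound as data, which is what DBI quoting buys you.
# Function names and the sample inputs are constructed for this example.
use strict;
use warnings;

# Identifier check for table and column names, which cannot be bound as data.
sub valid_ident { $_[0] =~ /^[A-Za-z_][A-Za-z0-9_]*$/ ? 1 : 0 }

# build_where: returns (clause, \@binds).
#   scalar  -> appended as written; the caller owns its contents
#   hashref -> "col = ?" per key, joined with AND, values in @binds
sub build_where {
    my ($where) = @_;
    return ('', []) unless defined $where;
    if (!ref $where) {
        return ('', []) unless length $where;
        return (" WHERE $where", []);
    }
    my (@clauses, @binds);
    for my $col (sort keys %$where) {
        die "bad column name '$col'\n" unless valid_ident($col);
        push @clauses, "$col = ?";
        push @binds, $where->{$col};
    }
    return (' WHERE ' . join(' AND ', @clauses), \@binds);
}

# export_sql: the SELECT an [export table=... where=...] would run,
# with the bind values it would pass alongside it.
sub export_sql {
    my ($table, $where) = @_;
    die "bad table name '$table'\n" unless valid_ident($table);
    my ($clause, $binds) = build_where($where);
    return ("SELECT * FROM $table$clause", $binds);
}

unless (caller) {
    # Scalar form: anything goes, including ORDER BY / LIMIT, and nothing is quoted.
    my ($sql, $binds) = export_sql('products', "prod_group='Ladders' ORDER BY sku LIMIT 10");
    print "$sql\n";

    # Hash form: the value is bound, so a quote inside it stays ordinary data.
    ($sql, $binds) = export_sql('products', { prod_group => "Ladders' OR 'a'='a" });
    printf "%s   binds=[%s]\n", $sql, join ', ', map "'$_'", @$binds;

    # Several keys are ANDed together, one placeholder each.
    ($sql, $binds) = export_sql('products', { prod_group => 'Ladders', category => 'Step' });
    printf "%s   binds=[%s]\n", $sql, join ', ', map "'$_'", @$binds;
}
```

The second call is the point of the hash form: the awkward value is printed in the bind list, not in the SQL text, so it can only ever match a row whose prod_group literally equals that string. Column and table names are the one thing placeholders cannot protect, which is why the example checks them as identifiers instead.
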
* Allow (sensible) relative paths for DebugFile directive and
  change default debug file to $VENDROOT/debug.log.

* Remove obsolete and unused DifferentSecure directive.

* Fix rare but nasty bug that causes chained ITL conditional tests to fail
  in no-op mode:

      [if scratch something][or value something]...[/if]
      [if scratch something][and value something]...[/if]

  The problem happens when the first [if] contains a string that doesn't
  convert nicely to a number, and gets passed to an XOR test directly instead
  of being converted to a 1 or 0 first. That causes a string XOR to be done,
  which gives the wrong answer.

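The Perl pitfall behind that bug, as an added illustration (not the Interchange code that had the bug; the function names and the sample test values are constructed). When both operands of ^ are strings Perl performs a bitwise string XOR, and the result of two true strings is a string of NUL bytes, which Perl treats as true:

```perl
#!/usr/bin/perl
# Added example, not Interchange code: the Perl pitfall behind the chained
# [if]/[or]/[and] bug. Function names and inputs are constructed.
use strict;
use warnings;

# combine_raw: feed the two test results to ^ as they are. If both are
# strings, Perl does a bitwise *string* XOR: "1" ^ "1" is "\0", which is a
# true value, so two true tests combine to "true" instead of false.
sub combine_raw {
    my ($x, $y) = @_;
    return ($x ^ $y) ? 1 : 0;
}

# combine_fixed: reduce each operand to 1 or 0 first, so ^ is numeric and
# the result is the logical exclusive-or the conditional chain expects.
sub combine_fixed {
    my ($x, $y) = @_;
    return (($x ? 1 : 0) ^ ($y ? 1 : 0)) ? 1 : 0;
}

unless (caller) {
    # Each pair stands for the first test's scratch value and the second
    # test's value, as strings, the way the tag results arrive.
    for my $pair (['1', '1'], ['Ladders', 'yes'], ['Ladders', ''], ['', '']) {
        my ($x, $y) = @$pair;
        printf "%-10s xor %-6s raw=%d fixed=%d\n",
            "'$x'", "'$y'", combine_raw($x, $y), combine_fixed($x, $y);
    }
}
```

The first two pairs are the failing cases: two true strings give raw=1 where the fixed form gives 0. The mixed and empty pairs agree by accident, which is why the bug was rare. Note that the 'bitwise' feature (in the feature bundle from Perl 5.28 onward) makes ^ always numeric and moves string XOR to ^., so code written under that feature does not show the raw behaviour.
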
* Optimize no-op [if] checks when test is false.

* Add ability to control directory creation and umask of uploaded files.

  Automatic creation of directory:

      [set mv_auto_create_dir]1[/set]

  The umask for creation operation:

      [set mv_create_umask]02[/set]

* SpecialSub -- directive to specify subroutines (catalog or global)
  upon certain conditions, i.e. "missing".

  When the routine is called, it should perform whatever action is
  required. If it wants the catalog to continue with the default
  action, i.e. the "missing" special page, it should return false.
  If it returns true, and there is no second parameter of a page name
  returned, it will be assumed all required action has
  been taken and the default action will not be performed.

  If it returns true, and a second parameter is returned, it
  is the name of a page to display in lieu of the original one.

  This allows

      SpecialSub  missing  check_category

      Sub check_category <<EOS
      sub {
          my ($name) = @_;
          return unless $name =~ m{^[A-Z]};
          $name =~ s,_, ,g;
          my ($prod_group, $category) = split m{/}, $name;

          $CGI->{co} = 1;
          $CGI->{fi} = 'products';
          $CGI->{st} = 'db';
          $CGI->{sf} = join "\0", 'prod_group', 'category';
          $CGI->{op} = join "\0", 'eq', 'eq';
          $CGI->{se} = join "\0", $prod_group, $category;
          $CGI->{sp} = 'results';
          $CGI->{mv_todo} = 'search';
          $Tag->update('process');
          return (1, 'results');
      }
      EOS

  You can also use a GlobalSub to perform actions not allowed in a catalog
  subroutine.

* The Vend::Page module is modified to call a "missing" SpecialSub if
  it exists. No other actions are currently handled.

* Vend::Table::DBI::set_slice handles passed list correctly and doesn't
  mangle arrays passed by reference.

* Prevent Storable from dying when encountering a code object in
  save_more.

UserTag
-------

* Added new usps_query usertag for real-time rate quotes from U.S. Postal
  Service's webtools API. Documentation in tag.

* Add new UserTag option "attrDefault", which allows default attributes to
  be set globally or catalog-wide for a given usertag. Two examples:

      UserTag area attrDefault href index
      UserTag calc attrDefault filter entities

  Any user-specified attributes will take precedence, even if 0 or blank.

  This is designed to allow changing the default behavior of a tag without
  changing its code, especially for built-in tags one would rather not
  customize. Note that when using this directive on global usertags,
  it must be done in interchange.cfg, and for catalog usertags in catalog.cfg.

* Add option to specify useragent to get_url tag.

* Add locale option to [convert-date] following a suggestion from
  Rene Hertell <rene@hertell.com>.

* The [convert-date] global UserTag now has an "adjust" parameter which
  allows date adjustments such as "2 hours" or "3 weeks" etc. to be made.
  Valid qualifiers are seconds, hours, days, minutes and weeks. If no
  qualifier is specified the numeric value is assumed to be a number
  of days. The old "days" parameter still works, but has been deprecated.

* Add filter attribute to var tag, similar to value, cgi, and scratch,
  except that filtered value will never be saved back into the variable.

* Add matrix option to [weight] UserTag for automatically
  falling back to the base SKU weight if not filled in for the variant.

* [import-fields]: sanity check on key name to avoid imports in wrong
  file format.

* Make pageonly=1 option in [history-scan] UserTag work correctly
  when there's no history saved in the user's session.

* [row-edit]: display columns in the same order as in the columns
  parameter.

UI
--

* customer_mailing: Add full path for sendmail in batch,
  using $Config->{SendMailProgram}, weed duplicate email addresses,
  sort by email instead of last name.

* Let [row_edit] honor spread_width meta setting.

* Display an error message if for whatever reason the regions directory is
  empty.

* Fix item_price.html in order to keep secure mode.

* Add names to templates/components list page.

* Fix menu loader bug with combined category field type reported by Michael Streubel
  <Michael.Streubel@palmwaregroup.com>.

* Give focus to username box on login page load to allow immediate
  username typing.

Foundation
----------

* Added entries to shipping.asc for USPS rate queries, and two new vars to
  variable.txt.

* Remove "default" column from mv_metadata.asc, as it is not used anywhere.
  This allows the addition of mv_metadata to MySQL, as otherwise the
  column name "default" prevents the creation of the table.

* Add missing [timed-build] to category_vertical_tree component.

* Improve layout of order tracking page, use [convert-date] for date
  display.

* Supply framework for making use of the modulo feature
  for UPS shipments. Two new catalog variables enable/disable the feature
  and set the modulus, respectively. We still maintain the 'one big box'
  assumption that has been there all along, but now alternatives are somewhat
  easier to implement.

* On special_pages/missing.html set correct scratch variable so admin
  missing page error displays correctly.

TableEditor
-----------

* Apply Paul Vinciguerra's patch to the number-of-rows handling, which gets
  multiple row tabs working on the tabbed display if not in ui_style mode.

* Make containing form name (i.e. <form name=foo ...>) available
  to the widget.

* Allow setting of a disabled.param=1 entry so that you can show
  widgets in a table editor yet not accept data from them. The DISABLED=1
  flag will be set in the widget (which normally grays it out) and
  it will be set to be display_only.

* Pass the form and form_name parameters to Vend::Form for use in
  widgets.

* Add option "top-buttons-rows" to set the number of rows where
  top buttons will be triggered. Use said option in appropriate
  UI pages.

Menu
----

* Enhance flyout menus to have a lined-up image indicating a submenu.
  The parameter is an image name (if not beginning with <) or
  arbitrary HTML (if first character is <).

  Use by passing the parameter:

      submenu_image_right="[var IMAGE_DIR]/right.gif"

  or

      submenu_image_left="[image src=asterisk.gif]"

  or to fake it out with some text:

      submenu_image_right=|
          <span style="font-size: smaller !important"> &nbsp; (more)</span>
      |

Widgets
-------

* Allow date_widget to display/store empty value if called as date_blank
  or datetime_blank.

Options
-------

* Add blank_label="--select--" option to [item-options], allows development
  of code to enforce option selection.

* Add missing space to SQL query in Interchange 4.8 options.

Payment
-------

* Always pass the customer's IP address through to PSiGate as part
  of the payment request.
  This patch was supplied by Gary Benson - thanks!

* Pass credit card security code through to Verisign if provided in
  CGI parameter mv_credit_card_cvv2.

i18n
----

* "make localefiles" ignores CVS conflict files now.

* Japanese UI translation update from Murahashi <murahashi@ayayu.com>.

* Improve translation of UI and foundation store.

* [LC] uses DefaultLocale setting if $Scratch->{mv_locale} isn't available.

SOAP
----

* No DNS lookups unless HostnameLookups is set.

Debian
------

* Add libhtml-parser-perl to Build-Depends to keep HTML::Entities
  module out of the package (Closes: #224435, thanks to Henrik Holmboe
  <elements@hack.se> for the bug report).

* Check for existence of expireall binary in cron script.

Mod_interchange
---------------

* Fixed a weird bug where null HTTP variables were being passed
  under certain circumstances.

* Added a SUN_LEN() macro for those operating systems that don't
  have one already. I think this was done for Solaris. I can't
  remember now. :-)

* Fixed a bunch of potential buffer overflows. Each of them would
  have a very remote possibility of being tripped, unless intentionally.

* Added an "OrdinaryFileList" directive to DECLINE requests where the
  path starts with one of the values in the list. If this module
  DECLINEs a request then Apache will attempt to serve the request
  instead. This is useful for creating exceptions to <Location />,
  for image files etc.

* Added an "InterchangeScript" directive. The new directive can be used
  to specify a SCRIPT_NAME to pass to Interchange. The value will override
  the SCRIPT_NAME=/foo that would default from <Location /foo>.

* Lots of minor cleanups.


------------------------------------------------------------------------------

(end)