Skip to content
This repository
tree: 68a5a7ba97
Fetching contributors…

Cannot retrieve contributors at this time

file 1151 lines (747 sloc) 39.651 kb
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151
------------------------------------------------------------------------------

                  What's new in each version of Interchange
                (in development since the version 5.6 branch)

------------------------------------------------------------------------------

See UPGRADE document for a list of incompatible changes.


Interchange 5.7.7 released on 2011-06-12.

Core
----
* Ensure users were always assigned sessions when using major
  browsers, regardless of any toolbar matches in the User Agent
  string.

* If we are running an or search and not all of the specs have equivelant sql
  specs (WHERE clauses) then don't try to optimize the query as doing so will
  cause records to not be returned that might match other specs.

* Allow customization of "DO ANOTHER" HTML block in the table editor. The DO
  ANOTHER block contains hard-coded text and return-pages used for radio buttons
  which is always displayed for new entries. This change allows customized HTML
  to replace it for when you want to use the table editor in your own custom
  admin pages.

* Strip bad characters from affiliate source. These characters cause problems
  in the usertrack log (and possibly other places) if they are allowed to remain
  in the source.

* Remove newline from errormessages to be able to parse locale of it

* Fix a bug in the [read-cookie] tag which in very specific rare
  circumstances could return the wrong value for a cookie.

* Fix a bug in parsing of TemplateDir directive with multiple directories
  on a single line (RT#318).
  Thanks to Mat Jones for the report.

* Fix for processing GDBM files while using UTF8.

* Add additional UserDB encryption options.

* Add pragma handling for setting the Cache-Control header.

* Enhance TrustProxy to handle multiple chained proxies.

* Multiple bugfixes to payment modules.

* Fixes when sending UTF-8 email.

Tags
----
* Allow sorting of forum entries.

Standard Demo
-------------
* Fix for adding items to cart with options shows expired page message. Thanks
  to Steve Graham <icdev@mrlock.com>.

* Fix for country selection drop down.
  Thanks to Paul Jordan <paul@gishnetwork.com>.

* Fix for state selection drop down for Ireland.
  Thanks to Paul Jordan <paul@gishnetwork.com>.

------------------------------------------------------------------------------

Interchange 5.7.6 released on 2010-03-23.

Core
----
* Fix a "HTTP Response Splitting" security exploit. This is not known
  to be exploitable in the standard demo, but could potentially affect
  other pages in rare circumstances.

* Fix a bug in initialization of Vend::Payment::BusinessOnlinePayment
  supplemental parameters.

* Fix a bug in css.tag to properly output the css when using the
  inline <style> block.

* Allow for bounces from Autoload routines.

* Fix SpecialPages directive for violation.html.

* Give some sort of informative error message if we crap out loading the locale
  db.

Standard Demo
-------------

* Correct comments in catalog.cfg for Limit robot_expire.

* Add comments for Limit ip_session_expire.

Admin UI
--------

* Remove the AdminUser configuration directive.

* Allow ids to be added to form widgets built from mv_metadata.

Contrib
-------

* Update jEdit syntax highlighting mode.

Debian packaging
----------------

* Multiple bug/dependency fixes.

------------------------------------------------------------------------------


Interchange 5.7.5 released on 2010-02-23.


Core
----

* Fix bug when calling some versions of Sys::Syslog.

* Multiple Debian fixes and translation updates.

* SEO-friendlier ActionMaps supported; hyphens are turned resolved into underscores.

Tags
----

* Make the [forum] tag default to NoReparse.

Payment
-------

* Upgraded Vend::Payment::PaypalExpress to v1.0.7 from http://kiwi.zolotek.net.

  * Fix for yet another variation in the way that Paypal handle Canadian province names.
    So we have 'British Columbia', 'BC', and now 'B.C.' formats.

  * Allow use of the [assign] tag in shipping.

  * Allow 'use_billing_override' to send billing addresses.

  * Display Long rather than Short PayPal error message to customers.

  Last three changes contributed by Josh Lavin.

* Added CyberSource SOAP toolkit payment module. Includes payment modules for:
  * Standard credit card
  * Bill Me Later
  * Paypal Express Checkout
  * Electronic check

* Corrected Vend::Payment::BusinessOnlinePayment handling/passing of
  supplemental parameters.

------------------------------------------------------------------------------


Interchange 5.7.4 released 2009-12-09.


Core
----

* Make the default session 'spider' variable reflect $Vend::Robot status,
  which more accurately says whether the request was made by (what
  Interchange considers) a spider, not just any old temporary session.

* Force raw encoding for file uploads (RT #268).

* Overhaul syslog support and offer much faster Sys::Syslog mechanism.

* Move parsing of CGI input to Vend::Dispatch::open_cat (#268).

* Fix bug related to [tag pragma name value] semantics being different
  than [pragma name value].

* Increased performance when using mv_max_matches with searches:

  * Make mv_max_matches stop all further searching once the limit is
    hit, rather than loading the entire result set into memory and
    then truncating it.

  * Add pragma max_matches, which takes precedence over user-supplied
    mv_max_matches unless the user-supplied argument is more restrictive.

* Provide a default implementation of mime_name for compatibility with
  older versions of Encode.pm.

* Recognize LWP::UserAgent as a robot.

SystemTag
---------

* Avoid encoding binary data in [deliver].

Debian packaging
----------------

* Eliminated commands with absolute paths in maintainer scripts.

* Added Spanish translation of Debconf templates.

Admin UI
--------

* Multiple cleanups and minor performance enhancements.


------------------------------------------------------------------------------


Interchange 5.7.3 released 2009-11-05.


Core
----

* Fix empty charset= lines when no $Vend::StatusLine was previously set.

* Allow POST with Content-type of application/json.

* Remove empty mv_arg from more-list links.

* Cleanup some POD documentation.

* Fix crash with TolerateGet and upload forms (#325).
 
* Show discount error message that was missing. Fixed by Jeff Boes.

* Die on errors in global configuration of crontab.

* Stop display of invalid user-provided session ID. Should not be XSS
  exploitable, since displayed in text/plain context, but don't show anyway
  in case any browser does improper content-type handling.

* Avoid XSS exploit in CGI input error. Reported by Justin Otten.

* Add BounceRobotSessionURL directive to 301 redirect robots which
  provide an explicit mv_session_id to the canonical page URL without
  the explicit mv_session_id. This prevents search engine urls from
  being indexed with an explicit session_id.

Tags
----

* Remove reference to deprecated Spreadsheet::WriteExcel::Big module in
  backup-database tag.

* Allow passing of "id" to the [display] tag. It will be output in the form
  element and a label element will be created to match, if appropriate.

  Example 1:

  [display id=category options=|
  =--select--,
  1=Junior High School,
  2=High School,
  3=College,
  4=Graduate School,
  | value="[evalue category]" type=select name=category]

  Output (bring your own <label for=category>):
  <select name="category" id="category">
      <option value="" SELECTED>--select--
      <option value="1">Junior High School
      <option value="2">High School
      <option value="3">College
      <option value="4">Graduate School
  </select>

  Example 2 (label elements provided):

  [display name=publish_email value="[evalue publish_email]" type=radio
  passed="0=No,1=Yes" blank_default=1 id=publish_email]

  Output:
  <input type="radio" name="publish_email" value="0" id="publish_email0">
       &nbsp;<label for="publish_email0">No</label>
  <input type="radio" name="publish_email" value="1" id="publish_email1" checked>
       &nbsp;<label for="publish_email1">Yes</label>

Standard Demo
-------------

* Correct bounces to nonexistent error pages.

* Fixed bug that causes options to not show up on the checkout receipt, or the
  order report, or the mail reciept for most or all items.

* Fix problem that prevented unsubscribing from all mailing lists.

Debian packaging
----------------

* Keep virtual host name supplied by user.

* Move CSS & image files from /var/www/interchange-5 to
  /usr/share/interchange-ui.

* Use virtual host instead of system hostname as server name for demo catalog
  if FullUrl is enabled.

* Updated translations of Debconf templates.


------------------------------------------------------------------------------


Interchange 5.7.2 released 2009-09-17.


Core
----

* Close remote disclosure security vulnerability, and added new configuration
  option AllowRemoteSearch to selectively re-enable remote searches on "safe"
  tables. Defaults to products, variants and options.

  Please see UPGRADE for important information on upgrading your
  catalogs to prevent any problems.

* Fix validate_charset to return mime charset names only.

* Enable catalog usertags within dispatch routines.

* Add SpecialSub order_missing (#221).

* Make TAX_CATEGORY_FIELD work as intended, where a colon-separated table and
  field will work as well as a simple field in the same table as the item.

* Add environment variable MINIVEND_DISABLE_UTF8 which allows us to
  skip the Encode module entirely.

  Since "no encoding" does not remove the tie from regexes to Encode,
  but only disables it, you can't use that method. You have to literally
  not include Encode in the module namespace. This environment variable
  prevents require/import of the module if it is set true.

  It also adds a Global UTF8 directive that would normally not be, but could
  be, set by the user. This disables UTF8 with "no encoding", which should avoid
  some of the Perl UTF8 insanity but still won't avoid a potential "require" or
  "dofile" on a simple regex.

* Change Vend::CharSet away from the quasi-object style of programming
  (i.e. Module->routine()), since this module is only used internally.
  This will improve performance if/when a large number of CGI parameters
  are passed.

* Pass data to be encoded by Vend::CharSet by reference. While the
  Encode module inexplicably won't operate on references, at least we
  can avoid slinging hundred-megabyte files by value for what ends up
  being a no-op. Should you have to decode the data, it will still be
  slow but it will be limited to that eventuality, not every uploaded
  file.

* Vend::Interpolate::taxable_amount: Remove unnecessary calls to item_subtotal
  and thus the database. Thanks to Josh Braegger <jbraegger@backcountry.com>.

* Unit tests: Test various values access methods. Fix some [query] test
  corner cases.

* Add new child-process tag and core support routines. This tag runs
  ITL code in a forked child process. Useful for offloading processes
  that take a relatively long time to complete.

* link programs:
  * Make HTML just a tad more modern.
  * Make message configurable in config.h.in.
  * Alter compile_link.PL to allow error message to be built from a file.
    Uses four lines, concatenating remainder of file into one big line 4.
    Tested with 70K file with many double-quotes, newlines, and carriage
    returns.
  * Add status option to make compile_link.PL to make error status
    configurable.
  * Add status option to make compile_link.PL to make error content type
    configurable.

* Fix rare bug that caused requests to / URL with a query string to fail, e.g.:

  http://hostname/?somevar=1

  Interchange in that case looked for a page called "/?somevar=1".

  Thanks to David Christensen <david@endpoint.com> for the fix.

* Correct .access functionality directly in pages/

  .access worked in subdirectories like pages/abc/, but didn't work directly
  under pages/.

* BounceReferrals changes:

  * Fix bug that kept query strings from being passed through due to use of
  nonexistent %$CGI::Values instead of %CGI::Values.

  * Remove mv_pc and mv_source to prevent redirection loops.

  * Don't generate a "process" URL for root URL; use DirectoryIndex instead,
    if available.

* Make [email] process cc and bcc options for plain text emails (#250).

* Allow catalogs to be set to have Perl always global by default.

      AllowGlobal catname
      PerlAlwaysGlobal catname

    This is a global directive (i.e. interchange.cfg).

    [perl global=0] will still be honored, i.e. that will be interpreted
    by Safe.

  * Allow catalogs to turn off "strict" in global mode by default:

      PerlNoStrict catname

    This is a global directive (i.e. interchange.cfg).

  This is intended as an easy way to allow catalogs to work all right
  with Vend::Charset. Sad, but can't think of any better way short of
  maintaining our own version of the UTF8 modules. It is really sad,
  because the Perl powers that be have totally abandoned Opcode and
  Safe.

  NOT RECOMMENDED FOR USE BY NON-SOPHISTICATED INTERCHANGE USERS.

* Correct issue with hi-bit characters in search strings.

  This corrects the "Wide character in subroutine entry" error that
  occurs when hi-bit characters are used in a search. The failure was
  caused by Digest::MD5's reluctance to process characters > 0xFF, so we
  just convert any search options to UTF8 before calculating the MD5.

* Add support for SHA1 encrypted userdb passwords.

  * Add new "promote" feature. When active, and passwords
    of any of the other algorithms are present, on next
    login the user's password will be promoted to the
    target hashing algorithm. This way, password strength
    can be increased organically.

  Use of SHA1 passwords can be specified in the same manner
  as currently MD5 can be:

  UserDB ui sha1 1

  To utilize the promotion feature, you add a similar line
  for the UserDB definition:

  UserDB ui promote 1

  Promote implies that strength is increased, but in reality
  promotion will move in any direction desired. The requested
  hashing algorithm is the target, and whatever the form of the
  passwords in the database, they will be converted to the target.

  E.g., if neither sha1 nor md5 is specified, and the database
  currently has md5 passwords, if promote is added, it will have
  the effect of promoting to crypt(), the target hashing algorithm
  (which happens to be the default).

  If promote is not used, the change is fully backward compatible.
  Whatever method is specified will be used, and if the database
  has passwords of a different algorithm, authentication will fail.

  You should not specify more than 1 hashing type. If you specify
  both md5 and sha1, you'll be subject to the whims of hash
  ordering from keys().

  Also note that, before promoting to a stronger hash, you should
  ensure your database's password field is long enough to hold the
  new, longer datum.

  Original work from Steven Jenkins <steven@endpoint.com> for
  framework of promotion code.

* Add global timeout feature for payment gateways.

  The different payment gateways all tend to implement their own timeout features
  with varying degrees of success. In particular, LWP-based clients do not appear
  to have any capability of passing a timeout by the developer whenever it uses
  the https protocol. Thus, the use of LWP's timeout feature is illusory and
  forces any activity to a 180s timeout.

  The new feature completely separates out the gateway activity with a fork,
  giving it reliable control over the duration of the gateway request. It also
  eliminates the need for each gateway module to implement its own timeout,
  either because the developer chose not to, didn't consider it, or because the
  developer discovered it was hopeless to do so using LWP.

  The feature is invoked using the "global_timeout" option in the payment route,
  or as an opt passed to [charge]. global_timeout should be any positive integer,
  which will define the number of seconds until the timeout is triggered. If this
  new option is not used, the effect is a no-op, with behavior identical to that
  prior to the feature. No changes in config means completely backward
  compatible.

  Additionally, a new "global_timeout_msg" option is available so that the
  message produced if the alarm fires can be customized within the payment route.

  E.g.:

      Route payflowpro id "__PAYFLOWPRO_ID__"
      Route payflowpro secret "__PAYFLOWPRO_SECRET__"
      Route payflowpro partner "__PAYFLOWPRO_PARTNER__"
      Route payflowpro vendor "__PAYFLOWPRO_VENDOR__"
      Route payflowpro host "__PAYFLOWPRO_SERVER__"
      Route payflowpro transaction A
      Route payflowpro global_timeout 20
      Route payflowpro global_timeout_msg "We're sorry ... [etc.]"

* Add DowncaseVarname config. Given a space- or comma-delimited list of CGI
  params, Interchange will accept those params in any case from the query
  string and force them to lower case. Developed primarily to address affliates
  creating URLs with "mv_pc" but using inconsistent case in the URL, and thus
  Interchange missing it.

* Add new SessionCookieSecure boolean catalog directive. When enabled, makes
  session cookie set in https usable only in https.

* Add new SourcePriority catalog directive.

  SourcePriority <source_list>

  <source_list> is a prioritized list of cgi variables to get the source
  (affiliate) name from. Can also include the following:

  mv_pc - has the current special casing of mv_pc, (ie RESET is special as
  are values that contain only digits).

  cookie-foo check the cookie with the foo label.

  session - stop here if session already exists, do not check any further
  variables.

  session-foo - stop here if foo session variable is set.

  Default: SourcePriority mv_pc mv_source

  Examples:

  Check the MV_SOURCE cookie for an affiliate name as well as the other defaults:
  SourcePriority mv_pc mv_source cookie-MV_SOURCE

  ...as above, but you don't want your affiliates using mv_pc:
  SourcePriority mv_source cookie-MV_SOURCE

  Check the cgi variable affid instead:
  SourcePriority affid

  Say you send affiliate traffic to other sites, and you don't want
  those sites to get credit for sales if a customer follows a banner from
  them back to your site:
  SourcePriority session mv_pc mv_source

  If you want affiliates who use the specialsource cgi variable instead of
  mv_source to get special treatment and can override customers who
  already have sessions:
  SourcePriority specialsource session mv_pc mv_source

  If you want to allow affiliates to get credit if there is a
  session but only if no other affiliate is already set:
  SourcePriority session-source mv_pc mv_source

* Add directive SourceCookie, support for persistent affiliate tracking.

  Setting SourceCookie defines the relevant attributes of a cookie to be
  maintained in conjunction with the usual session-only parameter
  $Session->{source}. Its usage eliminates the duration of the user's session as
  the limiting factor for applying credit to a referral.

  SourceCookie and SourcePriority would be expected to typically work in tandem,
  and thus the same cookie defined in both contexts. However, there is no such
  requirement to do so. Defining SourceCookie by itself merely makes the cookie
  available any time the core source routines set or manipulate
  $Session->{source}. That cookie may, or may not, be leveraged as an element in
  SourcePriority, which itself may look to a cookie not maintained by
  SourceCookie.

  SourceCookie supports the following attributes:

  * name (required)
  * expire (any format supported for [set-cookie])
  * domain
  * path
  * secure
  * autoreset

  autoreset is a boolean that, when true, will cause each request from the client
  to reset the cookie in the response, effectively refreshing the expiration time
  relative to the current time. Uses, for example, might include a desire to
  ensure that the source cookie last "forever" (autoreset + sufficiently long
  expire period) or for more obscure uses such as "Affiliate should last [value
  of expire] from the last request".

  Attributes may be positional in order of (name expire domain path secure), but
  it is recommended that they be expressed as key=value pairs for clarity.

  Example using both SourcePriority and SourceCookie together in catalog.cfg:

  SourcePriority mv_pc mv_source cookie-MV_SOURCE
  SourceCookie name=MV_SOURCE expire="180 days"

* Add reload of AutoModifier based on a prepended ! (exclamation point).
  Example:

     AutoModifier !download pricing:price_group

  The download attribute will be recomputed for the current sku when
  the cart is recalculated.

* Add ability to merge user logins with merged_user field. When the
  user logs in, their username is changed to the value of the ID in
  that field. No default, so not operational in standard demo catalog.
  Enabled with:

        UserDB default merged_user merge_to

  That would look in the database field "merge_to" for a user name
  to change to.

* Force re-configure on compile_link --force.

* table_editor/flex_select: Add ability to link "edit record" to custom
  page with custom parameter. Also can now change "edit record to
  something else like "view user".

* Fix table editor bug found by Jeff Boes <jeff@endpoint.com> which
  prevented custom widget type from working.

* Add shorthand to allow beginning/ending year with date widget name
  (i.e. yearbegin1934, yearend0000 where 0000 means current year).

* Add ability to configure the number of levels and hash length for
  the directory structure of file-based sessions. Instead of a fixed
  value of 2 and 1 for levels and length, respectively, make two
  configuration parameters named SessionHashLevels and SessionHashLength

  Default is 2 and 1, respectively, matching the current values.

  This solves the problem of session IDs passed from CGI::Session or other
  modules that use a quasi-sequential session ID. You end up placing all
  sessions in the S/2 directory for a long time, followed by the S/3 directory,
  etc. A setting of:

    SessionHashLength 4
    SessionHashLevels 1

  would break sessions up into separate directories instead of putting all
  sessions in a huge directory.

* Encoding and fallback for reading/writing files while in UTF-8 mode.

* New adjust_time() function allows time adjustment based on secs, mins, hours,
  days, weeks, months and years. Also can string multiple adjustments together
  and compensate for daylight savings time changes over the adjustment period.

* _set_acl() in UserDB.pm now uses adjust_time() instead of time_to_seconds().

* Fix MaxQuantityField to allow a null, blank, or non-numerical entry in the
  field to represent that no maximum quantity should be enforced for that
  product.

* Minor updates to default robot detection configuration.

* Fix omission of media type in <link> output of [css].
  Patch by Thomas J.M. Burton <tom@globalfocusdm.com>.

* Allow synonym evalue for value in [if] checks.

* Add Vend::Safe abstraction to fix problems with UTF-8 inside Safe.

* Fix crash that occurred with an empty AutoModifier.

* Allow Interchange daemon to start with no Catalog declarations.

* Unbuffer output as soon as possible to make regular & error messages stay
  in sequence during startup.

* Abort daemon startup when required module is missing and clean up error output.

* Update broken getppid() detection for Perl 5.10.0.

* Do not specify a default charset if none is passed via MV_HTTP_CHARSET.
  Thanks to Raymond Cheng <rayonnet@hotmail.com> for pointing out the regression
  caused by this.

* Always log route_order errors regardless of errors_to setting.

* compile_link was confusing the -s socketfile option with the new -S status
  because Getopt::Long ignores option case by default. This fixes the problem
  by passing the no_ignore_case config parameter to Getopt::Long.

* If the flypage SpecialSub returned a non-existent SKU then a blank flypage
  would be displayed (with no data). This is now fixed so that there is no
  difference to what happens without a SpecialSub.

* New areapage SpecialSub that allows you to change the page name passed to the
  [area] family of tags and functions before the tag processes the page name.

* Various UTF-8 support fixes.

* Add NoBlankLines option to and clean up error HTML in Interchange::Link.

* Fix XSS exploit in account creation username check error display (RT #306).
  Thanks to Carl Bailey for reporting the problem.

* Clean up UserDB error output by excluding Perl file & line output.

* Fix PreFork mode daemon restart problem. Now child processes are properly
  killed off.

* Make sure catalog TemplateDir and ErrorFile directives are safe when
  NoAbsolute is set.

* Fix problems with applying Interchange filters to UTF-8 content (RT #258).

Payment
-------

* Add PaypalExpress payment module from Lyn St George <info@zolotek.net>.

* Remove long-defunct BoA (Bank of America) payment module. Bank of America
  is a reseller for CyberSource so its module applies:
  http://www.bankofamerica.com/small_business/merchant_card_processing/index.cfm?template=internet_e_commerce

* Remove long-defunct CyberCash payment module.

* Deprecate Signio payment module, which uses an API that current Payflow
  Pro owner PayPal says they will no longer support after September 1, 2009.

* Add new PayflowPro payment module, which replaces Signio. Based on code by
  Tom Tucker.

* Allow extra parameters to be passed to Business::OnlinePayment.
  Changes by Bill Carr <bill@bottlenose-wine.com>.

* [pay-cert] tag now uses the new adjust_time() function instead of the older
  time_to_seconds().

* Remove CVV2 (Card Security Code) from default credit card encrypted block
  template so that it will not even be stored in encrypted form. This makes
  the default behavior compliant with section 3.2.2 of PCI-DSS 1.2:

  https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

  It is of course still possible to manually supply a template that stores
  the card security code in violation of PCI-DSS requirements, so developers
  should review any custom credit card encryption templates to make sure that
  the CVV2 is not included, and purge it from any historical data.

* Send correct level 2 card data with AuthorizeNet module. This improves the
  discount rate for a lot of card types.

* Linkpoint: Add CVV capability, and partial pay_cert payments

* Add SagePay and GoogleCheckout modules from Lyn St George.

* Add Worldpay module from Andy Smith of tvcables.co.uk.

* Remove bloat that duplicates %z functionality in Vend::Util::logtime().

UserTag
-------

* [run-profile] now accepts ref attribute to check an arbitrary hash.

* Add empty attribute for [convert-date] to display a custom string
  instead of the current date when no proper date is passed.

* [component], [convert-date] and [css] now use the new adjust_time() function
  instead of the older time_to_seconds().

* [convert-date] has a new compensate_dst attribute that when set to 1 will
  compensate the adjusted time for daylight savings time changes.

* Fix bug in [convert-date] that skewed the time by one hour if the starting
  date was during daylight savings time and an adjustment was made.

* Fix regression in [convert-date] that caused it to display Sunday for every
  day of the week if a raw date was passed and the adjust attribute was not.
  Thanks to Marty Tennison <marty@dripdepot.com> for reporting the bug.

* Add maps of country names and updated international shipping services needed
  by USPS in [usps-query]. Thanks to Josh Lavin and Mat Jones.

SystemTag
---------

* The error is now not anymore automatically appended to the output of [error]
  when MV_ERROR_STD_LABEL has a value.

* [time] now uses adjust_time() instead of the older time_to_seconds(). There
  is also a new compensate_dst attribute that when set to 1 will compensate the
  adjusted time for daylight savings time changes.

Filter
------

* Make code/Filter/text2html.filter output valid code.
  Using double <br>'s instead of opening tag <p>.

* Strip all remaining HTML tags (not just b/i/u tags) in html2text filter.

* Require module Digest::SHA1 in the sha1 filter to raise error sooner if
  it's missing.

* Add strip_html filter.

Checks
------

* Allow custom error messages for email_only check.

* ISBN check can be advised to accept ISBN-10 or ISBN-13 numbers only.

Jobs
----

* Add job group name to error message on missing catalog.

Admin UI
--------

* Check/uncheck all facility for customers/items (#18).

* Allow file removal with uploadhelper widget (#180).

* Fix default shipmode on entry page due to incomplete [either] clause.

* Fix some broken HTML.

* Recognize Opera as DHTML browser. Thanks to Don Hathaway & Steve Graham.

* Add framekiller for clickjacking defense in template. Probably we are
  unlikely to have problems in the standard template, but you never know.

* Avoid problem of side-effect read-only variable table in file navigator.

* New user_merge specialsub is run from the [user-merge] tag when two users are
  merged.

* Keep ui_new_item present in the form (#31).

Standard demo
-------------

* Correct bug in ncheck_category GlobalSub.

* Recognize Opera as DHTML browser. Thanks to Don Hathaway & Steve Graham.

* Require forum users to be logged in, to prevent spam.

* Prevent an incomprehensible error when following an order link that was
  created on an mv_tmp_session page or other non-connecting session.

* Correct update of saved company value for shipping address (#125).

* Display company name in shipping & billing addresses.
  Thanks to Steve Graham <icdev@mrlock.com>.

* Correct min/max length for username entry to ship_addresses.html (#114).

* Refurbish standard/pages/quantity.html (#204).

* Add German locale translations (#40).

* Fix wrong URLs in language selection (#265).

* Have tab-delimited files sort by primary key so it's easier to diff and
  see real changes. Affects access, locale, mv_metadata, survey, and variable.

* Standardize encoding of sample locale table data to UTF-8.

* Remove spurious SQLite database configuration file and corrected others.

* Remove rarely used mass_setting admininstration page.

* Add company name to shipping and billing addresses and filter output
  with evalue.

Other
-----

* Added jEdit mode files for Interchange to eg/jedit. Thanks to Justin Otten.

* Added runtime dump-memory global UserTag and ActionMap for very low-level
  troubleshooting beyond what the structure files can offer.


------------------------------------------------------------------------------


Interchange 5.7.1 released 2008-11-13.


Core
----

* Perl 5.8.5 or newer is now required.

* Fixed regression in Vend::Table::DBI::set_slice for the following usage
  pattern (RT #200):

  $Db{table}->set_slice('', %parms));

* Quell bogus warnings from Encode::Alias (#224). Thanks to Andy
  <ic@tvcables.co.uk> and Rene Hertell <icdevgroup@hertell.com>.

* Added Nunavut to the list of valid Canadian provinces (#231). Thanks to
  Mathew Jones for the report.

* Fix vulnerability where a string passed in the mv_order_item CGI variable is
  displayed verbatim without any input sanitation if there is a valid sku in
  mv_sku. Thanks to Mat from Bibliopolis for discovering and reporting the
  vulnerability.

* Refined error message for missing actions.

* Vend::Interpolate::interpolate_html returns undef on undefined input text.
  This allows to determine whether $Tag->include fails or just produces an
  empty string.

* Fixed deficiency in Levies, where multiple handling modes separated by null
  would not work as in the old subtotal calculation model.

* Correct cookie-clearing function in UserDB.

* Extend MaxQuantityField config directive to support fields prefixed with
  '=' or '?'.

  By default, there's no behavior change and specification of
  'MaxQuantityField f1 f2' sets max quantity to f1 + f2.

  With f1 =f2, max quantity is unconditionally set to f2.

  With f1 ?f2, max quantity is set to f2 only if f2 > 0.

  By Cameron B. Prince <cameron@princeinternet.com>.

* Allow SQL EXPLAIN and SHOW along with SELECT, for queries.
  Thanks to Frederic Steinfels.

* Allow explicit manual table exports even when NoExportExternal is enabled,
  using the force option to &Vend::Data::export_database.

* Fixed database typing problem for HIDE_FIELD. Reported by Sonny Cook.

* Support "secure cookies", which are sent only over SSL connections.
  From a patch by Frederic Steinfels <fst@highdefinition.ch>.

* Allow XML posts by e.g. Google Checkout, which broke in Interchange 5.6.0
  (RT #219). By Andy <ic@tvcables.co.uk>.

* Currently the only order cleanup available, i.e., functions to run after all
  data in the session has been used for order functions, is the bottom of the
  receipt page, if you happen to know that is the place to do it.

  Provide the new OrderCleanup catalog directive which takes a routine name
  and is an authoritative place to perform such actions, in the same vein as
  AutoLoad and AutoEnd. Implementation possibilites include profiles to be
  run at the end or a SpecialSub.

* Fixed problem with new-style shipping configuration reading a mixed-case
  option.

* Corrected logic flaw that applied UTF-8 handling in some cases where it
  shouldn't have. Fixed by David Christensen <david@endpoint.com>.

Search
------

* mv_force_coordinate (fc) added to force coordinated search. Normally,
  when the number of search field does not match the number of search
  strings (specs), coordinated mode is automatically turned off. With
  'fc', number of search specs is adjusted to match the number of search
  fields, either by filling the array with last-set mv_searchspec, or by
  trimming excess values. Useful when you want to search for one string in
  multiple fields in coordinated mode.

* Removed trailing whitespace from text file headers.

* Under rare circumstances the missing search can fall through in a block
  below, which caused an internal server error in the following code line:

$obj->{matches} = scalar @{$obj->{mv_results}};

  This is now mitigated by an empty mv_results array and results in a search
  error as one would expect.

* Refining searches with properties in Swish search:

    sf=distribution
    se=lenny

    se=postgresql

  This also reverts the workaround for #111.

UserTag
-------

* srcliteral attribute added to [button] tag. Setting srcliteral avoids
  the image existence check for the src attribute.

* [run-profile] removes automatically generated profiles only.

* scratch attribute added to [capture-page] to store the resulting page in a
  scratch variable, supplied by Phil Smith.

* lines attribute added to [nitems] to show the number of lines in the shopping
  cart instead of the sum of the items (#225).

* Made [capture-page] aware of mapped output (#197, #226).

* Added name and id to list of [image] pass-through attributes.

* We are vulnerable to cross-site scripting problems any time there is a
  <input value="[value foo]"> call. You can get around this, of course,
  with <input value="[value name=foo keep=1 filter=encode_entities]">
  instead. That is a bit of a mess, though, so I added an alias for that
  called "evalue".

  You call it with [evalue address1], which is identical to
  [value keep=1 filter="encode_entities" name=address1].

* Make backup-database tag work even when NoExportExternal is enabled.

* Add [set-cookie secure=1] option for SSL-only cookies.

OrderCheck
----------

* Added ISBN-13 support to isbn order check and relocated it to code/OrderCheck.

Filters
-------

* Fixed regression in html2text filter to re-allow paragraph attributes such as
  <p align="center">.

Widgets
-------

* Prevent cross-site scripting problem in the country-select widget. Found and
  fixed by Josh Lavin of Perusion.

* Allow passing custom JavaScript to country_select.widget by adding country_js
  and state_js options. It will rewrite "this.form" with the correct form name
  at runtime. By Josh Lavin. Useful e.g. for calling check_tax like this:

  state_js="check_tax(this.form)"

Admin UI
--------

* Prevent whitespace leaking into CREDIT_CARDS_ACCEPTED variable (#209).

* Sort customer orders by order date, descending (was arbitrary).
  (By Rene Hertell, RT #203.)

* Someone removed email_copy field from userdb table, which meant that
  email was not sent to customers by default on status updates. Changed
  to default to yes if email_copy field not present in user table.

* Added tracking_number field to order status if field exists in orderline,
  and handle it in update_order_status tag.

Payment
-------

* If the tmp/wget directory (or more properly "$Vend::Cfg->{ScratchDir}/wget")
  directory did not exist, use_wget mode failed. Changed code to make
  directory if non-existent, and give better error if by some strange chance
  a file existed there.

* Authorize.net fixes by Josh Lavin of Perusion:

  Allow mv_transaction_id to be sent when mv_order_number has not yet been
  created (the case with all newer catalogs, as they use tid.counter).

  Allow Business Checking type of 'CCD' (defaults to WEB if not set or sent).

Standard demo
-------------

* Added SQLite support.

* Disabled product comment to prevent spam showing up on default installations.

* Provide reasonable defaults for shipping mode and country at checkout to avoid
  "not enough information" errors.

* Increased default length of orderline.order_number to 24.

* Modified include/checkout forms to use evalue. There are undoubtedly many
  other places it should be put in. But until this is evaluated properly I
  don't want to do it all over the place. You can do so with this one liner,
  at least pretty reliably:

     perl -pi -e 's{value="\[(value\s+[-\w]+\])}{value="[e$1}g'

  I think we have gotten rid of all VALUE= uppercase kind of things,
  but if not we should now.

Packaging
---------

* Numerous Debian packaging and localization updates.

* Modernize RPM packaging:

  Bundled version of HTML::Entities has been removed, so don't look for it.

  Update syntax used for chown and find.

  Install all man pages to section 8, so the man page for Interchange's
  crontab script doesn't conflict with the system crontab program, and since
  Interchange's "binaries" aren't typically in PATH anyway.

  Stop using deprecated RPM PreReq tag.

  Explicitly require Safe::Hole and Set::Crontab, which the RPM dependency
  checker misses.

  Force use of /usr/lib, not /usr/lib64, on x86_64. We're not installing
  binaries (except the cgi-bin which is in /var/www anyway) and many things
  depend on the /usr/lib location.

  Require Perl 5.8.8 or newer for build and installation to be compatible
  with system threaded Perl.

  Use interchange-* helper scripts directly from SPECS/ in source tarball,
  instead of copying. Enables use of rpmbuild -ta directly on tarball.

  Don't check for IniConf.pm anymore as it's part of dist/lib now.


------------------------------------------------------------------------------


Interchange 5.7.0 never formally released.


(end)
Something went wrong with that request. Please try again.