------------------------------------------------------------------------------
What's new in each version of Interchange
(since the version 5.0 branch)
------------------------------------------------------------------------------
Interchange 5.0.2 released 2005-09-22.
Security
--------
* Fix ITL injection hole in pages/forum/submit.html.
------------------------------------------------------------------------------
Interchange 5.0.1 released 2004-03-29.
Security
--------
* Plug a security hole which allows an attacker to expose arbitrary variable
  contents by using a URL like
  http://shop.example.com/cgi-bin/store/__SQLUSER__.
  All Interchange applications using the standard "missing" special page
  from the demo catalog or a similar one are vulnerable to this attack.
  The attacker may learn the SQL access information for your Interchange
  application and use this information to read and manipulate sensitive
  data.
* Disallow [ and < in page names when setting MV_PAGE and MV_PREV_PAGE
  variables.
* Prevent login information from getting re-saved on a session cancel.
* Define a set of CGI keys that we don't want to save to disk, as
  @Global::HideCGI.
* Don't show sensitive (i.e. @Global::HideCGI) CGI variables in a dump.
  This allows saving a session to disk for diagnostic purposes in case
  of order failure.
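The two page-name issues fixed in 5.0.1 above (variable exposure through the "missing" special page, and [ or < in MV_PAGE names) leave a recognisable trace in web server access logs. The following Python check is an added example, not Interchange project code: it flags such requests in constructed Combined-format log lines and assumes the CGI script lives under /cgi-bin/<catalog>/ as in the example URL.

```python
import re
from urllib.parse import unquote

# __NAME__ tokens are what the "missing" page expanded for the attacker;
# [ and < are the characters 5.0.1 refuses in page names.
VAR_TOKEN = re.compile(r"__[A-Za-z0-9_]+__")
BAD_CHARS = set("[<")

# Apache/nginx "combined" format: client, ident, user, [time], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def page_name(path):
    """Return the Interchange page name part of a request path, URL-decoded
    so %5B / %3C are caught too.  Assumes /cgi-bin/<catalog>/<page> layout."""
    path = unquote(path.split("?", 1)[0])
    parts = path.split("/")
    if len(parts) >= 4 and parts[1] == "cgi-bin":
        return "/".join(parts[3:])
    return ""

def check_page_name(name):
    """Return the reasons a page name looks like one of the 5.0.1 issues
    (empty list when it looks benign)."""
    reasons = []
    if VAR_TOKEN.search(name):
        reasons.append("variable token")
    bad = sorted(BAD_CHARS & set(name))
    if bad:
        reasons.append("forbidden chars " + "".join(bad))
    return reasons

def scan_log(lines):
    """Return (client, path, reasons) for every request whose page name
    trips check_page_name(); unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        reasons = check_page_name(page_name(path))
        if reasons:
            hits.append((client, path, reasons))
    return hits

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Mar/2004:10:00:01 +0000] "GET /cgi-bin/store/index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [29/Mar/2004:10:00:02 +0000] "GET /cgi-bin/store/__SQLUSER__ HTTP/1.1" 200 812',
    '198.51.100.9 - - [29/Mar/2004:10:00:03 +0000] "GET /cgi-bin/store/%5Bx%5D HTTP/1.1" 200 640',
    '198.51.100.9 - - [29/Mar/2004:10:00:04 +0000] "GET /cgi-bin/store/%3Cx%3E?foo=1 HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for client, path, reasons in scan_log(SAMPLE_LOG):
        print(client, path, ", ".join(reasons))
```

A 200 status on the __SQLUSER__ request is the tell-tale sign on an unpatched 5.0.0 install; after 5.0.1 the same request no longer expands the variable.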
Core
----
* Allow [dump no-cgi=1 no-session=1 no-env=1] to fine-tune dump.
* Tolerate leading whitespace in query in Vend::Form.
Admin
-----
* Fix bug where affiliate reports don't filter based on that.
* Make reports with no specified end_date work.
* Fix missing relocation variables in Vend::Table::Editor found by Paul
  Vinciguerra.
Usertags
--------
* history-scan: Make pageonly=1 option work correctly when there's no
  History saved in the user's session.
Foundation
----------
* Remove unmatched </FORM> from cart_display component.
Debian
------
* Add libhtml-parser-perl to Build-Depends to keep HTML::Entities
  module out of the package (Closes: #224435, thanks to Henrik Holmboe
  <elements@hack.se> for the bug report)
* Switch to gettext-based debconf templates (Closes: #235494, thanks to
  Martin Quinson <Martin.Quinson@tuxfamily.org> for the patch)
------------------------------------------------------------------------------
(end)