Commits on Oct 1, 2015
  1. @pajamian

    Add support for password promote from plain text.

    pajamian authored
    Adds a new UserDB option, "from_plain" that when set to 1 along with the
    promote option will cause Interchange to assume that all current passwords are
    plain text unless they meet the criteria of the new encryption scheme.  Note
    that this is not perfect as it is possible for plain text passwords to appear to
    Interchange as if they are already encrypted, and if Interchange thinks they
    look like the encryption scheme that you're promoting to, either by password
    length, or by a regexp match in the case of bcrypt then Interchange will not
    promote the password and assuming it is already encrypted the login will fail.
    While not a perfect solution to the issue of gracefully promoting passwords from
    plain text this is a "better than nothing" approach.
    To use this option, specify the following in your catalog.cfg in addition to the
    other option changes necessary to convert to encrypted passwords:
        UserDB foo promote 1
        UserDB foo from_plain 1
    Note that it is not recommended that you simply set this and forget in order to
    promote plain text passwords.  Having plain text passwords in your DB is now
    considered extremely bad practice and if you simply attempt to promote them via
    this method you will still have a large number of plain text passwords in your
    db for some time to come.  It is instead recommended that you use this method in
    conjunction with another method to convert all remaining passwords as quickly as
    possible.  This is simply in place as a means to help you avoid downtime of your
    site while the passwords are being promoted.
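
Added example, not part of the commit above or of Interchange's own code: it shows how a shape-based test of the kind the commit message describes (password length, or a regexp for bcrypt) sorts stored values, including a plain text password that is mistaken for an already encrypted one. The scheme names, the exact length and regexp rules, and the sample rows are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not Interchange's UserDB code. The shape checks are
# assumptions modelled on the commit text: a length check for digest schemes
# and a regexp check for bcrypt.
use strict;
use warnings;

# Assumed "already encrypted?" test for each target scheme.
my %looks_encrypted = (
    md5    => sub { length($_[0]) == 32 },
    sha1   => sub { length($_[0]) == 40 },
    bcrypt => sub { $_[0] =~ m{\A\$2[aby]?\$\d\d\$[./A-Za-z0-9]{53}\z} },
);

# Returns 'plain' when the stored value would be treated as plain text and
# promoted at the next login, 'encrypted' when it would be left untouched.
sub classify {
    my ($stored, $scheme) = @_;
    my $check = $looks_encrypted{$scheme}
        or die "unknown scheme '$scheme'\n";
    return $check->($stored) ? 'encrypted' : 'plain';
}

# Constructed sample rows: username => value in the password column.
my %rows = (
    alice => 'correct horse',            # ordinary plain text password
    bob   => 'x' x 40,                   # plain text that is 40 characters long
    carol => '$2a$10$' . ('A' x 53),     # bcrypt-shaped value (constructed)
);

for my $scheme (qw(sha1 bcrypt)) {
    print "Promoting to $scheme:\n";
    for my $user (sort keys %rows) {
        printf "  %-6s %s\n", $user, classify($rows{$user}, $scheme);
    }
}
```

Under the sha1 rule, bob's 40-character plain text password is classified as already encrypted, which is the case the commit message warns will be skipped by promotion and fail at login.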
Commits on Sep 26, 2015
  1. @jdigory
Commits on Sep 25, 2015
  1. @jdigory

    Remove ncheck message

    jdigory authored
  2. @jdigory
  3. @jdigory
  4. @jdigory

    Move ncheck subroutine to global

    jdigory authored
    Various installations had trouble with $Tag being called from a non-global sub.
    Including: Perl 5.14.1 and 5.22.0.
    However, a different 5.14.1 installation worked...
  5. @jdigory

    Use strap in, too

    jdigory authored
  6. @jdigory
  7. @jdigory
  8. @jdigory
  9. @jdigory
  10. @jdigory

    add Strap template

    jdigory authored
Commits on Sep 18, 2015
  1. @perusionmike

    * Allow explicit setting of negative numbers in items without

    perusionmike authored
      raising error on quantity update.
      To make an item eligible, set the mv_negative attribute true.
      (You must also have mv_control = notoss if you wish to survive
      the cart toss routine.)
Commits on Sep 16, 2015
  1. @perusionmike
  2. @perusionmike
Commits on Sep 12, 2015
  1. @perusionmike

    * Fix problem where we were stepping on '%' in message even when

    perusionmike authored
      there were no parameters submitted for substitution in sprintf.
Commits on Aug 31, 2015
  1. @jonjensen
  2. @jonjensen

    Remove Signio module for long-defunct Payflow Pro API

    jonjensen authored
    Use Vend::Payment::PayflowPro now instead.
Commits on Aug 15, 2015
  1. @pajamian

    Fix --exclude option in interchange startup script.

    pajamian authored
    Getopt::Long made an incompatible change as of version 2.33: hash values become
    mandatory when they are specified with "=", this makes our documented syntax
    for --exclude invalid.  To make it work again the hash values must be made
    optional by changing the "=" to ":".
Commits on Jul 4, 2015
  1. @racke

    Add architecture dependent library directory to @INC for "Require mod…

    racke authored
    …ule Foo /home/bar/lib" directive.
Commits on Mar 22, 2015
  1. @pajamian

    COLUMN_INDEX is lowercase.

    pajamian authored
Commits on Mar 17, 2015
  1. @pajamian

    Add set_source SpecialSub.

    pajamian authored
    This commit adds the set_source SpecialSub which is called when the affiliate
    source is about to be set or changed.  The sub is called with three args:
        source - This is the new affiliate source that is about to be set.
        priority - This is the priority (as per the SourcePriority configuration
    	directive) that this source change falls under.
        oldsource - This is the affiliate source that was already set and is about
    	to be overwritten.
    Return values:  Any defined value returned by this sub becomes the new affiliate
    source.  If undef is returned then the old source is kept and processing
    continues onto the next priority in the SourcePriority list.
    Example usage:  The following example usage will make sure that a customer who
    enters your site with an affiliate source does not do so from a search engine
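    Sub <<EOS
    sub source_check_referer {
        my ($source, $priority) = @_;
        # Only vet sources that arrive via the mv_pc or mv_source priorities.
        return $source unless $priority eq 'mv_pc' || $priority eq 'mv_source';
        my $referer = $Tag->env('HTTP_REFERER');
        # Referer strings to reject; the list entries are not preserved on this page.
        my @bad_referers = qw{
        };
        for (@bad_referers) {
            # Returning undef keeps the old source and moves to the next priority.
            return if $referer =~ /\Q$_\E/;
        }
        return $source;
    }
    EOS
    SpecialSub set_source source_check_referer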
Commits on Mar 14, 2015
  1. @pajamian

    Fix typo.

    pajamian authored
Commits on Mar 13, 2015
  1. @pajamian
  2. @pajamian

    Add support for automatic quoting of identifiers in DBI.

    pajamian authored
    Table and column names have not traditionally been quoted in Vend::Table::DBI
    routines.  This can (and has) led to issues such as clashing with db reserved
    words and possible SQL injection issues.  This patch adds optional support to
    allow all SQL queries that are generated by Interchange to have all the
    identifiers quoted.
    To enable this feature just add the following configuration directive to
        DatabaseDefault QUOTE_IDENTIFIERS 1
    The above must be set before any Database or DatabaseAuto directives for it to
    work properly.  You can also set this individually for each table:
        Database foo QUOTE_IDENTIFIERS 1
    Also, if you want this to apply to all catalogs under a particular server instance, you can add this setting to catalog_before.cfg.
    As an example of how db queries are affected by this setting for a MySQL db with
    the Interchange tag [field price 12345] Interchange will send something like the
    following without and with QUOTE_IDENTIFIERS set for the products table:
        Without: SELECT price FROM products WHERE sku='12345'
        With: SELECT `price` FROM `products` WHERE `sku`='12345'
Commits on Jan 13, 2015
  1. @jonjensen

    Support new DebugTemplate tokens REQUEST_METHOD, REQUEST_URI, SESSION…

    jonjensen authored
    This makes possible a nicely detailed DebugTemplate like this:
    DebugTemplate  %F %T {CATALOG} {REMOTE_ADDR} {REQUEST_METHOD} {REQUEST_URI} {PAGE|-} {} {SESSION.username|-} | {MESSAGE}
    to track the session ID, the logged in user name, and more about the
Commits on Jan 6, 2015
  1. @machack666
Commits on Dec 30, 2014
  1. @machack666
  2. @machack666
Commits on Dec 29, 2014
  1. @machack666

    Improve application/json POST support

    machack666 authored
    While the code already existed to support "application/json" as a valid content-type for POST
    requests, this did not do anything useful in practice.  So this commit adds the following:
    - Add automatic decoding of the POST entity into the variable $CGI::json_ref.  If this variable
      exists, it is already guaranteed to be structurally valid.
    - Conditionally handle "application/json" POST mapping into CGI space, using the new UnpackJSON
    directive.  This means that for the POSTed JSON object we will populate %CGI::values with the keys
    of that object with the (potentially deep structured) values of the same object.
    We enable UnpackJSON handling by default, though this value is up for debate.  Considering that we
    already don't (shouldn't) trust CGI values, simply making it easier to have structured data using a
    JSON request doesn't seem like there are additional security implications.  Additionally, by shoving
    this into CGI space, we already have ITL/tag support for accessing the values of the response, which
    seem to make this much easier than having redundant UserTags/SystemTags to support inspection of
    $CGI::json_ref for the common use case.
Commits on Sep 17, 2014
  1. @jonjensen

    UserDB: log timestamps to second granularity

    jonjensen authored
    I am not sure why this was just minute granularity before, but that is
    not sufficient for correlation with other event logs.
Commits on Sep 11, 2014
  1. @jdigory

    Add payment module for MerchantWare 4.0 gateway, from Merchant

    jdigory authored
    Supports "repeat sale" transactions, using tokens.
    This module was certified by Merchant Warehouse for their gateway:
Commits on Jul 18, 2014
  1. @machack666

    Revert "Embed Safe 2.07 into Vend::Safe to avoid various problems wit…

    machack666 authored
    …h recent versions of Safe."
    This is broken in at least perl 5.20, possibly earlier; I also don't believe that this is a good
    approach to take, particularly as the Safe module relies on specific internal perl modules which we
    are also currently not including (nor could we effectively).
    I *would* be interested to look at the issues that this commit was intended to fix, to see if we can
    come up with a better general-purpose solution which works across multiple versions of perl and
    This reverts commit 6264540.
Commits on Jul 17, 2014
  1. @machack666
Commits on Jul 10, 2014
  1. @jdigory

    Correct logging of bad robot to permit rerouting with ErrorDestination,

    jdigory authored
    and to remove duplicate log message.