Commits on Sep 16, 2009
  1. Sync manifest

    jonjensen committed Sep 16, 2009
  2. bump up version number and date

    racke committed Sep 16, 2009
    updates to documentation (WHATSNEW, README-DEVELOPMENT)
  3. Fix two occasionally broken tests.

    jonjensen committed Nov 16, 2008
    Two tests of the [query] tag and built-in SQL parser relied on the results
    being returned in a particular order, even though SQL's result sets are not ordered
    by default.
    Fixed this by specifying a sort order and setting the results to match.
  4. Fix default shipmode due to incomplete [either] clause.

    jonjensen committed Dec 4, 2008
    Also remove stray ] above and clean up indenting.
    Fix by JT Justman.
  5. Fixed rare bug that caused requests to / URL with a query string to fail, e.g.:

    jonjensen committed Dec 31, 2008
    Interchange in that case looked for a page called "?somevar=1" and of course
    didn't find it.
    Thanks to David Christensen for the fix.
  6. * Correct .access functionality directly in pages/

    docelic authored and jonjensen committed Jan 8, 2009
      .access worked in subdirectories like pages/abc/, but didn't work directly
      under pages/. (Instead of looking for pages/.access, it was looking for
  7. * Add framekiller for clickjacking defense in template. Probably we are

    perusionmike authored and jonjensen committed Jan 28, 2009
      unlikely to have problems in the standard template, but you never know.
  8. there is no ::Catalog apparently (anymore?), ::Cat does return the catalog name, this is for the DebugTemplate directive

    Gert van der Spoel authored and jonjensen committed Feb 10, 2009
  9. * Make forum only available for logged-in users, as spammers are

    perusionmike authored and jonjensen committed Feb 27, 2009
      exploiting it constantly.
  10. * Fix bug found by Jeff Boes which prevented custom

    perusionmike authored and jonjensen committed Mar 20, 2009
      widget type from working.
  11. * Prevent an incomprehensible error when following an order link that was

    perusionmike authored and jonjensen committed Apr 7, 2009
      created on an mv_tmp_session page or other non-connecting session.
  12. Avoid possible problem with read-only variable table by using @@MV_PAGE@@ instead of @_MV_PAGE_@.

    jonjensen committed Apr 8, 2009
    This is the only place in Interchange we use @_MV_PAGE_@, which isn't
    necessary because MV_PAGE is always global.
    More details at this blog comment I wrote:
  13. Fix omission of media type in <link> output

    jonjensen committed May 28, 2009
    Patch by Thomas J.M. Burton. Thanks!
  14. Removed javascript that submits the form if the user changes his emai…

    René Hertell authored and jonjensen committed Jun 9, 2009
    It's better to let the user make the final decision if he wants to submit the stock-alert form after all.
  15. Added some missing end-tags

    René Hertell authored and jonjensen committed Jun 9, 2009
  16. Remove CVV2/CSC from default credit card encrypted block template

    jonjensen committed Jun 19, 2009
    The card security code should not be stored at all, even in encrypted
    form. This makes the default behavior compliant with section 3.2.2 of
    PCI-DSS 1.2:
    It is of course still possible to manually supply a template that
    stores the card security code in violation of PCI-DSS requirements, so
    developers should review any custom credit card encryption templates
    to make sure that the CVV2 is not included, and purge it from any
    historical data they have stored.
    Thanks to Mark Lipscombe for calling attention to this.
  17. Unbuffer output as early as possible

    jonjensen committed Jun 25, 2009
    This stops the confusing out-of-order mixing of regular and error messages
    during startup. And output was being unbuffered later on anyway.
    Also update copyright years and remove CVS $Id$ tag.
  18. Specifically require Digest::SHA1 module

    jonjensen committed Jun 25, 2009
    This should give more helpful error messages for those upgrading since
    Digest::SHA1 wasn't part of Bundle::Interchange historically but has
    been since January 2008.
  19. Abort daemon startup when required module is missing and clean up error output

    jonjensen committed Jun 27, 2009
    Fix problem with eval $@ error result's scope in global Perl module
    require routine. This was caused because logGlobal contains an eval
    itself that overrides $@. Now when a "Require module Something::Special"
    directive is issued and not satisfied, it is fatal as was originally
    Remove logGlobal call that results in duplicate error output.
    Correctly say "Aborting Interchange daemon" instead of "Aborting
    catalog" when dying on global config errors.
  20. Corrected min/max username length

    Gert van der Spoel authored and jonjensen committed Jul 14, 2009
    Currently you can set a username with a length between 2 and 64.
    ship_addresses.html was testing on usernames between 4 and 10.
    Any account created with a username < 4 or > 10 would result in
    an error such as: username length XX more than maximum length 10.
    Reported by René Hertell.
  21. Correct update of saved company value for shipping address

    Gert van der Spoel authored and jonjensen committed Jul 14, 2009
    get_shipping on ord/shipping.html does not update the company-field in
    the demo. All other values are getting updated.
    This was due to missing 'company' in @S_FIELDS list.
    Reported by René Hertell (
  22. Don't ignore case of passed options to compile_link.

    pajamian authored and jonjensen committed Aug 15, 2009
    compile_link was confusing the -s socketfile option with the new -S status
    because Getopt::Long ignores option case by default.  This fixes the problem by
    passing the no_ignore_case config parameter to Getopt::Long.
  23. Remove bogus execute bit

    jonjensen committed Sep 16, 2009
  24. Fix problem restarting daemon in PreFork mode

    msjohns1 authored and jonjensen committed Sep 1, 2009
    Previously, restart was failing, stating it couldn't find the previous
    Interchange running, and would keep creating StartServers new servers on
    every restart. Only SIGKILL was able to kill all PreFork children.
    The original code was just being stupid (and I can say that freely
    since I wrote it). I had in my head that as child PIDs died, %Page_pids
    and %Starting_pids would be culled. However, that process only happens
    through normal operations (housekeeping, ChildLife or MRPC, etc.)--not
    when I send the kid a TERM!
  25. Update USPS international rate names and add script that fetches them

    jonjensen committed Sep 1, 2009
    Also cleaned up some POD errors.
    Thanks to Josh Lavin and Mat Jones.
  26. Note recent commits

    pajamian committed Sep 16, 2009
  27. check whether directory is allowed before, not after path expansion

    racke authored and pajamian committed Sep 8, 2009
    (cherry picked from commit 4f17bcc)
  28. Fix bug that didn't tolerate relative TemplateDir settings

    jonjensen authored and pajamian committed Sep 8, 2009
    (cherry picked from commit 45471c4)
  29. Disallow abuse of writes via ErrorFile when NoAbsolute is set

    jonjensen authored and pajamian committed Sep 8, 2009
    Exploit reported by Peter Ajamian.
    (cherry picked from commit 9b6872c)
  30. parse_dir_array: Validate paths for NoAbsolute etc.

    jonjensen authored and pajamian committed Sep 8, 2009
    (cherry picked from commit 08a1fde)