Commits on Mar 25, 2010
  1. Bump version number

    machack666 committed Mar 25, 2010
  2. Update Copyright Date

    machack666 committed Mar 25, 2010
Commits on Mar 24, 2010
  1. Fix css.tag to properly output the css when using the inline <style> block

    machack666 committed Mar 24, 2010
    
    css.tag attempts to write a file out to the filesystem after reading
    in the css via either variable or literal.  If the file path it
    attempts to write to is not writable, for whatever reason, instead of
    creating a <link> tag to the written file, it attempts to create a
    <style> tag containing the css.
    
    Currently, if it ever creates the style tag, it will never contain the
    css.  When the location is not writable, it skips the portion of code
    that reads in the actual css, either from the literal option or the
    contents of the variable.
    
    This patch moves the reading of the css up to a point where it can't
    be skipped, allowing both the link and style tags to be created
    properly.
    
    Report and patch by Justin Otten <justin.lasotten@gmail.com>
  2. Fix "HTTP Response Splitting" security exploit

    machack666 committed Mar 22, 2010
    Discovery and patch from Justin Otten <justin.otten@gmail.com>:
    
    Added new method to Util.pm for scrubbing newlines from header data.
    Updated all discovered instances of the use of the "Location" header to
    run the URL through the routine.
Commits on Feb 23, 2010
  1. Properly initialize BOP supplemental parameters.

    machack666 committed Feb 23, 2010
    This fixes a bug where supplemental parameters passed to the payment
    module to initialize the Business::OnlinePayment gateway object get a
    value of 1 instead of what's in your catalog.cfg or
    products/variable.txt.
    
    Patch by Richard Siddall, with minor bugfixes by David Christensen
Commits on Sep 24, 2009
  1. Do not specify a default charset if none is passed via MV_HTTP_CHARSET.

    machack666 committed Sep 24, 2009
    Do not specify a default charset if none is passed via MV_HTTP_CHARSET.
    Thanks to Raymond Cheng <rayonnet@hotmail.com> for pointing out the regression
    caused by this.
Commits on Sep 16, 2009
  1. Sync manifest

    jonjensen committed Sep 16, 2009
  2. bump up version number and date

    racke committed Sep 16, 2009
    updates to documentation (WHATSNEW, README-DEVELOPMENT)
  3. Fix two occasionally broken tests.

    jonjensen committed Nov 16, 2008
    Two tests of the [query] tag and built-in SQL parser relied on the results
    being returned in a particular order, even though SQL's result sets are not
    ordered by default.
    
    Fixed this by specifying a sort order and setting the results to match.
  4. Fix default shipmode due to incomplete [either] clause.

    jonjensen committed Dec 4, 2008
    Also remove stray ] above and clean up indenting.
    
    Fix by JT Justman <jt@endpoint.com>.
  5. Fixed rare bug that caused requests to / URL with a query string to fail, e.g.:

    jonjensen committed Dec 31, 2008
    
        http://hostname/?somevar=1
    
    Interchange in that case looked for a page called "?somevar=1" and of course
    didn't find it.
    
    Thanks to David Christensen <david@endpoint.com> for the fix.
  6. * Correct .access functionality directly in pages/

    docelic committed with jonjensen Jan 8, 2009
    .access worked in subdirectories like pages/abc/, but didn't work directly
    under pages/. (Instead of looking for pages/.access, it was looking for
    pages/PAGENAME/.access)
  7. * Add framekiller for clickjacking defense in template. Probably we are

    perusionmike committed with jonjensen Jan 28, 2009
    unlikely to have problems in the standard template, but you never know.
  8. there is no ::Catalog apparently (anymore?), ::Cat does return the catalog name, this is for the DebugTemplate directive

    Gert van der Spoel committed with jonjensen Feb 10, 2009
  9. * Make forum only available for logged-in users, as spammers are

    perusionmike committed with jonjensen Feb 27, 2009
    exploiting it constantly.
  10. * Fix bug found by Jeff Boes <jeff@endpoint.com> which prevented custom

    perusionmike committed with jonjensen Mar 20, 2009
    widget type from working.
  11. * Prevent an incomprehensible error when following an order link that was

    perusionmike committed with jonjensen Apr 7, 2009
    created on an mv_tmp_session page or other non-connecting session.
  12. Avoid possible problem with read-only variable table by using @@MV_PAGE@@ instead of @_MV_PAGE_@.

    jonjensen committed Apr 8, 2009
    
    This is the only place in Interchange we use @_MV_PAGE_@, which isn't
    necessary because MV_PAGE is always global.
    
    More details at this blog comment I wrote:
    
    http://blog.endpoint.com/2009/04/subverting-subversion-for-fun-and.html?showComment=1239148380000#c3445687618157063638
  13. Fix omission of media type in <link> output

    jonjensen committed May 28, 2009
    Patch by Thomas J.M. Burton <tom@globalfocusdm.com>. Thanks!
  14. Removed javascript that submits the form if the user changes his email-preferences.

    René Hertell committed with jonjensen Jun 9, 2009
    
    It's better to let the user make the final decision if he wants to submit the stock-alert form after all.
  15. Added some missing end-tags

    René Hertell committed with jonjensen Jun 9, 2009
  16. Remove CVV2/CSC from default credit card encrypted block template

    jonjensen committed Jun 19, 2009
    The card security code should not be stored at all, even in encrypted
    form. This makes the default behavior compliant with section 3.2.2 of
    PCI-DSS 1.2:
    
    https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
    
    It is of course still possible to manually supply a template that
    stores the card security code in violation of PCI-DSS requirements, so
    developers should review any custom credit card encryption templates
    to make sure that the CVV2 is not included, and purge it from any
    historical data they have stored.
    
    Thanks to Mark Lipscombe for calling attention to this.
  17. Unbuffer output as early as possible

    jonjensen committed Jun 25, 2009
    This stops the confusing out-of-order mixing of regular and error messages
    during startup. And output was being unbuffered later on anyway.
    
    Also update copyright years and remove CVS $Id$ tag.
  18. Specifically require Digest::SHA1 module

    jonjensen committed Jun 25, 2009
    This should give more helpful error messages for those upgrading since
    Digest::SHA1 wasn't part of Bundle::Interchange historically but has
    been since January 2008.
  19. Abort daemon startup when required module is missing and clean up error output

    jonjensen committed Jun 27, 2009
    
    Fix problem with eval $@ error result's scope in global Perl module
    require routine. This was caused because logGlobal contains an eval
    itself that overrides $@. Now when a "Require module Something::Special"
    directive is issued and not satisfied, it is fatal as was originally
    intended.
    
    Remove logGlobal call that results in duplicate error output.
    
    Correctly say "Aborting Interchange daemon" instead of "Aborting
    catalog" when dying on global config errors.
  20. Corrected min/max username length

    Gert van der Spoel committed with jonjensen Jul 14, 2009
    Currently you can set a username with a length between 2 and 64.
    ship_addresses.html was testing on usernames between 4 and 10.
    
    Any account created with a username < 4 or > 10 would result in
    an error such as: username length XX more than maximum length 10.
    
    Reported by René Hertell.
  21. Correct update of saved company value for shipping address

    Gert van der Spoel committed with jonjensen Jul 14, 2009
    get_shipping on ord/shipping.html does not update the company-field in
    the demo. All other values are getting updated.
    
    This was due to missing 'company' in @S_FIELDS list.
    
    Reported by René Hertell (http://rt.icdevgroup.org/125)
  22. Don't ignore case of passed options to compile_link.

    pajamian committed with jonjensen Aug 15, 2009
    compile_link was confusing the -s socketfile option with the new -S status
    because Getopt::Long ignores option case by default.  This fixes the problem by
    passing the no_ignore_case config parameter to Getopt::Long.
  23. Remove bogus execute bit

    jonjensen committed Sep 16, 2009