Commits on Jun 13, 2011
  1. @machack666
  2. @machack666

    add additional da.po file

    machack666 authored
  3. @machack666
Commits on May 3, 2011
  1. @jonjensen

    Remove outdated CVS tags

    jonjensen authored
  2. @perusionjosh @jonjensen
Commits on Apr 29, 2011
  1. @perusionjosh @jonjensen

    Option to allow Authorize.net's "hold for review" orders, via Fraud D…

    perusionjosh authored jonjensen committed
    …etection Suite
Commits on Apr 22, 2011
  1. @racke
Commits on Apr 14, 2011
  1. @racke

    Fix [charge] to not populate $Vend::Session->{errors}{mv_credit_card_…

    racke authored
    …valid}
    
    when payment module returned an empty error message.
    
    This happens with PayPaypalExpress when using setrequest request and
    results in [if errors]...[/if] being true but [error all=1 show_error=1]
    displaying nothing.
Commits on Apr 11, 2011
  1. Reducing a warning message when using vlink.pl

    Gert van der Spoel authored
Commits on Apr 2, 2011
  1. @danielbr

    Disallow name="" in Content-Disposition header.

    danielbr authored
    Jon Jensen noticed that the last commit (b29f34f) introduced a new
    problem by relaxing the constraint a little too much and allowing
    empty strings. This patch by Mike Heins goes back to requiring at
    least one character, while still allowing 0.
  2. @jonjensen

    Enhance TrustProxy to handle multiple chained proxies

    jonjensen authored
    This can happen if, for example, you have a first proxy at 10.10.10.1
    which proxies to 10.10.10.2 which then hits your web server that passes
    control to Interchange.
    
    If you visit from 192.168.1.1, Interchange will see this HTTP header:
    
    X-Forwarded-For: 192.168.1.1, 10.10.10.1
    
    and the request will have the source IP address 10.10.10.2.
    
    But if you set this in interchange.cfg:
    
    TrustProxy 10.10.10.1, 10.10.10.2    # order irrelevant
    
    then Interchange will see past the two trusted proxies and set its
    standard variable $CGI::remote_addr to 192.168.1.1, so that the customer's
    IP address gets used.
  3. @jonjensen

    Add new pragma cache_control to set HTTP Cache-Control response header

    jonjensen authored
    Can be used in a page like this:
    
    [tag pragma cache_control]max-age=600[/tag]
    
    That will send this response header:
    
    Cache-Control: max-age=600
    
    Which will tell upstream proxies and browsers to cache the page for 10 minutes.
  4. @danielbr

    Allow name="0" in Content-Disposition header.

    danielbr authored
    Interchange was checking the Content-Disposition name for perly truth
    rather than definedness, which caused it to incorrectly disallow the valid
    name of "0". I ran into one particular program in the wild that happens
    to generate requests with just such headers:
    
     https://github.com/valums/file-uploader/
  5. @danielbr

    Enable case-insensitivity in UserDB for indirect_login.

    danielbr authored
    This patch allows catalogs that are using the indirect_login feature to
    combine that with ignore_case to enable case-insensitive logins.
    
    A common use-case is to have email address be the indirect login field, so
    one thing to be aware of is that it's legal for two separate e-mail
    addresses to differ in capitalization only (e.g. user@domain is distinct
    from User@domain).
  6. @danielbr
  7. @danielbr

    Enable case-insensitivity in UserDB for unencrypted passwords.

    danielbr authored
    This patch makes ignore_case function correctly on unencrypted passwords
    even when mixed-case passwords exist in the UserDB table.
    
    Currently, ignore_case only works if the stored passwords are lower case.
    There are at least two ways for mixed-case passwords to make it into the
    UserDB table:
    
     * If some user records were created with UserDB before ignore_case was set.
       (In this case, newer accounts get the expected behavior while older ones
       don't -- a recipe for "fun".)
    
     * If the password column is populated by more than just UserDB, such as
       through custom IC code or integration with other software.
    
    Case-insensitivity is a nice convenience; both for users who tend not to
    notice when caps lock has been toggled, and for help desk workers who field
    their calls. The cost is that it reduces the effective number of ASCII
    password characters by about one quarter. While it's true that it makes it
    ever so slightly easier to crack passwords, other factors (e.g. password
    length, use of dictionary words) far outweigh its importance.
    
    One alternative to this patch would be to change all current and future
    passwords in the UserDB table to lower case, then the existing ignore_case
    would suffice to provide case-insensitive functionality. One downside of
    that approach would be that it's irreversible, whereas this patch allows
    switching back and forth by simply changing the ignore_case configuration.
    
    This feature is enabled under the following example configuration:
    
    UserDB    default    crypt         0
    UserDB    default    ignore_case   1
  8. @danielbr

    Promote UserDB encryption methods from anonymous subs to named methods.

    danielbr authored
    The method body of md5_salted was long enough to justify its own named sub,
    and as soon as you do it for one of them, you know the rest are just going
    to whine until they get it too. I prefer named subs for style anyway.
  9. @danielbr

    Add salted md5 password support to UserDB.

    danielbr authored
    The specific format used here is to store the password and salt in a single
    field, separated by a colon. I used it to convert a Zen Cart store to
    Interchange.
    
    To use this feature, set the following catalog configuration parameters:
    
    UserDB    default    md5_salted    1
    UserDB    default    crypt         1
  10. @danielbr
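The chained-proxy handling described in the TrustProxy commit above (Apr 2, 2011), as an added sketch that is not Interchange's own code: it assumes trusted proxies are matched as exact addresses, and `client_addr` and the sample requests are constructed for illustration. It also shows the cases a deployment should check, namely that entries a client prepends to X-Forwarded-For are never reached and that the header is ignored when the socket peer is not a trusted proxy.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Trusted proxies from the TrustProxy line in the commit message.
# Exact-match lookup is an assumption made for this sketch.
my %trusted = map { $_ => 1 } qw(10.10.10.1 10.10.10.2);

# Resolve the client address: start at the socket peer and step back through
# X-Forwarded-For from right to left for as long as the current hop is trusted.
sub client_addr {
    my ($peer, $xff) = @_;
    my @chain = grep { length } split /[\s,]+/, (defined $xff ? $xff : '');
    my $addr = $peer;
    $addr = pop @chain while $trusted{$addr} && @chain;
    return $addr;
}

# Constructed requests: [socket peer, X-Forwarded-For header, expected result].
my @cases = (
    ['10.10.10.2',   '192.168.1.1, 10.10.10.1',              '192.168.1.1'],
    ['10.10.10.2',   '203.0.113.7, 192.168.1.1, 10.10.10.1', '192.168.1.1'],
    ['198.51.100.9', '10.10.10.1',                           '198.51.100.9'],
    ['10.10.10.2',   undef,                                  '10.10.10.2'],
);

for my $case (@cases) {
    my ($peer, $xff, $want) = @$case;
    my $got = client_addr($peer, $xff);
    printf "%-12s xff=%-40s -> %-12s %s\n",
        $peer, defined $xff ? "'$xff'" : '(none)', $got,
        $got eq $want ? 'ok' : "MISMATCH (want $want)";
}
```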
Commits on Mar 30, 2011
  1. @perusiongreg

    Add better ability to set file umask from various upload locations

    perusiongreg authored
    Basic changes added to admin file_upload page to allow passing of umask more easily. Users trying to upload files for web viewing needed better control
    
    Also modified slightly the uploadhelper widget to provide means to pass umask option, and subsequently altered process_filter where there were previously no means to pass umask through
Commits on Mar 29, 2011
  1. @racke
Commits on Mar 28, 2011
  1. @jonjensen

    Keep using URL session ID & counter in admin

    jonjensen authored
    This provides maximum safety for browsers with cache problems such as
    old versions of Internet Explorer.
Commits on Mar 27, 2011
  1. Updated WHATSNEW

    Gert van der Spoel authored
  2. Fix for processing GDBM files while using UTF8

    Gert van der Spoel authored
    It appears that utf8 filter should not be applied when creating GDBM
    files. This seems to cause a double encoding. Prerequisite is that
    the TXT file out of which the GDBM file is built is UTF8 encoded.
    
    But when working with UTF8 this should be the case else the TXT files
    are not able to be worked with with various languages.
  3. Fix parsing TemplateDir at startup with multiple dirs on one line (RT…

    Gert van der Spoel authored
    …# 318)
    
    When TemplateDir was defined like:
    TemplateDir /path/to/dir /path/to/dir2
    
    this was not being parsed correctly. This has now been resolved.
    Thanks to Mat Jones for the report.
Commits on Mar 22, 2011
  1. updating core and retired core

    Gert van der Spoel authored
Commits on Mar 18, 2011
  1. @perusionjosh @jonjensen

    Fix for image.tag when using makesize and extra parameters

    perusionjosh authored jonjensen committed
    Example: makesize="200>".
    
    Also quote argument for execution.
Commits on Mar 15, 2011
  1. @racke
Commits on Mar 9, 2011
  1. @machack666

    update WHATSNEW

    machack666 authored
  2. @machack666

    Fix a bug in read_cookie's code path when using the single-arg form

    machack666 authored
    This issue was caused by a bug in the interchange read_cookie codepath
    which was being too lenient about its parsing of $CGI::cookie when
    looking up a specific cookie's value.
    
    Certain $CGI::cookie strings and requested cookie names can result in
    returning the wrong value for the cookie given the following
    circumstances: $CGI::cookie contains a value portion of the keyvalue
    pairs which include a word-break character, the (case-insensitive)
    target name and then an equals sign.  Additionally, this matching
    substring would need to appear before the actual cookie for the key in
    question.
    
    Example:
    
    Given $ENV{HTTP_COOKIE}:
      'foo.tracker={"url":"http://www.site.com/?mv_source=blah","count":3}; MV_SOURCE=foo'
    
    [read-cookie] without arguments would correctly parse and return the
    expected keypairs, however [read-cookie MV_SOURCE] would scan the
    $CGI::cookie string for a word-break, the specific cookie name, a
    literal '=' and then proceed to return the literal:
    
      MV_SOURCE => 'blah","count":3}'
    
    This fix tightens up the parsing to only look at the start of the
    string or immediately after a ';' (with optional whitespace between)
    when parsing a specific cookie value.
    
    ---
    Some additional comments:
    
    I had difficulty locating a specification for the cookie keys/values
    themselves, but I wonder if we should remove the /i regex modifier, as
    I'd personally expect cookie names to be case-sensitive.  Left in for
    backwards-compatibility.
    
    Additionally, the setter of the aforementioned cookie should likely
    have used some form of uriencoding instead of having the raw '{}='
    characters, however that's no excuse for us to barf on bad behavior.
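The read_cookie mismatch from the commit above, as an added example that is not Interchange's own code: both regexes are assumptions reconstructed from the commit message's wording, and the second and third headers are constructed. Running the two lookups side by side flags any header where a cookie value is lifted out of another cookie's value.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Loose lookup as the commit message describes the old behaviour:
# a word break, the cookie name, then '=' anywhere in the header.
sub read_cookie_loose {
    my ($name, $header) = @_;
    return $header =~ /\b\Q$name\E=([^;]*)/i ? $1 : undef;
}

# Tightened lookup: the name must sit at the start of the header or
# directly after ';' plus optional whitespace. /i kept, as in the commit.
sub read_cookie_strict {
    my ($name, $header) = @_;
    return $header =~ /(?:^|;\s*)\Q$name\E=([^;]*)/i ? $1 : undef;
}

my @headers = (
    # Header quoted in the commit message.
    'foo.tracker={"url":"http://www.site.com/?mv_source=blah","count":3}; MV_SOURCE=foo',
    # Constructed: the name occurs only inside another cookie's value.
    'ref=http://www.site.com/?mv_source=partner',
    # Constructed: well-formed header, both lookups should agree.
    'MV_SESSION_ID=abc123; MV_SOURCE=newsletter',
);

for my $header (@headers) {
    my $loose  = read_cookie_loose('MV_SOURCE', $header);
    my $strict = read_cookie_strict('MV_SOURCE', $header);
    my $same   = (defined $loose ? $loose : "\0") eq (defined $strict ? $strict : "\0");
    print "header: $header\n";
    printf "  loose  => %s\n", defined $loose  ? "'$loose'"  : 'undef';
    printf "  strict => %s\n", defined $strict ? "'$strict'" : 'undef';
    print  "  ", ($same ? 'agree' : 'DISAGREE: value taken from inside another cookie'), "\n";
}
```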
Commits on Mar 8, 2011
  1. @racke

    Fix bug in [email] tag with reply and html attributes used in conjunc…

    racke authored
    …tion.
    
    Thanks to Salvador Caballé for the report.
Commits on Mar 5, 2011
  1. Change UrlJoiner variable call to work if it is set, or substitute

    Mike Heins authored
    the default & if not.
Commits on Mar 4, 2011
  1. Hard code UrlJoiner because changes to postprocessing for MV_HTML_4_C…

    Mike Heins authored
    …OMPLIANT
    
    stepped on the AutoVariable setting.
  2. Fix problem with lookup_exclude discovered by Andrew Baerg, which

    Mike Heins authored
    will cause display() to return prematurely.