Commits on Mar 9, 2011
  1. Fix a bug in read_cookie's code path when using the single-arg form

    This issue was caused by a bug in the Interchange read_cookie codepath
    which was being too lenient about its parsing of $CGI::cookie when
    looking up a specific cookie's value.
    Certain $CGI::cookie strings and requested cookie names can result in
    returning the wrong value for the cookie given the following
    circumstances: $CGI::cookie contains a value portion of the keyvalue
    pairs which include a word-break character, the (case-insensitive)
    target name and then an equals sign.  Additionally, this matching
    substring would need to appear before the actual cookie for the key in
    Given $ENV{HTTP_COOKIE}:
      'foo.tracker={"url":"","count":3}; MV_SOURCE=foo'
    [read-cookie] without arguments would correctly parse and return the
    expected keypairs, however [read-cookie MV_SOURCE] would scan the
    $CGI::cookie string for a word-break, the specific cookie name, a
    literal '=' and then proceed to return the literal:
      MV_SOURCE => 'blah","count":3}'
    This fix tightens up the parsing to only look at the start of the
    string or immediately after a ';' (with optional whitespace between)
    when parsing a specific cookie value.
    Some additional comments:
    I had difficulty locating a specification for the cookie keys/values
    themselves, but I wonder if we should remove the /i regex modifier, as
    I'd personally expect cookie names to be case-sensitive.  Left in for
    Additionally, the setter of the aforementioned cookie should likely
    have used some form of uriencoding instead of having the raw '{}='
    characters, however that's no excuse for us to barf on bad behavior.
    machack666 committed Mar 9, 2011
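The loose and tightened lookups this commit describes, reconstructed as an added Perl example (this is not the Interchange read_cookie code itself; the regex shapes, function names and the cookie string are assumptions built from the message):

```perl
use strict;
use warnings;

# Constructed $CGI::cookie string (not taken from a real request): the
# tracker value embeds a URL whose query string contains "MV_SOURCE=",
# so a word-break-anchored search finds it before the real cookie.
my $cookie = 'foo.tracker={"url":"http://x.example/?MV_SOURCE=blah","count":3}; MV_SOURCE=foo';

# Old behaviour as the commit describes it: word-break, case-insensitive
# name, literal '=', then the value up to whitespace or ';'.
# (Assumed regex shape, reconstructed from the message, not the project's code.)
sub read_cookie_loose {
    my ($name, $string) = @_;
    return undef unless $string =~ /\b\Q$name\E=([^\s;]+)/i;
    return $1;
}

# Tightened behaviour: the name must sit at the start of the string or
# right after a ';' plus optional whitespace, so a cookie value can no
# longer masquerade as a cookie name.
sub read_cookie_tight {
    my ($name, $string) = @_;
    return undef unless $string =~ /(?:^|;)\s*\Q$name\E=([^\s;]+)/i;
    return $1;
}

# No-argument form: split on ';' and take the first '=' of each pair.
# This path was never affected, which is why only the single-arg form
# returned the wrong value.
sub read_all_cookies {
    my ($string) = @_;
    my %out;
    for my $pair (split /;\s*/, $string) {
        my ($k, $v) = split /=/, $pair, 2;
        $out{$k} = $v if defined $v;
    }
    return \%out;
}

printf "loose lookup: %s\n", read_cookie_loose('MV_SOURCE', $cookie);
printf "tight lookup: %s\n", read_cookie_tight('MV_SOURCE', $cookie);
my $all = read_all_cookies($cookie);
printf "no-arg parse: %s\n", $all->{MV_SOURCE};
```

The loose lookup stops at the first ';' after the embedded "MV_SOURCE=", which is why the returned value is a fragment of the tracker's JSON rather than the real cookie.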
Commits on Apr 18, 2010
  1. Add checks for MV_UTF8 in global variable space

    Depending on the context in which a particular piece of code is
    called, $::Variable will be aliased to either the variables defined in
    interchange.cfg (i.e., $Global::Variable) or in the specific
    In order to handle the fact that MV_UTF8 can be defined in either
    interchange.cfg or catalog.cfg, change all checks to look at both
    $::Variable and $Global::Variable explicitly.
    This is known to have affected the [import] tag at the very least, and
    likely had other subtle implications in other places.
    machack666 committed Apr 18, 2010
Commits on Apr 16, 2010
  1. Move MYSQL_ENABLE_UTF8 to a connection-level attribute

    When MYSQL_ENABLE_UTF8 is set, it currently does not provide the
    mysql_enable_utf8 parameter to the DBI->connect call; instead it's
    part of the DBI handle attributes that get set on an already-created
    From the docs for DBD::mysql, mysql_enable_utf8 needs to be set on
    connect, otherwise there are additional steps one needs to take to get
    the results returned in UTF8 (primarily issuing a $dbh->do("SET NAMES
    utf8") on the opened handle).
    With this change, when the catalog.cfg defines MYSQL_ENABLE_UTF8, the
    mysql_enable_utf8 => 1 attribute will be included in the hash of
    options returned by Vend::Table::DBI::find_dsn.  This will not occur
    unless said DatabaseDefault/Database attribute is defined.
    This corrects a bug when using MySQL with MV_UTF8 mode, as with the
    old behavior the UTF8 flag would be set on the values returned from
    the database, but they would not have been transferred in UTF8, but
    instead with the server's default character set (likely latin1).  The
    normal way to get around this issue when setting the $dbh attribute
    manually is to issue a $dbh->do("SET NAMES utf8"), which has the
    effect of setting the client's connection and results character sets
    to UTF8.
    This has the possibility of introducing some changes in application
    behavior, but since MYSQL_ENABLE_UTF8 is generally turned on in
    conjunction with MV_UTF8 mode, this is not judged to be a big risk.
    If existing user code was already working around this bug by issuing
    its own $dbh->do("SET NAMES utf8"), this will continue to work,
    essentially becoming a no-op.
    machack666 committed Apr 16, 2010
Commits on Mar 25, 2010
  1. Bump version number

    machack666 committed Mar 25, 2010
  2. Update Copyright Date

    machack666 committed Mar 25, 2010
Commits on Mar 24, 2010
  1. Fix css.tag to properly output the css when using the inline <style> …

    css.tag attempts to write a file out to the filesystem after reading
    in the css via either variable or literal.  If the file path it
    attempts to write to is not writable, for whatever reason, instead of
    creating a <link> tag to the written file, it attempts to create a
    <style> tag containing the css.
    Currently, if it ever creates the style tag, it will never contain the
    css.  When the location is not writable, it skips the portion of code
    that reads in the actual css, either from the literal option or the
    contents of the variable.
    This patch moves the reading of the css up to a point where it can't
    be skipped, allowing both the link and style tags to be created
    Report and patch by Justin Otten
    machack666 committed Mar 24, 2010
  2. Fix "HTTP Response Splitting" security exploit

    Discovery and patch from Justin Otten:
    Added new method for scrubbing newlines from header data.
    Updated all discovered instances of the use of the "Location" header
    to run the URL through the routine.
    machack666 committed Mar 22, 2010
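An added illustration (not the project's own routine) of the header scrub this commit describes: a Location value carrying a CR/LF pair is cleaned before being emitted, so it cannot terminate the header line early. Function names and the sample URL are constructed for this example.

```perl
use strict;
use warnings;

# Returns true when a header value contains no CR or LF, i.e. it cannot
# break out of the header line it is placed on. (Assumed helper name.)
sub header_value_is_safe {
    my ($value) = @_;
    return $value !~ /[\r\n]/;
}

# Removes every CR and LF from a value destined for a response header.
# This mirrors the "scrub newlines" approach the commit describes; the
# name and exact behaviour are assumptions for this example.
sub scrub_header_value {
    my ($value) = @_;
    $value =~ s/[\r\n]+//g;
    return $value;
}

# Builds the Location header line after scrubbing the redirect target.
sub location_header {
    my ($url) = @_;
    return 'Location: ' . scrub_header_value($url) . "\r\n";
}

# Constructed redirect target such as a request parameter might supply:
# the embedded CR/LF would otherwise end the Location line and start a
# second, attacker-controlled header.
my $url = "http://shop.example/index.html?mv_session_id=abc\r\nX-Injected: yes";

printf "safe before scrub: %s\n", header_value_is_safe($url) ? 'yes' : 'no';
my $clean = scrub_header_value($url);
printf "safe after scrub:  %s\n", header_value_is_safe($clean) ? 'yes' : 'no';
print location_header($url);
```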
Commits on Feb 23, 2010
  1. Properly initialize BOP supplemental parameters.

    This fixes a bug where supplemental parameters passed to the payment
    module to initialize the Business::OnlinePayment gateway object get a
    value of 1 instead of what's in your catalog.cfg or
    Patch by Richard Siddall, with minor bugfixes by David Christensen
    machack666 committed Feb 23, 2010
Commits on Jan 5, 2010
Commits on Sep 25, 2009
Commits on Sep 24, 2009
  1. Do not specify a default charset if none is passed via MV_HTTP_CHARSET.

    Do not specify a default charset if none is passed via MV_HTTP_CHARSET.
    Thanks to Raymond Cheng for pointing out the regression
    caused by this.
    machack666 committed Sep 24, 2009
Commits on Sep 16, 2009
  1. Sync manifest

    jonjensen committed Sep 16, 2009
  2. bump up version number and date

    updates to documentation (WHATSNEW, README-DEVELOPMENT)
    racke committed Sep 16, 2009
  3. Fix two occasionally broken tests.

    Two tests of the [query] tag and built-in SQL parser relied on the results
    being returned in a particular order, even though SQL's result sets are not ordered
    by default.
    Fixed this by specifying a sort order and setting the results to match.
    jonjensen committed Nov 16, 2008
  4. Fix default shipmode due to incomplete [either] clause.

    Also remove stray ] above and clean up indenting.
    Fix by JT Justman.
    jonjensen committed Dec 4, 2008
  5. Fixed rare bug that caused requests to / URL with a query string to f…

    …ail, e.g.:
    Interchange in that case looked for a page called "?somevar=1" and of course
    didn't find it.
    Thanks to David Christensen for the fix.
    jonjensen committed Dec 31, 2008
  6. * Correct .access functionality directly in pages/

      .access worked in subdirectories like pages/abc/, but didn't work directly
      under pages/. (Instead of looking for pages/.access, it was looking for
    docelic committed with jonjensen Jan 8, 2009
  7. * Add framekiller for clickjacking defense in template. Probably we are

      unlikely to have problems in the standard template, but you never know.
    perusionmike committed with jonjensen Jan 28, 2009
  8. there is no ::Catalog apparently (anymore?), ::Cat does return the cat…

    …alog name, this is for the DebugTemplate directive
    Gert van der Spoel committed with jonjensen Feb 10, 2009
  9. * Make forum only available for logged-in users, as spammers are

      exploiting it constantly.
    perusionmike committed with jonjensen Feb 27, 2009
  10. * Fix bug found by Jeff Boes which prevented custom

      widget type from working.
    perusionmike committed with jonjensen Mar 20, 2009
  11. * Prevent an incomprehensible error when following an order link that…

    … was
      created on an mv_tmp_session page or other non-connecting session.
    perusionmike committed with jonjensen Apr 7, 2009
  12. Avoid possible problem with read-only variable table by using @@MV_PA…

    …GE@@ instead of @_MV_PAGE_@.
    This is the only place in Interchange we use @_MV_PAGE_@, which isn't
    necessary because MV_PAGE is always global.
    More details at this blog comment I wrote:
    jonjensen committed Apr 8, 2009
  13. Fix omission of media type in <link> output

    Patch by Thomas J.M. Burton. Thanks!
    jonjensen committed May 28, 2009
  14. Removed javascript that submits the form if the user changes his emai…

    It's better to let the user make the final decision if he wants to submit the stock-alert form after all.
    René Hertell committed with jonjensen Jun 9, 2009
  15. Added some missing end-tags

    René Hertell committed with jonjensen Jun 9, 2009
  16. Remove CVV2/CSC from default credit card encrypted block template

    The card security code should not be stored at all, even in encrypted
    form. This makes the default behavior compliant with section 3.2.2 of
    PCI-DSS 1.2:
    It is of course still possible to manually supply a template that
    stores the card security code in violation of PCI-DSS requirements, so
    developers should review any custom credit card encryption templates
    to make sure that the CVV2 is not included, and purge it from any
    historical data they have stored.
    Thanks to Mark Lipscombe for calling attention to this.
    jonjensen committed Jun 19, 2009
  17. Unbuffer output as early as possible

    This stops the confusing out-of-order mixing of regular and error messages
    during startup. And output was being unbuffered later on anyway.
    Also update copyright years and remove CVS $Id$ tag.
    jonjensen committed Jun 25, 2009
  18. Specifically require Digest::SHA1 module

    This should give more helpful error messages for those upgrading since
    Digest::SHA1 wasn't part of Bundle::Interchange historically but has
    been since January 2008.
    jonjensen committed Jun 25, 2009
  19. Abort daemon startup when required module is missing and clean up err…

    …or output
    Fix problem with eval $@ error result's scope in global Perl module
    require routine. This was caused because logGlobal contains an eval
    itself that overrides $@. Now when a "Require module Something::Special"
    directive is issued and not satisfied, it is fatal as was originally
    Remove logGlobal call that results in duplicate error output.
    Correctly say "Aborting Interchange daemon" instead of "Aborting
    catalog" when dying on global config errors.
    jonjensen committed Jun 27, 2009
  20. Corrected min/max username length

    Currently you can set a username with a length between 2 and 64.
    ship_addresses.html was testing on usernames between 4 and 10.
    Any account created with a username < 4 or > 10 would result in
    an error such as: username length XX more than maximum length 10.
    Reported by René Hertell.
    Gert van der Spoel committed with jonjensen Jul 14, 2009