Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Commits on Mar 22, 2015
  1. @pajamian

    COLUMN_INDEX is lowercase.

    pajamian authored
Commits on Mar 17, 2015
  1. @pajamian

    Add set_source SpecialSub.

    pajamian authored
    This commit adds the set_source SpecialSub which is called when the affiliate
    source is about to be set or changed.  The sub is called with three args:
        source - This is the new affiliate source that is about to be set.
        priority - This is the priority (as per the SourcePriority configuration
    	directive) that this source change falls under.
        oldsource - This is the affiliate source that was already set and is about
    	to be overwritten.
    Return values:  Any defined value returned by this sub becomes the new affiliate
    source.  If undef is returned then the old source is kept and processing
    continues onto the next priority in the SourcePriority list.
    Example usage:  The following example usage will make sure that a customer who
    enters your site with an affiliate source does not do so from a search engine
    Sub <<EOS
    sub source_check_referer {
        my ($source, $priority) = @_;
        return $source unless $priority eq 'mv_pc' || $priority eq 'mv_source';
        my $referer = $Tag->env('HTTP_REFERER');
        my @bad_referers = qw{
        for (@bad_referers) {
            return if $referer =~ /\Q$_\E/;
        return $source;
    SpecialSub set_source source_check_referer
Commits on Mar 14, 2015
  1. @pajamian

    Fix typo.

    pajamian authored
Commits on Mar 13, 2015
  1. @pajamian

    Add support for automatic quoting of identifiers in DBI.

    pajamian authored
    Table and column names have not traditionally quoted in Vend::Table::DBI
    routines.  This can (and has) led to issues such as clashing with db reserved
    words and possible SQL injection issues.  This patch adds optional support to
    allow all SQL queries that are generated by Interchange to have all the
    identifiers quoted.
    To enable this feature just add the following configuration directive to
        DatabaseDefault QUOTE_IDENTIFIERS 1
    The above must be set before any Database or DatabaseAuto directives for it to
    work properly.  You can also set this individually for each table:
        Database foo QUOTE_IDENTIFIERS 1
    Also, if you want this to apply to all catalogs under a particular server instance, you can add this setting to catalog_before.cfg.
    As an example of how db queries are affected by this setting for a MySQL db with
    the Interchange tag [field price 12345] Interchange will send something like the
    following without and with QUOTE_IDENTIFIERS set for the products table:
        Without: SELECT price FROM products WHERE sku='12345'
        With: SELECT `price` FROM `products` WHERE `sku`='12345'
Commits on Jan 13, 2015
  1. @jonjensen

    Support new DebugTemplate tokens REQUEST_METHOD, REQUEST_URI, SESSION…

    jonjensen authored
    This makes possible a nicely detailed DebugTemplate like this:
    DebugTemplate  %F %T {CATALOG} {REMOTE_ADDR} {REQUEST_METHOD} {REQUEST_URI} {PAGE|-} {} {SESSION.username|-} | {MESSAGE}
    to track the session ID, the logged in user name, and more about the
Commits on Jan 6, 2015
  1. @machack666
Commits on Dec 30, 2014
  1. @machack666
  2. @machack666
Commits on Dec 29, 2014
  1. @machack666

    Improve application/json POST support

    machack666 authored
    While the code already existed to support "application/json" as a valid content-type for POST
    requests, this did not do anything useful in practice.  So this commit adds the following:
    - Add automatic decoding of the POST entity into the variable $CGI::json_ref.  If this variable
      exists, it is already guaranteed to be structurally valid.
    - Conditionally handle "application/json" POST mapping into CGI space, using the new UnpackJSON
    directive.  This means that for the POSTed JSON object we will populate %CGI::values with the keys
    of that object with the (potentially deep structured) values of the same object.
    We enable UnpackJSON handling by default, though this value is up for debate.  Considering that we
    already don't (shouldn't) trust CGI values, simply making it easier to have structured data using a
    JSON request doesn't seem like there are additional security implications.  Additionally, by shoving
    this into CGI space, we already have ITL/tag support for accessing the values of the response, which
    seem to make this much easier than having redundant UserTags/SystemTags to support inspection of
    $CGI::json_ref for the common use case.
Commits on Sep 17, 2014
  1. @jonjensen

    UserDB: log timestamps to second granularity

    jonjensen authored
    I am not sure why this was just minute granularity before, but that is
    not sufficient for correlation with other event logs.
Commits on Sep 11, 2014
  1. @jdigory

    Add payment module for MerchantWare 4.0 gateway, from Merchant

    jdigory authored
    Supports "repeat sale" transactions, using tokens.
    This module was certified by Merchant Warehouse for their gateway:
Commits on Jul 18, 2014
  1. @machack666

    Revert "Embed Safe 2.07 into Vend::Safe to avoid various problems wit…

    machack666 authored
    …h recent versions of Safe."
    This is broken in at least perl 5.20, possibly earlier; I also don't believe that this is a good
    approach to take, particularly as the Safe module relies on specific internal perl modules which we
    are also currently not including (nor could we effectively).
    I *would* be interested to look at the issues that this commit was intended to fix, to see if we can
    come up with a better general-purpose solution which works across multiple versions of perl and
    This reverts commit 6264540.
Commits on Jul 10, 2014
  1. @jdigory

    Correct logging of bad robot to permit rerouting with ErrorDestination,

    jdigory authored
    and to remove duplicate log message.
Commits on Jul 6, 2014
  1. @msjohns1

    Remove /o flag from iterate_hash_list()

    msjohns1 authored
    * /o in the -next and -last regexes causes the regex pattern
      to freeze with whatever prefix happens to be used on the first
      run of the routine. This is particularly pernicious in pre-fork
      where the daemon may be used dozens of times after the initial
      run that freezes the pattern.
    * Modified flags to match those of the regex counterparts in
Commits on Jun 30, 2014
  1. @jdigory
Commits on Jun 19, 2014
  1. @msjohns1

    Add bcrypt encryption option to Vend::UserDB

    msjohns1 authored
    * Full bcrypt support
      + Requires modules Digest::Bcrypt and Crypt::Random.
      + Enabled with "bcrypt" key in catalog UserDB setting.
        - Ex: UserDB  default  bcrypt  1
      + Pads out passwords to 72-character limit of bcrypt to
        increase difficulty of brute-forcing weak passwords.
        - Optional "pepper" (highly recommended) to make padding
          pattern unique per catalog.
      + Defaults to cost of 13.
    * Storage follows general guidelines of modular crypt format
      (MCF), both weaning it from the length-based cipher
      identification, but also allowing it to identify a "pre digest"
      against the password (discussed below).
      + Example storage structure:
    * Uses a "more complex than usual" approach to manage the
      identifier than the standard MCF. This complexity is used to
      specify which algorithm "pre digested" the raw password. They
      are as follows:
      + $2y$ - standard, default identifier. Means bcrypt processed
        the raw password directly.
      + $2s$ - s => SHA1. Indicates bcrypt process first runs the raw
        password through the SHA1 algorithm before encrypting. If you
        update passwords originally stored as SHA1 as a background
        process, the resulting bcrypt structures should all have this
        - Example storage structure:
      + $2m$ - m => MD5. Same as $2s$ but for passwords that are
        originally stored MD5.
        - Example storage structure:
      + $2n$..$ - n => md5_salted encryption algorithm. '..' are the 2
        salt characters in the original stored password, made available
        so that the "pre digest" step can accurately reproduce the
        salted MD5 structure before bcrypting and comparing.
        - Example storage structure:
      + $2c$..$ - c => crypt(). Same as md5_salted, but with crypt()
        - Example storage structure:
      The "pre digested" feature allows a site developer to create
      a background process for updating an existing user table with
      bcrypted passwords even if the table is already encrypted by
      one of the previously supported ciphers. Thus, in a matter of
      minutes to weeks (depending on the size of your user table and
      chosen bcrypt cost) your passwords can be fully upgraded to
      bcrypt without having to wait on the organic process "promote"
      allows, or having to know any of your users' original
    * New routine construct_bcrypt() in Vend::UserDB. Takes a
      single hash ref argument with keys "password", "type"
      (optional), and "profile" (optional). Returns a
      properly-formatted bcrypt structure suitable for being stored
      in the password field of the user table of interest.
      Anticipated usage scenario would be for a developer with an
      already encrypted user table (sha1, md5, md5_salted, or crypt)
      to create an Interchange job that slurps in all the encrypted
      passwords, passes them along with the type of encryption that
      created them (described below), and gets in return the
      appropriate bcrypt structure reflecting that original
      encryption type to write back to the user table's password
      + If "type" is left off, assumes code is encrypting against
        the raw password. Returns structure with identifier $2y$.
        Otherwise, "type" is any of the supported Interchange
        encryption options:
        - sha1 (identifier returned is $2s$)
        - md5 (identifier returned is $2m$)
        - md5_salted (identifier returned is $2n$..$)
        - crypt (identifier returned is $2c$..$)
      + If "profile" is left off, uses "default" profile, which
        is typically the definition for the userdb table. Common
        other profile is "ui", which defines the access table for
        the admin.
      Whatever profile is being used, it must have been set to use
      bcrypt before executing code that calls construct_bcrypt().
      If it's set to anything other than bcrypt, the routine dies
      with an error.
      + Example usage: if my "ui" profile is configured with
        "crypt" (as it is by default), I have crypt() passwords in
        the access table:
        UserDB  ui  crypt 1
        I first change and promote to bcrypt by replacing the above
        UserDB  ui  promote 1
        UserDB  ui  bcrypt  1
        UserDB  ui  bcrypt_pepper {some reasonably long random string}
        Then, rather than wait for every user to eventually log
        in, I run all my crypt passwords through construct_bcrypt().
        If I have, for example, a password of cWNLm21WqgOKU:
        my $bcrypt_password = Vend::UserDB::construct_bcrypt(
                password => 'cWNLm21WqgOKU',
                type => 'crypt',
                profile => 'ui',
        and $bcrypt_password now holds something like:
        which can directly overwrite cWNLm21WqgOKU in the password
    * "promote" flag has been expanded to recognize intra-bcrypt
      config changes between the cost of a stored password and the
      current cost being used for encryption. E.g., if the current
      cost setting for bcrypt is 14, but the storage structure
      indicates $2y$13$..., promote catches that and updates the
      password in the database to the calculated structure for cost
Commits on May 2, 2014
  1. @jdigory
  2. @jdigory

    Allow DirectoryIndex to find index page in root pages/ dir:

    jdigory authored
    It seems DirectoryIndex, when the readin() sub doesn't find a page
    for '', adds a slash, so it then looks for '/index'. This is wrong
    when acting on the root pages/ directory, so now we check if the
    page is blank, and if so skip the slash.
    Came to light when attempting to serve a root index.html page via
Commits on Apr 4, 2014
  1. @jonjensen

    Correct [log type=error|debug] final newline behavior

    jonjensen authored
    It shouldn't quote the final newline with > since ::logError
    doesn't. (And because it makes a mess of the log.)
Commits on Apr 3, 2014
  1. @jdigory

    Allow use of 'id' parameter with [table-editor] tag, in hash-attribut…

    jdigory authored
    …e form:
    Works in conjunction with existing 'id' support in
Commits on Mar 25, 2014
  1. * Add MV_AUTOEND capability as in MV_AUTOLOAD -- automatically append…

    Mike Heins authored
    …s something
      to an IC page first time it is run through interpolate_html(). This is
      arguably more useful than MV_AUTOLOAD, which happened at the beginning.
    * Fix bug in init_page pragma capability. The flypage would be
Commits on Mar 23, 2014
  1. * Interchange has long been distributing the dump page. This is

    Mike Heins authored
      somewhat insecure; it should be gated with a password. This is a
      change to pages/dump.html in the standard template. Makes the
      password be __SQLPASS__ or __ORDERS_TO__.
    * Allow option to sort the keys of output in ::full_dump. Turn on that
      option by default in the standard dump page.
  2. * Allow replacement of crappy IC tabbed display with one from jqueryui.

    Mike Heins authored
      Simply need to include jQuery and jqueryui as per their docs, then
      pass jui-tabs=1 option to [table-editor].
Commits on Mar 22, 2014
  1. @perusionmike

    * Add new UserTag parameter "Underride". This allows you to define

    perusionmike authored
      a new UserTag for use, then later have that tag become part of
      the distribution Interchange without causing errors.
      Has the effect of ignoring the second definition of a tag
      if that tag begins its stanza with
      	UserTag  tagname  Underride
      Intended for allowing a new "strap" template admin and catalog
      template with a few new UserTag definitions distributed with
      the template, then have those tags be superseded by distribution
      Interchange tags. (The first of those is ts/tn/tv, for defining
      page titles, ephemeral JavaScript code, etc.)
Commits on Mar 15, 2014
Commits on Mar 13, 2014
  1. @jdigory

    In carts, provide prevention for item attributes migrating to other i…

    jdigory authored
    This can happen due to a user's removal of an item and subsequent use of Back button.
    Requires setting of CGI parameter in ord/basket.html and other cart modification pages:
    <input type="hidden" name="mv_nlines" value="[nitems lines=1]">
    By Mike Heins.
  2. @jdigory
Commits on Feb 24, 2014
  1. @melmothx

    Patch [area] to accept decoded strings.

    melmothx authored
    is_utf8 is badly name. First, it's an internal function, but it's
    used all over the place in IC.
    From the doc:
        is_utf8(STRING [, CHECK])
          [INTERNAL] Tests whether the UTF8 flag is turned on in the STRING. If
          CHECK is true, also checks the data in STRING for being well-formed
          UTF-8. Returns true if successful, false otherwise.
    So, basically, is_utf8 returns true if the string is decoded, not when
    is encoded in utf8.
    use strict;
    use warnings;
    use utf8;
    diag "When we encode, the string is not \"utf8\" any more";
    ok(!is_utf8(encode(utf8 => 'à')));
Commits on Feb 20, 2014
  1. @jdigory

    Fix broken name in PayPal module when using pp_use_billing_address an…

    jdigory authored
    …d alternate address
    There is no such reference as {PayerName}{PayerName}; also needed to override b_fname/b_lname with b_name when it is present. Added b_phone fallback as well.
Commits on Feb 9, 2014
  1. Interchange since 5.0 has not allowed setting CookieName while retaining

    Mike Heins authored
    the standard CoOkIe: pattern. Also, PHP setcookie routine URLencodes
    cookie values, so the %3a that : is moved to defeats our patterns.
    So, this commit does three things.
    * Change cookie handling so that setting a CookieName doesn't affect the
      addition of host/username as long as the InternalCookie directive
      is set to Yes.
    * Add InternalCookie directive to indicate that a custom CookieName
      should have internal handling.  (A YesNo directive).
    * Treat %3a as equivlent to : for cookie matching when in
      InternalCookie mode.
    So, to change the CookieName for sessions from MV_SESSION_ID
    to MVID without changing external cookie behavior, do in
        CookieName      MVID
        InternalCookie  Yes
    If you don't set InternalCookie Yes, it will have the old ExternalCookie
    behavior where the session file is solely based on what is found
    in $Vend::Cfg->{CookiePattern}.
    If you don't change the CookieName from MV_SESSION_ID (assuming you
    don't explicitly set to that in catalog.cfg) then "InternalCookie Yes"
    is implied.
  2. * Fix non-working (in 5.8.x perl) is_ipv4() routine. (split '.' doesn't

    Mike Heins authored
      do what you might think it does.)
    * Have concerns about efficiency of this and wisdom of using
      this routine for a string which is not being used as an IP address,
      but not suggesting change. I guess CPUs are getting faster.
Commits on Feb 5, 2014
  1. @msjohns1

    Fix broken parsing on session cookie

    msjohns1 authored
    * Modifications to support IPv6 left it so it didn't work
      properly on either IPv4 or IPv6.
Commits on Jan 31, 2014
  1. * As of Jan 31, 2014 Authorize.Net stopped accepting a transaction ID

    Mike Heins authored
      on transaction types that don't need it. That should be AUTH_ONLY
      and AUTH_CAPTURE, though I am waiting on a definitive pronouncement
      from them.
Commits on Jan 8, 2014
  1. @msjohns1
Something went wrong with that request. Please try again.