Commits on Nov 10, 2005
cvs2svn This commit was manufactured by cvs2svn to create branch
'STABLE_5_4-branch'.
bb9296a
Commits on Nov 11, 2005
Kevin Walsh * Corrected a CSS typo. 1fbdbc2
Kevin Walsh * Recognise "GoogleBot", rather than just "Google", in the
	  "RobotUA" list, to prevent confusion with other UA values such
	  as "GoogleToolbar" etc.
8da201a
Commits on Nov 15, 2005
@jonjensen jonjensen Ugh. Missed ui-version in mv_metadata, which will give the annoying
"need to merge" message when logging in to the admin.
0c8fa36
Commits on Nov 21, 2005
@racke racke fixed typo 763e28d
Commits on Nov 26, 2005
@racke racke renamed "extra" option which is a standard widget parameter to
htmlarea_config, fixes Debian bug #340568
f157ecc
Commits on Nov 29, 2005
@racke racke descriptions added, natural and relative_filename are using custom error messages now
90a19f4
@perusionmike perusionmike * Merge changes from devel branch (no hard requirement for Set::Crontab).
133dd05
Commits on Nov 30, 2005
@racke racke don't use current time as default for date_blank 08834a8
@racke racke documented date_blank change 61a7db4
Commits on Dec 01, 2005
@racke racke Reject invalid dates in "future" profile. cbe9fea
@racke racke allow dates without time or with seconds
more restrictive regexp
abac302
@racke racke merge fck widget with htmlarea widget 8cfd808
@racke racke getting ready for beta2 release d940fbf
Commits on Dec 02, 2005
@racke racke closing htmlarea widget bug ae3b2c2
@perusionmike perusionmike * Patch error log problems with switch_discount_space(). 20ac5ab
@perusionmike perusionmike * Add missing quote preventing same-billing JavaScript function
  from working.
21ec0b9
Commits on Dec 03, 2005
@perusionmike perusionmike * Fix syntax error introduced by improper application of patch. 49abe44
Commits on Dec 07, 2005
Kevin Walsh * The last "digit" of an ISBN code can be a "X" (meaning 10),
	  which wasn't allowed for in the previous version.
5245a26
Commits on Dec 08, 2005
@racke racke document isbn profile change abe85da
Commits on Dec 09, 2005
@perusionmike perusionmike * Put Mike's recent WHATSNEW update into stable. 1a1beb8
Commits on Dec 12, 2005
@perusionmike perusionmike * Prevent crash when $::Discounts not defined. 0110d61
Commits on Dec 13, 2005
@jonjensen jonjensen Bump version to 5.3.3 before release. ab3a3f4
Commits on Dec 23, 2005
Kevin Walsh * Prevent Interchange from tripping the DATE_SPAMWARE_Y2K (Date
	  header uses unusual Y2K formatting) SpamAssassin rule with every
	  email it sends.
cff2cc6
@jonjensen jonjensen Add overlooked user-merge tag. 0039409
Commits on Dec 24, 2005
@jonjensen jonjensen Update version number to 5.4.0. 361e6e7
@jonjensen jonjensen Update versions in RPM doc, though it's neglected at the moment ... 81e0fe0
Commits on Jan 04, 2006
@racke racke fix regression with browsers claiming MSIE compatibility 276be82
@racke racke documented htmlarea regression fix c7a0fe2
Commits on Jan 07, 2006
@racke racke new release c53707e
Commits on Jan 08, 2006
@perusionmike perusionmike * Update distributed tables to match US Postal Service rate increase. 1d92f08
@perusionmike perusionmike * Update US Postal rates 4055807
@racke racke Updated UPS Postal rates. 8de5453
Commits on Jan 09, 2006
@perusionmike perusionmike * Fix bug with patch supplied by Gert.
* Also remove literal space from regex -- it should be a standard within
  interchange not to use *any* literal whitespace in regular expressions.
  A literal space could be embedded with \0x20 or such, but \s+ should always
  be preferred.
bd178e0
Commits on Jan 13, 2006
@racke racke closing font tag added as suggested by Steve Graham <icdev@mrlock.com> b1d5030
Commits on Jan 18, 2006
@perusionmike perusionmike * Fix thread-safety problem with shipping adder (and potentially other
  things).
1dd3d8b
@perusionmike perusionmike * Fix rounding error that could make total comparisons wrong. e850307
Commits on Jan 24, 2006
@perusionmike perusionmike * Display proper state and zip 791373b
Commits on Feb 01, 2006
@jonjensen jonjensen Remove incorrect note about ITL in HTML comments, and add note about
upgrading from IC 5.2.
889ad44
Commits on Feb 03, 2006
@perusionmike perusionmike * Make log message manageable with ErrorDestination.
* Allow a "quiet" shipmode that won't log missing areas.
7413fc5
@jonjensen jonjensen Fix a bug found by Brian Miller <brian@endpoint.com>:
When reading an OrderProfile from an external config file,
for instance, etc/profiles.login or similar if there is a comment line
immediately preceding the __NAME__ identifier then the first line of the
profile is commented out. Actually any line preceding the __NAME__ line
will silently be prepended to the first line of the profile, just so
happens a comment (in some of our code) would be the likely offender.

For example:

# following profile confirms user input
__NAME__ Login
  username=required Username had better be filled in.
  password=required Password is required.
__END__

Will result in a profile structure that looks like:

# following profile confirms user input   username=required ...

And the username check will never execute.
0a4aac3
Commits on Feb 16, 2006
@jonjensen jonjensen Remove apparently never-used SOAP_Host directive. 343797d
Commits on Feb 17, 2006
@racke racke fix unmatched [msg] tags found by Steve Graham 1c988f2
Commits on Mar 12, 2006
@perusionmike perusionmike * Put in Steve Graham's bug fix for bad sku in link. 1c1be6a
Commits on Mar 14, 2006
@perusionmike perusionmike * Make timeout for menu blank settable (Greg Hanson change). 4ef871d
Commits on Mar 28, 2006
cvs2svn This commit was manufactured by cvs2svn to create branch
'STABLE_5_4-branch'.
9a6ba08
@perusionmike perusionmike * Add Interchange::Link patches from devel. 23ee5fe
Commits on Apr 06, 2006
@jonjensen jonjensen Fix typo in sub call. d739bb6
Commits on May 09, 2006
@perusionmike perusionmike * Fix minor security hole of exposing admin's session ID when they
  enter an order for a user.
ba41cc4
Commits on May 10, 2006
@jonjensen jonjensen Fix bug in parser that can cause an infinite loop when malformed ITL
opening tags are encountered.

Bug found and original patch supplied by Dan Collis-Puro <dan@endpoint.com>.
64e36c9
Commits on May 11, 2006
@perusionmike perusionmike * Allow numerals in all but first position in unpack output areas. f2bcbc8
Commits on May 13, 2006
@perusionmike perusionmike * Fix bug introduced in previous change to cert_path logic attempting
  to allow relative paths. If the certs/ directory was not directly
  in VENDROOT and no cert_path was defined, no search for a certs/
  directory would happen.

* We should try to release IC as soon as possible on this one, as an
  upgrade will break catalogs using Verisign PayFlow Pro (which is
  how I discovered this one).
f4ddacc
Commits on May 15, 2006
@racke racke fix outdated reference to interchange-cat-foundation catalog 3e785ba
@racke racke run debconf-updatepo from clean target 170e6b3
@racke racke fix reference to removed interchange/debug Debconf template b34bec8
@racke racke document recent updates 4a72bf2
@perusionmike perusionmike * Improve Linkpoint module based on work provided by Josh Lavin.
  -- Add ability to do POSTAUTH (settle_prior) in Interchange Admin.
  -- Add check_sub capability ala Vend::Payment::Signio.
524801f
Commits on May 17, 2006
@jonjensen jonjensen Fix non-interpolating [process] and [form-session-id] tags, remove stray
" from HTML tag, correct nonexistent cellmargin table attribute, and
XHTMLize HTML (except for self-closing tags).

Thanks to Steve Graham for reporting problem.
7c1e436
@racke racke added Swedish debconf template translation, updated Russian and French one
4dd6241
@racke racke updated PO files d456c40
@racke racke added bug number for initial installs de2a660
Commits on May 18, 2006
@jonjensen jonjensen Move 5.4 branch change notes to a new file, and document all commits
since the branch began.
2e34ea6
Commits on May 19, 2006
@jonjensen jonjensen Sync. 4886288
@jonjensen jonjensen Bump version number to 5.4.1 in preparation for release. 724abbd
@racke racke use invoke-rc.d to run init scripts if command is available 584299f
@perusionmike perusionmike * Change variables sent in POST_AUTH transaction so that partial
  captures can be done, and so that AVS will not be attempted.
  Changes supplied by Josh Lavin.

* Add documentation adapted by Josh Lavin.
dc10b96
@jonjensen jonjensen Correct payment gateway and sub name in example. 5e96aea
@racke racke removed unused Debconf template interchange-cat-standard/demomode 7f96181
Commits on May 22, 2006
@racke racke add Debconf translations notices and fixed serious bug 5cd5e39
Commits on May 26, 2006
@jonjensen jonjensen Mention latest Linkpoint change, and add release date. 5f5277f
@jonjensen jonjensen Update copyright date in a few more visible places. 58e5754
Commits on Jun 06, 2006
Kevin Walsh * Patch for a DoS exploit, pointed out by Donald Alexander. Thanks
      Donald.

      A carefully crafted HTTP POST request could cause an Interchange
      page processor to hang until it's killed by Interchange's periodic
      housekeeping routine.

      If several of these requests are received in quick succession
      then it could be possible to disable all of the page processors,
      rendering Interchange unresponsive for a while.
43c192b
Commits on Jun 13, 2006
@jonjensen jonjensen Get rid of "alpha" moniker, "mike" name, etc. This should've been done
long ago ...
33e9d9c
Commits on Jun 24, 2006
@jonjensen jonjensen Updated Discover Card logo. Provided by Steve Graham. d308fa0
@jonjensen jonjensen * Fix broken admin 404 error page.
* Remove duplicate, sometimes-bogus MV_PREV_PAGE display.
* Eliminate double-interpolation of page comparison.

(Merged from trunk.)
62cbd57
@jonjensen jonjensen Clean up HTML and fix broken links. (Merged from trunk.) d88cf32
@jonjensen jonjensen Clean up HTML, fix broken links, and don't mention Interchange links not
working, since this page wouldn't work in that case either. (Merged from
trunk.)
903fe76
@jonjensen jonjensen Make HTML compatible with XHTML. (Merged from trunk.) dc66d4b
@jonjensen jonjensen Note all changes since last release. d60c49a
Commits on Jun 29, 2006
@racke racke removed last trace of foundation catalog 8802f8e
Commits on Jul 02, 2006
@racke racke updated Swedish translation of Debconf templates (Closes: #375916,
thanks to Daniel Nylander <yeager@lidkoping.net>)
601df21
Commits on Jul 21, 2006
@racke racke Fixed spurious hidden form element output for matrix options with separate
widgets and report option set, patch provided by Peter Ajamian.
5108be7
Commits on Aug 24, 2006
@pajamian pajamian Fix masking of unencrypted credit card numbers to work with a custom
MV_CREDIT_CARD_INFO_TEMPLATE that does not match the regexp.

Fix the above mentioned regexp so it removes the CVV2 value from the
unencrypted data as well.
9b35767
@pajamian pajamian Fix masking of unencrypted credit card numbers to work with a custom
MV_CREDIT_CARD_INFO_TEMPLATE that does not match the regexp.

Fix the above mentioned regexp so it removes the CVV2 value from the
unencrypted data as well.
78c3e76
Commits on Aug 26, 2006
@pajamian pajamian Make sure that we don't overwrite a pre-encrypted block. 27af967
Commits on Aug 30, 2006
@perusionmike perusionmike * Fix problem where get_option_hash would return the reference itself
  when passed one. We need to return a copy so that we can be assured
  we won't modify a configuration value improperly. Since the user is
  asking for an option hash from a possible string, they should not ever
  need or want the exact same reference back.

  Most of the work done by Bruno Cantieni.
03c4fd4
Commits on Sep 19, 2006
@pajamian pajamian * Use <pre> ... </pre> instead of the obsolete <xmp> ... </xmp> element in the
  test_code admin UI page when displaying in SOURCE mode.

* Don't filter entities when displaying in HTML mode.
e8abd41
@jonjensen jonjensen Fix bug in order returns for more than one return.
Patch by Jure Kodzoman <jure@plsavez.hr>. Thanks!
e8b637d
Commits on Sep 20, 2006
@racke racke moved "Test code" entry to stable, as this fix will be released with that
branch
also edited entry slightly
don't mention Peter explicitly anymore, he is a Coree now
a88b22a
Kevin Walsh * Corrected an <img> tag's "alt" parameter typo.
	  (back-ported from CVS HEAD)
864dad5
Kevin Walsh * Autovivification issue: The temporary mv_shipping cart was left
      undefined instead of being removed in some cases.  In fact, in the
      test case that showed the error, the mv_shipping cart was just being
      defined as undef and left as-is.  The undef "cart" caused problems
      in later cart recalculations.
      (back-ported from CVS HEAD)
6e2ce5c
Kevin Walsh * Fixed a CSS syntax error, reported by Paul Jordan in IRC.
      (back-ported from CVS HEAD)
8c0c0c5
Kevin Walsh * The [sql-quote] sub-tag (in the [query] tag) didn't work properly
      if the column data spanned multiple lines, as it may do with an
      INSERT or UPDATE etc.
      (back-ported from CVS HEAD)
3618679
Kevin Walsh * Commented out the "Register (optional)" link for now. It can be
      re-enabled when the link points somewhere useful, or simply removed
      altogether.
      (back-ported from CVS HEAD)
1ad98d3
@pajamian pajamian * If we don't match a prod_group and category in a missing page return the
  missing SpecialPage not results.html.

* If we do have a match display it in the results SpecialPage instead of hard
  coding it to results.html.
06a7e6f
Commits on Oct 08, 2006
@racke racke updated Czech translation of Debconf templates (Closes: #391541, thanks
to Martin Sín <martin.sin@seznam.cz>)
8258c54
Commits on Oct 09, 2006
@racke racke document Debconf template update d876614
Commits on Oct 16, 2006
@perusionmike perusionmike * Only run check_sub (usually AVS) on SALE and PREAUTH, not POSTAUTH. d77ac00
Commits on Oct 31, 2006
@pajamian pajamian Use a path relative to the catroot instead of an absolute path to the catalog error.log file when displaying in UI Administration/Info tab.
a8dfe58
Commits on Dec 05, 2006
@racke racke converted to UTF-8 74b47c4
Commits on Dec 07, 2006
@jonjensen jonjensen Minor XHTML compatibility changes. b9f42c2
@jonjensen jonjensen Work around apparent Perl bug that allowed code called by DispatchRoutines
to overwrite the routines arrays themselves.

Found and fixed by Frederic Steinfels <fredo@dvdupgrades.ch>. Backported
from trunk lib/Vend/Dispatch.pm version 1.63.
65dd7e6
Commits on Dec 25, 2006
@racke racke fixed stupid typo in postinst script of interchange package which
caused creation of a directory named 775 (Closes: #404391, thanks to
Filippo Giunchedi <filippo@debian.org> for the report and the
investigation)
70762bb
Commits on Jan 17, 2007
@pajamian pajamian added missing =cut line at end of docs a6230d9
Commits on Jan 30, 2007
@jonjensen jonjensen Add some overlooked changes to the release notes. b1a5d39
@jonjensen jonjensen Don't show deprecated ./configure anymore, and prepare for new release. 9e1791e
@jonjensen jonjensen Bump version to 5.4.2 in preparation for release. 3bfa91e
Commits on Jan 31, 2007
@pajamian pajamian Wait until the *next* line of the profile before undefining $And.
$And gets set if there is a &and or &or command with no further args (ie
chaining the line above and below together, not chaining two or more tests
together on the same line).  Currently $And gets unset before it has a chance
to affect the following line.  This results in the &and or &or being ignored
and the two lines treated as individual tests.  This patch fixes that by
skipping to the next iteration of the loop before $And is undefined.
541a771
@racke racke * require versions of Perl and DBI which allow to run Interchange
    without (known) crashes with threaded Perl (Closes: #339335, thanks to
    Henrik Holmboe <henrik@holmboe.se>)
  * removed notice about threaded Perl and no longer set MV_GETPPID_BROKEN
77d93b5
@racke racke preserve debug value in settings.cfg 13776c5
@racke racke removed Business::UPS manual page to avoid conflicts with
libbusiness-ups-perl (Closes: #404022, thanks to Michael Ablassmeier
<abi@grinser.de> for the report)
ba12bc8
@racke racke updated with Debian packaging changes 0a31ec3
Commits on Feb 02, 2007
@jonjensen jonjensen Update visible copyright date. 22f42c1
Commits on Feb 07, 2007
@jonjensen jonjensen Fix release date. 35efd20
Commits on Feb 09, 2007
Kevin Walsh * Back-ported the SearchOp bug fixes, which were committed to the 5.5
      trunk on 2006-07-05 at 13:19:54 GMT by kwalsh.
9b1863b
Commits on Feb 16, 2007
Kevin Walsh * Removed a stray </li> closing tag. Probably just a copy/paste error
      from somewhere.
da4809a
Kevin Walsh * Quick fix for a MSIE 7 problem reported by Richard Ball, who was
      trying to use the online demo, and later by Steve Graham on the
      interchange-users mail list.  Thanks to both of you.
70e259f
Commits on Feb 22, 2007
@jonjensen jonjensen Correct Interchange's handling of incoming requests where a form element
has a space in the name. Before the fix, when it gets to values space
it still has the plus. However true '+' characters will have also been
decoded, so you can't distinguish the two. This change switches pluses
to spaces before %2B gets switched to '+'.

Fixed by Brian Miller <brian@endpoint.com>.

(Merged from development branch.)
c9dfd87
Commits on Feb 23, 2007
@racke racke document recent changes c2846db
Commits on Mar 07, 2007
@perusionmike perusionmike * Add fix inspired by Sonny Cook -- prevents bad subroutine reference death.
da525d4
Commits on Mar 08, 2007
@racke racke recent fix from Mike documented 3d75b3d
Commits on Mar 15, 2007
@racke racke Updated Russian debconf template translation. 74638aa
Commits on Mar 30, 2007
@pajamian pajamian Update LICENSE with fresh copy from the FSF at http://www.gnu.org/lic… c901bbd
@pajamian pajamian New Free Software Foundation Address in headers of various files e58b738
@pajamian pajamian record LICENSE and FSF address changes in WHATSNEW 956e1b5
Commits on Mar 31, 2007
@pajamian pajamian Fix incorrect license in headers GPL v2 -> GPL v2 "or later". Update copyrights.
6d964b5
@pajamian pajamian recorded license change in WHATSNEW e91c4ff
@pajamian pajamian Fix incorrect license in headers GPL v2 -> GPL v2 "or later". Update copyrights.
255242c
Commits on Apr 11, 2007
@racke racke removed Debconf dependency from interchange-ui postrm script
(Closes: #416601, thanks to Michael Ablassmeier <abi@grinser.de>)
47002a0
Commits on Apr 13, 2007
@racke racke added Portuguese translation of Debconf templates 52cfb56
Commits on Jun 13, 2007
@racke racke ready for next release 377fb7f
@racke racke etch has been released b0cce1f
Commits on Jun 17, 2007
@racke racke removed libapache-mod-interchange package as Apache 1.3 has been
removed from unstable (Closes: #428849, thanks to Bastian Blank
<waldi@debian.org>)
7613aae
Commits on Jun 18, 2007
@racke racke update for remove libapache-mod-interchange files a4425af
Commits on Jun 22, 2007
@racke racke removed code to build mod_interchange (Closes: #430097, thanks to Bastian Blank
<waldi@debian.org> for the report)
01a8663
Commits on Aug 22, 2007
@perusiongreg perusiongreg * Fix problem with shipping notice caused by bareword. 8164f78
Commits on Feb 06, 2008
Kevin Walsh * Fixed a security bug where an attacker could craft a URI that
      tricks Interchange into executing arbitrary Perl code.  The Perl
      code would be subject to the Safe constraints of course, but could
      still be devastating to the security of the target website.
aa91a3e
Kevin Walsh * Standard demo security bug fix. cc2db5d
@jonjensen jonjensen Fix misspelling. 623d32e
Commits on Feb 25, 2008
@perusionmike perusionmike * Fix bug in regex for auto_format anchor handling. 173626b
Commits on Jun 05, 2008
@racke racke Disabled product comment to prevent spam showing up on default installations.
88114a9
Commits on Jun 16, 2008
@perusionmike perusionmike * Fix deficiency in Levies, where multiple handling modes separated by null
  would not work as in the old subtotal calculation model.
ce3c1e0
Commits on Jul 28, 2008
@perusionmike perusionmike * Fix bug in my commit found by Racke eadb582
@perusionmike perusionmike * Make levies description fix I should have originally made. 4bc0cd7
Commits on Nov 12, 2008
@jonjensen jonjensen Update for release of 5.4.3, and sync manifest. 48a5f65
Commits on Mar 27, 2009
@perusionmike perusionmike * Fix cross site scripting error found by Josh Lavin of Perusion. 3dfeb51
Commits on Jun 27, 2009
@racke racke Correct detection of broken getppid() for Perl 5.10.0 (RT #286) e08436e
@jonjensen jonjensen Add .gitignore from master branch 26b64c2
Commits on Sep 15, 2009
Mark Lipscombe Fix remote disclosure security vulnerability
Add new configuration option AllowRemoteSearch to selectively re-enable
remote searches on "safe" tables. Defaults to products, variants and
options.

Please see UPGRADE for important information on upgrading your catalogs
to prevent any problems.
81654e4
@jonjensen jonjensen Development switched from CVS to Git e1216e8
@jonjensen jonjensen Set version to 5.4.4 for release 1bf2aa7
@jonjensen jonjensen Sync manifest 09e346b
Commits on Sep 16, 2009
@jonjensen jonjensen Move AllowedFileRegex from catalog into global configuration
This prevents catalog-level tampering of the regular expression used for
checking paths are allowed by NoAbsolute. It is set at startup time but
before as a catalog configuration entry could be manipulated even in
Safe page code.

Problem reported by Peter Ajamian.

(Cherry Picked from f34ce1b)
83812b0
@jonjensen jonjensen Prevent TemplateDir from circumventing NoAbsolute constraints
Problem reported by Peter Ajamian.
(cherry picked from commit f265e8a)
(cherry picked from 6d618a6)
a0010f8
@jonjensen jonjensen Set $Vend::Cat as early as possible
This solves a chicken-and-egg problem for configuration-time code that
works fine once the catalog is fully configured.
(cherry picked from commit 74803e2)
(cherry picked from commit 58cb83e)
99b4530
@jonjensen jonjensen Make sure catalog TemplateDir directives are safe when NoAbsolute is set
(cherry picked from commit 239f9a3)
9bb84ae
@jonjensen jonjensen parse_relative_dir: Use standard absolute_or_relative() check
Use standard routines to check for absolute or subdirectory-escaping
paths instead of duplicate logic here.

Remove comment that's somewhat misleading since relative paths are
absolutized all over in other routines too.
(cherry picked from commit 7fcf352)
(cherry picked from 21283ad)
d3e3b8d
@jonjensen jonjensen parse_dir_array: Validate paths for NoAbsolute etc.
(cherry picked from commit 08a1fde)
(cherry picked from commit 5ec0f91)
c1f7147
@jonjensen jonjensen Disallow abuse of writes via ErrorFile when NoAbsolute is set
Exploit reported by Peter Ajamian.
(cherry picked from commit 9b6872c)
(cherry picked from commit 5dd0cf2)
178a5c3
@jonjensen jonjensen Fix bug that didn't tolerate relative TemplateDir settings
(cherry picked from commit 45471c4)
(cherry picked from commit e61f8eb)
f8912f2
@racke racke check whether directory is allowed before, not after path expansion
(cherry picked from commit 4f17bcc)
(cherry picked from commit 09fe58f)
0b27344
@pajamian pajamian Note latest commits 002b21c
@jonjensen jonjensen Fix two occasionally broken tests.
Two tests of the [query] tag and built-in SQL parser relied on the results
being returned in a particular, even though SQL's result sets are not ordered
by default.

Fixed this by specifying a sort order and setting the results to match.
4bdc908
@jonjensen jonjensen Remove CVV2/CSC from default credit card encrypted block template
The card security code should not be stored at all, even in encrypted
form. This makes the default behavior compliant with section 3.2.2 of
PCI-DSS 1.2:

https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

It is of course still possible to manually supply a template that
stores the card security code in violation of PCI-DSS requirements, so
developers should review any custom credit card encryption templates
to make sure that the CVV2 is not included, and purge it from any
historical data they have stored.

Thanks to Mark Lipscombe for calling attention to this.
4813bab
@pajamian pajamian Don't ignore case of passed options to compile_link.
compile_link was confusing the -s socketfile option with the new -S status
because Getopt::Long ignores option case by default.  This fixes the problem by
passing the no_ignore_case config parameter to Getopt::Long.
1e3ece6
@jonjensen jonjensen Update copyright year in Standard demo page footer 9a0189d
@jonjensen jonjensen Fix test failing because 12/2008 is now in the past 6d566b5
@jonjensen jonjensen Note changes backported from master 00ec49f
@jonjensen jonjensen Update copyright year c5414b3
Commits on Jan 05, 2010
@pajamian pajamian Change [forum] tag to default to NoReparse. 6a79f95
Commits on Feb 23, 2010
@machack666 machack666 Properly initialize BOP supplemental parameters.
This fixes a bug where supplemental parameters passed to the payment
module to initialize the Business::OnlinePayment gateway object get a
value of 1 instead of what's in your catalog.cfg or
products/variable.txt.

Patch by Richard Siddall, with minor bugfixes by David Christensen
cc3d816
Commits on Mar 22, 2010
@machack666 machack666 Fix "HTTP Response Splitting" security exploit
Discovery and patch from Justin Otten <justin.otten@gmail.com>:

Added new method to Util.pm for scrubbing newlines from header data.
Updated all discovered instances of the use of the "Location" header
ran the URL through the routine.
5c4596a
Commits on Mar 24, 2010
@machack666 machack666 Update WHATSNEW in preparation for release f53daf8
@machack666 machack666 Fix css.tag to properly output the css when using the inline <style> block

css.tag attempts to write a file out to the filesystem after reading
in the css via either variable or literal.  If the file path it
attempts to write to is not writable, for whatever reason, instead of
creating a <link> tag to the written file, it attempts to create a
<style> tag containing the css.

Currently, if it ever creates the style tag, it will never contain the
css.  When the location is not writable, it skips the portion of code
that reads in the actual css, either from the literal option or the
contents of the variable.

This patch moves the reading of the css up to a point where it can't
be skipped, allowing both the link and style tags to be created
properly.

Report and patch by Justin Otten <justin.lasotten@gmail.com>
cc52a2f
@machack666 machack666 Additional update of WHATSNEW 096881c
@machack666 machack666 Update copyright dates 190c084
@machack666 machack666 Bump version numbers 1767d07