------------------------------------------------------------------------------
What's new in each version of Interchange
(on the version 5.6 stable branch)
------------------------------------------------------------------------------
See UPGRADE document for a list of incompatible changes.
Interchange 5.6.1 released 2008-11-13.
Core
----
* Fixed regression in Vend::Table::DBI::set_slice for the following usage
  pattern (RT #200):

  $Db{table}->set_slice('', %parms);
* Quell bogus warnings from Encode::Alias (#224). Thanks to Andy
  <ic@tvcables.co.uk> and Rene Hertell <icdevgroup@hertell.com>.
* Added Nunavut to the list of valid Canadian provinces (#231). Thanks to
  Mathew Jones for the report.
* Fix vulnerability where a string passed in the mv_order_item CGI variable is
  displayed verbatim, without any input sanitization, if there is a valid SKU
  in mv_sku. Thanks to Mat from Bibliopolis for discovering and reporting the
  vulnerability.
* Fixed deficiency in Levies, where multiple handling modes separated by null
  would not work as in the old subtotal calculation model.
* Allow XML posts by e.g. Google Checkout, which broke in Interchange 5.6.0
  (RT #219). By Andy <ic@tvcables.co.uk>.
* Corrected logic flaw that applied UTF-8 handling in some cases where it
  shouldn't have. Fixed by David Christensen <david@endpoint.com>.
UserTag
-------
* We are vulnerable to cross-site scripting problems any time there is a
  <input value="[value foo]"> call. You can get around this, of course,
  with <input value="[value name=foo keep=1 filter=encode_entities]">
  instead. That is a bit of a mess, though, so I added an alias for that
  called "evalue".

  You call it with [evalue address1], which is identical to
  [value keep=1 filter="encode_entities" name=address1].
Widgets
-------
* Prevent cross-site scripting problem in the country-select widget. Found and
  fixed by Josh Lavin of Perusion.
Admin UI
--------
* Fixed regression in ContentEditor.pm to make it possible again to create
  files via the Admin interface.
Payment
-------
* If the tmp/wget directory (or more properly "$Vend::Cfg->{ScratchDir}/wget")
  did not exist, use_wget mode would error out.
  Changed the code to create the directory if it does not exist, and to give
  a better error if by some strange chance a file exists there.
Standard demo
-------------
* Made userdb password field nullable for Postgres, to avoid new user creation
  problems.
* Disabled product comment to prevent spam showing up on default installations.
* Provide reasonable defaults for shipping mode and country at checkout to avoid
  "not enough information" errors.
* Modified include/checkout forms to use evalue. There are undoubtedly many
  other places it should be put in. But until this is evaluated properly I
  don't want to do it all over the place. You can do so with this one-liner,
  at least pretty reliably:

  perl -pi -e 's{value="\[(value\s+[-\w]+\])}{value="[e$1}g'

  I think we have gotten rid of all VALUE= uppercase kind of things,
  but if not we should now.
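The [value] versus [evalue] difference described under UserTag and the one-liner above, worked through as an added example (not Interchange's own code): HTML::Entities is the real CPAN module, while render() and use_evalue() are toy helpers made up here, and the form values are constructed.

```perl
#!/usr/bin/perl
# Added example, not Interchange code: a toy template expander showing why
# value="[value NAME]" is an XSS hole and how [evalue NAME], i.e. the
# encode_entities filter, closes it. render() and use_evalue() are names
# invented for this example; HTML::Entities is the real CPAN module.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Constructed form submission. The second value contains characters that
# end a quoted HTML attribute and open a tag when echoed verbatim.
my %form = (
    address1 => '123 Main St',
    name     => 'Sam "Jr" O\'Neil <sam@example.com>',
);

# [value NAME] is expanded verbatim (the old behaviour of the demo forms);
# [evalue NAME] is expanded through encode_entities, which turns < > & " '
# into entities so the text cannot break out of the attribute it sits in.
sub render {
    my ($template, $form) = @_;
    $template =~ s{\[value\s+([-\w]+)\]}{ $form->{$1} // '' }ge;
    $template =~ s{\[evalue\s+([-\w]+)\]}{ encode_entities($form->{$1} // '') }ge;
    return $template;
}

# The page's one-liner as a function: rewrites every value="[value NAME]"
# in a template to value="[evalue NAME]" using the same s{}{} expression.
sub use_evalue {
    my ($template) = @_;
    $template =~ s{value="\[(value\s+[-\w]+\])}{value="[e$1}g;
    return $template;
}

my $old_form = '<input name="name" value="[value name]">';
my $new_form = use_evalue($old_form);   # now reads [evalue name]

print "template before: $old_form\n";
print "template after:  $new_form\n";
# Verbatim expansion: the embedded quote terminates the value attribute and
# the rest of the input lands in the tag as stray attribute text.
print "rendered before: ", render($old_form, \%form), "\n";
# Encoded expansion: the whole input stays inside the attribute as text.
print "rendered after:  ", render($new_form, \%form), "\n";
```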
Packaging
---------
* Numerous Debian packaging and localization updates.
------------------------------------------------------------------------------
Interchange 5.6.0 released on 2008-05-21.
(end)