Find file
Fetching contributors…
Cannot retrieve contributors at this time
1152 lines (747 sloc) 38.7 KB
What's new in each version of Interchange
(in development since the version 5.6 branch)
See UPGRADE document for a list of incompatible changes.
Interchange 5.7.7 released on 2011-06-12.
* Ensure users were always assigned sessions when using major
browsers, regardless of any toolbar matches in the User Agent
* If we are running an or search and not all of the specs have equivelant sql
specs (WHERE clauses) then don't try to optimize the query as doing so will
cause records to not be returned that might match other specs.
* Allow customization of "DO ANOTHER" HTML block in the table editor. The DO
ANOTHER block contains hard-coded text and return-pages used for radio buttons
which is always displayed for new entries. This change allows customized HTML
to replace it for when you want to use the table editor in your own custom
admin pages.
* Strip bad characters from affiliate source. These characters cause problems
in the usertrack log (and possibly other places) if they are allowed to remain
in the source.
* Remove newline from errormessages to be able to parse locale of it
* Fix a bug in the [read-cookie] tag which in very specific rare
circumstances could return the wrong value for a cookie.
* Fix a bug in parsing of TemplateDir directive with multiple directories
on a single line (RT#318).
Thanks to Mat Jones for the report.
* Fix for processing GDBM files while using UTF8.
* Add additional UserDB encryption options.
* Add pragma handling for setting the Cache-Control header.
* Enhance TrustProxy to handle multiple chained proxies.
* Multiple bugfixes to payment modules.
* Fixes when sending UTF-8 email.
* Allow sorting of forum entries.
Standard Demo
* Fix for adding items to cart with options shows expired page message. Thanks
to Steve Graham <>.
* Fix for country selection drop down.
Thanks to Paul Jordan <>.
* Fix for state selection drop down for Ireland.
Thanks to Paul Jordan <>.
Interchange 5.7.6 released on 2010-03-23.
* Fix a "HTTP Response Splitting" security exploit. This is not known
to be exploitable in the standard demo, but could potentially affect
other pages in rare circumstances.
* Fix a bug in initialization of Vend::Payment::BusinessOnlinePayment
supplemental parameters.
* Fix a bug in css.tag to properly output the css when using the
inline <style> block.
* Allow for bounces from Autoload routines.
* Fix SpecialPages directive for violation.html.
* Give some sort of informative error message if we crap out loading the locale
Standard Demo
* Correct comments in catalog.cfg for Limit robot_expire.
* Add comments for Limit ip_session_expire.
Admin UI
* Remove the AdminUser configuration directive.
* Allow ids to be added to form widgets built from mv_metadata.
* Update jEdit syntax highlighting mode.
Debian packaging
* Multiple bug/dependency fixes.
Interchange 5.7.5 released on 2010-02-23.
* Fix bug when calling some versions of Sys::Syslog.
* Multiple Debian fixes and translation updates.
* SEO-friendlier ActionMaps supported; hyphens are turned resolved into underscores.
* Make the [forum] tag default to NoReparse.
* Upgraded Vend::Payment::PaypalExpress to v1.0.7 from
* Fix for yet another variation in the way that Paypal handle Canadian province names.
So we have 'British Columbia', 'BC', and now 'B.C.' formats.
* Allow use of the [assign] tag in shipping.
* Allow 'use_billing_override' to send billing addresses.
* Display Long rather than Short PayPal error message to customers.
Last three changes contributed by Josh Lavin.
* Added CyberSource SOAP toolkit payment module. Includes payment modules for:
* Standard credit card
* Bill Me Later
* Paypal Express Checkout
* Electronic check
* Corrected Vend::Payment::BusinessOnlinePayment handling/passing of
supplemental parameters.
Interchange 5.7.4 released 2009-12-09.
* Make the default session 'spider' variable reflect $Vend::Robot status,
which more accurately says whether the request was made by (what
Interchange considers) a spider, not just any old temporary session.
* Force raw encoding for file uploads (RT #268).
* Overhaul syslog support and offer much faster Sys::Syslog mechanism.
* Move parsing of CGI input to Vend::Dispatch::open_cat (#268).
* Fix bug related to [tag pragma name value] semantics being different
than [pragma name value].
* Increased performance when using mv_max_matches with searches:
* Make mv_max_matches stop all further searching once the limit is
hit, rather than loading the entire result set into memory and
then truncating it.
* Add pragma max_matches, which takes precedence over user-supplied
mv_max_matches unless the user-supplied argument is more restrictive.
* Provide a default implementation of mime_name for compatibility with
older versions of
* Recognize LWP::UserAgent as a robot.
* Avoid encoding binary data in [deliver].
Debian packaging
* Eliminated commands with absolute paths in maintainer scripts.
* Added Spanish translation of Debconf templates.
Admin UI
* Multiple cleanups and minor performance enhancements.
Interchange 5.7.3 released 2009-11-05.
* Fix empty charset= lines when no $Vend::StatusLine was previously set.
* Allow POST with Content-type of application/json.
* Remove empty mv_arg from more-list links.
* Cleanup some POD documentation.
* Fix crash with TolerateGet and upload forms (#325).
* Show discount error message that was missing. Fixed by Jeff Boes.
* Die on errors in global configuration of crontab.
* Stop display of invalid user-provided session ID. Should not be XSS
exploitable, since displayed in text/plain context, but don't show anyway
in case any browser does improper content-type handling.
* Avoid XSS exploit in CGI input error. Reported by Justin Otten.
* Add BounceRobotSessionURL directive to 301 redirect robots which
provide an explicit mv_session_id to the canonical page URL without
the explicit mv_session_id. This prevents search engine urls from
being indexed with an explicit session_id.
* Remove reference to deprecated Spreadsheet::WriteExcel::Big module in
backup-database tag.
* Allow passing of "id" to the [display] tag. It will be output in the form
element and a label element will be created to match, if appropriate.
Example 1:
[display id=category options=|
1=Junior High School,
2=High School,
4=Graduate School,
| value="[evalue category]" type=select name=category]
Output (bring your own <label for=category>):
<select name="category" id="category">
<option value="" SELECTED>--select--
<option value="1">Junior High School
<option value="2">High School
<option value="3">College
<option value="4">Graduate School
Example 2 (label elements provided):
[display name=publish_email value="[evalue publish_email]" type=radio
passed="0=No,1=Yes" blank_default=1 id=publish_email]
<input type="radio" name="publish_email" value="0" id="publish_email0">
&nbsp;<label for="publish_email0">No</label>
<input type="radio" name="publish_email" value="1" id="publish_email1" checked>
&nbsp;<label for="publish_email1">Yes</label>
Standard Demo
* Correct bounces to nonexistent error pages.
* Fixed bug that causes options to not show up on the checkout receipt, or the
order report, or the mail reciept for most or all items.
* Fix problem that prevented unsubscribing from all mailing lists.
Debian packaging
* Keep virtual host name supplied by user.
* Move CSS & image files from /var/www/interchange-5 to
* Use virtual host instead of system hostname as server name for demo catalog
if FullUrl is enabled.
* Updated translations of Debconf templates.
Interchange 5.7.2 released 2009-09-17.
* Close remote disclosure security vulnerability, and added new configuration
option AllowRemoteSearch to selectively re-enable remote searches on "safe"
tables. Defaults to products, variants and options.
Please see UPGRADE for important information on upgrading your
catalogs to prevent any problems.
* Fix validate_charset to return mime charset names only.
* Enable catalog usertags within dispatch routines.
* Add SpecialSub order_missing (#221).
* Make TAX_CATEGORY_FIELD work as intended, where a colon-separated table and
field will work as well as a simple field in the same table as the item.
* Add environment variable MINIVEND_DISABLE_UTF8 which allows us to
skip the Encode module entirely.
Since "no encoding" does not remove the tie from regexes to Encode,
but only disables it, you can't use that method. You have to literally
not include Encode in the module namespace. This environment variable
prevents require/import of the module if it is set true.
It also adds a Global UTF8 directive that would normally not be, but could
be, set by the user. This disables UTF8 with "no encoding", which should avoid
some of the Perl UTF8 insanity but still won't avoid a potential "require" or
"dofile" on a simple regex.
* Change Vend::CharSet away from the quasi-object style of programming
(i.e. Module->routine()), since this module is only used internally.
This will improve performance if/when a large number of CGI parameters
are passed.
* Pass data to be encoded by Vend::CharSet by reference. While the
Encode module inexplicably won't operate on references, at least we
can avoid slinging hundred-megabyte files by value for what ends up
being a no-op. Should you have to decode the data, it will still be
slow but it will be limited to that eventuality, not every uploaded
* Vend::Interpolate::taxable_amount: Remove unnecessary calls to item_subtotal
and thus the database. Thanks to Josh Braegger <>.
* Unit tests: Test various values access methods. Fix some [query] test
corner cases.
* Add new child-process tag and core support routines. This tag runs
ITL code in a forked child process. Useful for offloading processes
that take a relatively long time to complete.
* link programs:
* Make HTML just a tad more modern.
* Make message configurable in
* Alter compile_link.PL to allow error message to be built from a file.
Uses four lines, concatenating remainder of file into one big line 4.
Tested with 70K file with many double-quotes, newlines, and carriage
* Add status option to make compile_link.PL to make error status
* Add status option to make compile_link.PL to make error content type
* Fix rare bug that caused requests to / URL with a query string to fail, e.g.:
Interchange in that case looked for a page called "/?somevar=1".
Thanks to David Christensen <> for the fix.
* Correct .access functionality directly in pages/
.access worked in subdirectories like pages/abc/, but didn't work directly
under pages/.
* BounceReferrals changes:
* Fix bug that kept query strings from being passed through due to use of
nonexistent %$CGI::Values instead of %CGI::Values.
* Remove mv_pc and mv_source to prevent redirection loops.
* Don't generate a "process" URL for root URL; use DirectoryIndex instead,
if available.
* Make [email] process cc and bcc options for plain text emails (#250).
* Allow catalogs to be set to have Perl always global by default.
AllowGlobal catname
PerlAlwaysGlobal catname
This is a global directive (i.e. interchange.cfg).
[perl global=0] will still be honored, i.e. that will be interpreted
by Safe.
* Allow catalogs to turn off "strict" in global mode by default:
PerlNoStrict catname
This is a global directive (i.e. interchange.cfg).
This is intended as an easy way to allow catalogs to work all right
with Vend::Charset. Sad, but can't think of any better way short of
maintaining our own version of the UTF8 modules. It is really sad,
because the Perl powers that be have totally abandoned Opcode and
* Correct issue with hi-bit characters in search strings.
This corrects the "Wide character in subroutine entry" error that
occurs when hi-bit characters are used in a search. The failure was
caused by Digest::MD5's reluctance to process characters > 0xFF, so we
just convert any search options to UTF8 before calculating the MD5.
* Add support for SHA1 encrypted userdb passwords.
* Add new "promote" feature. When active, and passwords
of any of the other algorithms are present, on next
login the user's password will be promoted to the
target hashing algorithm. This way, password strength
can be increased organically.
Use of SHA1 passwords can be specified in the same manner
as currently MD5 can be:
UserDB ui sha1 1
To utilize the promotion feature, you add a similar line
for the UserDB definition:
UserDB ui promote 1
Promote implies that strength is increased, but in reality
promotion will move in any direction desired. The requested
hashing algorithm is the target, and whatever the form of the
passwords in the database, they will be converted to the target.
E.g., if neither sha1 nor md5 is specified, and the database
currently has md5 passwords, if promote is added, it will have
the effect of promoting to crypt(), the target hashing algorithm
(which happens to be the default).
If promote is not used, the change is fully backward compatible.
Whatever method is specified will be used, and if the database
has passwords of a different algorithm, authentication will fail.
You should not specify more than 1 hashing type. If you specify
both md5 and sha1, you'll be subject to the whims of hash
ordering from keys().
Also note that, before promoting to a stronger hash, you should
ensure your database's password field is long enough to hold the
new, longer datum.
Original work from Steven Jenkins <> for
framework of promotion code.
* Add global timeout feature for payment gateways.
The different payment gateways all tend to implement their own timeout features
with varying degrees of success. In particular, LWP-based clients do not appear
to have any capability of passing a timeout by the developer whenever it uses
the https protocol. Thus, the use of LWP's timeout feature is illusory and
forces any activity to a 180s timeout.
The new feature completely separates out the gateway activity with a fork,
giving it reliable control over the duration of the gateway request. It also
eliminates the need for each gateway module to implement its own timeout,
either because the developer chose not to, didn't consider it, or because the
developer discovered it was hopeless to do so using LWP.
The feature is invoked using the "global_timeout" option in the payment route,
or as an opt passed to [charge]. global_timeout should be any positive integer,
which will define the number of seconds until the timeout is triggered. If this
new option is not used, the effect is a no-op, with behavior identical to that
prior to the feature. No changes in config means completely backward
Additionally, a new "global_timeout_msg" option is available so that the
message produced if the alarm fires can be customized within the payment route.
Route payflowpro id "__PAYFLOWPRO_ID__"
Route payflowpro secret "__PAYFLOWPRO_SECRET__"
Route payflowpro partner "__PAYFLOWPRO_PARTNER__"
Route payflowpro vendor "__PAYFLOWPRO_VENDOR__"
Route payflowpro host "__PAYFLOWPRO_SERVER__"
Route payflowpro transaction A
Route payflowpro global_timeout 20
Route payflowpro global_timeout_msg "We're sorry ... [etc.]"
* Add DowncaseVarname config. Given a space- or comma-delimited list of CGI
params, Interchange will accept those params in any case from the query
string and force them to lower case. Developed primarily to address affliates
creating URLs with "mv_pc" but using inconsistent case in the URL, and thus
Interchange missing it.
* Add new SessionCookieSecure boolean catalog directive. When enabled, makes
session cookie set in https usable only in https.
* Add new SourcePriority catalog directive.
SourcePriority <source_list>
<source_list> is a prioritized list of cgi variables to get the source
(affiliate) name from. Can also include the following:
mv_pc - has the current special casing of mv_pc, (ie RESET is special as
are values that contain only digits).
cookie-foo check the cookie with the foo label.
session - stop here if session already exists, do not check any further
session-foo - stop here if foo session variable is set.
Default: SourcePriority mv_pc mv_source
Check the MV_SOURCE cookie for an affiliate name as well as the other defaults:
SourcePriority mv_pc mv_source cookie-MV_SOURCE above, but you don't want your affiliates using mv_pc:
SourcePriority mv_source cookie-MV_SOURCE
Check the cgi variable affid instead:
SourcePriority affid
Say you send affiliate traffic to other sites, and you don't want
those sites to get credit for sales if a customer follows a banner from
them back to your site:
SourcePriority session mv_pc mv_source
If you want affiliates who use the specialsource cgi variable instead of
mv_source to get special treatment and can override customers who
already have sessions:
SourcePriority specialsource session mv_pc mv_source
If you want to allow affiliates to get credit if there is a
session but only if no other affiliate is already set:
SourcePriority session-source mv_pc mv_source
* Add directive SourceCookie, support for persistent affiliate tracking.
Setting SourceCookie defines the relevant attributes of a cookie to be
maintained in conjunction with the usual session-only parameter
$Session->{source}. Its usage eliminates the duration of the user's session as
the limiting factor for applying credit to a referral.
SourceCookie and SourcePriority would be expected to typically work in tandem,
and thus the same cookie defined in both contexts. However, there is no such
requirement to do so. Defining SourceCookie by itself merely makes the cookie
available any time the core source routines set or manipulate
$Session->{source}. That cookie may, or may not, be leveraged as an element in
SourcePriority, which itself may look to a cookie not maintained by
SourceCookie supports the following attributes:
* name (required)
* expire (any format supported for [set-cookie])
* domain
* path
* secure
* autoreset
autoreset is a boolean that, when true, will cause each request from the client
to reset the cookie in the response, effectively refreshing the expiration time
relative to the current time. Uses, for example, might include a desire to
ensure that the source cookie last "forever" (autoreset + sufficiently long
expire period) or for more obscure uses such as "Affiliate should last [value
of expire] from the last request".
Attributes may be positional in order of (name expire domain path secure), but
it is recommended that they be expressed as key=value pairs for clarity.
Example using both SourcePriority and SourceCookie together in catalog.cfg:
SourcePriority mv_pc mv_source cookie-MV_SOURCE
SourceCookie name=MV_SOURCE expire="180 days"
* Add reload of AutoModifier based on a prepended ! (exclamation point).
AutoModifier !download pricing:price_group
The download attribute will be recomputed for the current sku when
the cart is recalculated.
* Add ability to merge user logins with merged_user field. When the
user logs in, their username is changed to the value of the ID in
that field. No default, so not operational in standard demo catalog.
Enabled with:
UserDB default merged_user merge_to
That would look in the database field "merge_to" for a user name
to change to.
* Force re-configure on compile_link --force.
* table_editor/flex_select: Add ability to link "edit record" to custom
page with custom parameter. Also can now change "edit record to
something else like "view user".
* Fix table editor bug found by Jeff Boes <> which
prevented custom widget type from working.
* Add shorthand to allow beginning/ending year with date widget name
(i.e. yearbegin1934, yearend0000 where 0000 means current year).
* Add ability to configure the number of levels and hash length for
the directory structure of file-based sessions. Instead of a fixed
value of 2 and 1 for levels and length, respectively, make two
configuration parameters named SessionHashLevels and SessionHashLength
Default is 2 and 1, respectively, matching the current values.
This solves the problem of session IDs passed from CGI::Session or other
modules that use a quasi-sequential session ID. You end up placing all
sessions in the S/2 directory for a long time, followed by the S/3 directory,
etc. A setting of:
SessionHashLength 4
SessionHashLevels 1
would break sessions up into separate directories instead of putting all
sessions in a huge directory.
* Encoding and fallback for reading/writing files while in UTF-8 mode.
* New adjust_time() function allows time adjustment based on secs, mins, hours,
days, weeks, months and years. Also can string multiple adjustments together
and compensate for daylight savings time changes over the adjustment period.
* _set_acl() in now uses adjust_time() instead of time_to_seconds().
* Fix MaxQuantityField to allow a null, blank, or non-numerical entry in the
field to represent that no maximum quantity should be enforced for that
* Minor updates to default robot detection configuration.
* Fix omission of media type in <link> output of [css].
Patch by Thomas J.M. Burton <>.
* Allow synonym evalue for value in [if] checks.
* Add Vend::Safe abstraction to fix problems with UTF-8 inside Safe.
* Fix crash that occurred with an empty AutoModifier.
* Allow Interchange daemon to start with no Catalog declarations.
* Unbuffer output as soon as possible to make regular & error messages stay
in sequence during startup.
* Abort daemon startup when required module is missing and clean up error output.
* Update broken getppid() detection for Perl 5.10.0.
* Do not specify a default charset if none is passed via MV_HTTP_CHARSET.
Thanks to Raymond Cheng <> for pointing out the regression
caused by this.
* Always log route_order errors regardless of errors_to setting.
* compile_link was confusing the -s socketfile option with the new -S status
because Getopt::Long ignores option case by default. This fixes the problem
by passing the no_ignore_case config parameter to Getopt::Long.
* If the flypage SpecialSub returned a non-existent SKU then a blank flypage
would be displayed (with no data). This is now fixed so that there is no
difference to what happens without a SpecialSub.
* New areapage SpecialSub that allows you to change the page name passed to the
[area] family of tags and functions before the tag processes the page name.
* Various UTF-8 support fixes.
* Add NoBlankLines option to and clean up error HTML in Interchange::Link.
* Fix XSS exploit in account creation username check error display (RT #306).
Thanks to Carl Bailey for reporting the problem.
* Clean up UserDB error output by excluding Perl file & line output.
* Fix PreFork mode daemon restart problem. Now child processes are properly
killed off.
* Make sure catalog TemplateDir and ErrorFile directives are safe when
NoAbsolute is set.
* Fix problems with applying Interchange filters to UTF-8 content (RT #258).
* Add PaypalExpress payment module from Lyn St George <>.
* Remove long-defunct BoA (Bank of America) payment module. Bank of America
is a reseller for CyberSource so its module applies:
* Remove long-defunct CyberCash payment module.
* Deprecate Signio payment module, which uses an API that current Payflow
Pro owner PayPal says they will no longer support after September 1, 2009.
* Add new PayflowPro payment module, which replaces Signio. Based on code by
Tom Tucker.
* Allow extra parameters to be passed to Business::OnlinePayment.
Changes by Bill Carr <>.
* [pay-cert] tag now uses the new adjust_time() function instead of the older
* Remove CVV2 (Card Security Code) from default credit card encrypted block
template so that it will not even be stored in encrypted form. This makes
the default behavior compliant with section 3.2.2 of PCI-DSS 1.2:
It is of course still possible to manually supply a template that stores
the card security code in violation of PCI-DSS requirements, so developers
should review any custom credit card encryption templates to make sure that
the CVV2 is not included, and purge it from any historical data.
* Send correct level 2 card data with AuthorizeNet module. This improves the
discount rate for a lot of card types.
* Linkpoint: Add CVV capability, and partial pay_cert payments
* Add SagePay and GoogleCheckout modules from Lyn St George.
* Add Worldpay module from Andy Smith of
* Remove bloat that duplicates %z functionality in Vend::Util::logtime().
* [run-profile] now accepts ref attribute to check an arbitrary hash.
* Add empty attribute for [convert-date] to display a custom string
instead of the current date when no proper date is passed.
* [component], [convert-date] and [css] now use the new adjust_time() function
instead of the older time_to_seconds().
* [convert-date] has a new compensate_dst attribute that when set to 1 will
compensate the adjusted time for daylight savings time changes.
* Fix bug in [convert-date] that skewed the time by one hour if the starting
date was during daylight savings time and an adjustment was made.
* Fix regression in [convert-date] that caused it to display Sunday for every
day of the week if a raw date was passed and the adjust attribute was not.
Thanks to Marty Tennison <> for reporting the bug.
* Add maps of country names and updated international shipping services needed
by USPS in [usps-query]. Thanks to Josh Lavin and Mat Jones.
* The error is now not anymore automatically appended to the output of [error]
when MV_ERROR_STD_LABEL has a value.
* [time] now uses adjust_time() instead of the older time_to_seconds(). There
is also a new compensate_dst attribute that when set to 1 will compensate the
adjusted time for daylight savings time changes.
* Make code/Filter/text2html.filter output valid code.
Using double <br>'s instead of opening tag <p>.
* Strip all remaining HTML tags (not just b/i/u tags) in html2text filter.
* Require module Digest::SHA1 in the sha1 filter to raise error sooner if
it's missing.
* Add strip_html filter.
* Allow custom error messages for email_only check.
* ISBN check can be advised to accept ISBN-10 or ISBN-13 numbers only.
* Add job group name to error message on missing catalog.
Admin UI
* Check/uncheck all facility for customers/items (#18).
* Allow file removal with uploadhelper widget (#180).
* Fix default shipmode on entry page due to incomplete [either] clause.
* Fix some broken HTML.
* Recognize Opera as DHTML browser. Thanks to Don Hathaway & Steve Graham.
* Add framekiller for clickjacking defense in template. Probably we are
unlikely to have problems in the standard template, but you never know.
* Avoid problem of side-effect read-only variable table in file navigator.
* New user_merge specialsub is run from the [user-merge] tag when two users are
* Keep ui_new_item present in the form (#31).
Standard demo
* Correct bug in ncheck_category GlobalSub.
* Recognize Opera as DHTML browser. Thanks to Don Hathaway & Steve Graham.
* Require forum users to be logged in, to prevent spam.
* Prevent an incomprehensible error when following an order link that was
created on an mv_tmp_session page or other non-connecting session.
* Correct update of saved company value for shipping address (#125).
* Display company name in shipping & billing addresses.
Thanks to Steve Graham <>.
* Correct min/max length for username entry to ship_addresses.html (#114).
* Refurbish standard/pages/quantity.html (#204).
* Add German locale translations (#40).
* Fix wrong URLs in language selection (#265).
* Have tab-delimited files sort by primary key so it's easier to diff and
see real changes. Affects access, locale, mv_metadata, survey, and variable.
* Standardize encoding of sample locale table data to UTF-8.
* Remove spurious SQLite database configuration file and corrected others.
* Remove rarely used mass_setting admininstration page.
* Add company name to shipping and billing addresses and filter output
with evalue.
* Added jEdit mode files for Interchange to eg/jedit. Thanks to Justin Otten.
* Added runtime dump-memory global UserTag and ActionMap for very low-level
troubleshooting beyond what the structure files can offer.
Interchange 5.7.1 released 2008-11-13.
* Perl 5.8.5 or newer is now required.
* Fixed regression in Vend::Table::DBI::set_slice for the following usage
pattern (RT #200):
$Db{table}->set_slice('', %parms));
* Quell bogus warnings from Encode::Alias (#224). Thanks to Andy
<> and Rene Hertell <>.
* Added Nunavut to the list of valid Canadian provinces (#231). Thanks to
Mathew Jones for the report.
* Fix vulnerability where a string passed in the mv_order_item CGI variable is
displayed verbatim without any input sanitation if there is a valid sku in
mv_sku. Thanks to Mat from Bibliopolis for discovering and reporting the
* Refined error message for missing actions.
* Vend::Interpolate::interpolate_html returns undef on undefined input text.
This allows to determine whether $Tag->include fails or just produces an
empty string.
* Fixed deficiency in Levies, where multiple handling modes separated by null
would not work as in the old subtotal calculation model.
* Correct cookie-clearing function in UserDB.
* Extend MaxQuantityField config directive to support fields prefixed with
'=' or '?'.
By default, there's no behavior change and specification of
'MaxQuantityField f1 f2' sets max quantity to f1 + f2.
With f1 =f2, max quantity is unconditionally set to f2.
With f1 ?f2, max quantity is set to f2 only if f2 > 0.
By Cameron B. Prince <>.
* Allow SQL EXPLAIN and SHOW along with SELECT, for queries.
Thanks to Frederic Steinfels.
* Allow explicit manual table exports even when NoExportExternal is enabled,
using the force option to &Vend::Data::export_database.
* Fixed database typing problem for HIDE_FIELD. Reported by Sonny Cook.
* Support "secure cookies", which are sent only over SSL connections.
From a patch by Frederic Steinfels <>.
* Allow XML posts by e.g. Google Checkout, which broke in Interchange 5.6.0
(RT #219). By Andy <>.
* Currently the only order cleanup available, i.e., functions to run after all
data in the session has been used for order functions, is the bottom of the
receipt page, if you happen to know that is the place to do it.
Provide the new OrderCleanup catalog directive which takes a routine name
and is an authoritative place to perform such actions, in the same vein as
AutoLoad and AutoEnd. Implementation possibilites include profiles to be
run at the end or a SpecialSub.
* Fixed problem with new-style shipping configuration reading a mixed-case
* Corrected logic flaw that applied UTF-8 handling in some cases where it
shouldn't have. Fixed by David Christensen <>.
* mv_force_coordinate (fc) added to force coordinated search. Normally,
when the number of search field does not match the number of search
strings (specs), coordinated mode is automatically turned off. With
'fc', number of search specs is adjusted to match the number of search
fields, either by filling the array with last-set mv_searchspec, or by
trimming excess values. Useful when you want to search for one string in
multiple fields in coordinated mode.
* Removed trailing whitespace from text file headers.
* Under rare circumstances the missing search can fall through in a block
below, which caused an internal server error in the following code line:
$obj->{matches} = scalar @{$obj->{mv_results}};
This is now mitigated by an empty mv_results array and results in a search
error as one would expect.
* Refining searches with properties in Swish search:
This also reverts the workaround for #111.
* srcliteral attribute added to [button] tag. Setting srcliteral avoids
the image existence check for the src attribute.
* [run-profile] removes automatically generated profiles only.
* scratch attribute added to [capture-page] to store the resulting page in a
scratch variable, supplied by Phil Smith.
* lines attribute added to [nitems] to show the number of lines in the shopping
cart instead of the sum of the items (#225).
* Made [capture-page] aware of mapped output (#197, #226).
* Added name and id to list of [image] pass-through attributes.
* We are vulnerable to cross-site scripting problems any time there is a
<input value="[value foo]"> call. You can get around this, of course,
with <input value="[value name=foo keep=1 filter=encode_entities]">
instead. That is a bit of a mess, though, so I added an alias for that
called "evalue".
You call it with [evalue address1], which is identical to
[value keep=1 filter="encode_entities" name=address1].
* Make backup-database tag work even when NoExportExternal is enabled.
* Add [set-cookie secure=1] option for SSL-only cookies.
* Added ISBN-13 support to isbn order check and relocated it to code/OrderCheck.
* Fixed regression in html2text filter to re-allow paragraph attributes such as
<p align="center">.
* Prevent cross-site scripting problem in the country-select widget. Found and
fixed by Josh Lavin of Perusion.
* Allow passing custom JavaScript to country_select.widget by adding country_js
and state_js options. It will rewrite "this.form" with the correct form name
at runtime. By Josh Lavin. Useful e.g. for calling check_tax like this:
Admin UI
* Prevent whitespace leaking into CREDIT_CARDS_ACCEPTED variable (#209).
* Sort customer orders by order date, descending (was arbitrary).
(By Rene Hertell, RT #203.)
* Someone removed email_copy field from userdb table, which meant that
email was not sent to customers by default on status updates. Changed
to default to yes if email_copy field not present in user table.
* Added tracking_number field to order status if field exists in orderline,
and handle it in update_order_status tag.
* If the tmp/wget directory (or more properly "$Vend::Cfg->{ScratchDir}/wget")
directory did not exist, use_wget mode failed. Changed code to make
directory if non-existent, and give better error if by some strange chance
a file existed there.
* fixes by Josh Lavin of Perusion:
Allow mv_transaction_id to be sent when mv_order_number has not yet been
created (the case with all newer catalogs, as they use tid.counter).
Allow Business Checking type of 'CCD' (defaults to WEB if not set or sent).
Standard demo
* Added SQLite support.
* Disabled product comment to prevent spam showing up on default installations.
* Provide reasonable defaults for shipping mode and country at checkout to avoid
"not enough information" errors.
* Increased default length of orderline.order_number to 24.
* Modified include/checkout forms to use evalue. There are undoubtedly many
other places it should be put in. But until this is evaluated properly I
don't want to do it all over the place. You can do so with this one liner,
at least pretty reliably:
perl -pi -e 's{value="\[(value\s+[-\w]+\])}{value="[e$1}g'
I think we have gotten rid of all VALUE= uppercase kind of things,
but if not we should now.
* Numerous Debian packaging and localization updates.
* Modernize RPM packaging:
Bundled version of HTML::Entities has been removed, so don't look for it.
Update syntax used for chown and find.
Install all man pages to section 8, so the man page for Interchange's
crontab script doesn't conflict with the system crontab program, and since
Interchange's "binaries" aren't typically in PATH anyway.
Stop using deprecated RPM PreReq tag.
Explicitly require Safe::Hole and Set::Crontab, which the RPM dependency
checker misses.
Force use of /usr/lib, not /usr/lib64, on x86_64. We're not installing
binaries (except the cgi-bin which is in /var/www anyway) and many things
depend on the /usr/lib location.
Require Perl 5.8.8 or newer for build and installation to be compatible
with system threaded Perl.
Use interchange-* helper scripts directly from SPECS/ in source tarball,
instead of copying. Enables use of rpmbuild -ta directly on tarball.
Don't check for anymore as it's part of dist/lib now.
Interchange 5.7.0 never formally released.