Commits on Mar 9, 2011
  1. @machack666

    Fix a bug in read_cookie's code path when using the single-arg form

    This issue was caused by a bug in the interchange read_cookie codepath
    which was being too lenient about its parsing of $CGI::cookie when
    looking up a specific cookie's value.
    
    Certain $CGI::cookie strings and requested cookie names can result in
    returning the wrong value for the cookie given the following
    circumstances: $CGI::cookie contains a value portion of the keyvalue
    pairs which include a word-break character, the (case-insensitive)
    target name and then an equals sign.  Additionally, this matching
    substring would need to appear before the actual cookie for the key in
    question.
    
    Example:
    
    Given $ENV{HTTP_COOKIE}:
      'foo.tracker={"url":"http://www.site.com/?mv_source=blah","count":3}; MV_SOURCE=foo'
    
    [read-cookie] without arguments would correctly parse and return the
    expected keypairs, however [read-cookie MV_SOURCE] would scan the
    $CGI::cookie string for a word-break, the specific cookie name, a
    literal '=' and then proceed to return the literal:
    
      MV_SOURCE => 'blah","count":3}'
    
    This fix tightens up the parsing to only look at the start of the
    string or immediately after a ';' (with optional whitespace between)
    when parsing a specific cookie value.
    
    ---
    Some additional comments:
    
    I had difficulty locating a specification for the cookie keys/values
    themselves, but I wonder if we should remove the /i regex modifier, as
    I'd personally expect cookie names to be case-sensitive.  Left in for
    backwards-compatibility.
    
    Additionally, the setter of the aforementioned cookie should likely
    have used some form of uriencoding instead of having the raw '{}='
    characters, however that's no excuse for us to barf on bad behavior.
    machack666 committed Mar 9, 2011
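The following is an added illustration of the bug described in the commit above, not Interchange's own read_cookie code. `read_cookie_lenient` is a hypothetical reconstruction of the pre-fix matching (word break, name, '='), `read_cookie_strict` applies the anchoring the commit describes (start of string or after ';' with optional whitespace), and `read_all_cookies` stands in for the no-argument form; the sample header value is the one from the commit message.

```perl
#!/usr/bin/perl
# Added example, not Interchange's code: contrasts a lenient single-cookie
# lookup (reconstruction of the reported bug) with the tightened lookup.
use strict;
use warnings;

# Constructed $ENV{HTTP_COOKIE} value, copied from the commit message.
my $cookie_header =
  'foo.tracker={"url":"http://www.site.com/?mv_source=blah","count":3}; MV_SOURCE=foo';

# Hypothetical pre-fix lookup: a word break, the (case-insensitive) name and
# an '=' anywhere in the string satisfy the match, so a name that merely
# appears inside another cookie's value is picked up first.
sub read_cookie_lenient {
    my ($str, $name) = @_;
    return $str =~ /\b\Q$name\E=([^;]*)/i ? $1 : undef;
}

# Tightened lookup: the name must sit at the start of the string or directly
# after a ';' (optional whitespace allowed), i.e. in key position.  The /i
# modifier is kept, as the commit does, for backwards compatibility.
sub read_cookie_strict {
    my ($str, $name) = @_;
    return $str =~ /(?:^|;)\s*\Q$name\E=([^;]*)/i ? $1 : undef;
}

# No-argument form: split on ';' and take each key=value pair whole, so a
# value containing '=' or '{}' is never mistaken for a new key.
sub read_all_cookies {
    my ($str) = @_;
    my %c;
    for my $pair (split /\s*;\s*/, $str) {
        my ($k, $v) = split /=/, $pair, 2;
        $c{$k} = $v if defined $k;
    }
    return \%c;
}

my $all = read_all_cookies($cookie_header);
print "all:     $_ => $all->{$_}\n" for sort keys %$all;
print "lenient: ", read_cookie_lenient($cookie_header, 'MV_SOURCE'), "\n";
print "strict:  ", read_cookie_strict($cookie_header, 'MV_SOURCE'), "\n";
```

Run as-is: the lenient lookup returns `blah","count":3}` (the value of a different cookie) while the strict lookup and the full parse both return `foo`. The practical check when reviewing similar lookup code is whether the key regex is anchored to a separator, since any value that embeds the key name followed by '=' will otherwise win.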
Commits on Apr 18, 2010
  1. @machack666

    Add checks for MV_UTF8 in global variable space

    Depending on the context in which a particular piece of code is
    called, $::Variable will be aliased to either the variables defined in
    interchange.cfg (i.e., $Global::Variable) or in the specific
    catalog.cfg.
    
    In order to handle the fact that MV_UTF8 can be defined in either
    interchange.cfg or catalog.cfg, change all checks to look at both
    $::Variable and $Global::Variable explicitly.
    
    This is known to have affected the [import] tag at the very least, and
    likely had other subtle implications in other places.
    machack666 committed Apr 18, 2010
Commits on Apr 16, 2010
  1. @machack666

    Move MYSQL_ENABLE_UTF8 to a connection-level attribute

    When MYSQL_ENABLE_UTF8 is set, it currently does not provide the
    mysql_enable_utf8 parameter to the DBI->connect call; instead it's
    part of the DBI handle attributes that get set on an already-created
    handle.
    
    From the docs for DBD::mysql, mysql_enable_utf8 needs to be set on
    connect, otherwise there are additional steps one needs to take to get
    the results returned in UTF8 (primarily issuing a $dbh->do("SET NAMES
    utf8") on the opened handle).
    
    With this change, when the catalog.cfg defines MYSQL_ENABLE_UTF8, the
    mysql_enable_utf8 => 1 attribute will be included in the hash of
    options returned by Vend::Table::DBI::find_dsn.  This will not occur
    unless said DatabaseDefault/Database attribute is defined.
    
    This corrects a bug when using MySQL with MV_UTF8 mode, as with the
    old behavior the UTF8 flag would be set on the values returned from
    the database, but they would not have been transferred in UTF8, but
    instead with the server's default character set (likely latin1).  The
    normal way to get around this issue when setting the $dbh attribute
    manually is to issue a $dbh->do("SET NAMES utf8"), which has the
    effect of setting the client's connection and results character sets
    to UTF8.
    
    This has the possibility of introducing some changes in application
    behavior, but since MYSQL_ENABLE_UTF8 is generally turned on in
    conjunction with MV_UTF8 mode, this is not judged to be a big risk.
    If existing user code was already working around this bug by issuing
    its own $dbh->do("SET NAMES utf8"), this will continue to work,
    essentially becoming a no-op.
    machack666 committed Apr 16, 2010
Commits on Mar 25, 2010
  1. @machack666

    Bump version number

    machack666 committed Mar 24, 2010
  2. @machack666

    Update Copyright Date

    machack666 committed Mar 24, 2010
Commits on Mar 24, 2010
  1. @machack666
  2. @machack666

    Fix css.tag to properly output the css when using the inline <style> block
    
    css.tag attempts to write a file out to the filesystem after reading
    in the css via either variable or literal.  If the file path it
    attempts to write to is not writable, for whatever reason, instead of
    creating a <link> tag to the written file, it attempts to create a
    <style> tag containing the css.
    
    Currently, if it ever creates the style tag, it will never contain the
    css.  When the location is not writable, it skips the portion of code
    that reads in the actual css, either from the literal option or the
    contents of the variable.
    
    This patch moves the reading of the css up to a point where it can't
    be skipped, allowing both the link and style tags to be created
    properly.
    
    Report and patch by Justin Otten <justin.lasotten@gmail.com>
    machack666 committed Mar 23, 2010
  3. @machack666

    Fix "HTTP Response Splitting" security exploit

    Discovery and patch from Justin Otten <justin.otten@gmail.com>:
    
    Added new method to Util.pm for scrubbing newlines from header data.
    Updated all discovered instances of the use of the "Location" header
    to run the URL through the routine.
    machack666 committed Mar 22, 2010
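As an added example of the kind of scrub the commit above describes (this is not the Util.pm method itself; `header_data_scrub` and `location_header` are hypothetical names), the routine below removes CR and LF from a value before it is placed in a Location header, and the constructed input shows why a bare newline in a redirect target matters:

```perl
#!/usr/bin/perl
# Added example, not Interchange's Util.pm code: a header-value scrub of the
# kind the commit describes, exercised on a constructed redirect target.
use strict;
use warnings;

# Strip CR and LF from a value destined for a response header.  A raw CR/LF
# inside a header value lets the client treat the remainder as further
# headers or a body, which is what "HTTP Response Splitting" depends on.
sub header_data_scrub {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ s/[\r\n]+//g;
    return $value;
}

# Build the Location header line; the value never reaches it unscrubbed.
sub location_header {
    my ($url) = @_;
    return 'Location: ' . header_data_scrub($url) . "\r\n";
}

# Constructed input: a redirect target carrying an embedded CRLF.
my $tainted = "http://example.com/page\r\nInjected-Header: 1";

# Before scrubbing the value spans two header "lines"; after, just one.
print "raw lines: ", join(' | ', split /\r\n/, $tainted), "\n";
print "scrubbed:  ", location_header($tainted);
```

Two caveats when applying such a routine: it must run on the value as it will actually be written (after any URL-decoding, not before), and stripping silently joins the fragments, so logging the event or rejecting the request outright is the stricter option where a newline in a redirect target can never be legitimate.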
Commits on Feb 23, 2010
  1. @machack666

    Properly initialize BOP supplemental parameters.

    This fixes a bug where supplemental parameters passed to the payment
    module to initialize the Business::OnlinePayment gateway object get a
    value of 1 instead of what's in your catalog.cfg or
    products/variable.txt.
    
    Patch by Richard Siddall, with minor bugfixes by David Christensen
    machack666 committed Feb 22, 2010
Commits on Jan 5, 2010
Commits on Sep 25, 2009
  1. @machack666
Commits on Sep 24, 2009
  1. @machack666

    Do not specify a default charset if none is passed via MV_HTTP_CHARSET.

    Do not specify a default charset if none is passed via MV_HTTP_CHARSET.
    Thanks to Raymond Cheng <rayonnet@hotmail.com> for pointing out the regression
    caused by this.
    machack666 committed Sep 24, 2009
Commits on Sep 16, 2009
  1. @jonjensen

    Sync manifest

    jonjensen committed Sep 16, 2009
  2. @racke

    bump up version number and date

    updates to documentation (WHATSNEW, README-DEVELOPMENT)
    racke committed Sep 16, 2009
  3. @jonjensen
  4. @jonjensen

    Fix two occasionally broken tests.

    Two tests of the [query] tag and built-in SQL parser relied on the results
    being returned in a particular order, even though SQL's result sets are not
    ordered by default.
    
    Fixed this by specifying a sort order and setting the results to match.
    jonjensen committed Nov 16, 2008
  5. @jonjensen

    Fix default shipmode due to incomplete [either] clause.

    Also remove stray ] above and clean up indenting.
    
    Fix by JT Justman <jt@endpoint.com>.
    jonjensen committed Dec 4, 2008
  6. @jonjensen

    Fixed rare bug that caused requests to / URL with a query string to fail, e.g.:
    
        http://hostname/?somevar=1
    
    Interchange in that case looked for a page called "?somevar=1" and of course
    didn't find it.
    
    Thanks to David Christensen <david@endpoint.com> for the fix.
    jonjensen committed Dec 31, 2008
  7. @docelic @jonjensen

    * Correct .access functionality directly in pages/

      .access worked in subdirectories like pages/abc/, but didn't work directly
      under pages/. (Instead of looking for pages/.access, it was looking for
      pages/PAGENAME/.access)
    docelic committed with jonjensen Jan 8, 2009
  8. @perusionmike @jonjensen

    * Add framekiller for clickjacking defense in template. Probably we are

      unlikely to have problems in the standard template, but you never know.
    perusionmike committed with jonjensen Jan 28, 2009
  9. @jonjensen

    there is no ::Catalog apparently (anymore?), ::Cat does return the catalog
    name, this is for the DebugTemplate directive
    Gert van der Spoel committed with jonjensen Feb 10, 2009
  10. @perusionmike @jonjensen

    * Make forum only available for logged-in users, as spammers are

      exploiting it constantly.
    perusionmike committed with jonjensen Feb 27, 2009
  11. @msjohns1 @jonjensen
  12. @perusionmike @jonjensen

    * Fix bug found by Jeff Boes <jeff@endpoint.com> which prevented custom

      widget type from working.
    perusionmike committed with jonjensen Mar 20, 2009
  13. @perusionmike @jonjensen

    * Prevent an incomprehensible error when following an order link that was
      created on an mv_tmp_session page or other non-connecting session.
    perusionmike committed with jonjensen Apr 7, 2009
  14. @jonjensen

    Avoid possible problem with read-only variable table by using @@MV_PAGE@@
    instead of @_MV_PAGE_@.
    
    This is the only place in Interchange we use @_MV_PAGE_@, which isn't
    necessary because MV_PAGE is always global.
    
    More details at this blog comment I wrote:
    
    http://blog.endpoint.com/2009/04/subverting-subversion-for-fun-and.html?showComment=1239148380000#c3445687618157063638
    jonjensen committed Apr 8, 2009
  15. @jonjensen

    Fix omission of media type in <link> output

    Patch by Thomas J.M. Burton <tom@globalfocusdm.com>. Thanks!
    jonjensen committed May 28, 2009
  16. @jonjensen

    Removed javascript that submits the form if the user changes his
    email-preferences.
    
    It's better to let the user make the final decision if he wants to submit the stock-alert form after all.
    René Hertell committed with jonjensen Jun 10, 2009
  17. @jonjensen

    Added some missing end-tags

    René Hertell committed with jonjensen Jun 10, 2009
  18. @racke @jonjensen
  19. @jonjensen

    Remove CVV2/CSC from default credit card encrypted block template

    The card security code should not be stored at all, even in encrypted
    form. This makes the default behavior compliant with section 3.2.2 of
    PCI-DSS 1.2:
    
    https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
    
    It is of course still possible to manually supply a template that
    stores the card security code in violation of PCI-DSS requirements, so
    developers should review any custom credit card encryption templates
    to make sure that the CVV2 is not included, and purge it from any
    historical data they have stored.
    
    Thanks to Mark Lipscombe for calling attention to this.
    jonjensen committed Jun 18, 2009
  20. @jonjensen

    Unbuffer output as early as possible

    This stops the confusing out-of-order mixing of regular and error messages
    during startup. And output was being unbuffered later on anyway.
    
    Also update copyright years and remove CVS $Id$ tag.
    jonjensen committed Jun 25, 2009
  21. @jonjensen

    Specifically require Digest::SHA1 module

    This should give more helpful error messages for those upgrading since
    Digest::SHA1 wasn't part of Bundle::Interchange historically but has
    been since January 2008.
    jonjensen committed Jun 25, 2009
  22. @jonjensen

    Abort daemon startup when required module is missing and clean up error
    output
    
    Fix problem with eval $@ error result's scope in global Perl module
    require routine. This was caused because logGlobal contains an eval
    itself that overrides $@. Now when a "Require module Something::Special"
    directive is issued and not satisfied, it is fatal as was originally
    intended.
    
    Remove logGlobal call that results in duplicate error output.
    
    Correctly say "Aborting Interchange daemon" instead of "Aborting
    catalog" when dying on global config errors.
    jonjensen committed Jun 27, 2009
  23. @jonjensen

    Corrected min/max username length

    Currently you can set a username with a length between 2 and 64.
    ship_addresses.html was testing on usernames between 4 and 10.
    
    Any account created with a username < 4 or > 10 would result in
    an error such as: username length XX more than maximum length 10.
    
    Reported by René Hertell.
    Gert van der Spoel committed with jonjensen Jul 14, 2009