Permalink
Commits on Sep 19, 2011
  1. Log error if SASL auth fails.

    committed Sep 19, 2011
  2. Added support for SASL authentication to Net::SMTP

    if you are using Nt::SMTP and you set the MV_SMTPUSER and MV_SMTPPASS with  your
    authenticated username and password respectively then IC will now authenticate
    to the target server.
    committed Sep 11, 2011
Commits on Sep 16, 2011
  1. Add optional cache exprire variable as pointed out here: http://www.i…

    …cdevgroup.org/pipermail/interchange-users/2003-June/033985.html
    
    Signed-off-by: Peter Ajamian <peter@pajamian.dhs.org>
    
    Author:    Steve Graham <icdev@mrlock.com>
    dtlgc committed with Sep 16, 2011
  2. enforce integer weights when writing to ups_cache database

    Signed-off-by: Peter Ajamian <peter@pajamian.dhs.org>
    
    Author:    Steve Graham <icdev@mrlock.com>
    dtlgc committed with Sep 16, 2011
Commits on Aug 22, 2011
Commits on Jul 11, 2011
  1. Encode UI error message to eliminate XSS

    Josh Lavin committed with jonjensen Jul 11, 2011
Commits on Jun 29, 2011
  1. Fix bug in parse_dir_array

    Reported by Bill Carr
    machack666 committed Jun 29, 2011
Commits on Jun 18, 2011
Commits on Jun 13, 2011
  1. add additional da.po file

    machack666 committed May 9, 2011
Commits on May 3, 2011
  1. Remove outdated CVS tags

    jonjensen committed May 3, 2011
Commits on Apr 29, 2011
  1. Option to allow Authorize.net's "hold for review" orders, via Fraud D…

    …etection Suite
    Josh Lavin committed with jonjensen Apr 29, 2011
Commits on Apr 22, 2011
Commits on Apr 14, 2011
  1. Fix [charge] to not populate $Vend::Session->{errors}{mv_credit_card_…

    …valid}
    
    when payment module returned an empty error message.
    
    This happens with PayPaypalExpress when using setrequest request and
    results in [if errors]...[/if] being true but [error all=1 show_error=1]
    displaying nothing.
    racke committed Apr 14, 2011
Commits on Apr 11, 2011
  1. Reducing a warning message when using vlink.pl

    Gert van der Spoel committed Apr 11, 2011
Commits on Apr 2, 2011
  1. Disallow name="" in Content-Disposition header.

    Jon Jensen noticed that the last commit (b29f34f) introduced a new
    problem by relaxing the constraint a little too much and allowing
    empty strings. This patch by Mike Heins goes back to requiring at
    least one character, while still allowing 0.
    danielbr committed Apr 2, 2011
  2. Enhance TrustProxy to handle multiple chained proxies

    This can happen if, for example, you have a first proxy at 10.10.10.1
    which proxies to 10.10.10.2 which then hits your web server that passes
    control to Interchange.
    
    If you visit from 192.168.1.1, Interchange will see this HTTP header:
    
    X-Forwarded-For: 192.168.1.1, 10.10.10.1
    
    and the request will have the source IP address 10.10.10.2.
    
    But if you set this in interchange.cfg:
    
    TrustProxy 10.10.10.1, 10.10.10.2    # order irrelevant
    
    then Interchange will see past the two trusted proxies and set its
    standard variable $CGI::remote_addr to 192.168.1.1, so that the customer's
    IP address gets used.
    jonjensen committed Apr 1, 2011
  3. Add new pragma cache_control to set HTTP Cache-Control response header

    Can be used in a page like this:
    
    [tag pragma cache_control]max-age=600[/tag]
    
    That will send this response header:
    
    Cache-Control: max-age=600
    
    Which will tell upstream proxies and browsers to cache the page for 10 minutes.
    jonjensen committed Mar 28, 2011
  4. Allow name="0" in Content-Disposition header.

    Interchange was checking the Content-Disposition name for perly truth
    rather than definedness, which caused it to incorrectly disallow the valid
    name of "0". I ran into one particular program in the wild that happens
    to generate requests with just such headers:
    
     https://github.com/valums/file-uploader/
    danielbr committed Apr 2, 2011
  5. Enable case-insensitivity in UserDB for indirect_login.

    This patch allows catalogs that are using the indirect_login feature to
    combine that with ignore_case to enable case-insensitive logins.
    
    A common use-case is to have email address be the indirect login field, so
    one thing to be aware of is that it's legal for two separate e-mail
    addresses to differ in capitalization only (e.g. user@domain is distinct
    from User@domain).
    danielbr committed Apr 2, 2011
  6. Enable case-insensitivity in UserDB for unencrypted passwords.

    This patch makes ignore_case function correctly on unencrypted passwords
    even when mixed-case passwords exist in the UserDB table.
    
    Currently, ignore_case only works if the stored passwords are lower case.
    There are at least two ways for mixed-case passwords to make it into the
    UserDB table:
    
     * If some user records were created with UserDB before ignore_case was set.
       (In this case, newer accounts get the expected behavior while older ones
       don't -- a recipe for "fun".)
    
     * If the password column is populated by more than just UserDB, such as
       through custom IC code or integration with other software.
    
    Case-insensitivity is a nice convenience; both for users who tend not to
    notice when caps lock has been toggled, and for help desk workers who field
    their calls. The cost is that it reduces the effective number of ASCII
    password characters by about one quarter. While it's true that it makes it
    ever so slightly easier to crack passwords, other factors (e.g. password
    length, use of dictionary words) far outweigh its importance.
    
    One alternative to this patch would be to change all current and future
    passwords in the UserDB table to lower case, then the existing ignore_case
    would suffice to provide case-insensitive functionality. One downside of
    that approach would be that it's irreversible, whereas this patch allows
    switching back and forth by simply changing the ignore_case configuration.
    
    This feature is enabled under the following example configuration:
    
    UserDB    default    crypt         0
    UserDB    default    ignore_case   1
    danielbr committed Apr 2, 2011
  7. Promote UserDB encryption methods from anonymous subs to named methods.

    The method body of md5_salted was long enough to justify its own named sub,
    and as soon as you do it for one of them, you know the rest are just going
    to whine until they get it too. I prefer named subs for style anyway.
    danielbr committed Apr 2, 2011
  8. Add salted md5 password support to UserDB.

    The specific format used here is to store the password and salt in a single
    field, separated by a colon. I used it to convert a Zen Cart store to
    Interchange.
    
    To use this feature, set the following catalog configuration parameters:
    
    UserDB    default    md5_salted    1
    UserDB    default    crypt         1
    danielbr committed Apr 2, 2011
Commits on Mar 30, 2011
  1. Add better ability to set file umask from various upload locations

    Basic changes added to admin file_upload page to allow passing of umask more easily. Users trying to upload files for web viewing needed better control
    
    Also modified slightly the uploadhelper widget to provide means to pass umask option, and subsequently altered process_filter where there were previously no means to pass umask through
    perusiongreg committed Mar 30, 2011
Commits on Mar 29, 2011
Commits on Mar 28, 2011
  1. Keep using URL session ID & counter in admin

    This provides maximum safety for browsers with cache problems such as
    old versions of Internet Explorer.
    jonjensen committed Mar 28, 2011