Commits on Jun 29, 2011
  1. @machack666

    Fix bug in parse_dir_array

    machack666 authored
    Reported by Bill Carr
Commits on Jun 18, 2011
  1. @machack666
  2. @machack666
Commits on Jun 13, 2011
  1. @machack666
  2. @machack666

    add additional da.po file

    machack666 authored
  3. @machack666
Commits on Mar 9, 2011
  1. @machack666

    update WHATSNEW

    machack666 authored
  2. @machack666

    Fix a bug in read_cookie's code path when using the single-arg form

    machack666 authored
    This issue was caused by a bug in the interchange read_cookie codepath
    which was being too lenient about its parsing of $CGI::cookie when
    looking up a specific cookie's value.
    
    Certain $CGI::cookie strings and requested cookie names can result in
    returning the wrong value for the cookie given the following
    circumstances: $CGI::cookie contains a value portion of the keyvalue
    pairs which include a word-break character, the (case-insensitive)
    target name and then an equals sign.  Additionally, this matching
    substring would need to appear before the actual cookie for the key in
    question.
    
    Example:
    
    Given $ENV{HTTP_COOKIE}:
      'foo.tracker={"url":"http://www.site.com/?mv_source=blah","count":3}; MV_SOURCE=foo'
    
    [read-cookie] without arguments would correctly parse and return the
    expected keypairs, however [read-cookie MV_SOURCE] would scan the
    $CGI::cookie string for a word-break, the specific cookie name, a
    literal '=' and then proceed to return the literal:
    
      MV_SOURCE => 'blah","count":3}'
    
    This fix tightens up the parsing to only look at the start of the
    string or immediately after a ';' (with optional whitespace between)
    when parsing a specific cookie value.
    
    ---
    Some additional comments:
    
    I had difficulty locating a specification for the cookie keys/values
    themselves, but I wonder if we should remove the /i regex modifier, as
    I'd personally expect cookie names to be case-sensitive.  Left in for
    backwards-compatibility.
    
    Additionally, the setter of the aforementioned cookie should likely
    have used some form of uriencoding instead of having the raw '{}='
    characters, however that's no excuse for us to barf on bad behavior.
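The lookup described in this commit message, as an added example written for this page (it is not Interchange's own Perl code, which is not reproduced here). The lenient and tightened patterns are a Python reconstruction from the description alone: the pre-fix path matches a word boundary, the name and `=` anywhere in the string, while the fixed path only accepts the name at the start of the string or after `;` plus optional whitespace. The cookie string is the one quoted in the message; `MV_SOURCE` case-insensitivity is kept, as the message says it was.

```python
import re

# Constructed sample, copied from the commit message: the tracking cookie's
# JSON value contains "?mv_source=blah" before the real MV_SOURCE pair.
SAMPLE_COOKIE = (
    'foo.tracker={"url":"http://www.site.com/?mv_source=blah","count":3}; '
    'MV_SOURCE=foo'
)


def parse_all(cookie_header):
    """The no-argument path: split on ';', then on the first '=' of each pair."""
    pairs = {}
    for chunk in cookie_header.split(';'):
        chunk = chunk.strip()
        if not chunk or '=' not in chunk:
            continue
        name, value = chunk.split('=', 1)
        pairs[name.strip()] = value
    return pairs


def lookup_lenient(cookie_header, name):
    """Pre-fix behaviour (assumed): any word break, the name, then '='.

    A value that merely *contains* 'mv_source=' satisfies this, so the
    match can land inside another cookie's value.
    """
    pattern = re.compile(r'\b' + re.escape(name) + r'=([^;]*)', re.IGNORECASE)
    m = pattern.search(cookie_header)
    return m.group(1) if m else None


def lookup_strict(cookie_header, name):
    """Fixed behaviour: the name must start the string or follow ';' (+ spaces)."""
    pattern = re.compile(
        r'(?:^|;\s*)' + re.escape(name) + r'=([^;]*)', re.IGNORECASE
    )
    m = pattern.search(cookie_header)
    return m.group(1) if m else None


if __name__ == '__main__':
    print('all pairs   :', parse_all(SAMPLE_COOKIE))
    print('lenient     :', lookup_lenient(SAMPLE_COOKIE, 'MV_SOURCE'))
    print('strict      :', lookup_strict(SAMPLE_COOKIE, 'MV_SOURCE'))
```

Running it shows the lenient lookup returning `blah","count":3}` (the value quoted in the message) while the strict lookup and the full parse both return `foo`. The strict pattern is still case-insensitive, so `lookup_strict(SAMPLE_COOKIE, 'mv_source')` also yields `foo`; dropping `re.IGNORECASE` is the one-line change the author considered but left out for compatibility.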
Commits on Nov 12, 2010
  1. @machack666
Commits on Nov 11, 2010
  1. @machack666

    Fix encode_special_entities filter to prevent heredoc parsing error

    machack666 authored
    This resolves a "Bareword found where operator expected" message which
    prevents the load of the filter in question.  Apparently, IC's heredoc
    parsing fails to properly parse when the ending token is the last line
    of the file and that line does not end in a newline.
Commits on Oct 21, 2010
  1. @machack666

    Add MSIE and Gecko UA strings to the default list of NotRobotUA patterns

    machack666 authored
    This will correct a string of false positives found when checking the
    list of RobotUAs against the wide variety of toolbars found in the
    wild in User-Agent strings.
    
    This does open up the possibility of more obscure bots getting
    assigned sessions from the appserver, but this was deemed to be a
    reasonable tradeoff given the current bot/toolbar ecosystem.
Commits on May 13, 2010
  1. @machack666
Commits on Apr 18, 2010
  1. @machack666

    Add checks for MV_UTF8 in global variable space

    machack666 authored
    Depending on the context in which a particular piece of code is
    called, $::Variable will be aliased to either the variables defined in
    interchange.cfg (i.e., $Global::Variable) or in the specific
    catalog.cfg.
    
    In order to handle the fact that MV_UTF8 can be defined in either
    interchange.cfg or catalog.cfg, change all checks to look at both
    $::Variable and $Global::Variable explicitly.
    
    This is known to have affected the [import] tag at the very least, and
    likely had other subtle implications in other places.
Commits on Apr 16, 2010
  1. @machack666

    Move MYSQL_ENABLE_UTF8 to a connection-level attribute

    machack666 authored
    When MYSQL_ENABLE_UTF8 is set, it currently does not provide the
    mysql_enable_utf8 parameter to the DBI->connect call; instead it's
    part of the DBI handle attributes that get set on an already-created
    handle.
    
    From the docs for DBD::mysql, mysql_enable_utf8 needs to be set on
    connect, otherwise there are additional steps one needs to take to get
    the results returned in UTF8 (primarily issuing a $dbh->do("SET NAMES
    utf8") on the opened handle).
    
    With this change, when the catalog.cfg defines MYSQL_ENABLE_UTF8, the
    mysql_enable_utf8 => 1 attribute will be included in the hash of
    options returned by Vend::Table::DBI::find_dsn.  This will not occur
    unless said DatabaseDefault/Database attribute is defined.
    
    This corrects a bug when using MySQL with MV_UTF8 mode, as with the
    old behavior the UTF8 flag would be set on the values returned from
    the database, but they would not have been transferred in UTF8, but
    instead with the server's default character set (likely latin1).  The
    normal way to get around this issue when setting the $dbh attribute
    manually is to issue a $dbh->do("SET NAMES utf8"), which has the
    effect of setting the client's connection and results character sets
    to UTF8.
    
    This has the possibility of introducing some changes in application
    behavior, but since MYSQL_ENABLE_UTF8 is generally turned on in
    conjunction with MV_UTF8 mode, this is not judged to be a big risk.
    If existing user code was already working around this bug by issuing
    its own $dbh->do("SET NAMES utf8"), this will continue to work,
    essentially becoming a no-op.
Commits on Mar 24, 2010
  1. @machack666

    Update WHATSNEW for release

    machack666 authored
  2. @machack666

    Bump version number

    machack666 authored
  3. @machack666

    Fix css.tag to properly output the css when using the inline <style> block

    machack666 authored
    
    css.tag attempts to write a file out to the filesystem after reading
    in the css via either variable or literal.  If the file path it
    attempts to write to is not writable, for whatever reason, instead of
    creating a <link> tag to the written file, it attempts to create a
    <style> tag containing the css.
    
    Currently, if it ever creates the style tag, it will never contain the
    css.  When the location is not writable, it skips the portion of code
    that reads in the actual css, either from the literal option or the
    contents of the variable.
    
    This patch moves the reading of the css up to a point where it can't
    be skipped, allowing both the link and style tags to be created
    properly.
    
    Report and patch by Justin Otten <justin.lasotten@gmail.com>
Commits on Mar 22, 2010
  1. @machack666

    Fix "HTTP Response Splitting" security exploit

    machack666 authored
    Discovery and patch from Justin Otten <justin.otten@gmail.com>:
    
    Added new method to Util.pm for scrubbing newlines from header data.
    Updated all discovered instances of the use of the "Location" header
    to run the URL through the routine.
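The kind of scrubbing routine this commit describes, as an added example for this page; it is not the method that was added to Util.pm, and the function names are assumptions. The point it makes is the one behind the fix: a redirect target that reaches the `Location` header still carrying CR or LF (after the CGI layer has already percent-decoded it) ends the header line, so the value must be cleaned after decoding and before it is written. The sample redirect target is constructed.

```python
import re
from urllib.parse import unquote

# Characters that can end a header line: CR, LF and (defensively) NUL.
_HEADER_BREAKS = re.compile(r'[\r\n\x00]')


def scrub_header_value(value):
    """Strip line-break characters so the value stays on one header line."""
    return _HEADER_BREAKS.sub('', value)


def build_location_header_unsafe(target):
    """The pre-fix shape: the target goes into the header untouched."""
    return 'Location: ' + target


def build_location_header(target):
    """The fixed shape: the target is scrubbed before it becomes a header."""
    return 'Location: ' + scrub_header_value(target)


def header_line_count(header):
    """How many lines a header text occupies once CR/LF are honoured."""
    return len(re.split(r'\r\n|\n|\r', header))


def location_from_query_param(raw_param):
    """Typical flow: the parameter arrives percent-encoded, is decoded by the
    CGI layer, and only then can line breaks appear in it, so scrub after
    decoding, never before."""
    decoded = unquote(raw_param)
    return build_location_header(decoded)


if __name__ == '__main__':
    # Constructed input: a path followed by an encoded CR LF and more text.
    raw = '/thanks.html%0d%0aX-Injected:%201'
    print(repr(build_location_header_unsafe(unquote(raw))))
    print(repr(location_from_query_param(raw)))
```

The unsafe builder turns the decoded sample into two header lines; the scrubbed builder yields exactly one. Scrubbing before `unquote` would have left the `%0d%0a` sequence intact and the problem unfixed, which is why the decode-then-scrub order is shown explicitly.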
Commits on Feb 24, 2010
  1. @machack666
  2. @machack666
  3. @machack666
  4. @machack666
Commits on Feb 23, 2010
  1. @machack666

    Properly initialize BOP supplemental parameters.

    machack666 authored
    This fixes a bug where supplemental parameters passed to the payment
    module to initialize the Business::OnlinePayment gateway object get a
    value of 1 instead of what's in your catalog.cfg or
    products/variable.txt.
    
    Patch by Richard Siddall, with minor bugfixes by David Christensen
Commits on Dec 9, 2009
  1. @machack666
Commits on Nov 24, 2009
  1. @machack666

    Add Vend::CharSet::mime_name for installations which lack proper Encode.pm support

    machack666 authored
    
    Not all versions of Encode in IC-supported perl versions support the
    mime_name method.  This patch adds checking for the existence of the
    method, and provides a simple replacement in the case that it lacks
    it.
    
    The main goal here is to support earlier versions of Encode.pm, while
    still allowing us to normalize and use the utf8 charset.
    
    Additional special-cases can be added to Vend::CharSet::mime_name as needed.
Commits on Nov 6, 2009
  1. @machack666

    Make the spider variable in $Vend::Session reflect $Vend::Robot status rather than mv_tmp_session

    machack666 authored
  2. @machack666
Commits on Nov 5, 2009
  1. @machack666
  2. @machack666

    Add BounceRobotSessionURL directive

    machack666 authored
    Add BounceRobotSessionURL directive to 301 redirect robots which
    provide an explicit mv_session_id to the canonical page URL without
    the explicit mv_session_id.  This prevents search engine urls from
    being indexed with an explicit session_id.
    
    This also excludes mv_tmp_session from redirect URLs when the
    BounceReferrals path is taken.
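The redirect behaviour this directive describes, as an added example for this page (it is not Interchange's own implementation, and the function names, the `is_robot` flag and the session id value are assumptions): when the requester is a known robot and the URL carries an explicit `mv_session_id`, answer with a 301 to the same URL minus the session parameters, so that search engines index only the canonical form. The example also drops `mv_tmp_session`, in line with the second paragraph of the message.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that carry session state and must not be indexed.
SESSION_PARAMS = {'mv_session_id', 'mv_tmp_session'}


def canonical_url(url):
    """Return the URL with session-carrying query parameters removed,
    leaving every other parameter in its original order."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in query if k not in SESSION_PARAMS]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
    )


def bounce_robot_session(url, is_robot, bounce_enabled=True):
    """Model of BounceRobotSessionURL (assumed behaviour).

    Returns (status, location): (301, canonical URL) when a robot request
    carries a session parameter and bouncing is enabled, otherwise
    (None, url) meaning "serve the page as requested".
    """
    if not (bounce_enabled and is_robot):
        return None, url
    canon = canonical_url(url)
    if canon == url:          # nothing to strip, no redirect needed
        return None, url
    return 301, canon


if __name__ == '__main__':
    # Constructed URL with a placeholder session id.
    sample = 'http://example.com/cgi-bin/catalog/page.html?mv_session_id=SESSIONID_PLACEHOLDER&item=5'
    print(bounce_robot_session(sample, is_robot=True))
    print(bounce_robot_session(sample, is_robot=False))
```

Ordinary browsers keep their session (no redirect), robots are bounced once to the session-free URL, and a robot request that already lacks session parameters is served directly rather than looping through redirects.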
  3. @machack666

    Add new $Vend::Robot variable to track when we're dealing with an actual RobotUA

    machack666 authored
    
    This allows distinguishing between CGI-provided mv_tmp_session and
    actual robot usage, which just happens to set mv_tmp_session as a
    consequence.
Commits on Nov 3, 2009
  1. @machack666

    Remove the explicit display of an invalid user-provided session id

    machack666 authored
    Hypothetically, some stupid browsers could be coerced into doing
    Something Bad; in any case, it's cleaner to just exclude it from the
    output altogether.
    
    Example URL:
    
    http://example.com/cgi-bin/catalog/catalogs.html?id=PMJCrmoJ%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
    
    Reported by Mat Jones.
Commits on Sep 25, 2009
  1. @machack666

    Revert "WIP: fix for later Encodes + Safe"

    machack666 authored
    This reverts commit 9005f43.
  2. @machack666
  3. @machack666
Commits on Sep 14, 2009
  1. @machack666