API Removed "harness" feature

Too much risk of exposing payment data and logic publically.
Removed all related test forms and test form actions.

CHANGELOG.md

@@ -1,10 +1,38 @@
 # Changelog
 
-## 0.4.0
+## 0.4.1 - 2013-02-28
+
+ * Security: Payment Information Leak in Test Harness Controller (see 0.3.2)
+
+## 0.3.2 - 2013-02-28
+
+ * Security: DPS Payment Information Leak in Test Harness Controller
+
+Since 2010, the payment module included a "test harness" controller
+([commit](https://github.com/silverstripe-labs/silverstripe-payment/commit/8f27918294ac34b688f137e36b424616df55dd7f),
+which was not correctly secured against public access.
+It allowed a broad range of operations against the configured DPS API,
+including listing payments incl. amounts and transaction details,
+refunding and authenticate existing payments,  create new payments.
+It does not expose the actual payment API credentials, customer or credit card details.
+The vulnerability also doesn't allow directing payments to a different account.
+
+This affects all recent versions of the module, but is limited to the
+DPS/PaymentExpress payment provider.
+
+We have removed the functionality from the module. If you are using
+the functionality, please port it into your own codebase and ensure
+the controller is secured to ADMIN permissions.
+As a hotfix, you can also remove code/Harness.php to secure the installation.
+In this case, don't forget to flush the manifest cache by appending ?flush=1 to any SilverStripe URL.
+
+Reporter: Nicolaas Thiemen-Francken
+
+## 0.4.0 - 2013-02-20
 
  * Security: Information Leak in DPSAdapter (see 0.3.1)
 
-## 0.3.1
+## 0.3.1 - 2013-02-20
 
  * Security: Information Leak in DPSAdapter
 

_config.php

@@ -3,7 +3,6 @@
 Director::addRules(50, array(
 	WorldpayPayment_Handler::$URLSegment . '/$Action/$ID' => 'WorldpayPayment_Handler',
 	PayPalPayment_Handler::$URLSegment . '/$Action/$ID' => 'PayPalPayment_Handler',
-	'harness/$Action/$Class/$ID' => 'Harness', 
 ));
 
 Object::add_extension('Member', 'PayerHavingReceipt');