------------------------------------------------------------------------------
                  What's new in each version of Interchange
------------------------------------------------------------------------------

Interchange 4.8.9 released 2004-03-29.

Security
--------

* Plug a security hole which allows an attacker to expose arbitrary variable
  contents by using a URL like
  http://shop.example.com/cgi-bin/store/__SQLUSER__. All Interchange
  applications using the standard "missing" special page from the demo
  catalog, or a similar one, are vulnerable to this attack. The attacker may
  learn the SQL access information for your Interchange application and use
  it to read and manipulate sensitive data.

* Fix security hole with possible SQL injection.

Miscellaneous
-------------

* Fix order import problem found by Karen Gold.

------------------------------------------------------------------------------

Interchange 4.8.8 released 2003-12-16.

Security
--------

* Fix security hole in @@MV_PREV_PAGE@@ -- in the standard Foundation this is
  found in special_pages/missing.html and special_pages/violation.html.

------------------------------------------------------------------------------

Interchange 4.8.7 released 2003-01-30.

Core
----

* Fix bug where Interchange got stuck in an infinite loop on startup in case
  of wrong SQL database access information; this occurred on the second
  table, possibly due to a bad setting in DBI.

* UserDB.pm: [userdb function=logout clear=1] will now restore the
  appropriate ScratchDefault and ValuesDefault values instead of simply
  deleting the scratches and values under its control.

* Fix persistence problems in PreFork mode:
  - [more-list] settings
  - profile state

* Table/DBI.pm: Simplify field_settor subroutines with prepared query and
  placeholder. Prevents infamous DBD::Pg::do errors.

* Server.pm:
  - Output proper header so missing script will be seen as 404.
  - Fix whitespace transform, tolerate leading whitespace on header lines.
  - Apache 2.0.x compatibility fix for problem described here:
    http://www.icdevgroup.org/pipermail/interchange-users/2002-August/024212.html

* Fix bug where bad [nitems compare=...] could cause server error.

* Tolerate the following previously unallowed constructs:

    [if-loop-param fieldname =~ /abc/i]    (and/or options s, m, x)
    [if-loop-param fieldname =~ /abc/ ]
    [if-loop-param fieldname =~ /a b c/]

  (A space in or after the regex caused regex compilation to fail before.)

* Fixed a problem that prevented the following from working:

    [input-filter name="[quantity-name]" op="nullselect digits_dot"]
    [/input-filter]

* Config.pm:
  - Tolerate missing configdb database, issue warning only.
  - Pass Perl error message if Sub fails to compile.

* Allow the 'md' (mv_more_decade) parameter to be specified with tags such
  as [query].

* Don't reject ZIP+4 without hyphen in 'zip' profile check.

* Search.pm: Change stupid behavior where last sort_option is forwarded to
  all future unset options; always default to 'none' if not set.

* Interpolate.pm: Ensure the $Tag object is not wrapped more than once.

Usertags
--------

* [button]
  - Allow tag to work with an unnamed form.
  - Make sure that the current button being pressed is the only one whose
    mv_click_map_* variable gets set. This works around the problem of a
    user clicking one button, using the browser's Back button, then clicking
    on a different button, and both mv_clicks executing instead of just the
    most recent one.

* [formel]
  - Pass value to display tag.

* [summary]
  - Avoid persistent storage to make tag safe in PreFork mode.

Payment
-------

* Signio.pm: Fixed several bad function mappings. Unlink temp file when done.
  Prefer pfpro over pfpro-file. Accept bin_path and library_path route
  settings. Handle ORIGID properly on delayed capture.

* AuthorizeNet.pm: Fixed a typo that kept 'auth' type from working.

* Payment.pm: Display errors from payment modules in credit card header on
  checkout page.
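The 4.8.9 and 4.8.8 security entries above describe one class of bug: a special page (the standard "missing" page, or one built around @@MV_PREV_PAGE@@) echoes something the requester chose, and that text is then run through the catalog variable expander, so a path such as /cgi-bin/store/__SQLUSER__ comes back with the variable's value substituted. The following is an added example written in Python to model that mechanism; it is not Interchange's Perl code, and its fix is the general remedy rather than the exact patch that went into 4.8.9. The VARIABLES table, the stand-in MISSING_PAGE (with its {path} slot), the request paths and the function names are all constructed.

```python
"""Added example: how echoing a request path into a variable-expanded page
leaks catalog variables (the Interchange 4.8.9 / 4.8.8 class of bug).

Python model, not Interchange's Perl code. VARIABLES, MISSING_PAGE and the
request paths are constructed; the function names are assumptions.
"""
import html
import re

# Constructed catalog variable table. In a real catalog the SQL credentials
# would come from catalog.cfg or the variable database, never from a page.
VARIABLES = {
    "SQLUSER": "shop_rw",         # constructed value
    "SQLPASS": "s3cret-example",  # constructed value
    "COMPANY": "Example Shop",    # constructed value
}
SECRETS = ("SQLUSER", "SQLPASS")

# The two placeholder forms named on the page: __NAME__ and @@NAME@@.
PLACEHOLDER = re.compile(r"__([A-Z0-9_]+?)__|@@([A-Z0-9_]+?)@@")


def expand_variables(template: str) -> str:
    """Replace each placeholder with its catalog value. Unknown names are
    left untouched (a modelling choice, not a claim about Interchange)."""
    def repl(m):
        name = m.group(1) or m.group(2)
        return VARIABLES.get(name, m.group(0))
    return PLACEHOLDER.sub(repl, template)


# Constructed stand-in for a "missing" special page that echoes the request;
# {path} marks where the requested path is inserted.
MISSING_PAGE = "<p>Sorry, '{path}' was not found at __COMPANY__.</p>"


def render_missing_vulnerable(path: str) -> str:
    """Bug: the request path is pasted into the page first and the whole
    page is expanded afterwards, so placeholders chosen by the requester
    are expanded exactly like the page's own."""
    return expand_variables(MISSING_PAGE.replace("{path}", path))


def render_missing_fixed(path: str) -> str:
    """Fix: expand the page's own placeholders first, then insert the
    request-controlled value as inert, HTML-escaped text that is never
    handed to the expander."""
    return expand_variables(MISSING_PAGE).replace("{path}", html.escape(path))


def leaks_secret(output: str) -> bool:
    """Regression check: does a rendered page contain a credential value?"""
    return any(VARIABLES[name] in output for name in SECRETS)


if __name__ == "__main__":
    probe = "/cgi-bin/store/__SQLUSER__"   # the request path from the page
    print("vulnerable:", render_missing_vulnerable(probe))
    print("fixed:     ", render_missing_fixed(probe))
```

The ordering is the whole point: anything under request control (the path, a previous-page value, a form field) must be inserted after expansion or have its placeholders neutralized, and a check like leaks_secret over the rendered special pages is the kind of assertion worth keeping in a catalog's regression tests after an upgrade.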
Foundation
----------

* Change catalog.cfg default for MaxServers in "rpc" profile to zero. This is
  probably best for the vast majority of servers running in PreFork mode.

* Reconfig seemed to always time out on faster processors; made it more
  reliable.

* Be more tolerant with zip/postal codes -- don't remove hyphen from ZIP+4
  (99686-2933) or space from Canadian postal code (T0L 0R0).

* Fix orderline import deficiency found by Karen Gold (KarenG@LOADUP.com).

Miscellaneous
-------------

* Included latest mod_interchange code with several bugfixes and
  improvements.

* Fix makecat bug that prevented the cgi-bin link program from being
  associated with the chosen owner and group. Patch by Carl Bailey.

* Make outdated bin/update command work better.

* Update copyright notices, Interchange URLs, and email addresses.

Build/Packaging
---------------

* Prevent test from failing during upgrade -- remove the installation library
  directories from @INC if MINIVEND_ROOT =~ blib.

* When it is an update, don't send out the "you are now ready to run makecat"
  message, which confuses people.

* Debian package build process didn't install scripts properly into
  usr/lib/interchange/bin when running with Perl 5.8.x.

* Cleanse mod_interchange directory in Debian's clean target.

* No need to restart Interchange for log rotation.

* Separate package creation process into architecture dependent and
  architecture independent runs (fixes Debian bug #172940).

------------------------------------------------------------------------------

Interchange 4.8.6 released 2002-08-12.

Core
----

* IMPORTANT: All Interchange installations should update to 4.8.6.

* Close serious security hole that can occur when running in INET mode.

* Global configuration directive LockType works now as advertised in the
  documentation (problem reported by Bill Carr).
* SOAP server returns proper headers now, which not only makes it compliant
  with the SOAP standard, but also makes it work with the more recent
  versions of SOAP::Lite, including the latest 0.55 with the security fix.

* Fixed missing usertags in catalog subs called from Autoload.

* Fixed a bug in Server.pm that caused Opera users, and possibly users of
  other browsers, to get intermittent "CGI mapping error" failures when
  POSTing forms.

* Fixed a bug in Server.pm that would cause loss of query string info in
  'POST' URLs (only applicable when using TolerateGet).

* Skip host checking if configuration directive WideOpen is set.

* Fix addAttr setting for [order] tag, restoring ability to use 'base' and
  'cart' attributes.

* Restored functionality of mv_max_matches: for paged searches using
  [more-list], it determines the maximum number of search results returned;
  mv_matchlimit determines how to divide those up into pages.

* Fixed set_slice bug that removed all values from array after code, if code
  was passed in array (separately from code parameter in sub call). Patch by
  Mark Johnson.

* Apply patch to fix problem found by Cameron Prince -- messing with
  JavaScript callouts in Vend::Util::change_url().

* Fix bug in change_pass function which could prevent password changes and
  cause case-matching problems with ignore_case set. Found and patch supplied
  by Mike Weisenborn.

* Fixed error in Vend::Interpolate::tag_mail where a code reference is used
  as a hash reference if the passed body is empty.

* Pass the locale name instead of the locale settings in
  Vend::Config::parse_locales() to POSIX::setlocale. This bug was discovered
  due to a buffer overflow in the FreeBSD C library. Thanks to Joachim
  Leidinger for reporting and pursuing this problem and Alexander Leidinger
  for debugging.

* Set SQL database attribute _Auto_number in Vend::Table::DBI::create method
  as we already did in Vend::Table::DBI::open_table.
* Removed unused code from Vend::Table::DBI which caused errors in recent
  versions of DBI and DBD::Pg.

* Log proper status codes from failed PGP runs.

* Fixed shipping.asc SQL query method.

Usertags
--------

* Fixed a bug in profile handling of table-editor tag that kept '$' in
  profiles from working right ($Values->{whatever} etc.). Also tolerate
  profiles that don't end with a newline (e.g. when quoted with |...|).

* [fedex-query] -- Updated FedEx URL, reported by Rick Boykin.

* Allow bounce targets (Window-Target: header).

* Fixed missing labels for checkbox and radio types and added display type
  to formel tag.

Admin UI
--------

* Added capability to page editor to cope with any ITL page instead of only
  the ones derived from the foundation demo.

* Owner field in the permission editor didn't propagate to the database.

* Fixed a bug in the permission check in the order and traffic statistics
  pages.

* Avoid spurious image on login page which appeared under certain conditions
  if the session had expired.

* Import page has a new option to replace existing items seamlessly by the
  imported set.

* Fix spurious "backup" error message in page_edit caused by search without
  backup database.

* Added mv_session_id to the forms in the layout page.

* Modifying Promotions using the Page Editor now references the correct
  Promotions list (from "Merchandising" or "Item Editor" meta data) instead
  of a static list specified in each component. It is now possible to add a
  promotion without having to modify component source code.

* Update b_company instead of company with other Bill To information.
  Reported by Grant Guttero.

* Fixed HTML output of table editor.

* Removed limit (effectively) on number of categories that can be generated
  with the "auto-populate" admin function.

* Fixed problem with wrong route in order entry page.

* Fixed bug in profile handling of table editor that kept '$' in profiles
  from working right ($Values->{whatever} and so on).
  Also tolerate profiles that don't end in a newline (e.g. when quoted with
  |...| in the table-editor tag).

Payment
-------

* Fixed bug where decimal pricing would not be forced, causing failure for
  round amounts with some gateways.

* Add penny_pricing option for those gateways which might not accept
  decimals.

Foundation
----------

* Use standard description display in cart to make sure onfly item
  descriptions work correctly.

* SQLDSN variable added.

* Fix postal abbreviation for Nunavut. Thanks to Kari Suomela for reporting.

* Relocated payment routes to the top of the Route chain to avoid order
  submission failures that can occur when customizing order routing calls.

* Relocated code on pages/ord/checkout that was outside of the page content
  area and therefore subject to truncation by the Page Editor.

* Fixed German translation of October in locale.txt.

* Moved code in checkout.html which manipulates shipmode for download-only
  orders to avoid lopping it off with the UI page editor.

Packaging
---------

* Minor RPM changes: Don't set Interchange to autostart on boot, since we're
  not starting it after install anyway. The administrator should decide
  whether to do those things.

* Check for demo catalog added in interchange-ui's postinst (fixes Debian bug
  #147705). Fixes inaccessible demo catalog if only interchange-ui is
  upgraded.

* Turned Depends of the libapache-mod-interchange Debian package on
  interchange into a Suggests; thanks to Christopher F. Miller for the
  suggestion.

* doc-base support added to libapache-mod-interchange Debian package.

* Fix bug in Makefile.PL when nocopy option passed, which wasn't fatal before
  Perl 5.8.0.

* Moved man pages in "doc" directory to "man".

* Added code to makecat to enable turning on INET mode and setting TcpMap
  when making a catalog using INET mode.

I18N
----

* Spanish locale added, made by Ignacio Lizarán and José Mª Revuelto.

* Continued the preparation of the UI pages and usertags for translation.
* Allow keys with dashes, dots and at symbols for locales.

* Introduced MV_LOCALE_NO_DEFAULTS to avoid defaults for currency settings
  on demand.

* Enabled locale parsing in the UI page viewer.

Miscellaneous
-------------

* Expire script didn't work with a VariableDatabase in SQL.

------------------------------------------------------------------------------

Interchange 4.8.5 released 2002-05-06.

* Fix bug in Vend::Util::send_mail, introduced when preventing possible
  security breach. The sendmail command needs the -t option if the recipient
  is only listed in the headers. Thanks to Kari Suomela and Gur for
  reporting.

* Improved German UI localization file.

* Clean up minor things on a few Foundation and UI pages.

------------------------------------------------------------------------------

Interchange 4.8.4 released 2002-04-30.

Core
----

* Avoid potential security problems if an unsafe email address is passed to
  the Vend::Util::send_mail function.

* Fixed cgi and value filters which were completely broken (Bug #380). Thanks
  to Jonathan Clark for reporting.

* Allow output of '0' from [if]...[else]0[/else][/if]. Thanks to Murahashi
  for finding this bug.

* Fixed bug in [if-item-param field eq string] which would not work due to
  improper field pointer type.

* Prevent converting exchange rates twice for shipping -- bug found and patch
  supplied by Frederic Steinfels.

* Reset &fail and &success before any profile check, otherwise stale values
  may appear even across catalogs.

* Fixed searches with op=em as single specification.

* row_hash returns undef now for memory databases too, instead of throwing
  an error if no row is found.

* Give better error message when a required catalog directive is missing
  (Bug #337). Use main file (usually catalog.cfg) instead of empty string or
  catalog_after.cfg (etc.) as example of where directive should go. Thanks to
  Jeff Murphy (jcmurphy+rhic@jeffmurphy.org) for reporting.

* Don't drop the session on the first time we switch over to the secure
  server.
* Reworked escaping while generating URLs, so now you can safely use:

    [area href="Catalog/Food/Hot Dogs"]

* Vend::Util::errmsg doesn't call sprintf anymore if only one parameter is
  passed, which protects against unwanted expansion.

* Use the usage function in interchange.PL in a more sensible way (it doesn't
  return anything).

Usertags
--------

* Changed ups_query to only pass on 5-digit base ZIP code in U.S., since UPS
  rejects ZIP+4. Thanks to Bill Carr for pointing out this requirement in
  Business::UPS docs.

* Added extra and js parameters to options tag.

* Added cause option to formel tag.

Admin UI
--------

* Fixed permission checks in several pages (thanks to Massimiliano Ciancio
  for investigating to audit the permission checks) and a typo in if-mm.

* Make link_template in layout.html editable (thanks to Mark Johnson for the
  patch).

* About links are working now in catalogs that are not based on foundation.

* Edit button which appears on flex_select page if database attribute LARGE
  is set works now as expected.

* Fixed display tag so it doesn't try to display empty labels.

* Fixed funny bug in date widget which occurred only on the 29th through 31st
  days of the month.

* Personal CSS removed from preferences. Neither worked nor made much sense.

* Make both icmenu searches of type db.

Payment
-------

* Updated Bank of America module from Mark Johnson.

* Improved documentation and added default URL in the Skipjack module. Thanks
  to Ron Phipps for this patch.

* Misspelled month name fixed in iTransact module which caused failure. Found
  by Cameron Prince.

* Fixed field name in AuthorizeNet module and a typo in the corresponding
  global sub (the latter reported by Daryl Houston).

Foundation
----------

* Make sure mv_successpage gets passed on from login page, so customers can
  go straight to an arbitrary members_only page instead of always
  'customerservice' (Bug #392). Thanks to Ron Phipps for reporting this
  problem.
* Removed trailing whitespace that caused browse page to contain Perl code
  garbage. Found by Salvador Caballe.

* Removed duplicates from category selection on the "Advanced Search" page.

* Added missing "Database UPPERCASE 1" settings in the Oracle database
  configuration. Thanks to Jonathan Lee for reporting this problem.

* Avoid Oracle constraint errors where empty string looks like NULL in
  country database.

* Changed way password is retrieved from userdb to preserve [ (without danger
  of tag output).

* Made dynamic_variable_file_only standard so that UI works.

* Fixed typo in checkout page (thanks to Seth Stone for detecting this
  problem).

Packaging
---------

* Username and password for UI superuser account are queried from the user
  by debconf for the interchange-cat-foundation Debian package.

* Directory /etc/interchange/usertag for locally used global usertags added
  to the interchange Debian package.

* Fixed overly strict dependency of the libapache-mod-interchange Debian
  package on apache-common. Thanks to Matthew Wilcox.

* Added version to dependency of the interchange Debian package on
  libsql-statement-perl, because newer versions cause Interchange to fail in
  some cases.

* interchange-ui Debian package now suggests a HTTPS server.

* Added check for expireall binary to cron job.

I18N
----

* New usertag [parse_locale] to allow on-the-fly parsing of [L]...[/L] and
  the like in usertags and variables.

* Allow here documents in locale configuration (depending on the value of
  MV_LOCALE_CHOMP_VALUES, see ja_JP.cfg for an example).

* New MV_CHARSET locale setting.

* Prepared more template pages for translation.

* Improved UI translations.

Quickbooks Extension
--------------------

* Restricted item description to 30 characters to avoid coredumps (thanks to
  Michael Wilk for pursuing this long enough).

* "INTL" showing up without country fixed.
* Keep regular Quickbooks invoice number progression.

* Quickbooks 2000 requires INVOICE instead of CASH SALE transaction type,
  even with "auto_create" users.

* Remove phone number & e-mail from bottom of "ship to" and "bill to"
  addresses.

Miscellaneous
-------------

* Stop expire script if catalog configuration fails and add catalog name to
  error message.

------------------------------------------------------------------------------

Interchange 4.8.3 released 2001-11-27.

Core and usertags
-----------------

* Some fairly major changes to limit exposure to the cross-site JavaScript
  vulnerabilities described in:

    http://www.cert.org/advisories/CA-2000-02.html

  The vulnerability is only serious if you have "CookieLogin Yes" in your
  catalog.cfg definition (as unfortunately was the case in foundation). It
  is recommended that you either set CookieLogin to No, or at least set

    SaveExpire 8 hours

  - Notably, [cgi ...] and [value ...] will not display < characters unless
    you specifically enable it with the enable-html=1 option. Normally this
    should cause no problems. If your site breaks because of this update,
    you can temporarily re-enable this with:

      Promiscuous Yes

    in your catalog.cfg file.

* New filter restrict_html. Called with:

    [filter restrict_html.a.b.i.u.p.br] [/filter]

  which prevents the
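The [cgi ...]/[value ...] change and the restrict_html filter above come down to one rule: every < in user-supplied data is text unless it opens or closes a tag on a named allowlist. The following added example models that rule in Python; it is not Interchange's Perl filter code. The names display_value, parse_filter_spec, restrict_html and apply_filter_spec, and the sample input, are assumptions, while the filter spec string follows the page's restrict_html.a.b.i.u.p.br form. It goes one step beyond the page's description by dropping all attributes from allowed tags, so an allowed <a> or <b> cannot carry an event handler or a javascript: URL.

```python
"""Added example: allowlist HTML filtering in the style of restrict_html.

Python model, not Interchange's own Perl code. Function names and the
sample input are assumptions; the filter spec string follows the page's
restrict_html.a.b.i.u.p.br form.
"""
import re
from html import escape

# One opening or closing tag: group 1 is "/" for a closing tag, group 2 is
# the tag name; whatever follows the name (attributes) is consumed whole.
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)\b[^<>]*>")


def display_value(value: str, enable_html: bool = False) -> str:
    """Model of [cgi ...] / [value ...] after 4.8.3: user-supplied data is
    escaped so '<' cannot start a tag, unless enable-html=1 was given."""
    if enable_html:
        return value
    return escape(value, quote=False)


def restrict_html(text: str, allowed) -> str:
    """Keep only tags whose name is in `allowed`; anything else that looks
    like markup is escaped into visible text. Attributes on allowed tags are
    dropped, so <a href="javascript:..."> or <b onmouseover=...> cannot
    survive the filter."""
    allowed = {name.lower() for name in allowed}
    out = []
    pos = 0
    for m in TAG_RE.finditer(text):
        # Text between tags is always escaped (handles bare '<' and '&').
        out.append(escape(text[pos:m.start()], quote=False))
        closing, name = m.group(1), m.group(2).lower()
        if name in allowed:
            out.append(f"<{closing}{name}>")
        else:
            out.append(escape(m.group(0), quote=False))
        pos = m.end()
    out.append(escape(text[pos:], quote=False))
    return "".join(out)


def parse_filter_spec(spec: str):
    """Split a spec such as 'restrict_html.a.b.i.u.p.br' into the filter
    name and its dot-separated tag list."""
    name, *tags = spec.split(".")
    return name, tags


def apply_filter_spec(spec: str, text: str) -> str:
    """Run the restrict_html filter described by `spec` over `text`."""
    name, tags = parse_filter_spec(spec)
    if name != "restrict_html":
        raise ValueError(f"unsupported filter: {name}")
    return restrict_html(text, tags)


if __name__ == "__main__":
    # Constructed sample: a customer-entered review with a stray script tag.
    sample = "<p>Great <b>value</b><br><script>alert(1)</script></p>"
    print(apply_filter_spec("restrict_html.a.b.i.u.p.br", sample))
```

The design choice worth noting is that the filter never tries to recognise "bad" tags; it only recognises good ones, so an unknown or misspelled tag, an uppercase SCRIPT, or a tag split by other markup all end up as harmless escaped text.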