------------------------------------------------------------------------------
What's new in each version of Interchange (since the version 5.0 branch)
------------------------------------------------------------------------------

Interchange 5.0.2 released 2005-09-22.

Security
--------

* Fix ITL injection hole in pages/forum/submit.html.

------------------------------------------------------------------------------

Interchange 5.0.1 released 2004-03-29.

Security
--------

* Plug a security hole which allows an attacker to expose arbitrary variable
  contents by using a URL like http://shop.example.com/cgi-bin/store/__SQLUSER__.
  All Interchange applications using the standard "missing" special page from
  the demo catalog or a similar one are vulnerable to this attack. The attacker
  may learn the SQL access information for your Interchange application and use
  this information to read and manipulate sensitive data.

* Disallow [ and < in page names when setting MV_PAGE and MV_PREV_PAGE
  variables.

* Prevent login information from getting re-saved on a session cancel.

* Define a set of CGI keys that we don't want to save to disk, as
  @Global::HideCGI.

* Don't show sensitive (i.e. @Global::HideCGI) CGI variables in a dump. This
  allows saving a session to disk for diagnostic purposes in case of order
  failure.

Core
----

* Allow [dump no-cgi=1 no-session=1 no-env=1] to fine-tune the dump.

* Tolerate leading whitespace in query in Vend::Form.

Admin
-----

* Fix bug where affiliate reports don't filter based on that.

* Make reports with no specified end_date work.

* Fix missing relocation variables in Vend::Table::Editor found by
  Paul Vinciguerra.

Usertags
--------

* history-scan: Make pageonly=1 option work correctly when there's no History
  saved in the user's session.

Foundation
----------

* Remove unmatched from cart_display component.
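The two 5.0.1 page-name checks in the Security section above (refusing __NAME__ variable tokens such as __SQLUSER__, and refusing [ and < in MV_PAGE / MV_PREV_PAGE) can also be run retroactively over web-server access logs to find requests that hit the hole before the upgrade. The following is an added example, not Interchange's own code; the matching rules, the CGI prefix and the log lines are assumptions modelled on the changelog entries.

```python
import re
from urllib.parse import unquote

# Assumed rules modelled on the 5.0.1 entries, not Interchange's own code:
# __NAME__ is the variable syntax the "missing" page interpolated (the
# advisory's example is __SQLUSER__); 5.0.1 also refuses '[' (ITL tag opener)
# and '<' (HTML) in MV_PAGE / MV_PREV_PAGE.
VARIABLE_TOKEN = re.compile(r"__[A-Za-z0-9_]+__")
FORBIDDEN_CHARS = frozenset("[<")


def page_name_problems(page):
    """Return the reasons a requested page name should be refused (an empty
    list means the name is acceptable).  The name is percent-decoded first so
    that %5B / %3C cannot slip past the character check."""
    page = unquote(page)
    problems = [f"forbidden character {c!r}" for c in sorted(FORBIDDEN_CHARS & set(page))]
    problems += [f"variable token {t}" for t in VARIABLE_TOKEN.findall(page)]
    return problems


def scan_access_log(lines, cgi_prefix="/cgi-bin/store/"):
    """Run page_name_problems() over the page part of every request path in
    common-log-format lines; returns [(line_no, path, problems), ...]."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]   # drop the query string
        if not path.startswith(cgi_prefix):  # only the Interchange catalog
            continue
        problems = page_name_problems(path[len(cgi_prefix):])
        if problems:
            hits.append((n, path, problems))
    return hits


# Constructed sample lines (hypothetical addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2004:10:00:01 +0000] "GET /cgi-bin/store/index.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [29/Mar/2004:10:00:07 +0000] "GET /cgi-bin/store/__SQLUSER__ HTTP/1.1" 200 812',
    '192.0.2.12 - - [29/Mar/2004:10:00:09 +0000] "GET /cgi-bin/store/%3Cb%3Ehome.html?mv_pc=1 HTTP/1.1" 404 301',
    '192.0.2.13 - - [29/Mar/2004:10:00:12 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, path, problems in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {path}: {', '.join(problems)}")
```

The same page_name_problems() check is what a pre-5.0.1 catalog would want in front of its "missing" special page; on the sample log it flags lines 2 and 3 and passes the ordinary page request.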
Debian
------

* Add libhtml-parser-perl to Build-Depends to keep HTML::Entities module out
  of the package (Closes: #224435, thanks to Henrik Holmboe for the bug report)

* Switch to gettext-based debconf templates (Closes: #235494, thanks to
  Martin Quinson for the patch)

------------------------------------------------------------------------------
(end)