------------------------------------------------------------------------------

      What's new in each version of Interchange
           (since the version 5.4 branch)

------------------------------------------------------------------------------


Interchange 5.4.2 released on 2007-02-06.


Core
----

* Fixed a DoS exploit. A carefully crafted HTTP POST request could cause an
  Interchange page processor to hang until it's killed by Interchange's
  periodic housekeeping routine. If several of these requests are received
  in quick succession then it could be possible to disable all of the page
  processors, rendering Interchange unresponsive for a while.
  Fixed by Kevin Walsh; pointed out by Donald Alexander.

* Worked around apparent Perl bug that allowed code called by
  DispatchRoutines to overwrite the routines arrays themselves.
  Found and fixed by Frederic Steinfels.

* Fixed [sql-quote] sub-tag (in the [query] tag), which didn't work properly
  if the column data spanned multiple lines, as it may do with an INSERT or
  UPDATE etc.

* Fixed masking of unencrypted credit card numbers to work with a custom
  MV_CREDIT_CARD_INFO_TEMPLATE that does not match the regexp. Also fixed
  the regexp so it removes the CVV2 value from the unencrypted data.

* Fixed shipping problem: The temporary mv_shipping cart was left undefined
  instead of being removed in some cases, which caused problems in later
  cart recalculations.

* Fixed a problem where get_option_hash would return the reference itself
  when passed one, instead of a copy. Thanks to Bruno Cantieni.

* Fixed bug which prevented &and and &or profile commands from working on a
  line by itself when used to join the previous and next profile checks.
  The following now works:

    username=required You must enter a username.
    &and
    username=unique mytable Sorry, that username is already taken.

Options
-------

* Fixed spurious hidden form element output for matrix options with separate
  widgets and report option set.

Payments
--------

* When using Linkpoint, only run check_sub (usually AVS) on SALE and PREAUTH,
  not POSTAUTH.

UI
--

* Use
 instead of the obsolete  element in the "Test code"
  page when using source mode for display. Don't filter entities when 
  using HTML mode for display.

* Use a path relative to the catroot instead of an absolute path to the
  catalog error.log file when displaying in the UI Administration/Info tab.

* Fixed broken admin 404 error page (which comes from Standard demo).

* Remove registration link to defunct icdevgroup.org page.

Standard demo
-------------

* Updated Discover Card logo. Provided by Steve Graham.

* Various special_pages/missing.html fixes:
  - Removed duplicate, sometimes-bogus MV_PREV_PAGE display.
  - Eliminated double-interpolation of page comparison.
  - Return missing special_page if there's no prod_group and catalog match.
  - Return results special_page if there is a match instead of results.html.

* If we don't match a prod_group and category in a missing page return the
  missing SpecialPage, not results.html. If we do have a match, display it in
  the results SpecialPage instead of hard coding it to results.html.

* Fixed bug in order returns for more than one return.

* Increased compatibility with XHTML and fixed some CSS.

* Cleaned up splash page and fixed broken links.

Packaging
---------

* Updated Czech and Swedish debconf template translation.

* Debian package requires Perl 5.8.8 and DBI 1.53 (etch versions).

* Fixed stupid typo in postinst script of interchange Debian package which
  caused creation of a directory named 775.

* Removed Business::UPS manual page on installation to avoid conflicts with
  libbusiness-ups-perl Debian package.

------------------------------------------------------------------------------


Interchange 5.4.1 released on 2006-05-27.


Widgets
-------

* Fixed regression in htmlarea widget which kept it from working with MSIE or
  browsers claiming to be compatible.

Tags
----

* add-gpg-key: Made parsing of results message more tolerant.
  Patch by Gert van der Spoel <ic@3edge.com>.

* pay-cert-redeem: Fixed rounding error that could make total comparisons
  wrong.

Configuration
-------------

* Check for "GoogleBot", rather than just "Google", in the RobotUA list, to
  prevent confusion with other UA values such as "GoogleToolbar" etc.

* Removed never-used SOAP_Host directive.

Profiles
--------

* Fixed a profile parsing bug:

  When reading an OrderProfile from an external config file (for instance,
  etc/profiles.login or similar), if there is a comment line immediately
  preceding the __NAME__ identifier then the first line of the profile is
  commented out. Actually any line preceding the __NAME__ line will silently
  be prepended to the first line of the profile; it just so happens a comment
  would be the likely offender.

  For example:

  # following profile confirms user input
  __NAME__ Login
    username=required Username had better be filled in.
    password=required Password is required.
  __END__

  Will result in a profile structure that looks like:

  # following profile confirms user input   username=required ...

  And the username check will never execute.

  Fixed by Brian Miller <brian@endpoint.com>.
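
  Added example, not part of the Interchange distribution: a small Python
  check that flags non-blank lines sitting outside any profile block ahead of
  a __NAME__ line, the condition described above, so profile files on an
  unpatched 5.4.0 install can be audited. The function name, the Account
  profile and the choice to flag every stray line (not only the one directly
  above __NAME__) are assumptions.

```python
import re

NAME_RE = re.compile(r"^\s*__NAME__\s+(\S+)")
END_RE = re.compile(r"^\s*__END__\s*$")

# Constructed sample: the Login profile from the entry above, plus a clean
# hypothetical Account profile.
SAMPLE = """\
# following profile confirms user input
__NAME__ Login
  username=required Username had better be filled in.
  password=required Password is required.
__END__

__NAME__ Account
  email=required Email is required.
__END__
"""

def audit_profiles(text):
    """Report non-blank lines found outside any profile block before __NAME__."""
    lines = text.splitlines()
    findings, stray, inside = [], [], False
    for idx, line in enumerate(lines):
        name = NAME_RE.match(line)
        if name:
            if stray:
                # The first non-blank body line is the check at risk.
                body = [l.strip() for l in lines[idx + 1:] if l.strip()]
                first = body[0] if body and not END_RE.match(body[0]) else ""
                findings.append({"profile": name.group(1),
                                 "stray": stray,
                                 "first_check": first})
            stray, inside = [], True
        elif END_RE.match(line):
            inside = False
        elif not inside and line.strip():
            # Assumption: flag every stray line, not only the adjacent one.
            stray.append((idx + 1, line.strip()))
    return findings

if __name__ == "__main__":
    for f in audit_profiles(SAMPLE):
        for line_no, content in f["stray"]:
            print(f"profile {f['profile']}: stray line {line_no}: {content!r}")
        print(f"  check at risk: {f['first_check']!r}")
```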

Core
----

* Fixed bug in parser that can cause an infinite loop when malformed ITL
  opening tags are encountered. Bug found and original patch supplied by
  Dan Collis-Puro <dan@endpoint.com>.

* In Vend::Ship:
  - Fixed thread-safety problem with shipping adder (and potentially other
    things).
  - Made log message manageable with ErrorDestination.
  - Allow a "quiet" shipmode that won't log missing areas.

* Made timeout for menu blank in Vend::Menu settable. Patch by Greg Hanson
  <greg@perusion.com>.

* Allow numerals in all but first position in unpack output areas.

* Improved Linkpoint payment module based on work provided by Josh Lavin.
  - Add ability to do POSTAUTH (settle_prior) in Interchange admin,
    including partial captures.
  - Add check_sub capability ala Vend::Payment::Signio.

* Fixed bug introduced in previous change to cert_path logic attempting
  to allow relative paths. If the certs/ directory was not directly
  in VENDROOT and no cert_path was defined, no search for a certs/
  directory would happen.

* Fixed typo in logging subroutine call in Vend::Data.

Link
----

* Merged Interchange::Link changes from development branch, to add support for
  mod_perl 2.

Admin
-----

* In order_view page, display proper state and zip.

* Fixed non-interpolating [process] and [form-session-id] tags, remove stray
  double-quote from HTML tag, correct nonexistent cellmargin table attribute.
  Thanks to Steve Graham <icdev@mrlock.com> for reporting problem.

Standard demo
-------------

* Updated UPS Postal rates.

* In etc/mail_receipt, don't expose admin's session ID when they enter an
  order for a user.

* In checkout new_browser_payment* fragments, fix unmatched [msg] tags.
  Found by Steve Graham.

* Fixed bad SKU in cart links. Thanks to Steve Graham.

* Added closing font tag in search_box_small component. Thanks to Steve
  Graham.

Packaging
---------

* Made some minor corrections to the UPGRADING document.

* Fixed bug in interchange Debian package which caused 
  initial install to fail. 

* Added Swedish debconf template translation, updated Russian and French ones.

* A number of other minor Debian package improvements.


------------------------------------------------------------------------------


Interchange 5.4.0 released on 2005-12-23.


------------------------------------------------------------------------------

(end)