------------------------------------------------------------------------------
What's new in each version of Interchange (on the version 5.6 stable branch)
------------------------------------------------------------------------------

See UPGRADE document for a list of incompatible changes.

Interchange 5.6.2 released 2009-09-17.

Core
----

* Close remote disclosure security vulnerability, and added new configuration
  option AllowRemoteSearch to selectively re-enable remote searches on "safe"
  tables. Defaults to products, variants and options. Please see UPGRADE for
  important information on upgrading your catalogs to prevent any problems.

* Fixed rare bug that caused requests to / URL with a query string to fail,
  e.g.:

      http://hostname/?somevar=1

  Interchange in that case looked for a page called "/?somevar=1".
  Thanks to David Christensen for the fix.

* Fixed BounceReferrals bugs: Correctly pass through query strings, and
  prevent redirection loops. Use DirectoryIndex for root URL instead of
  "process". Thanks to David Christensen.

* Various UTF-8 improvements.

* Update broken getppid() detection for Perl 5.10.0.

* Fixed cross site scripting exploit in account creation (#306).

* Make sure catalog TemplateDir and ErrorFile directives are safe when
  NoAbsolute is set.

* Remove CVV2 (Card Security Code) from default credit card encrypted block
  template so that it will not even be stored in encrypted form. This makes
  the default behavior compliant with section 3.2.2 of PCI-DSS 1.2:

      https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

  It is of course still possible to manually supply a template that stores
  the card security code in violation of PCI-DSS requirements, so developers
  should review any custom credit card encryption templates to make sure that
  the CVV2 is not included, and purge it from any historical data.

* Fixed rare bug that caused requests to / URL with a query string to fail.

* Correct .access functionality directly in pages/. .access worked in
  subdirectories like pages/abc/, but didn't work directly under pages/.
  Instead of looking for pages/.access, it was looking for
  pages/PAGENAME/.access.

* Fix catalog name not appearing in DebugTemplate output.

* Fix bug which prevented custom widget type from working. Found by Jeff Boes.

* Remove CVV2/CSC from default credit card encrypted block template for
  PCI-DSS compliance.

* Require Digest::SHA1 module in the sha1 filter.

* Abort daemon startup when required module is missing and clean up error
  output.

* Don't ignore case of passed options to compile_link.

* Fix problem restarting daemon in PreFork mode.

Tags
----

* Made [email] process cc and bcc options for plain text emails (#250).

* Updated usps-query tag with country map and latest shipmodes. By Josh Lavin.

* Fix omission of media type in output. By Thomas J.M. Burton.

UI
--

* Recognize Opera as DHTML browser. Thanks to Don Hathaway for the patch.

* Fix broken form action quoting. Thanks to Richard Templet.

* Add framekiller for clickjacking defense in template. Probably we are
  unlikely to have problems in the standard template, but you never know.

Jobs
----

* Added job group name to error message on missing catalog.

Standard demo
-------------

* Fixed wrong URLs in language selection (#265). Thanks to Friedrich
  Strohmaier for the report.

* Fix cross site scripting error found by Josh Lavin of Perusion.

* Fix default shipmode on admin/entry page.

* Make forum only available for logged-in users, as spammers are exploiting
  it constantly.

* Prevent an incomprehensible error when following an order link that was
  created on an mv_tmp_session page or other non-connecting session.

* Avoid possible problem with read-only variable table by using @@MV_PAGE@@
  instead of @_MV_PAGE_@.

* Removed javascript that submits the form if the user changes his email
  preferences. By René Hertell.

* Corrected min/max username length.

* Correct update of saved company value for shipping address.

Packaging
---------

* Updated Debconf templates for Vietnamese, Swedish, German, French, and
  Basque.

------------------------------------------------------------------------------

Interchange 5.6.1 released 2008-11-13.

Core
----

* Fixed regression in Vend::Table::DBI::set_slice for the following usage
  pattern (RT #200):

      $Db{table}->set_slice('', %parms));

* Quell bogus warnings from Encode::Alias (#224). Thanks to Andy and
  Rene Hertell.

* Added Nunavut to the list of valid Canadian provinces (#231). Thanks to
  Mathew Jones for the report.

* Fix vulnerability where a string passed in the mv_order_item CGI variable is
  displayed verbatim without any input sanitation if there is a valid sku in
  mv_sku. Thanks to Mat from Bibliopolis for discovering and reporting the
  vulnerability.

* Fixed deficiency in Levies, where multiple handling modes separated by null
  would not work as in the old subtotal calculation model.

* Allow XML posts by e.g. Google Checkout, which broke in Interchange 5.6.0
  (RT #219). By Andy.

* Corrected logic flaw that applied UTF-8 handling in some cases where it
  shouldn't have. Fixed by David Christensen.

UserTag
-------

* We are vulnerable to cross-site scripting problems any time there is a
  call. You can get around this, of course, with instead. That is a bit of a
  mess, though, so I added an alias for that called "evalue". You call it
  with [evalue address1], which is identical to
  [value keep=1 filter="encode_entities" name=address1].

Widgets
-------

* Prevent cross-site scripting problem in the country-select widget. Found
  and fixed by Josh Lavin of Perusion.

Admin UI
--------

* Fixed regression in ContentEditor.pm to make it possible again to create
  files via the Admin interface.

Payment
-------

* If the tmp/wget directory (or more properly
  "$Vend::Cfg->{ScratchDir}/wget") did not exist, use_wget mode would error
  out. Change code to make directory if non-existent, and give better error
  if by some strange chance a file existed there.

Standard demo
-------------

* Made userdb password field nullable for Postgres, to avoid new user
  creation problems.

* Disabled product comment to prevent spam showing up on default
  installations.

* Provide reasonable defaults for shipping mode and country at checkout to
  avoid "not enough information" errors.

* Modified include/checkout forms to use evalue. There are undoubtedly many
  other places it should be put in. But until this is evaluated properly I
  don't want to do it all over the place. You can do so with this one liner,
  at least pretty reliably:

      perl -pi -e 's{value="\[(value\s+[-\w]+\])}{value="[e$1}g'

  I think we have gotten rid of all VALUE= uppercase kind of things, but if
  not we should now.

Packaging
---------

* Numerous Debian packaging and localization updates.

------------------------------------------------------------------------------

Interchange 5.6.0 released on 2008-05-21.

(end)
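As an added illustration of the evalue alias and the form migration one-liner from the 5.6.1 notes above (example code written for this document, not Interchange's own implementation): the tag expander is a hypothetical stand-in for the [value] and [evalue] tags, and SAMPLE_VALUES is constructed input.

```python
import html
import re

# Constructed sample CGI values; address1 carries markup so the difference
# between raw and entity-encoded output is visible.
SAMPLE_VALUES = {
    "address1": 'Main St" onmouseover="alert(1)',
    "city": "Springfield",
}

# Hypothetical stand-in for the Interchange tags (not the project's code):
# [value NAME] echoes the CGI value verbatim, while [evalue NAME] behaves like
# [value keep=1 filter="encode_entities" name=NAME] and entity-encodes it.
TAG_RE = re.compile(r"\[(value|evalue)\s+([-\w]+)\]")


def expand_tags(template, values):
    """Expand [value X] raw and [evalue X] entity-encoded."""
    def repl(match):
        tag, name = match.group(1), match.group(2)
        raw = values.get(name, "")
        if tag == "evalue":
            # encode_entities equivalent: <, >, &, " and ' become entities
            return html.escape(raw, quote=True)
        return raw
    return TAG_RE.sub(repl, template)


# The migration one-liner from the 5.6.1 notes, as a Python substitution:
#   s{value="\[(value\s+[-\w]+\])}{value="[e$1}g
MIGRATE_RE = re.compile(r'value="\[(value\s+[-\w]+\])')


def migrate_form(source):
    """Rewrite value="[value NAME]" attributes to value="[evalue NAME]"."""
    return MIGRATE_RE.sub(r'value="[e\1', source)


if __name__ == "__main__":
    form = '<input name="address1" value="[value address1]">'
    # Raw expansion lets the value close the attribute and add a handler.
    print(expand_tags(form, SAMPLE_VALUES))
    # After migration the quote is encoded and stays inside the attribute.
    print(expand_tags(migrate_form(form), SAMPLE_VALUES))
```

Like the one-liner it mirrors, migrate_form only matches the bare [value NAME] form; tags written as [value name=NAME] are left untouched and need to be converted separately.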