[interchange-cvs] [SCM] Interchange branch, STABLE_5_6-branch, updated. 4334287f258c50cc482f6a5799b18b0de3b8c321

Jon Jensen interchange-cvs at icdevgroup.org
Thu Sep 17 22:10:31 UTC 2009


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".

The branch, STABLE_5_6-branch has been updated
       via  4334287f258c50cc482f6a5799b18b0de3b8c321 (commit)
       via  32277eb5951a35434fe7c475797dfef3d4bcc2f2 (commit)
       via  4387b5468090c760b43672d6454d0a1c536fd045 (commit)
       via  e108da714d6b67f26d6b0820fd3076f72222df87 (commit)
       via  a22d436f98d39936155387564d5fbc957d928465 (commit)
       via  81cb89650985fa424e4a947195d4ef15d4e5667a (commit)
       via  a980bd146cfb454e4a1a52c5eee2ee7a492056ec (commit)
       via  0cf9f998079a7739f2c950b6c4a40b7bb5581919 (commit)
       via  7c71c1e40ed74d65e95cc33e8fb1d466159390c7 (commit)
       via  f0284271cd910c4cb2977015ca8aeca6a958aae5 (commit)
       via  5606d16ab90adcf69743a20831c0eb61f6ab0fb4 (commit)
       via  8cc0689924585e7dfeca0d8a3dbf05d9fb8e06b2 (commit)
       via  92080d385cf4c5316dfea572a2b95e883bf275f0 (commit)
       via  204ee8941f31cf1cfa3ea1448e911d859075366a (commit)
       via  9187360b8e29ea315943139efb9c6b7d9a88ebdc (commit)
       via  d53e98ef7f83908cfedbe26799565d655f028a0e (commit)
       via  fa406f47603f3e25c0175cc422d5e3d5146c00cf (commit)
       via  625f06c2421bc177e22a47724028980d432a1543 (commit)
       via  a071a7c1e90a62f949bb370940bdfd2bf28e4063 (commit)
       via  d4225dac393291e07cc36d3b877a565b1e11d564 (commit)
       via  cc4e2e1f542cc1be65a746dc688423b6a75818b0 (commit)
       via  b7277900fedf03c30a1bb47b23deeb4d78c9afbf (commit)
       via  586547ad68fbeadfc5cba14fabc34564b2f08003 (commit)
       via  e7026fca1081a5b79c53fb15d599b9ca884dc189 (commit)
       via  6f6ed4a6b7e916985a04cb6c1dbae265ed0faab9 (commit)
       via  84f1ca4798c91781578208ee703ba447f83ee9ef (commit)
       via  d7ccf10bcbf37e30aa68f1b3288a256bfcd2d46c (commit)
       via  26a34b5e69e68f990ce818be8a55522ea9c886be (commit)
       via  5631458fd077bba9896325d9de89f4db7cf01804 (commit)
       via  10ad96e62fe6e9f45255124c06c07beba5db18b0 (commit)
       via  29f5151a4bdc513666a1142eacd1c6d80382a38f (commit)
       via  09fe58fd0d7f27effb768eed428a13cf5cc222c7 (commit)
       via  e61f8eb01f1ef8a7414caef78489b1e8653195ae (commit)
       via  5dd0cf2a516f8edcea9212a7191fd776916f46df (commit)
       via  5ec0f91820a74ccd17033af7b8ca7e9564ab0340 (commit)
       via  21283ad40d9d4e02f1b590d5b5d2b52a5d147c01 (commit)
       via  f5c679c50ef03172f0ad477f39bcece91f2a171a (commit)
       via  58cb83e179000300bb5fa90e30b357a35b32c3c8 (commit)
       via  6d618a6ea8cd0303f0312321679c9f65343f27db (commit)
       via  f34ce1b78f76a266ec61d581f67a04a4b8d46890 (commit)
       via  3e2bc5fc14cc1d3d7374be19d8a6e80397678814 (commit)
       via  e9d7464c98c0a7bc88fd30d1e4250b9c9fbf7f42 (commit)
       via  172bde2e38c68c1d2a2b2e1a9c56a35202a94291 (commit)
      from  6474979578adcd017764a5c302a3a0f6ada5cf77 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 4334287f258c50cc482f6a5799b18b0de3b8c321
Author: Jon Jensen <jon at endpoint.com>
Date:   Wed Sep 16 09:58:56 2009 -0600

    Sync manifest

commit 32277eb5951a35434fe7c475797dfef3d4bcc2f2
Author: Stefan Hornburg (Racke) <racke at linuxia.de>
Date:   Wed Sep 16 17:45:17 2009 +0200

    bump up version number and date
    updates to documentation (WHATSNEW, README-DEVELOPMENT)

commit 4387b5468090c760b43672d6454d0a1c536fd045
Author: Jon Jensen <jon at endpoint.com>
Date:   Wed Sep 16 08:24:46 2009 -0600

    Update release notes with changes backported from master

commit e108da714d6b67f26d6b0820fd3076f72222df87
Author: Jon Jensen <jon at endpoint.com>
Date:   Sun Nov 16 05:04:07 2008 +0000

    Fix two occasionally broken tests.
    
    Two tests of the [query] tag and built-in SQL parser relied on the results
    being returned in a particular order, even though SQL's result sets are not
    ordered by default.
    
    Fixed this by specifying a sort order and setting the results to match.

commit a22d436f98d39936155387564d5fbc957d928465
Author: Jon Jensen <jon at endpoint.com>
Date:   Thu Dec 4 23:37:16 2008 +0000

    Fix default shipmode due to incomplete [either] clause.
    
    Also remove stray ] above and clean up indenting.
    
    Fix by JT Justman <jt at endpoint.com>.

commit 81cb89650985fa424e4a947195d4ef15d4e5667a
Author: Jon Jensen <jon at endpoint.com>
Date:   Wed Dec 31 17:46:05 2008 +0000

    Fixed rare bug that caused requests to / URL with a query string to fail, e.g.:
    
        http://hostname/?somevar=1
    
    Interchange in that case looked for a page called "?somevar=1" and of course
    didn't find it.
    
    Thanks to David Christensen <david at endpoint.com> for the fix.

commit a980bd146cfb454e4a1a52c5eee2ee7a492056ec
Author: Davor Ocelic <docelic at spinlocksolutions.com>
Date:   Thu Jan 8 18:43:13 2009 +0000

    * Correct .access functionality directly in pages/
    
      .access worked in subdirectories like pages/abc/, but didn't work directly
      under pages/. (Instead of looking for pages/.access, it was looking for
      pages/PAGENAME/.access)

commit 0cf9f998079a7739f2c950b6c4a40b7bb5581919
Author: Mike Heins <mike at perusion.com>
Date:   Wed Jan 28 03:59:44 2009 +0000

    * Add framekiller for clickjacking defense in template. Probably we are
      unlikely to have problems in the standard template, but you never know.

commit 7c71c1e40ed74d65e95cc33e8fb1d466159390c7
Author: Gert van der Spoel <gert at 3edge.com>
Date:   Tue Feb 10 15:06:54 2009 +0000

    there is no ::Catalog apparently (anymore?), ::Cat does return the catalog name, this is for the DebugTemplate directive

commit f0284271cd910c4cb2977015ca8aeca6a958aae5
Author: Mike Heins <mike at perusion.com>
Date:   Fri Feb 27 16:23:07 2009 +0000

    * Make forum only available for logged-in users, as spammers are
      exploiting it constantly.

commit 5606d16ab90adcf69743a20831c0eb61f6ab0fb4
Author: Mark Johnson <mark at endpoint.com>
Date:   Fri Mar 6 01:38:25 2009 +0000

    Map from Josh Lavin for countries in country.txt that need to be changed for USPS

commit 8cc0689924585e7dfeca0d8a3dbf05d9fb8e06b2
Author: Mike Heins <mike at perusion.com>
Date:   Fri Mar 20 18:59:35 2009 +0000

    * Fix bug found by Jeff Boes <jeff at endpoint.com> which prevented custom
      widget type from working.

commit 92080d385cf4c5316dfea572a2b95e883bf275f0
Author: Mike Heins <mike at perusion.com>
Date:   Tue Apr 7 13:29:37 2009 +0000

    * Prevent an incomprehensible error when following an order link that was
      created on an mv_tmp_session page or other non-connecting session.

commit 204ee8941f31cf1cfa3ea1448e911d859075366a
Author: Jon Jensen <jon at endpoint.com>
Date:   Wed Apr 8 17:25:21 2009 +0000

    Avoid possible problem with read-only variable table by using @@MV_PAGE@@ instead of @_MV_PAGE_@.
    
    This is the only place in Interchange we use @_MV_PAGE_@, which isn't
    necessary because MV_PAGE is always global.
    
    More details at this blog comment I wrote:
    
    http://blog.endpoint.com/2009/04/subverting-subversion-for-fun-and.html?showComment=1239148380000#c3445687618157063638

commit 9187360b8e29ea315943139efb9c6b7d9a88ebdc
Author: Jon Jensen <jon at endpoint.com>
Date:   Thu May 28 14:36:11 2009 -0700

    Fix omission of media type in <link> output
    
    Patch by Thomas J.M. Burton <tom at globalfocusdm.com>. Thanks!

commit d53e98ef7f83908cfedbe26799565d655f028a0e
Author: René Hertell <interchange at hertell.com>
Date:   Wed Jun 10 01:26:28 2009 +0300

    Removed javascript that submits the form if the user changes his email-preferences.
    
    It's better to let the user make the final decision if he wants to submit the stock-alert form after all.

commit fa406f47603f3e25c0175cc422d5e3d5146c00cf
Author: René Hertell <interchange at hertell.com>
Date:   Wed Jun 10 01:43:35 2009 +0300

    Added some missing end-tags

commit 625f06c2421bc177e22a47724028980d432a1543
Author: Stefan Hornburg (Racke) <racke at linuxia.de>
Date:   Mon Jun 15 16:10:39 2009 +0200

    Added job group name to error message on missing catalog.

commit a071a7c1e90a62f949bb370940bdfd2bf28e4063
Author: Jon Jensen <jon at endpoint.com>
Date:   Thu Jun 18 22:56:42 2009 -0600

    Remove CVV2/CSC from default credit card encrypted block template
    
    The card security code should not be stored at all, even in encrypted
    form. This makes the default behavior compliant with section 3.2.2 of
    PCI-DSS 1.2:
    
    https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
    
    It is of course still possible to manually supply a template that
    stores the card security code in violation of PCI-DSS requirements, so
    developers should review any custom credit card encryption templates
    to make sure that the CVV2 is not included, and purge it from any
    historical data they have stored.
    
    Thanks to Mark Lipscombe for calling attention to this.

commit d4225dac393291e07cc36d3b877a565b1e11d564
Author: Jon Jensen <jon at endpoint.com>
Date:   Thu Jun 25 15:48:24 2009 +0200

    Unbuffer output as early as possible
    
    This stops the confusing out-of-order mixing of regular and error messages
    during startup. And output was being unbuffered later on anyway.
    
    Also update copyright years and remove CVS $Id$ tag.

commit cc4e2e1f542cc1be65a746dc688423b6a75818b0
Author: Jon Jensen <jon at endpoint.com>
Date:   Thu Jun 25 15:50:04 2009 +0200

    Specifically require Digest::SHA1 module
    
    This should give more helpful error messages for those upgrading since
    Digest::SHA1 wasn't part of Bundle::Interchange historically but has
    been since January 2008.

commit b7277900fedf03c30a1bb47b23deeb4d78c9afbf
Author: Jon Jensen <jon at endpoint.com>
Date:   Sat Jun 27 17:38:50 2009 +0200

    Abort daemon startup when required module is missing and clean up error output
    
    Fix problem with eval $@ error result's scope in global Perl module
    require routine. This was caused because logGlobal contains an eval
    itself that overrides $@. Now when a "Require module Something::Special"
    directive is issued and not satisfied, it is fatal as was originally
    intended.
    
    Remove logGlobal call that results in duplicate error output.
    
    Correctly say "Aborting Interchange daemon" instead of "Aborting
    catalog" when dying on global config errors.

commit 586547ad68fbeadfc5cba14fabc34564b2f08003
Author: Gert van der Spoel <ic at 3edge.com>
Date:   Tue Jul 14 10:20:08 2009 +0200

    Corrected min/max username length
    
    Currently you can set a username with a length between 2 and 64.
    ship_addresses.html was testing on usernames between 4 and 10.
    
    Any account created with a username < 4 or > 10 would result in
    an error such as: username length XX more than maximum length 10.
    
    Reported by René Hertell.

commit e7026fca1081a5b79c53fb15d599b9ca884dc189
Author: Gert van der Spoel <ic at 3edge.com>
Date:   Tue Jul 14 15:00:29 2009 +0200

    Correct update of saved company value for shipping address
    
    get_shipping on ord/shipping.html does not update the company-field in
    the demo. All other values are getting updated.
    
    This was due to missing 'company' in @S_FIELDS list.
    
    Reported by René Hertell (http://rt.icdevgroup.org/125)

commit 6f6ed4a6b7e916985a04cb6c1dbae265ed0faab9
Author: Peter Ajamian <peter at pajamian.dhs.org>
Date:   Sat Aug 15 04:32:02 2009 -0700

    Don't ignore case of passed options to compile_link.
    
    compile_link was confusing the -s socketfile option with the new -S status
    because Getopt::Long ignores option case by default.  This fixes the problem by
    passing the no_ignore_case config parameter to Getopt::Long.

commit 84f1ca4798c91781578208ee703ba447f83ee9ef
Author: Jon Jensen <jon at endpoint.com>
Date:   Wed Sep 16 07:42:33 2009 -0600

    Remove bogus execute bit

commit d7ccf10bcbf37e30aa68f1b3288a256bfcd2d46c
Author: Mark Johnson <mark at endpoint.com>
Date:   Tue Sep 1 14:53:37 2009 -0600

    Fix problem restarting daemon in PreFork mode
    
    Previously, restart was failing, stating it couldn't find the previous
    Interchange running, and would keep creating StartServers new servers on
    every restart. Only SIGKILL was able to kill all PreFork children.
    
    The original code was just being stupid (and I can say that freely
    since I wrote it). I had in my head that as child PIDs died, %Page_pids
    and %Starting_pids would be culled. However, that process only happens
    through normal operations (housekeeping, ChildLife or MRPC, etc.)--not
    when I send the kid a TERM!

commit 26a34b5e69e68f990ce818be8a55522ea9c886be
Author: Jon Jensen <jon at endpoint.com>
Date:   Tue Sep 1 15:43:29 2009 -0600

    Update USPS international rate names and add script that fetches them
    
    Also cleaned up some POD errors.
    
    Thanks to Josh Lavin and Mat Jones.

commit 5631458fd077bba9896325d9de89f4db7cf01804
Author: Jon Jensen <jon at endpoint.com>
Date:   Tue Sep 1 17:52:32 2009 -0600

    Update copyright year in Standard demo page footer

commit 10ad96e62fe6e9f45255124c06c07beba5db18b0
Author: Jon Jensen <jon at endpoint.com>
Date:   Tue Sep 1 18:02:27 2009 -0600

    Fix test failing because 12/2008 is now in the past

commit 29f5151a4bdc513666a1142eacd1c6d80382a38f
Author: Peter Ajamian <peter at pajamian.dhs.org>
Date:   Tue Sep 15 21:08:45 2009 -0700

    Note recent commits

commit 09fe58fd0d7f27effb768eed428a13cf5cc222c7
Author: Stefan Hornburg (Racke) <racke at linuxia.de>
Date:   Tue Sep 8 19:57:42 2009 +0200

    check whether directory is allowed before, not after path expansion
    (cherry picked from commit 4f17bcc6c33d2f891be2256005a835061159e9b9)

commit e61f8eb01f1ef8a7414caef78489b1e8653195ae
Author: Jon Jensen <jon at endpoint.com>
Date:   Tue Sep 8 09:15:14 2009 -0600

    Fix bug that didn't tolerate relative TemplateDir settings
    (cherry picked from commit 45471c43eacbf641c205a3abdd5f787d8b499347)

commit 5dd0cf2a516f8edcea9212a7191fd776916f46df
Author: Jon Jensen <jon at endpoint.com>
Date:   Mon Sep 7 23:45:39 2009 -0600

    Disallow abuse of writes via ErrorFile when NoAbsolute is set
    
    Exploit reported by Peter Ajamian.
    (cherry picked from commit 9b6872cabea98440451efac8565f4050350116ef)

commit 5ec0f91820a74ccd17033af7b8ca7e9564ab0340
Author: Jon Jensen <jon at endpoint.com>
Date:   Mon Sep 7 23:07:31 2009 -0600

    parse_dir_array: Validate paths for NoAbsolute etc.
    (cherry picked from commit 08a1fdeb0cf66e2499844c96ab9e826857174fe3)

commit 21283ad40d9d4e02f1b590d5b5d2b52a5d147c01
Author: Jon Jensen <jon at endpoint.com>
Date:   Mon Sep 7 23:05:24 2009 -0600

    parse_relative_dir: Use standard absolute_or_relative() check
    
    Use standard routines to check for absolute or subdirectory-escaping
    paths instead of duplicate logic here.
    
    Remove comment that's somewhat misleading since relative paths are
    absolutized all over in other routines too.
    (cherry picked from commit 7fcf35230ecfa91929165bf0129847752272576a)

commit f5c679c50ef03172f0ad477f39bcece91f2a171a
Author: Jon Jensen <jon at endpoint.com>
Date:   Mon Sep 7 23:03:18 2009 -0600

    Make sure catalog TemplateDir directives are safe when NoAbsolute is set
    (cherry picked from commit 239f9a3b19506dd2da369c3c8c047acf0f3b2d7f)

commit 58cb83e179000300bb5fa90e30b357a35b32c3c8
Author: Jon Jensen <jon at endpoint.com>
Date:   Mon Sep 7 23:01:47 2009 -0600

    Set $Vend::Cat as early as possible
    
    This solves a chicken-and-egg problem for configuration-time code that
    works fine once the catalog is fully configured.
    (cherry picked from commit 74803e29a89d02d353739b9ee4f74c9db3a88938)

commit 6d618a6ea8cd0303f0312321679c9f65343f27db
Author: Jon Jensen <jon at endpoint.com>
Date:   Tue Sep 1 19:53:25 2009 -0600

    Prevent TemplateDir from circumventing NoAbsolute constraints
    
    Problem reported by Peter Ajamian.
    (cherry picked from commit f265e8a282e61bb46a14ebfd41a842f13d96db17)

commit f34ce1b78f76a266ec61d581f67a04a4b8d46890
Author: Jon Jensen <jon at endpoint.com>
Date:   Tue Sep 1 18:28:12 2009 -0600

    Move AllowedFileRegex from catalog into global configuration
    
    This prevents catalog-level tampering of the regular expression used for
    checking paths are allowed by NoAbsolute. It is set at startup time but
    before as a catalog configuration entry could be manipulated even in
    Safe page code.
    
    Problem reported by Peter Ajamian.

commit 3e2bc5fc14cc1d3d7374be19d8a6e80397678814
Author: Jon Jensen <jon at endpoint.com>
Date:   Tue Sep 15 16:24:55 2009 -0600

    Move version number to 5.6.2

commit e9d7464c98c0a7bc88fd30d1e4250b9c9fbf7f42
Author: Jon Jensen <jon at endpoint.com>
Date:   Tue Sep 15 16:24:47 2009 -0600

    Development moved from CVS to Git

commit 172bde2e38c68c1d2a2b2e1a9c56a35202a94291
Author: Mark Lipscombe <markl at gasupnow.com>
Date:   Wed Jul 8 08:33:28 2009 +0000

    Fix remote disclosure security vulnerability
    
    Add new configuration option AllowRemoteSearch to selectively re-enable
    remote searches on "safe" tables. Defaults to products, variants and
    options.
    
    Please see UPGRADE for important information on upgrading your catalogs
    to prevent any problems.

-----------------------------------------------------------------------

Summary of changes and diff:
 MANIFEST                                           |    4 +-
 Makefile.PL                                        |    4 +-
 README                                             |    8 +-
 README-DEVELOPMENT                                 |  108 +++++++++++++
 README.cvs                                         |  167 --------------------
 README.rpm-dist                                    |   12 +-
 SPECS/interchange.spec                             |    5 +-
 UPGRADE                                            |  163 +++++++++++++++++++
 WHATSNEW-5.6                                       |   82 +++++++++-
 code/Filter/sha1.filter                            |    6 +-
 .../base_url.coretag => SystemTag/search.coretag}  |   10 +-
 code/UserTag/css.tag                               |    6 +-
 code/UserTag/usps_query.tag                        |  101 ++++++++----
 configure                                          |    4 +-
 debian/changelog                                   |    5 +-
 debian/interchange.docs                            |    4 +-
 dist/lib/UI/pages/admin/entry.html                 |    9 +-
 dist/lib/UI/pages/include/templates/ui_type1       |    1 +
 dist/lib/UI/pages/include/templates/ui_type2       |    1 +
 dist/lib/UI/pages/include/templates/ui_type3       |    1 +
 dist/lib/UI/pages/include/templates/ui_type5       |    1 +
 dist/lib/UI/vars/UI_STD_FILE_NAV                   |    6 +-
 dist/standard/catalog.cfg                          |   30 ++---
 dist/standard/etc/profiles.order                   |   10 ++
 dist/standard/include/layout/leftonly              |    1 +
 dist/standard/include/layout/leftright             |    1 +
 dist/standard/include/layout/noleft                |    1 +
 dist/standard/pages/forum/display.html             |    4 +-
 dist/standard/pages/forum/reply.html               |    1 +
 dist/standard/pages/forum/submit.html              |    1 +
 dist/standard/pages/function/stock_alert.html      |    2 +-
 dist/standard/pages/lost_password.html             |  160 +++++++++++++------
 dist/standard/pages/member/ship_addresses.html     |    2 +-
 dist/standard/pages/query/unsub.html               |    5 +
 dist/standard/products/mv_metadata.asc             |    2 +-
 dist/standard/variables/COPYRIGHT                  |    2 +-
 dist/test/products/tests.asc                       |   90 ++++++++++-
 eg/usps/get-intl-rate-names                        |   70 ++++++++
 lib/Vend/Config.pm                                 |   49 ++++---
 lib/Vend/Dispatch.pm                               |   20 ++--
 lib/Vend/File.pm                                   |   16 +-
 lib/Vend/Interpolate.pm                            |    2 +-
 lib/Vend/Order.pm                                  |    1 -
 lib/Vend/Page.pm                                   |   27 +++-
 lib/Vend/Scan.pm                                   |    5 +-
 lib/Vend/Server.pm                                 |   31 ++---
 lib/Vend/Table/Editor.pm                           |    5 +-
 lib/Vend/UserDB.pm                                 |    1 +
 lib/Vend/Util.pm                                   |   48 ++++--
 scripts/compile_link.PL                            |    2 +-
 scripts/interchange.PL                             |   27 ++--
 51 files changed, 888 insertions(+), 436 deletions(-)
 create mode 100644 README-DEVELOPMENT
 delete mode 100644 README.cvs
 copy code/{UI_Tag/base_url.coretag => SystemTag/search.coretag} (51%)
 mode change 100644 => 100755 debian/changelog
 mode change 100644 => 100755 debian/interchange.docs
 create mode 100755 eg/usps/get-intl-rate-names
 mode change 100755 => 100644 lib/Vend/UserDB.pm

diff --git a/MANIFEST b/MANIFEST
index 3bd7490..84def75 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -177,6 +177,7 @@ code/SystemTag/row.coretag
 code/SystemTag/salestax.coretag
 code/SystemTag/scratch.coretag
 code/SystemTag/scratchd.coretag
+code/SystemTag/search.coretag
 code/SystemTag/search_region.coretag
 code/SystemTag/selected.coretag
 code/SystemTag/set.coretag
@@ -1039,6 +1040,7 @@ eg/te
 eg/usertag/benchmark.tag
 eg/usertag/isindex.tag
 eg/usertag/sleep.tag
+eg/usps/get-intl-rate-names
 eg/usps/html2tab
 eg/usps/join123local
 eg/usps/makezone
@@ -1157,7 +1159,7 @@ Makefile.PL
 MANIFEST			This list of files
 MANIFEST.SKIP
 README
-README.cvs
+README-DEVELOPMENT
 README.debian
 README.rpm-dist
 relocate.pl
diff --git a/Makefile.PL b/Makefile.PL
index b104e00..45cbdad 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -28,7 +28,7 @@ my @mods_to_get;
 my @remove_old;
 my $Lock_troubles;
 
-$VERSION = '5.6.1';
+$VERSION = '5.6.2';
 
 my @os_hints;
 eval {
@@ -154,7 +154,7 @@ sub copyright_prompt {
 
  Interchange V$VERSION
  
- Copyright (C) 2002-2008 Interchange Development Group.
+ Copyright (C) 2002-2009 Interchange Development Group.
  Copyright (C) 1996-2002 Red Hat, Inc.
  Interchange is free under the terms of the GNU General Public License.
 
diff --git a/README b/README
index 632a280..306d49a 100644
--- a/README
+++ b/README
@@ -2,9 +2,9 @@
 
                            I N T E R C H A N G E
 
-Interchange 5.6.1
+Interchange 5.6.2
 
-Copyright (C) 2002-2008 Interchange Development Group
+Copyright (C) 2002-2009 Interchange Development Group
 Copyright (C) 1996-2002 Red Hat, Inc.
 
 Originally based on Vend 0.2 and 0.3, copyright 1995-96 by Andrew M. Wilcox.
@@ -101,8 +101,8 @@ as an unprivileged user who will be the only one modifying Interchange files.
 
 Here is the quick installation summary:
 
-    tar xvzf interchange-5.6.1.tar.gz
-    cd interchange-5.6.1
+    tar xvzf interchange-5.6.2.tar.gz
+    cd interchange-5.6.2
     perl Makefile.PL
     make
     make test
diff --git a/README-DEVELOPMENT b/README-DEVELOPMENT
new file mode 100644
index 0000000..cb54f6d
--- /dev/null
+++ b/README-DEVELOPMENT
@@ -0,0 +1,108 @@
+------------------------------------------------------------------------------
+
+                   Tracking Interchange development in Git
+
+------------------------------------------------------------------------------
+
+If you don't want to wait for an official release, you can use Git to follow
+the latest Interchange development.
+
+WARNING: There may be bugs introduced at any time! Thoroughly test any changes
+before incorporating. Better yet, don't use Git changes for anything but
+fixing relevant bugs, and run the latest stable release.
+
+
+Browse Git tree online
+----------------------
+
+To browse the Interchange Git repository online, visit:
+
+http://git.icdevgroup.org/interchange/
+
+
+Clone a local copy
+------------------
+
+See instructions on cloning and working with a local Git working copy at:
+
+http://www.icdevgroup.org/i/dev/download
+
+
+Make a distribution tar file
+----------------------------
+
+It's best to build a distribution tar file to install from, rather than
+installing straight from your Git working copy. To do so:
+
+	$ cd interchange
+	$ perl Makefile.PL nocopy
+	Writing Makefile for Interchange
+	$ make tardist
+    # much output ...
+	$ ls interch*.tar.gz
+	interchange-5.7.1.tar.gz
+
+
+Unpack and install
+------------------
+
+Unpack the tar file and install as normal. See the README file and other
+documentation for help. You should already be familiar with the Interchange
+developer website at:
+
+	http://www.icdevgroup.org/
+
+Make sure you don't put your Git working copy at $HOME/interchange
+and then install on top of it, since $HOME/interchange is the default
+install directory.
+
+
+Updating
+--------
+
+Follow development discussions by joining the interchange-announce and
+interchange-users mailing lists.
+
+Keep track of ongoing code changes by joining the interchange-cvs mailing
+list, or watching the interchange/interchange repository in GitHub.
+
+In many cases, the major differences in the distribution will be easily
+updateable. You can copy any changed files directly to these library
+directories:
+
+	lib/Vend    (and all subdirectories)
+	lib/UI      (and all subdirectories)
+
+You should check the files:
+
+	catalog_after.cfg     (infrequently updated)
+	catalog_before.cfg    (frequently updated)
+	interchange.cfg.dist  (infrequently updated)
+	usertag/*             (infrequently updated)
+
+Finally, you should check differences in the bin/* files. While they
+are not as frequently updated as the lib/* files, they do change. Run
+diffs against the source files in scripts/*.PL, or do another install
+to a blank directory and do a diff to that.
+
+
+Keeping the catalog in sync
+---------------------------
+
+If you are patterning your order methods after one of the template
+catalogs, you will want to check the products/*.txt and products/*.asc
+files for changes. In particular, mv_metadata.asc is used to format
+and present quite a few things in the user interface. You may have
+to merge the databases, but there is an automated admin UI facility
+that can help you do this.
+
+
+Troubleshooting
+---------------
+
+If you get a complaint that a "file is not found" when trying to do a
+'make tardist' or 'make dist', that means your MANIFEST file is out of
+sync with the current codebase. Just do:
+
+	rm MANIFEST
+	make manifest
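Review bot: the sample output `interchange-5.7.1.tar.gz` under "Make a distribution tar file" does not match this branch, where the Makefile.PL hunk in the same push sets `$VERSION = '5.6.2'`; either show `interchange-5.6.2.tar.gz` or a version-neutral placeholder so people building from STABLE_5_6-branch are not confused by the name they actually get. Two smaller points in the same hunk: the `# much output ...` line is indented with spaces while the rest of that transcript uses tabs, and the "Updating" section, unlike the `cvs update -Pd` example in the README.cvs this file replaces, never shows the Git command that refreshes a working copy; a `git pull` line in the same place would keep the new document equivalent to the old one.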
diff --git a/README.cvs b/README.cvs
deleted file mode 100644
index 1e648c6..0000000
--- a/README.cvs
+++ /dev/null
@@ -1,167 +0,0 @@
-------------------------------------------------------------------------------
-
-                   Tracking Interchange development in CVS
-
-------------------------------------------------------------------------------
-
-If you don't want to wait for an official release, you can use anonymous
-CVS to follow the latest Interchange development.
-
-WARNING: There may be bugs introduced at any time! Thoroughly test any
-changes before incorporating. Better yet, don't use CVS changes for
-anything but fixing present bugs, and run the latest release.
-
-
-Browse CVS tree online
-----------------------
-
-To browse Interchange CVS contents online, simply point your web
-browser to http://www.icdevgroup.org/cgi-bin/cvsweb/interchange/ .
-
-
-Check-out a local copy
-----------------------
-
-You need to have CVS installed on your system, to begin with. It
-comes pre-installed on most free Unix-like systems if you selected
-the development tools at install time. See http://www.cvshome.org/
-for download locations if you don't have it.
-
-If you are already an experienced CVS user, the information is:
-
-	CVSROOT   :pserver:cvs at cvs.icdevgroup.org:/var/cvs
-	password  (none)
-	module    interchange
-
-If you are not experienced with CVS, it is still easy to get going by
-following these steps. First, choose a place to put the local copy you're
-going to check out. A good choice is somewhere in your home directory,
-probably a src/ subdirectory:
-
-	$ cd
-	$ mkdir src
-	$ cd src
-	$ cvs -z3 -d :pserver:cvs at cvs.icdevgroup.org:/var/cvs checkout -P interchange
-
-It will take a while, as there are several megabytes of files to download.
-
-
-Make a distribution tar file
-----------------------------
-
-If it is your first time installing Interchange from the CVS, you will want
-to make a distribution tar file:
-
-	$ cd interchange
-	$ perl Makefile.PL nocopy
-	Writing Makefile for Interchange
-	$ make tardist
-	/usr/local/bin/perl -I/YOUR/PERL/LIB -MExtUtils::Manifest=manicopy,maniread \
-	-e "manicopy(maniread(),'interchange-4.9.x', 'best');"
-	mkdir interchange-5.0.0
-	mkdir interchange-5.0.0/dist
-	....
-	$ ls interch*.tar.gz
-	interchange-5.0.0.tar.gz
-
-
-Unpack and install
-------------------
-
-Unpack the tar file and install as normal. See the README file and other
-documentation for help. You should already be familiar with the Interchange
-developer website at:
-
-	http://www.icdevgroup.org/
-
-Make sure you don't check out your CVS copy into $HOME/interchange
-and then install on top of it, since $HOME/interchange is the default
-install directory.
-
-
-Checking for differences
-------------------------
-
-If you want to see how your current working files compare to the versions
-you checked out from the repository, cd into your checked out CVS copy and
-do:
-
-	cvs diff | less
-
-
-Updating
---------
-
-To update the distribution, change to your checked out CVS directory
-(e.g. src/interchange), and then run:
-
-	$ cvs update -Pd
-	U MANIFEST
-	U WHATSNEW
-	....
-
-In many cases, the major differences in the distribution will be easily
-updateable. You can copy any changed files directly to these library
-directories:
-
-	lib/Vend    (and all subdirectories)
-	lib/UI      (and all subdirectories)
-
-You should check the files:
-
-	catalog_after.cfg     (infrequently updated)
-	catalog_before.cfg    (frequently updated)
-	interchange.cfg.dist  (infrequently updated)
-	usertag/*             (infrequently updated)
-
-Finally, you should check differences in the bin/* files. While they
-are not as frequently updated as the lib/* files, they do change. Run
-diffs against the source files in scripts/*.PL, or do another install
-to a blank directory and do a diff to that.
-
-
-Keeping the catalog in sync
----------------------------
-
-If you are patterning your order methods after one of the template
-catalogs, you will want to check the products/*.txt and products/*.asc
-files for changes. In particular, mv_metadata.asc is used to format
-and present quite a few things in the user interface. You may have
-to merge the databases, but there is an automated admin UI facility
-that can help you do this.
-
-
-Troubleshooting
----------------
-
-If you get a complaint that a "file is not found" when trying to do a
-'make tardist' or 'make dist', that means your MANIFEST file is out of
-sync with the current codebase. Just do:
-
-	rm MANIFEST
-	make manifest
-
-
-More on CVS
------------
-
-It is highly recommended that you create a .cvsrc file in your home
-directory to automatically use common options such as these:
-
-	cvs -z3 -q
-	diff -u
-	update -Pd
-	checkout -P
-
-This directs CVS to (1) automatically compress all data communicated
-between you and our server (saving bandwidth) and be quiet (printing
-out fewer diagnostic messages); (2) show context-sensitive, recursive
-diffs; (3) prune empty directories and create any new directories added
-to the repository since your checkout; and (4) prune empty directories
-during your checkouts.
-
-Please see the CVS website for complete documentation:
-
-	http://www.cvshome.org/
-
-
diff --git a/README.rpm-dist b/README.rpm-dist
index b9d43c0..980e34b 100644
--- a/README.rpm-dist
+++ b/README.rpm-dist
@@ -31,7 +31,7 @@ the Interchange user ID to write/create files.
 
 Sessions and temporary files: /var/cache/interchange.
 
-Documentation: /usr/share/doc/interchange-5.6.1.
+Documentation: /usr/share/doc/interchange-5.6.2.
 
 On a dedicated production server, it is wise to segregate as many of these
 directories as possible onto their own partitions, to prevent problems if
@@ -45,7 +45,7 @@ usually come supplied with your operating system, so you will need to
 install them yourself. It's best to locate RPMs for each of the needed
 Perl modules and install them. To get a complete list of dependencies, do:
 
-rpm -qp --requires interchange-5.6.1-1.*.rpm
+rpm -qp --requires interchange-5.6.2-1.*.rpm
 
 Unfortunately, there's not currently a reliable, steady source of the latest
 CPAN modules in RPM format for most operating systems. Thus the easiest way
@@ -66,14 +66,14 @@ perl -MCPAN -e'install Bundle::InterchangeKitchenSink'
 
 INSTALL
 
-rpm -Uvh interchange-5.6.1-1.*.rpm
-rpm -Uvh interchange-standard-5.6.1-1.*.rpm
+rpm -Uvh interchange-5.6.2-1.*.rpm
+rpm -Uvh interchange-standard-5.6.2-1.*.rpm
 
 If you have installed CPAN modules from source, rather than RPM, you'll need
 to install the main interchange package without dependency checking because
 RPM doesn't know about those modules you installed:
 
-rpm -Uvh --nodeps interchange-5.6.1-1.*.rpm
+rpm -Uvh --nodeps interchange-5.6.2-1.*.rpm
 
 
 STARTING/RESTARTING INTERCHANGE
@@ -133,7 +133,7 @@ installation:
 
 INSTALL
 
-rpm -Uvh interchange-standard-demo-5.6.1-1.*.rpm
+rpm -Uvh interchange-standard-demo-5.6.2-1.*.rpm
 
 
 USING THE DEMO
diff --git a/SPECS/interchange.spec b/SPECS/interchange.spec
index e362bcc..788f81f 100644
--- a/SPECS/interchange.spec
+++ b/SPECS/interchange.spec
@@ -19,7 +19,7 @@
 
 Summary: Interchange web application platform
 Name: interchange
-Version: 5.6.1
+Version: 5.6.2
 Release: 1
 Vendor: Interchange Development Group
 Group: System Environment/Daemons
@@ -383,6 +383,9 @@ fi
 
 
 %changelog
+* Tue Sep 15 2009 Jon Jensen <jon at endpoint.com> 5.6.2-1
+- Update for new release.
+
 * Sun Nov  9 2008 Jon Jensen <jon at endpoint.com> 5.6.1-1
 - Update for new release.
 
diff --git a/UPGRADE b/UPGRADE
index 556e686..360cef7 100644
--- a/UPGRADE
+++ b/UPGRADE
@@ -28,6 +28,12 @@ following versions:
           facing side should be fairly straightforward to port. See
           "UPGRADING FROM 4.6.x" below.
 
+ ALL VERSIONS -- A security vulnerability has been found that allows
+          remote searching of any table in your database configured in
+          Interchange.  To fix this vulnerability, you may need to 
+          make some adjustments to your catalog.  See "REMOTE SEARCHING"
+          below.
+
 INSTALLING INTERCHANGE IN THE SAME LOCATION
 --------------------------------------------
 
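Review bot: two of the added lines carry trailing whitespace ("you may need to " and "adjustments to your catalog.  See "REMOTE SEARCHING""); strip it before this lands in a release tarball. It would also help readers scanning this version table if the notice named 5.6.2 as the release that carries the fix, since the neighbouring entries are keyed by version and this one is keyed "ALL VERSIONS".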
@@ -487,3 +493,160 @@ Interchange:
     UserTags, UI_Tag etc.)  The message is only a warning as your local UserTag
     will override the global one.  If you didn't mean to override the global
     tag of the same name then simply rename your tag and restart Interchange.
+
+
+REMOTE SEARCHING
+----------------
+
+A security vulnerability was recently discovered where any table configured
+in your Interchange installation could be viewed remotely by an unauthenticated
+user via a specially crafted search request.
+
+This is a serious vulnerability, and all previous versions of Interchange are
+affected. Even if you do not use the default search structure, your catalog
+is likely to still be vulnerable.
+
+To resolve this, a new configuration option, AllowRemoteSearch has been
+introduced. It should be specified in each catalog configuration, and defaults
+to:
+
+     AllowRemoteSearch products variants options
+
+Any table specified in this option will be remotely searchable, and you should
+not permit any table with sensitive information to be searched in this way. You
+should carefully consider the implications of adding any further tables to this
+configuration option.
+
+Remote searches may be used by your existing catalog. These should continue
+working without any changes as long as they only search tables that are permitted
+by the AllowRemoteSearch configuration. You should carefully examine your
+catalog for uses of the "search" form action, or pages which submit a form to
+a page called "search" or "scan". If they specify a search file other than
+products, variants or options, you should consider rewriting that page to just
+accept the search terms via CGI parameters, and not the entire search. Please
+consult the documentation on in page searches at:
+
+     http://www.icdevgroup.org/doc/icdatabase.html#In-Page%20Searches
+
+If your catalog makes use of ActionMaps that perform searches, these should
+continue to work as intended as long as they search a table allowed by 
+AllowRemoteSearch. However, you should consider updating them to use the 
+new "search" tag.  For example, an existing ActionMap that performs a search
+like this:
+
+   ActionMap old_cat <<EOR
+   sub {
+        my ($action, $class) = split('/', shift);
+
+        $class =~ s/_/ /g;
+
+        # Originally, search parameters were placed in the CGI hash.
+        $CGI->{co} = 1;
+        $CGI->{fi} = 'products';
+        $CGI->{st} = 'db';
+        $CGI->{sf} = 'category';
+        $CGI->{se} = "$class";
+        $CGI->{sp} = 'results';
+        $CGI->{tf} = 'category,description:f';
+        $CGI->{op} = 'eq';
+
+        $CGI->{mv_todo} = 'search';
+        $CGI->{mv_nextpage} = 'results';
+        # And the "update" tag was called to re-evaluate the page with
+        # the provided search parameters.
+        $Tag->update('process');
+        return 1;
+   }
+   EOR
+
+Would be updated to instead look like this:
+
+   ActionMap new_cat <<EOR
+   sub {
+        my ($action, $class) = split('/', shift);
+
+        $class =~ s/_/ /g;
+
+        # Now, you must create a hash to hold the search
+        # parameters.
+        my $search;
+        $search->{co} = 1;
+        $search->{fi} = 'products';
+        $search->{st} = 'db';
+        $search->{sf} = 'category';
+        $search->{se} = "$class";
+        $search->{sp} = 'results';
+        $search->{tf} = 'category,description:f';
+        $search->{op} = "eq";
+
+        $CGI->{mv_nextpage} = 'results';
+        # And call the new search tag, which isn't subject to the
+        # AllowRemoteSearch restrictions.
+        $Tag->search({ search => $search });
+
+        return 1;
+   }
+   EOR
+
+If you are using a modern version of the standard catalog as the basis
+for your catalog, there is a special subroutine that provides friendly
+URLs for product categories, but is not a traditional ActionMap.  Similar
+to the example above, you will need to alter your catalog.cfg, replacing
+the entire Sub ncheck_category with:
+
+Sub ncheck_category <<EOS
+sub {
+    my ($name) = @_;
+    return unless $name =~ m{^[A-Z]};
+    $name =~ s,_, ,g;
+    my ($prod_group, $category) = split m{/}, $name;
+
+    my $search;
+    $search->{co} = 1;
+    $search->{fi} = 'products';
+    $search->{st} = 'db';
+    $search->{sf} = join "\0", 'prod_group', 'category';
+    $search->{op} = join "\0", 'eq', 'eq';
+    $search->{se} = join "\0", $prod_group, $category;
+    $search->{sp} = 'results';
+    $search->{mv_todo} = 'search';
+    $Tag->search({ search => $search });
+    if (($o = $Search->{''}) && @{$o->{mv_results}}) {
+        return (1,  $Config->{Special}->{results});
+    }
+
+    return;
+}
+EOS
+
+In the standard and foundation catalogs, the "lost password" feature makes use
+of the remote search feature to be able to retrieve lost passwords. We recommend
+that you remove catalog/pages/query/get_password.html from your catalog, and
+replace catalog/pages/lost_password.html with an updated version from this
+distribution. As an alternative, you may apply the following patch to your
+existing catalog/pages/query/get_password.html:
+
+diff --git a/dist/standard/pages/query/get_password.html
+b/dist/standard/pages/query/get_password.html
+index 2d70c84..5aa51f1 100644
+--- a/dist/standard/pages/query/get_password.html
++++ b/dist/standard/pages/query/get_password.html
+@@ -32,8 +32,10 @@ ui_template_name: leftonly
+        if( $Scratch->{tried_pw_retrieve}++ > 10 ) {
+                return "No way, Jos&eacute;. Too many times.";
+        }
+     $CGI->{mv_todo} = 'search';
+        $Config->{NoSearch} = '';
++       push(@{$Config->{AllowRemoteSearch}},'userdb');
++       return;
+ [/perl]
+ [update process]
+ [search-region]
+
+This is not a recommended solution, and is only a workaround until you can
+consider the changes in the updated lost password page.
+
+If you do not wish to upgrade your Interchange installation to fix this
+vulnerability, patches for all currently supported Interchange versions are
+also available from http://www.icdevgroup.org/. You will still need to
+follow the upgrade advice contained here.
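Review bot: the get_password.html workaround pushes 'userdb' onto `$Config->{AllowRemoteSearch}` and nothing in the quoted patch removes it again, so the text should state how long that widening lasts (this request only, or until the server process exits) before describing it as a stopgap; if the list persists in the running process, the user table stays remotely searchable for later requests, which is the exposure this section exists to close. Two smaller points: the two examples disagree on mv_todo (the new_cat ActionMap drops it, while ncheck_category still sets `$search->{mv_todo} = 'search'`), so say whether the search tag needs it; and in the embedded patch the `$CGI->{mv_todo} = 'search';` context line is indented differently from its neighbours, which suggests whitespace was altered in transit, so anyone applying it by copy-and-paste should expect to fix that up.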
diff --git a/WHATSNEW-5.6 b/WHATSNEW-5.6
index ab271dc..d9e1d35 100644
--- a/WHATSNEW-5.6
+++ b/WHATSNEW-5.6
@@ -8,16 +8,19 @@
 See UPGRADE document for a list of incompatible changes.
 
 
-Interchange 5.6.2 not yet released.
+Interchange 5.6.2 released 2009-09-17.
 
-UserTag
--------
-
-* Made [email] process cc and bcc options for plain text emails (#250).
 
 Core
 ----
 
+* Close remote disclosure security vulnerability, and added new configuration
+  option AllowRemoteSearch to selectively re-enable remote searches on "safe"
+  tables. Defaults to products, variants and options.
+
+  Please see UPGRADE for important information on upgrading your
+  catalogs to prevent any problems.
+
 * Fixed rare bug that caused requests to / URL with a query string to fail, e.g.:
 
   http://hostname/?somevar=1
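Review bot: the new Core entry mixes tenses ("Close remote disclosure security vulnerability, and added new configuration option"); use one tense within the entry. Since this is the headline fix of the release, also state here which versions are affected (UPGRADE says all previous versions) so a reader skimming WHATSNEW sees the scope without opening UPGRADE.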
@@ -36,10 +39,51 @@ Core
 
 * Fixed cross site scripting exploit in account creation (#306).
 
+* Make sure catalog TemplateDir and ErrorFile directives are safe when
+  NoAbsolute is set.
+
+* Remove CVV2 (Card Security Code) from default credit card encrypted block
+  template so that it will not even be stored in encrypted form. This makes
+  the default behavior compliant with section 3.2.2 of PCI-DSS 1.2:
+
+  https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
+
+  It is of course still possible to manually supply a template that stores
+  the card security code in violation of PCI-DSS requirements, so developers
+  should review any custom credit card encryption templates to make sure that
+  the CVV2 is not included, and purge it from any historical data.
+
+* Fixed rare bug that caused requests to / URL with a query string to fail.
+
+* Correct .access functionality directly in pages/
+    
+  .access worked in subdirectories like pages/abc/, but didn't work directly
+  under pages/. Instead of looking for pages/.access, it was looking for
+  pages/PAGENAME/.access
+
+* Fix catalog name not appearing in DebugTemplate output.
+
+* Fix bug which prevented custom widget type from working. Found by Jeff Boes.
+
+* Remove CVV2/CSC from default credit card encrypted block template for
+  PCI-DSS compliance.
+
+* Require Digest::SHA1 module in the sha1 filter.
+
+* Abort daemon startup when required module is missing and clean up error output.
+
+* Don't ignore case of passed options to compile_link.
+
+* Fix problem restarting daemon in PreFork mode.
+
 Tags
 ----
 
-* Made [email] process Cc and Bcc options for plain text emails.
+* Made [email] process cc and bcc options for plain text emails (#250).
+
+* Updated usps-query tag with country map and latest shipmodes. By Josh Lavin.
+
+* Fix omission of media type in <link> output. By Thomas J.M. Burton.
 
 UI
 --
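Review bot: two entries in this hunk duplicate entries already present in the Core section: "Fixed rare bug that caused requests to / URL with a query string to fail." repeats the earlier entry of the same text (which also carries the example URL), and "Remove CVV2/CSC from default credit card encrypted block template for PCI-DSS compliance." repeats the longer CVV2 entry a few lines above it. Drop the short duplicates. The blank line after "* Correct .access functionality directly in pages/" also carries trailing spaces.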
@@ -48,6 +92,14 @@ UI
 
 * Fix broken form action quoting. Thanks to Richard Templet <richard at endpoint.com>.
 
+* Add framekiller for clickjacking defense in template. Probably we are
+  unlikely to have problems in the standard template, but you never know.
+
+Jobs
+----
+
+* Added job group name to error message on missing catalog.
+
 Standard demo
 -------------
 
@@ -56,6 +108,24 @@ Standard demo
 
 * Fix cross site scripting error found by Josh Lavin of Perusion.
 
+* Fix default shipmode on admin/entry page.
+
+* Make forum only available for logged-in users, as spammers are exploiting it
+  constantly.
+
+* Prevent an incomprehensible error when following an order link that was
+  created on an mv_tmp_session page or other non-connecting session.
+
+* Avoid possible problem with read-only variable table by using @@MV_PAGE@@
+  instead of @_MV_PAGE_@
+
+* Removed javascript that submits the form if the user changes his
+  email preferences. By René Hertell.
+
+* Corrected min/max username length.
+
+* Correct update of saved company value for shipping address.
+
 Packaging
 ---------
 
diff --git a/code/Filter/sha1.filter b/code/Filter/sha1.filter
index 2246872..640f0f4 100644
--- a/code/Filter/sha1.filter
+++ b/code/Filter/sha1.filter
@@ -1,11 +1,11 @@
-# Copyright 2007 Interchange Development Group and others
+# Copyright 2007-2009 Interchange Development Group and others
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version. See the LICENSE file for details.
-# 
-# $Id: sha1.filter,v 1.1 2007-07-24 02:24:43 jon Exp $
+
+Require module Digest::SHA1
 
 CodeDef sha1 Filter
 CodeDef sha1 Description sha1 sum
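Review bot: `Require module Digest::SHA1` turns a filter-only dependency into a startup requirement for every installation, given the WHATSNEW entry in this same push that the daemon now aborts startup when a required module is missing. If that is intended, list Digest::SHA1 alongside the other required modules in the RPM spec and the CPAN bundle and mention it in UPGRADE; otherwise load the module inside the filter routine so installations that never use the sha1 filter are unaffected.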
diff --git a/code/UI_Tag/base_url.coretag b/code/SystemTag/search.coretag
similarity index 51%
copy from code/UI_Tag/base_url.coretag
copy to code/SystemTag/search.coretag
index 003f7a9..0b0413b 100644
--- a/code/UI_Tag/base_url.coretag
+++ b/code/SystemTag/search.coretag
@@ -1,11 +1,11 @@
-# Copyright 2002-2007 Interchange Development Group and others
+# Copyright 2002-2009 Interchange Development Group and others
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.  See the LICENSE file for details.
-# 
-# $Id: base_url.coretag,v 1.4 2007-03-30 23:40:54 pajamian Exp $
 
-UserTag base-url Version $Revision: 1.4 $
-UserTag base-url Routine sub { return $Vend::Cfg->{VendURL} }
+UserTag search              Order        search
+UserTag search              addAttr
+UserTag search              Version      $Revision: 1.5 $
+UserTag search              MapRoutine   Vend::Page::do_search
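Review bot: the new search tag ships with no documentation in the file. A tag that deliberately bypasses AllowRemoteSearch (as UPGRADE describes it) should carry at least a comment or POD block saying that it runs the search without the remote-search restriction, what keys the `search` hash accepts, and that the caller is responsible for the table it names. Smaller points: the Version line still uses a CVS `$Revision: 1.5 $` keyword while usps_query.tag in this same push switches to a literal version and the `$Id` lines are being removed elsewhere; and the copyright line copied from base_url.coretag reads 2002-2009 for a file that is new in this release.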
diff --git a/code/UserTag/css.tag b/code/UserTag/css.tag
index ebd2bd1..65105d9 100644
--- a/code/UserTag/css.tag
+++ b/code/UserTag/css.tag
@@ -1,11 +1,9 @@
-# Copyright 2003-2007 Interchange Development Group and others
+# Copyright 2003-2009 Interchange Development Group and others
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.  See the LICENSE file for details.
-# 
-# $Id: css.tag,v 1.8 2007-03-30 23:40:56 pajamian Exp $
 
 UserTag css Order   name
 UserTag css addAttr
@@ -124,7 +122,7 @@ sub {
 			or logError("Error writing CSS file %s, returning in page", $fn);
 	}
 
-	return qq{<link rel="stylesheet" href="$url">}  if $success;
+	return qq{<link rel="stylesheet" href="$url"$extra>} if $success;
 	return qq{<style type="text/css">\n$css</style>};
 }
 EOR
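Review bot: `$extra` is interpolated into the `<link>` attribute list in the returned string, but its definition is not in this hunk; confirm it is built in the lines above and that any media value placed in it is HTML-attribute-escaped, since this is the change WHATSNEW describes as adding the media type to the `<link>` output.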
diff --git a/code/UserTag/usps_query.tag b/code/UserTag/usps_query.tag
index 405db32..a9a249f 100644
--- a/code/UserTag/usps_query.tag
+++ b/code/UserTag/usps_query.tag
@@ -1,15 +1,13 @@
-# Copyright 2002-2007 Interchange Development Group and others
+# Copyright 2002-2009 Interchange Development Group and others
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.  See the LICENSE file for details.
-# 
-# $Id: usps_query.tag,v 1.7 2007-03-30 23:40:57 pajamian Exp $
 
 UserTag  usps-query  Order   service weight
 UserTag  usps-query  addAttr
-UserTag  usps-query  Version $Revision: 1.7 $
+UserTag  usps-query  Version 1.10
 UserTag  usps-query  Routine <<EOR
 
 sub {
@@ -23,18 +21,19 @@ sub {
 			      'BPM'         => 1,
 			      'LIBRARY'     => 1,
 			      'MEDIA'       => 1,
-			      'GLOBAL EXPRESS GUARANTEED DOCUMENT SERVICE'     => 1,
-			      'GLOBAL EXPRESS GUARANTEED NON-DOCUMENT SERVICE' => 1,
-			      'GLOBAL EXPRESS MAIL (EMS)'                      => 1,
-			      'GLOBAL PRIORITY MAIL - FLAT-RATE ENVELOPE (LARGE)' => 1,
-			      'GLOBAL PRIORITY MAIL - FLAT-RATE ENVELOPE (SMALL)' => 1,
-			      'GLOBAL PRIORITY MAIL - VARIABLE WEIGHT (SINGLE)' => 1,
-			      'AIRMAIL LETTER-POST'                            => 1,
-			      'AIRMAIL PARCEL POST'                            => 1,
-			      'ECONOMY (SURFACE) LETTER-POST'                  => 1,
-			      'ECONOMY (SURFACE) PARCEL POST'                  => 1,
-			      'POSTCARDS - AIRMAIL'                            => 1,
-			      'AEROGRAMMES - AIRMAIL'                          => 1,
+			      'GLOBAL EXPRESS GUARANTEED'                              => 1,
+			      'GLOBAL EXPRESS GUARANTEED NON-DOCUMENT RECTANGULAR'     => 1,
+			      'GLOBAL EXPRESS GUARANTEED NON-DOCUMENT NON-RECTANGULAR' => 1,
+			      'USPS GXG ENVELOPES'                                     => 1,
+			      'EXPRESS MAIL INTERNATIONAL (EMS)'                       => 1,
+			      'EXPRESS MAIL INTERNATIONAL (EMS) FLAT-RATE ENVELOPE'    => 1,
+			      'PRIORITY MAIL INTERNATIONAL'                            => 1,
+			      'PRIORITY MAIL INTERNATIONAL FLAT-RATE ENVELOPE'         => 1,
+			      'PRIORITY MAIL INTERNATIONAL REGULAR FLAT-RATE BOXES'    => 1,
+			      'PRIORITY MAIL INTERNATIONAL LARGE FLAT-RATE BOX'        => 1,
+			      'PRIORITY MAIL INTERNATIONAL SMALL FLAT-RATE BOX'        => 1,
+			      'FIRST CLASS MAIL INTERNATIONAL LARGE ENVELOPE'          => 1,
+			      'FIRST CLASS MAIL INTERNATIONAL PACKAGE'                 => 1,
 			      'MATTER FOR THE BLIND - ECONOMY MAIL'            => 1,
 			      );
     my %package_sizes = (
@@ -97,13 +96,44 @@ RATEQUOTE: {
     $weight = int $weight;
     
     if ($opt->{country}) {
+        my %map = (
+            q{United Kingdom} => q{Great Britain},
+            q{Virgin Islands, British} => q{British Virgin Islands},
+            q{Viet Nam} => q{Vietnam},
+            q{Tanzania, United Republic Of} => q{Tanzania},
+            q{Slovakia} => q{Slovak Republic},
+            q{Serbia} => q{Serbia-Montenegro},
+            q{Montenegro} => q{Serbia-Montenegro},
+            q{Samoa} => q{Western Samoa},
+            q{Saint Kitts And Nevis} => q{St. Christopher and Nevis},
+            q{Russian Federation} => q{Russia},
+            q{Pitcairn} => q{Pitcairn Island},
+            q{Moldova, Republic Of} => q{Moldova},
+            q{Marshall Islands} => q{Republic of the Marshall Islands},
+            q{Macedonia, The Former Yugoslav R} => q{Macedonia, Republic of},
+            q{Libyan Arab Jamahiriya} => q{Libya},
+            q{Lao People's Democratic Republic} => q{Laos},
+            q{Korea, Republic of} => q{South Korea},
+            q{Iran, Islamic Republic Of} => q{Iran},
+            q{Holy See (Vatican City State)} => q{Vatican City},
+            q{Georgia} => q{Georgia, Republic of},
+            q{Falkland Islands (Malvinas)} => q{Falkland Islands},
+            q{Cote d'Ivoire (Ivory Coast)} => q{Cote d'Ivoire},
+            q{Congo, The Democratic Republic O} => q{Democratic Republic of the Congo},
+            q{Congo} => q{Congo, Republic of the},
+            q{Bosnia And Herzegowina} => q{Bosnia-Herzegovina},
+        );
+
+        my $usps_country = $map{ $opt->{country} }
+            || $opt->{country};
+
 	$xml = qq{API=IntlRate\&XML=<IntlRateRequest USERID="$userid" PASSWORD="$passwd">};
 	$xml .= <<EOXML;
 	<Package ID="0">
 	    <Pounds>$weight</Pounds>
 	    <Ounces>$ounces</Ounces>
 	    <MailType>$mailtype</MailType>
-	    <Country>$opt->{country}</Country>
+	    <Country>$usps_country</Country>
 	</Package>
 	</IntlRateRequest>
 EOXML
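Review bot: `$usps_country` is interpolated straight into the IntlRateRequest XML body, exactly as `$opt->{country}` was before. Names taken from `%map` are safe, but any country not in the map passes through unchanged, so a value containing `&` or `<` yields malformed XML and a failed rate lookup; escape the value (or reject unexpected characters) before building the request. Also consider hoisting `%map` out of the per-call block, since it is a constant table rebuilt on every rate quote.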
@@ -231,18 +261,19 @@ The USPS service you wish to get a rate quote for. Services currently supported:
     BPM
     LIBRARY
     MEDIA
-    GLOBAL EXPRESS GUARANTEED DOCUMENT SERVICE
-    GLOBAL EXPRESS GUARANTEED NON-DOCUMENT SERVICE
-    GLOBAL EXPRESS MAIL (EMS)
-    GLOBAL PRIORITY MAIL - FLAT-RATE ENVELOPE (LARGE)
-    GLOBAL PRIORITY MAIL - FLAT-RATE ENVELOPE (SMALL)
-    GLOBAL PRIORITY MAIL - VARIABLE WEIGHT (SINGLE)
-    AIRMAIL LETTER-POST
-    AIRMAIL PARCEL POST
-    ECONOMY (SURFACE) LETTER-POST
-    ECONOMY (SURFACE) PARCEL POST
-    POSTCARDS - AIRMAIL
-    AEROGRAMMES - AIRMAIL
+    GLOBAL EXPRESS GUARANTEED
+    GLOBAL EXPRESS GUARANTEED NON-DOCUMENT RECTANGULAR
+    GLOBAL EXPRESS GUARANTEED NON-DOCUMENT NON-RECTANGULAR
+    USPS GXG ENVELOPES
+    EXPRESS MAIL INTERNATIONAL (EMS)
+    EXPRESS MAIL INTERNATIONAL (EMS) FLAT-RATE ENVELOPE
+    PRIORITY MAIL INTERNATIONAL
+    PRIORITY MAIL INTERNATIONAL FLAT-RATE ENVELOPE
+    PRIORITY MAIL INTERNATIONAL REGULAR FLAT-RATE BOXES
+    PRIORITY MAIL INTERNATIONAL LARGE FLAT-RATE BOX
+    PRIORITY MAIL INTERNATIONAL SMALL FLAT-RATE BOX
+    FIRST CLASS MAIL INTERNATIONAL LARGE ENVELOPE
+    FIRST CLASS MAIL INTERNATIONAL PACKAGE
     MATTER FOR THE BLIND - ECONOMY MAIL
 
 
@@ -262,7 +293,7 @@ Your USPS webtools passwd, which was obtained by registering.
 This will default to $Variable->{USPS_PASSWORD}, which is the 
 preferred way to set this parameter.
 
-=back 4
+=back
 
 =head2 Extended Parameters (domestic and international services)
 
@@ -284,7 +315,7 @@ the whole shipment, and the total rate will be calculated accordingly.
 Example: with modulo = 10, a 34.5lbs. shipment will be calculated as 3 parcels 
 weighing 10lbs. each, plus one parcel weighing 4lbs. 8oz.
 
-=back 4
+=back
 
 =head2 Extended Parameters for domestic (U.S.) services only
 
@@ -319,7 +350,7 @@ Possible value are 'True' and 'False'. Indicates whether or not the shipment
 qualifies for machine processing by UPS. Default is $Variable->{USPS_MACHINABLE}
 or 'False". Consult the USPS service guides for more info on this subject.
 
-=back 4
+=back
 
 =head2 Extended parameters for International services only
 
@@ -347,7 +378,7 @@ table which is distributed with the standard demo, so modifications may be neede
 if you intend to use USPS international services. Consult the USPS International
 Services guide for more information.
 
-=back 4
+=back
 
 =head1 BUGS
 
@@ -355,7 +386,9 @@ We shall see....
 
 =head1 AUTHORS
 
-Ed LaFrance <edl at newmediaems.com>.
+ Ed LaFrance <edl at newmediaems.com>
+ Josh Lavin <josh at perusion.com>
+ Mathew Jones <mat at bibliopolis.com>
 
 =cut
 EOD
diff --git a/configure b/configure
index 8581c51..acdccfd 100755
--- a/configure
+++ b/configure
@@ -1,12 +1,10 @@
 #!/bin/sh
 
-# $Id: configure,v 2.23 2008-05-17 14:39:48 jon Exp $
-
 cat <<EOF
 
  Interchange
 
- Copyright 2002-2008 Interchange Development Group (http://www.icdevgroup.org/)
+ Copyright 2002-2009 Interchange Development Group (http://www.icdevgroup.org/)
  Copyright 1996-2002 Red Hat, Inc.
 
  Interchange was originally based on Vend 0.2 and 0.3
diff --git a/debian/changelog b/debian/changelog
old mode 100644
new mode 100755
index 42fcc28..cdf59cd
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,11 @@
-interchange (5.6.1-2.1) unstable; urgency=low
+interchange (5.6.2-1) unstable; urgency=low
 
+  * new upstream release
   * updated Vietnamese translation of Debconf templates (Closes: #513664,
     thanks to Clytie Siddall <clytie at riverland.net.au>)
   * added homepage field to debian/control
 
- -- Stefan Hornburg (Racke) <racke at linuxia.de>  Mon, 23 Mar 2009 08:32:36 +0100
+ -- Stefan Hornburg (Racke) <racke at linuxia.de>  Wed, 16 Sep 2009 17:39:40 +0200
 
 interchange (5.6.1-2) unstable; urgency=low
 
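Review bot: the file mode changes from 100644 to 100755 on debian/changelog (and likewise on debian/interchange.docs in the next file header); neither file is a script, so the executable bit looks accidental and should be reverted before release.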
diff --git a/debian/interchange.docs b/debian/interchange.docs
old mode 100644
new mode 100755
index eca098b..282998d
--- a/debian/interchange.docs
+++ b/debian/interchange.docs
@@ -1,9 +1,11 @@
 README
-README.cvs
+README-DEVELOPMENT
 UPGRADE
 WHATSNEW-4.5
 WHATSNEW-4.7
 WHATSNEW-4.9
 WHATSNEW-5.1
 WHATSNEW-5.3
+WHATSNEW-5.5
+WHATSNEW-5.6
 debian/CREDITS.debian
diff --git a/dist/lib/UI/pages/admin/entry.html b/dist/lib/UI/pages/admin/entry.html
index 35e6661..235d35a 100644
--- a/dist/lib/UI/pages/admin/entry.html
+++ b/dist/lib/UI/pages/admin/entry.html
@@ -499,12 +499,13 @@ mv_nextpage=@@MV_PAGE@@
 <TABLE WIDTH=600>
 <TR><TD>
     <SELECT onChange="this.form.submit()" NAME=mv_shipmode>
-		]
-    [shipping
+	[shipping
 		label=1
 		free="[L]free of charge[/L]"
-		mode=| [data table=country key='[either][value country]' sf=selector col=shipmodes]|
-		]
+		mode=|
+			[data table=country key='[either][value country][or]__SHIP_DEFAULT_COUNTRY__[/either]' sf=selector col=shipmodes]
+		|
+	]
     </SELECT>
 </TD>
 <TD ALIGN=RIGHT><INPUT TYPE=submit VALUE="[L]Update[/L]"></TD>
diff --git a/dist/lib/UI/pages/include/templates/ui_type1 b/dist/lib/UI/pages/include/templates/ui_type1
index 8bbb444..6dab9a8 100644
--- a/dist/lib/UI/pages/include/templates/ui_type1
+++ b/dist/lib/UI/pages/include/templates/ui_type1
@@ -1,6 +1,7 @@
 <html[scratch ui_language_direction]>
 <head>
 <title>[scratch page_title]</title>
+<script type="text/javascript">if (top!=self) top.location.href=self.location.href;</script>
 [tmp window_name][tag time]%m%d%H%M%S[/tag][/tmp]
 @@UI_JSLIB@@
 <link href="__UI_IMG__interchange.css" rel="stylesheet" type="text/css">
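Review bot: the same one-line framekiller is pasted verbatim into ui_type1, ui_type2, ui_type3, ui_type5 and the three standard layouts in this push; put it in a shared include (the existing @@UI_JSLIB@@ or {{MAIN_CSS}} hooks are natural places) so it is maintained once. On the defence itself: a script-only framekiller only acts when the framed page is allowed to run JavaScript, so also emit an `X-Frame-Options: DENY` (or SAMEORIGIN) response header for the admin UI, which the browser enforces regardless of scripting.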
diff --git a/dist/lib/UI/pages/include/templates/ui_type2 b/dist/lib/UI/pages/include/templates/ui_type2
index 876448c..d2d4c7f 100644
--- a/dist/lib/UI/pages/include/templates/ui_type2
+++ b/dist/lib/UI/pages/include/templates/ui_type2
@@ -1,6 +1,7 @@
 <html[scratch ui_language_direction]>
 <head>
 <title>[scratch page_title]</title>
+<script type="text/javascript">if (top!=self) top.location.href=self.location.href;</script>
 [tmp window_name][tag time]%m%d%H%M%S[/tag][/tmp]
 @@UI_JSLIB@@
 <link href="__UI_IMG__interchange.css" rel="stylesheet" type="text/css">
diff --git a/dist/lib/UI/pages/include/templates/ui_type3 b/dist/lib/UI/pages/include/templates/ui_type3
index 1880515..14713d7 100644
--- a/dist/lib/UI/pages/include/templates/ui_type3
+++ b/dist/lib/UI/pages/include/templates/ui_type3
@@ -1,6 +1,7 @@
 <html[scratch ui_language_direction]>
 <head>
 <title>[scratch page_title]</title>
+<script type="text/javascript">if (top!=self) top.location.href=self.location.href;</script>
 [tmp window_name][tag time]%m%d%H%M%S[/tag][/tmp]
 @@UI_JSLIB@@
 <link href="__UI_IMG__interchange.css" rel="stylesheet" type="text/css">
diff --git a/dist/lib/UI/pages/include/templates/ui_type5 b/dist/lib/UI/pages/include/templates/ui_type5
index 8daeb2e..df757d5 100644
--- a/dist/lib/UI/pages/include/templates/ui_type5
+++ b/dist/lib/UI/pages/include/templates/ui_type5
@@ -1,6 +1,7 @@
 <html[scratch ui_language_direction]>
 <head>
 <title>[scratch page_title]</title>
+<script type="text/javascript">if (top!=self) top.location.href=self.location.href;</script>
 [tmp window_name][tag time]%m%d%H%M%S[/tag][/tmp]
 @@UI_JSLIB@@
 <link href="__UI_IMG__interchange.css" rel="stylesheet" type="text/css">
diff --git a/dist/lib/UI/vars/UI_STD_FILE_NAV b/dist/lib/UI/vars/UI_STD_FILE_NAV
index 5b92c49..6358c8f 100644
--- a/dist/lib/UI/vars/UI_STD_FILE_NAV
+++ b/dist/lib/UI/vars/UI_STD_FILE_NAV
@@ -21,7 +21,7 @@ Variable UI_STD_FILE_NAV <<EONav
 				</SMALL>
 			</td>
 			<td>
-			<FORM ACTION="[area @_MV_PAGE_@]" METHOD=GET>
+			<FORM ACTION="[area @@MV_PAGE@@]" METHOD=GET>
 			<INPUT TYPE=hidden NAME=mv_action VALUE=back>
 			<INPUT TYPE=hidden NAME=action VALUE=find>
 			[msg]Find files in and under current directory:[/msg]<BR>
@@ -53,9 +53,9 @@ Variable UI_STD_FILE_NAV <<EONav
 					}
 					$Scratch->{details_coming} = $status;
 			`]
-			[page href="@_MV_PAGE_@" form="details=0"][msg]Hide file details[/msg]</A>
+			[page href="@@MV_PAGE@@" form="details=0"][msg]Hide file details[/msg]</A>
 			[else]
-			[page href="@_MV_PAGE_@" form="details=1"][msg]Show file details[/msg]</A>
+			[page href="@@MV_PAGE@@" form="details=1"][msg]Show file details[/msg]</A>
 			[/else]
 			[/if]
 			</small>
diff --git a/dist/standard/catalog.cfg b/dist/standard/catalog.cfg
index 291da55..2233ac9 100644
--- a/dist/standard/catalog.cfg
+++ b/dist/standard/catalog.cfg
@@ -483,17 +483,6 @@ sub {
 }
 EOR
 
-# Allow customers to have their passwords emailed to them.
-ActionMap  get_password   <<EOR
-sub {
-	$Config->{NoSearch} = '';
-	$CGI->{mv_nextpage} = $CGI->{mv_search_page} = 'action/get_password';
-	$CGI->{mv_todo} = 'search';
-	$Tag->update('process');
-	return 1;
-}
-EOR
-
 # Pricing setup
 #
 # If the user is logged in and is marked as a "dealer" (1 in the dealer
@@ -688,15 +677,16 @@ sub {
     $name =~ s,_, ,g;
     my ($prod_group, $category) = split m{/}, $name; 
 
-    $CGI->{co} = 1;
-    $CGI->{fi} = 'products';
-    $CGI->{st} = 'db';
-    $CGI->{sf} = join "\0", 'prod_group', 'category';
-    $CGI->{op} = join "\0", 'eq', 'eq';
-    $CGI->{se} = join "\0", $prod_group, $category;
-    $CGI->{sp} = 'results';
-    $CGI->{mv_todo} = 'search';
-    $Tag->update('process');
+    my $search;
+    $search->{co} = 1;
+    $search->{fi} = 'products';
+    $search->{st} = 'db';
+    $search->{sf} = join "\0", 'prod_group', 'category';
+    $search->{op} = join "\0", 'eq', 'eq';
+    $search->{se} = join "\0", $prod_group, $category;
+    $search->{sp} = 'results';
+    $search->{mv_todo} = 'search';
+    $Tag->search({ search => $search });
     if (($o = $Search->{''}) && @{$o->{mv_results}}) {
         return (1,  $Config->{Special}->{results});
     }
diff --git a/dist/standard/etc/profiles.order b/dist/standard/etc/profiles.order
index ef0b7eb..a11da55 100644
--- a/dist/standard/etc/profiles.order
+++ b/dist/standard/etc/profiles.order
@@ -216,3 +216,13 @@ email=email
 
 __END__
 
+__NAME__                              check_opt
+
+[comment]
+	This profile prevents an incomprehensible error if someone follows a bookmarked
+	link to a flypage.
+[/comment]
+
+expired=always_fail That link was expired. Please try ordering again.
+
+__END__
diff --git a/dist/standard/include/layout/leftonly b/dist/standard/include/layout/leftonly
index 88f238f..5a30d34 100644
--- a/dist/standard/include/layout/leftonly
+++ b/dist/standard/include/layout/leftonly
@@ -2,6 +2,7 @@
 <html>
 <head>
 <title>[scratch page_title]</title>
+<script type="text/javascript">if (top!=self) top.location.href=self.location.href;</script>
 [scratch meta_header]
 {{MAIN_CSS}}
 </head>
diff --git a/dist/standard/include/layout/leftright b/dist/standard/include/layout/leftright
index d99602e..f3282c9 100644
--- a/dist/standard/include/layout/leftright
+++ b/dist/standard/include/layout/leftright
@@ -2,6 +2,7 @@
 <html>
 <head>
 <title>[scratch page_title]</title>
+<script type="text/javascript">if (top!=self) top.location.href=self.location.href;</script>
 [scratch meta_header]
 {{MAIN_CSS}}
 </head>
diff --git a/dist/standard/include/layout/noleft b/dist/standard/include/layout/noleft
index 8054013..a52c599 100644
--- a/dist/standard/include/layout/noleft
+++ b/dist/standard/include/layout/noleft
@@ -2,6 +2,7 @@
 <html>
 <head>
 <title>[scratch page_title]</title>
+<script type="text/javascript">if (top!=self) top.location.href=self.location.href;</script>
 [scratch meta_header]
 {{MAIN_CSS}}
 </head>
diff --git a/dist/standard/pages/forum/display.html b/dist/standard/pages/forum/display.html
index 5207315..dac96a8 100644
--- a/dist/standard/pages/forum/display.html
+++ b/dist/standard/pages/forum/display.html
@@ -1,8 +1,10 @@
 [comment]
-ui_template: Yes
+ui_template: Yes
 ui_template_name: leftonly
 [/comment]
 
+[tmpn members_only]1[/tmpn]
+
 [tmp page_title]
 Forum thread: [data table=forum col=subject key="[data session arg]"]
 [/tmp]
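Review bot: the first pair of lines in this hunk (`-ui_template: Yes` / `+ui_template: Yes`) differ only in trailing whitespace, which is worth stating in the commit message so it is not mistaken for a content change. `[tmpn members_only]1[/tmpn]` only sets a scratch flag; nothing in display.html, reply.html or submit.html shows where it is enforced, so please confirm the layout checks it before the forum body is rendered, and that reply.html and submit.html, which also enable `[flag type=write table=forum]`, refuse non-members rather than merely hiding the output.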
diff --git a/dist/standard/pages/forum/reply.html b/dist/standard/pages/forum/reply.html
index eb1f972..b77c5f7 100644
--- a/dist/standard/pages/forum/reply.html
+++ b/dist/standard/pages/forum/reply.html
@@ -3,6 +3,7 @@ ui_template: Yes
 ui_template_name: leftonly
 [/comment]
 
+[tmpn members_only]1[/tmpn]
 [flag type=write table=forum]
 [tmp page_title]Reply to [data table=forum col=subject key="[data session arg]"][/tmp]
 
diff --git a/dist/standard/pages/forum/submit.html b/dist/standard/pages/forum/submit.html
index abaae40..0b316f9 100644
--- a/dist/standard/pages/forum/submit.html
+++ b/dist/standard/pages/forum/submit.html
@@ -3,6 +3,7 @@ ui_template: Yes
 ui_template_name: leftonly
 [/comment]
 
+[tmpn members_only]1[/tmpn]
 [flag type=write table=forum]
 [tmp page_title]Submit a forum story[/tmp]
 
diff --git a/dist/standard/pages/function/stock_alert.html b/dist/standard/pages/function/stock_alert.html
index 59be4cd..ad5d5e0 100644
--- a/dist/standard/pages/function/stock_alert.html
+++ b/dist/standard/pages/function/stock_alert.html
@@ -137,7 +137,7 @@ ui_template_name: leftonly
     </tr>
     <tr> 
       <td align="center" valign="middle"> 
-	<SELECT onChange="this.form.submit()" NAME=mail_list>
+	<SELECT NAME="mail_list">
 	<OPTION VALUE="0">[L]No[/L]
 	<OPTION [selected mail_list 1] VALUE="1">[L]Yes[/L]
 	</SELECT>
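Review bot: dropping `onChange="this.form.submit()"` means the selection no longer saves itself; make sure the form still has a visible submit control further down, otherwise the stock-alert setting becomes unreachable. Quoting `NAME="mail_list"` matches the quoted `OPTION VALUE` attributes on the next lines, so that part is fine.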
diff --git a/dist/standard/pages/lost_password.html b/dist/standard/pages/lost_password.html
index c3335ca..6809d13 100644
--- a/dist/standard/pages/lost_password.html
+++ b/dist/standard/pages/lost_password.html
@@ -3,7 +3,7 @@ ui_template: Yes
 ui_template_name: leftonly
 [/comment]
 
-[tmp page_title]__COMPANY__ -- [L]Lost your password?[/L][/tmp]
+[tmp page_title]__COMPANY__ -- [L LOST_PASSWORD_TITLE]Lost your username or password?[/L][/tmp]
 
 [control reset=1]
 
@@ -22,86 +22,142 @@ ui_template_name: leftonly
 <!-- BEGIN CONTENT -->
 
 <br>
-
+<table width="80%">
+<tr><td __HEADERBG__>
+    <font size="+1" color="__HEADERTEXT__">[L LOST_PASSWORD_TITLE]Lost your username or password?[/L]</font>
+    </td>
+</tr></table>
+<br/>
+
+[if cgi lost_email]
+[or cgi lost_username]
+[perl]
+	if( $Scratch->{tried_pw_retrieve}++ > 10 ) {
+		$Tmp->{not_ok} = 1;
+		return '<font color="red">' . errmsg("Too many failed attempts.") . '</font>';
+	}
+	$Config->{NoSearch} = '';
+	return;
+[/perl]
+
+[loop search="
+	co=yes
+	st=db
+	fi=userdb
+	rf=username,password,email
+	sf=email
+	se=[cgi lost_email]
+	op=em
+	sf=username
+	se=[cgi lost_username]
+	op=em
+	os=yes" 
+]
+[tmp get_id_matches][loop-param username][/tmp]
+[/loop]
+
+[if value mv_search_match_count > 1]
+[msg arg.0='<a href="[area contact]">' arg.1='</a>']Please %scontact us%s to assist you with the retrieval of your account details.[/msg]
+[tmp get_id_matches][/tmp]
+[/if]
+[if value mv_search_match_count == 0]
 <table width="95%" align="center">
 <tr>
   <td>
+   <table width="80%">
+    <tr>
+     <td>
+<font color="red">[msg arg.0='<a href="[area contact]">' arg.1='</a>']Sorry, we did not find a match for the provided details. Please try again, or %scontact us%s for assistance.[/msg]</font>
+     </td>
+    </tr>
+   </table>
+  </td>
+ </tr>
+</table>
+[tmp not_ok]1[/tmp]
+<br/>
+[/if]
+
+[if scratch get_id_matches]
+[tmp name=id_ok][/tmp]
+[tmp name=id_ok interpolate=1][loop arg="[scratch get_id_matches]"][email
+                 to="[loop-data userdb email]"
+		 subject="[L]Your login information[/L]"
+		 from="__COMPANY__ [L]password minder[/L] <__EMAIL_SERVICE__>"
+		 reply="__EMAIL_SERVICE__"] 
+
+[L GET_PASSWORD_MSG1]Hello! You requested that your ID and password be sent to your email address of record. The information is[/L]:
+  
+[L]Username[/L]:  [loop-code]
+[L]Password[/L]:  [data table=userdb col=password key="[loop-code]" safe-data=1]
+
+[L]You can log in at[/L]:
+[area login]
+
+[L GET_PASSWORD_MSG2]Please contact us if we can be of service, and thank you for doing business with us.[/L]
+[/email][/loop][/tmp]
+
+[if !scratch id_ok]
+[msg arg.0='<a href="[area contact]">' arg.1='</a>']Please %scontact us%s to assist you with the retrieval or your account details.[/msg]
+[else]
+[L]An e-mail with your credentials has been sent.[/L]
+<br/><br/>
+[L LOST_PASSWORD_SHORTNOTE]If you do not receive an email within the next 24 hours after submission, please <a href="[area contact]">contact us</a> for further assistance.[/L]
+<br/><br/>
+[L LOST_PASSWORD_NOTE_AOL]<b>Note:</b> If you are using email filter options that help reduce spam, please make sure you allow e-mail to be sent to you from __EMAIL_SERVICE__[/L]
+[/else] 
+[/if] 
+[/if]
+[/if]
+
+[if scratch not_ok]
+[or cgi lost_email eq '']
+[and cgi lost_username eq '']
 
-	[if session failure]
-
-      <br><br>
-      <B>[calc] delete $Session->{failure}[/calc]</b>
-      <br>
-    [/if]
-
-
-<form method="post" action="[area query/get_password]">
+<table width="95%" align="center">
+<tr>
+  <td>
+<form method="post" action="@@MV_PAGE@@">
 [form-session-id]
-<input type="hidden" name="mv_coordinate" value="yes">
-<input type="hidden" name="mv_searchtype" value="db">
-<input type="hidden" name="mv_search_file" value="userdb">
-
-<input type="hidden" name="mv_search_field" value="fname">
-<input type="hidden" name="mv_search_field" value="lname">
-<input type="hidden" name="mv_search_field" value="email">
-<input type="hidden" name="mv_search_field" value="zip">
-<input type="hidden" name="mv_substring_match" value="no">
-<input type="hidden" name="mv_substring_match" value="no">
-<input type="hidden" name="mv_substring_match" value="no">
-<input type="hidden" name="mv_substring_match" value="yes">
-<input type="hidden" name="mv_column_op" value="rm">
-<input type="hidden" name="mv_column_op" value="rm">
-<input type="hidden" name="mv_column_op" value="rm">
-<input type="hidden" name="mv_column_op" value="rm">
 
-<table width="80%">
-<tr><td __HEADERBG__>
-    <font size="+1" color="__HEADERTEXT__">[L]Lost your customer ID?[/L]</font>
-    </td>
-</tr></table>
-
-<blockquote>
- [L]Just complete enough to ensure one match.[/L]
-</blockquote>
+[L LOST_PASSWORD_INTRO]Please enter your username or email address to get your credentials emailed to you:[/L]
+<br/><br/>
 
 <table width="80%">
 <tr>
 	<td align="right">
-	[L]First Name[/L]
+	[L]Username[/L]
 	</td>
- 	<td><input name="mv_searchspec" type="text" size="24"></td>
+ 	<td><input name="lost_username" type="text" size="24"></td>
 </tr>
 <tr>
-	<td align="right">
-	[L]Last Name[/L]
-	</td>
-	<td><input name="mv_searchspec" type="text" size="24"></td>
+        <td></td>
+	<td align="left"><b>[L]or[/L]</b></td>
 </tr>
 <tr>
 	<td align="right">
 	[L]Email[/L]
 	</td>
-	<td><input name="mv_searchspec" type="text" size="24"></td>
-</tr>
-<tr>
-	<td align="right">
-	[L]Zip Code[/L]
-	</td>
-	<td><input name="mv_searchspec" type="text" size="24"></td>
-
+	<td><input name="lost_email" type="text" size="24"></td>
 </tr>
 <tr>
 	<td align="right">&nbsp;</td>
 	
-	<td><input type="submit" value="[L]Submit[/L]"><input type="reset"></td>
+	<td><br/><input type="submit" value="[L]Submit[/L]"><input type="reset"></td>
 </tr>
 </table>
 </form>
+[L LOST_PASSWORD_NOTE]If you do not remember neither your username nor your email address you used upon registration, or if you do not receive an email within the next 24 hours after submission, please <a href="[area contact]">contact us</a> for further assistance.[/L]
+<br/><br/>
+[L LOST_PASSWORD_NOTE_AOL]<b>Note:</b> If you are using email filter options that help reduce spam, please make sure you allow e-mail to be sent to you from __EMAIL_SERVICE__[/L]
 
   </td>
 </tr>
 </table>
+[/if]
+<br/><br/>
+<br/><br/>
 
 <!-- END CONTENT -->
-
 @_LEFTONLY_BOTTOM_@
+
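Review bot: the mail body emits `[data table=userdb col=password key="[loop-code]" safe-data=1]`, i.e. the stored password is sent in clear text, which presumes userdb keeps passwords in recoverable form and puts them into unencrypted mail; a time-limited reset token that lets the user choose a new password would avoid both and should be considered before this page ships. Two smaller points: the attempt counter `$Scratch->{tried_pw_retrieve}++ > 10` lives in the session, so a fresh session starts again at zero, and `$Config->{NoSearch} = ''` clears the userdb search restriction on the configuration object and is never restored in this page, so its effect is not limited to the `[loop search=...]` block. With `os=yes` and both `op=em` clauses always present, also check that an empty `se=[cgi lost_email]` (username-only submission) cannot match accounts whose email column is empty. Text nits in the `[L]` strings: "retrieval or your account details" should be "retrieval of your account details", and "If you do not remember neither your username nor your email address" should be "If you remember neither your username nor the email address".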
diff --git a/dist/standard/pages/member/ship_addresses.html b/dist/standard/pages/member/ship_addresses.html
index 30026ae..14cfca7 100644
--- a/dist/standard/pages/member/ship_addresses.html
+++ b/dist/standard/pages/member/ship_addresses.html
@@ -299,7 +299,7 @@ A.rtitle:active,A.rtitle:link,A.rtitle:visited {
 	    " 
 	    check.username="
 			regex ^\w+$ '[L]Username must be of characters [A-Za-z0-9][/L]'
-			length 4-10
+			length 2-64
 	    " 
 	    get=1
 	    ui_data_fields="username company fname lname address1 address2 city state zip country phone_day"
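Review bot: the pattern `regex ^\w+$` and the message "Username must be of characters [A-Za-z0-9]" disagree: `\w` also accepts underscore and, depending on the Perl Unicode settings, non-ASCII letters. Either tighten the pattern to `^[A-Za-z0-9]+$` or reword the message. The new `length 2-64` should also be kept in step with the username length rule used where accounts are created, so a username that passes here is not rejected there (or vice versa).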
diff --git a/dist/standard/pages/query/unsub.html b/dist/standard/pages/query/unsub.html
index bae7f73..bee7c9d 100644
--- a/dist/standard/pages/query/unsub.html
+++ b/dist/standard/pages/query/unsub.html
@@ -71,6 +71,11 @@ ui_template_name: leftonly
 	}
 	return "<UL><LI>" . join("<LI>", @out) . "</UL>";
 [/perl]
+</blockquote>
+
+  </td>
+</tr>
+</table>
 
 <!-- END CONTENT -->
 
diff --git a/dist/standard/products/mv_metadata.asc b/dist/standard/products/mv_metadata.asc
index a8fa04a..658eab2 100644
--- a/dist/standard/products/mv_metadata.asc
+++ b/dist/standard/products/mv_metadata.asc
@@ -281,7 +281,7 @@ transactions::auth_code	text	16								Authorization
 transactions::deleted	yesno									Deleted
 transactions::order_id	text	32								Order ID
 transactions::status	select							pending=Pending, shipped=Shipped, partial=Partially shipped, backorder=Back ordered, waiting=Waiting for payment, credit=Waiting for credit check, canceled=Canceled					nullselect
-ui-version										5.6.1
+ui-version										5.6.2
 ui_component::mv_metadata	table								ui_component			mv_metadata								{'ui_data_fields' => "=Main

code
label
default
type
width
height
options
filter

=Database lookup

lookup
field
db

=Help and misc

help
help_url
prepend
append
pre_filter",'table_width' => "80%",'left_width' => "30%",}
 ui_component::mv_metadata::append	textarea	60	5							Append HTML	<SMALL>HTML to be appended to the widget.
Will substitute in the macros _UI_TABLE_, _UI_COLUMN_,
_UI_KEY, and _UI_VALUE_, and will resolve relative links
with absolute links.</SMALL>
 ui_component::mv_metadata::attribute	text	20								Column name	Do not set this.
diff --git a/dist/standard/variables/COPYRIGHT b/dist/standard/variables/COPYRIGHT
index eb6fa23..d290ad1 100644
--- a/dist/standard/variables/COPYRIGHT
+++ b/dist/standard/variables/COPYRIGHT
@@ -2,6 +2,6 @@
     [if variable MV_DEMO_MODE]
       <p>[page admin/index][L]Admin[/L]</a></p>
     [/if]
-	<p style="font-size: 10px; color: #000000">Portions copyright 2002-2008 Interchange Development Group, freely redistributable under GPL</p>
+	<p style="font-size: 10px; color: #000000">Portions copyright 2002-2009 Interchange Development Group, freely redistributable under GPL</p>
   </div>
 
diff --git a/dist/test/products/tests.asc b/dist/test/products/tests.asc
index 15a8ec0..c715f3b 100644
--- a/dist/test/products/tests.asc
+++ b/dist/test/products/tests.asc
@@ -257,9 +257,9 @@ Fly-list tag
 %%%
 000020
 %%
-[query list=1 sql="select artist from products where category like 'Americana'" tolerant-like=1][sql-param artist] [/query]
+[query list=1 sql="select artist from products where category like 'Americana' order by artist" tolerant-like=1][sql-param artist] [/query]
 %%
-Grant Wood The Art Store Jean Langan
+Grant Wood Jean Langan The Art Store
 %%
 
 %%
@@ -269,9 +269,9 @@ Grant Wood The Art Store Jean Langan
 %%%
 000021
 %%
-[query list=1 sql="select * from products where category like '%Americana%'"][sql-field artist] [/query]
+[query list=1 sql="select * from products where category like '%Americana%' order by artist desc"][sql-field artist] [/query]
 %%
-Grant Wood The Art Store Jean Langan
+The Art Store Jean Langan Grant Wood
 %%
 
 %%
@@ -1253,11 +1253,11 @@ ERROR
 %%%
 000086
 %%
-[if validcc 5959595959595959 mc 12/08]OK[else]ERROR[/else][/if] 1.
-[if validcc 5959595959595958 mc 12/08]ERROR[else]OK[/else][/if] 2.
+[if validcc 5959595959595959 mc 12/18]OK[else]ERROR[/else][/if] 1.
+[if validcc 5959595959595958 mc 12/18]ERROR[else]OK[/else][/if] 2.
 [if validcc 5959595959595959 mc 12/94]ERROR[else]OK[/else][/if] 3.
-[if type=validcc term=5959595959595959 op="mc" comp=12/08]OK[else]ERROR[/else][/if] 1.
-[if type=validcc term=5959595959595958 op=mc comp=12/08]ERROR[else]OK[/else][/if] 2.
+[if type=validcc term=5959595959595959 op="mc" comp=12/18]OK[else]ERROR[/else][/if] 1.
+[if type=validcc term=5959595959595958 op=mc comp=12/18]ERROR[else]OK[/else][/if] 2.
 [if type=validcc term=5959595959595959 op=mc comp=12/94]ERROR[else]OK[/else][/if] 3.
 %%
 OK
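Review bot: moving the expiry from `12/08` to `12/18` only postpones the problem; these validcc cases will start failing again in January 2019. Deriving the "valid" expiry from the current date in the test (a small `[calc]` producing next year's MM/YY) would make cases 1 and 2 stable, while case 3 (`12/94`) can stay fixed as the already-expired check.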
@@ -2889,6 +2889,80 @@ wrong
 %%
 Test of catalog variable conditional (short and long forms) with "if" tag.
 %%%
+000166
+%%
+<pre>Before munging AllowedFileRegex:
+Should fail: [write-relative-file file='/tmp/superdogfood']One special line[/write-relative-file]
+Should succeed: [write-relative-file file='tmp/superdogfood']One special line[/write-relative-file]
+[calcn]
+    $Config->{AllowedFileRegex} = '.*';
+    return;
+[/calcn]
+After munging AllowedFileRegex:
+Should fail: [write-relative-file file='/tmp/superdogfood']One special line[/write-relative-file]
+Should succeed: [write-relative-file file='tmp/superdogfood']One special line[/write-relative-file]
+</pre>
+%%
+<pre>Before munging AllowedFileRegex:
+Should fail: 
+Should succeed: 1
+
+After munging AllowedFileRegex:
+Should fail: 
+Should succeed: 1
+</pre>
+%%
+%%
+
+%%
+Verify fix of AllowedFileRegex circumvention
+%%%
+000167
+%%
+[calcn]
+    # /etc/passwd makes a good demonstration
+    unshift @{$Config->{TemplateDir}}, '/etc';
+    return;
+[/calcn]
+<pre>[file passwd]</pre>
+[calcn]
+    # clean up after our mess
+    shift @{$Config->{TemplateDir}};
+    return;
+[/calcn]
+%%
+
+<pre></pre>
+
+%%
+%%
+
+%%
+Verify fix of TemplateDir circumvention of NoAbsolute constraints
+%%%
+000168
+%%
+[if file /tmp/ic.bad.file]
+    The bad test file /tmp/ic.bad.file already exists!
+    Please delete it before re-running this test.
+[/if]
+[calcn]
+    my $oldfile = $Config->{ErrorFile};
+    $Config->{ErrorFile} = '/tmp/ic.bad.file';
+    Log 'This is a new file that is being created and written where it should not be.';
+    $Config->{ErrorFile} = $oldfile;
+    return;
+[/calcn]
+[if file /tmp/ic.bad.file]bad[else]good[/else][/if]ness
+%%
+goodness
+%%
+already exists
+%%
+
+%%
+Verify fix of ErrorFile circumvention of NoAbsolute constraints
+%%%
 999999
 %%
 [the test] [perl]
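Review bot: the three new tests leave artefacts behind: 000166 writes `tmp/superdogfood` twice and never removes it, and 000168 requires `/tmp/ic.bad.file` to be absent but, when the fix regresses, leaves the file for the next run (the second expected output `already exists` then hides which of the two conditions fired). Add cleanup `[calcn]` blocks after each. In 000166 a comment that `$Config->{AllowedFileRegex} = '.*'` is expected to be a no-op now that the regex lives in `$Global::AllowedFileRegex` would state what is actually being verified. 000167's `unshift @{$Config->{TemplateDir}}, '/etc'` depends on `/etc/passwd` existing on the test host; a file the test creates itself outside VendRoot would make the check self-contained.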
diff --git a/eg/usps/get-intl-rate-names b/eg/usps/get-intl-rate-names
new file mode 100755
index 0000000..4558993
--- /dev/null
+++ b/eg/usps/get-intl-rate-names
@@ -0,0 +1,70 @@
+#!/usr/bin/perl
+
+=for docs
+
+from http://www.icdevgroup.org/pipermail/interchange-users/2009-May/050480.html
+
+Date: Wed, 6 May 2009 09:14:45 -0500
+From: Josh Lavin <josh-ic at att.net>
+To: interchange-users at icdevgroup.org
+Subject: Re: [ic] Updated usps_query.tag
+
+[...]
+
+Note that I do not use this tag any longer, due to USPS WebTools being
+offline for over a week a few months ago. I made the switch to rate
+tables, which I update when new prices are posted.
+
+Below is a Perl script I wrote to grab service names from the XML
+response to a rate request. Add your WebTools user and password, then
+you can use the output of this script to update the tag. USPS seems to
+change service names often, sometimes just adding or removing a hyphen,
+and the only documentation of valid service names is found via a rate
+request.
+
+=cut
+
+require LWP::UserAgent;
+
+$userid = 'your id here';
+$passwd = 'your pass here';
+$url = 'http://Production.ShippingAPIs.com/ShippingAPI.dll';
+
+$weight = '0';
+$ounces = '10';
+$mailtype = 'Package';
+$country = 'Canada';
+
+$xml = qq{API=IntlRate\&XML=<IntlRateRequest USERID="$userid" PASSWORD="$passwd">};
+$xml .= <<EOXML;
+<Package ID="0">
+	<Pounds>$weight</Pounds>
+	<Ounces>$ounces</Ounces>
+	<MailType>$mailtype</MailType>
+	<Country>$country</Country>
+</Package>
+</IntlRateRequest>
+EOXML
+
+my $ua = new LWP::UserAgent;
+my $req = new HTTP::Request 'POST', "$url";
+$req->content_type('application/x-www-form-urlencoded');
+$req->content($xml);
+my $response = $ua->request($req);
+
+$error_msg = 'USPS: ';
+if ($response->is_success) {
+	$resp = $response->content;
+}
+else {
+	$error_msg .= 'Error obtaining rate quote from usps.com.';
+}
+
+ at intl = split /<Service/, $resp;
+foreach (@intl) {
+	m|<SvcDescription>(.+)</SvcDescription>|;
+	$svc = uc $1;
+	print "$svc\n";
+}
+
+#print $resp
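Review bot: `$resp` is used unconditionally at `split /<Service/, $resp` even when the request failed, and `$error_msg` is assembled but never printed, so a failed request yields no output and no explanation; print `$error_msg` and exit in the `else` branch. Inside the loop `m|<SvcDescription>(.+)</SvcDescription>|` is unguarded, so for a chunk with no description `$1` still holds the previous match and a duplicate service name is printed; wrap it as `if (m|...|) { ... }`. The WebTools USERID and PASSWORD are posted to a plain `http://` URL; use the TLS endpoint if USPS offers one. The script also lacks `use strict` and `use warnings`, and `new LWP::UserAgent` / `new HTTP::Request` are indirect-object calls; `LWP::UserAgent->new` and `HTTP::Request->new` are the conventional forms.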
diff --git a/lib/Vend/Config.pm b/lib/Vend/Config.pm
index c997106..e1029f8 100644
--- a/lib/Vend/Config.pm
+++ b/lib/Vend/Config.pm
@@ -54,7 +54,7 @@ use Vend::File;
 use Vend::Data;
 use Vend::Cron;
 
-$VERSION = substr(q$Revision: 2.238 $, 10);
+$VERSION = '2.238';
 
 my %CDname;
 my %CPname;
@@ -351,7 +351,6 @@ sub config_error {
 		warn "$msg\n" unless $Vend::Quiet;
 	}
 	else {
-		logGlobal({level => 'warn'}, $msg);
 		die "$msg\n";
 	}
 }
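Review bot: removing `logGlobal({level => 'warn'}, $msg)` before the `die` means a configuration error is carried only in the exception text; unless every caller of `config_error` in this branch catches and logs it, startup failures will no longer appear in the global error log. If the motivation is duplicate log lines, say so in the commit message and point at the catching site.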
@@ -611,6 +610,7 @@ sub catalog_directives {
 	['DirConfig',         'dirconfig',        ''],
 	['FileDatabase',	 undef,				 ''],
 	['NoSearch',         'wildcard',         'userdb'],
+	['AllowRemoteSearch',    'array_complete',     'products variants options'],
 	['OrderCounter',	 undef,     	     ''],
 	['MimeType',         'hash',             ''],
 	['AliasTable',	 	 undef,     	     ''],
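Review bot: `AllowRemoteSearch` is a new security directive with a default of `products variants options`, so any existing catalog whose pages submit searches against other tables (via `mv_search_file` in a form or a `scan/` URL) will start dying with "Security violation" after upgrade. It needs an entry in the directive documentation and the UPGRADE notes, and the default should appear in the catalog.cfg template so administrators can see what to extend.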
@@ -998,6 +998,8 @@ sub config {
 	my($catalog, $dir, $confdir, $subconfig, $existing, $passed_file) = @_;
 	my($d, $parse, $var, $value, $lvar);
 
+	$Vend::Cat = $catalog;
+
 	if(ref $existing eq 'HASH') {
 #::logDebug("existing=$existing");
 		$C = $existing;
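Review bot: `$Vend::Cat = $catalog;` is set while a catalog is being configured, and `allowed_file` in Vend::File now keys `$Global::AllowedFileRegex` on `$Vend::Cat`. Please confirm that request dispatch (and the jobs runner in `run_in_catalog`) also set `$Vend::Cat` for the catalog being served; otherwise, after startup, the variable holds whichever catalog was configured last and file checks for the other catalogs would use the wrong regex.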
@@ -2669,8 +2671,8 @@ sub parse_require {
 	}
 	else {
 		$carptype = \&config_error;
-		$error_message = 'Required %s %s not present. Aborting catalog.'
-			unless $error_message;
+		$error_message ||= 'Required %s %s not present. Aborting '
+			. ($C ? 'catalog' : 'Interchange daemon') . '.';
 	}
 
 	my $vref = $C ? $C->{Variable} : $Global::Variable;
@@ -2732,11 +2734,12 @@ sub parse_require {
 					unshift(@INC, $pathinfo);
 				}
 				eval "require $module$oldtype;";
+				my $error = $@;
 				if ($pathinfo) {
 					shift(@INC);
 				}
-				::logGlobal("while eval'ing module %s got [%s]", $module, $@) if ($@);
-				return ! $@;
+				::logGlobal("while eval'ing module %s got [%s]\n", $module, $error) if $error;
+				return ! $error;
 			}
 			else {
 				# Since we aren't safe to actually require, we will 
@@ -3545,12 +3548,20 @@ sub set_default_search {
 		},
 		ProductFiles => \&set_default_search,
 		VendRoot => sub {
+			my $cat_template_dirs = $C->{TemplateDir} || [];
+			if ($Global::NoAbsolute) {
+				for (@$cat_template_dirs) {
+					if (absolute_or_relative($_) and ! /^$C->{VendRoot}/) {
+						config_error("TemplateDir path %s is prohibited by NoAbsolute", $_);
+					}
+				}
+			}
 			my @paths = map { quotemeta $_ }
 							$C->{VendRoot},
-							@{$C->{TemplateDir} || []},
+							@$cat_template_dirs,
 							@{$Global::TemplateDir || []};
 			my $re = join "|", @paths;
-			$C->{AllowedFileRegex} = qr{^($re)};
+			$Global::AllowedFileRegex->{$C->{CatalogName}} = qr{^($re)};
 			return 1;
 		},
 		Autoload => sub {
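Review bot: in the `VendRoot` hook, `! /^$C->{VendRoot}/` interpolates the path unescaped and only tests a prefix, so a VendRoot of `/var/ic/cat` would also accept `/var/ic/catalog2/...`, and any regex metacharacter in the path alters the match. Use `quotemeta` (the `@paths` map a few lines below already does) and require `/` or end of string after the prefix. The check only runs when `$Global::NoAbsolute` is set; a one-line comment that catalogs without NoAbsolute may point TemplateDir anywhere would make that an evidently deliberate choice.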
@@ -3847,31 +3858,27 @@ sub parse_root_dir_array {
 sub parse_dir_array {
 	my($var, $value) = @_;
 	return [] unless $value;
+
+	unless (allowed_file($value)) {
+		config_error('Path %s not allowed in %s directive',
+					  $value, $var);
+	}
 	$value = "$C->{VendRoot}/$value"
 		unless file_name_is_absolute($value);
 	$value =~ s./+$..;
+
 	$C->{$var} = [] unless $C->{$var};
 	my $c = $C->{$var} || [];
 	push @$c, $value;
 	return $c;
 }
 
-# Prepend the CatalogRoot pathname to the relative directory specified,
-# unless it already starts with a leading /.
-
 sub parse_relative_dir {
 	my($var, $value) = @_;
 
-	if ($Global::NoAbsolute) {
-		# sanity check on filenames
-		if (file_name_is_absolute($value)) {
-			config_error('Absolute path %s not allowed in %s directive',
-						 $value, $var)
-		}
-		if ($value =~ m#^\.\./.*\.\.#) {
-			config_error('Path %s outside of catalog directory not allowed in %s directive',
-						 $value, $var)
-		}
+	if (absolute_or_relative($value)) {
+		config_error('Path %s not allowed in %s directive',
+					  $value, $var);
 	}
 
 	$C->{Source}{$var} = $value;
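Review bot: `parse_dir_array` now calls `allowed_file($value)` on the raw directive value before the `$C->{VendRoot}/` prefix is applied, and `allowed_file` consults `$Global::AllowedFileRegex->{$Vend::Cat}`, which is only built later by the `VendRoot` hook; at directive-parse time that entry may still be undefined, so please check what `allowed_file` does with an absolute TemplateDir value in that window. The deleted comment ("Prepend the CatalogRoot pathname to the relative directory specified, unless it already starts with a leading /") still describes what `parse_relative_dir` does; keep it above the sub. Replacing the `m#^\.\./.*\.\.#` test with `absolute_or_relative($value)` is fine provided `absolute_or_relative` rejects `..` segments.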
diff --git a/lib/Vend/Dispatch.pm b/lib/Vend/Dispatch.pm
index 0f17c01..0db15cc 100644
--- a/lib/Vend/Dispatch.pm
+++ b/lib/Vend/Dispatch.pm
@@ -1,7 +1,5 @@
 # Vend::Dispatch - Handle Interchange page requests
 #
-# $Id: Dispatch.pm,v 1.101.2.3 2009-01-14 04:59:15 jon Exp $
-#
 # Copyright (C) 2002-2009 Interchange Development Group
 # Copyright (C) 2002 Mike Heins <mike at perusion.net>
 #
@@ -26,7 +24,7 @@
 package Vend::Dispatch;
 
 use vars qw($VERSION);
-$VERSION = substr(q$Revision: 1.101.2.3 $, 10);
+$VERSION = '1.101.2.3';
 
 use POSIX qw(strftime);
 use Vend::Util;
@@ -713,7 +711,7 @@ sub run_in_catalog {
 	
 	$g = $Global::Catalog{$cat};
 	unless (defined $g) {
-		logGlobal( "Can't find catalog '%s'" , $cat );
+		logGlobal( "Can't find catalog '%s' for jobs group %s" , $cat, $job );
 		return undef;
 	}
 
@@ -728,16 +726,17 @@ sub run_in_catalog {
 	my $dir;
 	my @itl;
 	if($job) {
-		my ($d, $global_dir, $tmp);
 		my @jobdirs = ([$jobscfg->{base_directory} || 'etc/jobs', 0]);
 
 		if (is_yes($jobscfg->{use_global}) || is_yes($Global::Jobs->{UseGlobal})) {
 			push (@jobdirs, ["$Global::ConfDir/jobs", 1]);
 		}
 
+		my $global_dir;
 		for my $r (@jobdirs) {
-#::logGlobal("check directory=$d for $job");
+			my $d;
 			($d, $global_dir) = @$r;
+#::logGlobal("check directory=$d for $job");
 			next unless $d;
 			next unless -d "$d/$job";
 			$dir = "$d/$job";
@@ -745,9 +744,10 @@ sub run_in_catalog {
 		}
 
 		if($dir) {
+			my $tmp;
 			if ($global_dir) {
-				$tmp = $Vend::Cfg->{AllowedFileRegex};
-				$Vend::Cfg->{AllowedFileRegex} = qr{^$dir};
+				$tmp = $Global::AllowedFileRegex->{$cat};
+				$Global::AllowedFileRegex->{$cat} = qr{^$dir};
 			}
 			
 			my @f = glob("$dir/*");
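Review bot: the temporary override `$Global::AllowedFileRegex->{$cat} = qr{^$dir}` is undone by a later assignment rather than `local`, so if anything between here and the restore dies (a job file that throws), the catalog keeps the job directory as its allowed-file regex for the life of the process. `local $Global::AllowedFileRegex->{$cat} = qr{^$dir};` on the hash element restores it on every exit path. `$dir` is also interpolated into `qr{^$dir}` unescaped; `quotemeta` it as Config.pm does for `@paths`.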
@@ -760,7 +760,7 @@ sub run_in_catalog {
 			}
 
 			if ($global_dir) {
-				$Vend::Cfg->{AllowedFileRegex} = $tmp;
+				$Global::AllowedFileRegex->{$cat} = $tmp;
 			}
 		}
 	}
@@ -1595,7 +1595,7 @@ EOF
             $Vend::FinalPath = $CGI::request_uri;
             # remove any trailing query string
             $Vend::FinalPath =~ s/\?.*//;
-#::logDebug("FinalPath now $Vend::FinalPath");
+#::logDebug("FinalPath now $CGI::request_uri");
         }
         else {
             $Vend::FinalPath = find_special_page('catalog');
diff --git a/lib/Vend/File.pm b/lib/Vend/File.pm
index 54c8817..bcd42da 100644
--- a/lib/Vend/File.pm
+++ b/lib/Vend/File.pm
@@ -1,8 +1,6 @@
 # Vend::File - Interchange file functions
 #
-# $Id: File.pm,v 2.28.2.1 2008-11-10 05:55:09 jon Exp $
-# 
-# Copyright (C) 2002-2008 Interchange Development Group
+# Copyright (C) 2002-2009 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
 #
 # This program was originally based on Vend 0.2 and 0.3
@@ -56,7 +54,7 @@ use File::Path;
 use File::Copy;
 use subs qw(logError logGlobal);
 use vars qw($VERSION @EXPORT @EXPORT_OK $errstr);
-$VERSION = substr(q$Revision: 2.28.2.1 $, 10);
+$VERSION = '2.28.2.1';
 
 sub writefile {
     my($file, $data, $opt) = @_;
@@ -191,9 +189,11 @@ sub readfile {
 		$file = $ifile;
 	}
 	else {
-		for( ".", @{$Vend::Cfg->{TemplateDir} || []}, @{$Global::TemplateDir || []}) {
-			next if ! -f "$_/$ifile";
-			$file = "$_/$ifile";
+		for (".", @{$Vend::Cfg->{TemplateDir} || []}, @{$Global::TemplateDir || []}) {
+			my $candidate = "$_/$ifile";
+			log_file_violation($candidate), next if ! allowed_file($candidate);
+			next if ! -f $candidate;
+			$file = $candidate;
 			last;
 		}
 	}
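Review bot: `log_file_violation($candidate), next if ! allowed_file($candidate);` uses the comma operator to chain a call and `next` under one statement modifier, which reads like a typo; `if (! allowed_file($candidate)) { log_file_violation($candidate); next; }` says the same thing clearly. Checking each candidate before the `-f` test is the right order, since it stops a disallowed directory from ever being probed.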
@@ -672,7 +672,7 @@ sub allowed_file {
 	$Vend::File::errstr = '';
 	if(	$Global::NoAbsolute
 			and
-		$fn !~ $Vend::Cfg->{AllowedFileRegex}
+		$fn !~ $Global::AllowedFileRegex->{$Vend::Cat}
 			and
 		absolute_or_relative($fn)
 		)
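Review bot: `$fn !~ $Global::AllowedFileRegex->{$Vend::Cat}` now depends on a hash entry that may be absent (no catalog context, `$Vend::Cat` unset, or a catalog whose `VendRoot` hook has not run). Matching against an undefined pattern in Perl is the empty pattern, which means "the last successfully matched regular expression", so the outcome would be whatever regex matched last anywhere in the process rather than a failed match. Look the entry up first and treat a missing one as "no exemption", e.g. `my $re = $Global::AllowedFileRegex->{$Vend::Cat};` and then `(!$re or $fn !~ $re) and absolute_or_relative($fn)`.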
diff --git a/lib/Vend/Interpolate.pm b/lib/Vend/Interpolate.pm
index 653a3d8..7d26f54 100644
--- a/lib/Vend/Interpolate.pm
+++ b/lib/Vend/Interpolate.pm
@@ -4652,7 +4652,7 @@ sub region {
 		if($CGI::values{mv_more_matches} || $CGI::values{MM}) {
 
 			### It is a more function, we need to get the parameters
-			find_search_params();
+			find_search_params(\%CGI::values);
 			delete $CGI::values{mv_more_matches};
 		}
 		elsif ($opt->{search}) {
diff --git a/lib/Vend/Order.pm b/lib/Vend/Order.pm
index 94dc801..7cfb339 100644
--- a/lib/Vend/Order.pm
+++ b/lib/Vend/Order.pm
@@ -446,7 +446,6 @@ sub build_cc_info {
 			{MV_CREDIT_CARD_TYPE}
 			{MV_CREDIT_CARD_NUMBER}
 			{MV_CREDIT_CARD_EXP_MONTH}/{MV_CREDIT_CARD_EXP_YEAR}
-			{MV_CREDIT_CARD_CVV2}
 		)) . "\n";
 
 	$cardinfo->{MV_CREDIT_CARD_TYPE} ||=
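Review bot: dropping `{MV_CREDIT_CARD_CVV2}` from the assembled card info is the right call, since the CVV2 must not be retained after authorization; the commit message should say this is a data-retention fix rather than a cosmetic one. Please also grep for any other path that writes `MV_CREDIT_CARD_CVV2` into the order record, logs or email templates so the value is not persisted elsewhere.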
diff --git a/lib/Vend/Page.pm b/lib/Vend/Page.pm
index db4ae6f..3986f53 100644
--- a/lib/Vend/Page.pm
+++ b/lib/Vend/Page.pm
@@ -164,11 +164,34 @@ sub do_page {
 	display_page();
 }
 
+sub _check_search_file {
+	my ($c) = @_;
+	my $f;
+
+	if ($c->{mv_search_file}) {
+		my(@files) = grep /\S/, split /\s*[,\0]\s*/, $c->{mv_search_file}, -1;
+		for $f (@files) {
+			unless (grep { $f eq $_ } @{$Vend::Cfg->{AllowRemoteSearch}}) {
+				::logGlobal("Security violation, trying to remote search '%s', doesn't match '%s'",
+					$_, $Vend::Cfg->{AllowRemoteSearch});
+				die "Security violation";
+			}
+		}
+	}
+}
+
 ## DO SEARCH
 sub do_search {
-	my($c) = \%CGI::values;
+	my($c) = @_;
 	::update_user();
 
+	# If search parameters not passed in via function, then safely pull them from
+	# the CGI values.
+	if (!is_hash($c)) {
+		$c = find_search_params(\%CGI::values);
+		_check_search_file($c);
+	}
+
 	if ($c->{mv_more_matches}) {
 		$Vend::Session->{last_search} = "scan/MM=$c->{mv_more_matches}";
 		$c->{mv_more_matches} =~ m/([a-zA-Z0-9])+/;
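Review bot: the `::logGlobal` call in `_check_search_file` reports `$_` and `$Vend::Cfg->{AllowRemoteSearch}`, but the loop variable is `$f` (so `$_` is whatever was last set) and `AllowRemoteSearch` is an array ref, so the message will read like `... '' doesn't match 'ARRAY(0x...)'`; use `$f` and `join(' ', @{$Vend::Cfg->{AllowRemoteSearch}})`. The bare `die "Security violation"` has no trailing newline, so the text gains an "at Page.pm line N" suffix; consider routing this through the existing violation page handling (`find_special_page('violation')`) as other security checks do, so the user gets the standard page instead of a server error. The `is_hash($c)` branch also means callers passing a hash (tag-driven searches) skip the check by design; a comment stating that would help.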
@@ -202,6 +225,8 @@ sub do_scan {
 	$Vend::ScanPassed = "scan/$path";
 	find_search_params($c,$path);
 
+	_check_search_file($c);
+
 	if ($c->{mv_more_matches}) {
 		$Vend::Session->{last_search} = "scan/MM=$c->{mv_more_matches}";
 		$Vend::More_in_progress = 1;
diff --git a/lib/Vend/Scan.pm b/lib/Vend/Scan.pm
index 69274ff..4b5f627 100644
--- a/lib/Vend/Scan.pm
+++ b/lib/Vend/Scan.pm
@@ -276,10 +276,7 @@ sub create_last_search {
 sub find_search_params {
 	my($c,$param) = @_;
 	my(@args);
-	if(! $param) {
-		$c = \%CGI::values;
-	}
-	else {
+	if($param) {
 		$param =~ s/-_NULL_-/\0/g;
 		@args = split m:/:, $param;
 	}
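Review bot: `find_search_params` no longer falls back to `\%CGI::values` when called without `$param`, so any remaining caller that passes `undef` for `$c` will now populate a freshly autovivified hash instead of the CGI values and silently search on nothing. The Interpolate.pm and Page.pm call sites in this patch were updated; please grep the rest of lib/ and the UserTag code for `find_search_params(` with no first argument, and consider a `die` or warning when `$c` is not a hash ref.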
diff --git a/lib/Vend/Server.pm b/lib/Vend/Server.pm
index 1a6aab7..9a28bb3 100644
--- a/lib/Vend/Server.pm
+++ b/lib/Vend/Server.pm
@@ -1020,31 +1020,20 @@ my ($Sig_inc, $Sig_dec, $Counter);
 sub sig_int_or_term {
 	$Signal_Terminate = 1;
 
-	my $term_count = 0;
-	TERM: {
-		my %seen;
-		my @pids =
-			grep { !$seen{$_}++ }
-				(keys %Page_pids, keys %Starting_pids);
+	my (%seen, $all_gone);
 
-		last TERM unless @pids;
+	my @pids =
+		grep { !$seen{$_}++ }
+			(keys %Page_pids, keys %Starting_pids);
 
-		kill TERM => $_ for @pids;
-		sleep 1;
-
-		redo TERM unless ++$term_count > 3;
+	for (1..3) {
+		$all_gone = ! kill TERM => @pids
+			and last;
+		select (undef, undef, undef, 0.5);
 	}
 
-	KILL: {
-		my %seen;
-		my @pids =
-			grep { !$seen{$_}++ }
-				(keys %Page_pids, keys %Starting_pids);
-
-		last KILL unless @pids;
-
-		kill KILL => $_ for @pids;
-	}
+	kill KILL => @pids
+		unless $all_gone;
 
 	return;
 }
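Review bot: the rewritten shutdown loop shortens the grace period: three rounds of `select (undef, undef, undef, 0.5)` give children at most about 1.5 s to exit on TERM before `kill KILL`, versus up to four seconds in the removed `TERM:` block. If that is intended, say so in the commit message. `$all_gone = ! kill TERM => @pids and last;` relies on `and` binding looser than `=`; parenthesising it as `($all_gone = ! kill TERM => @pids) and last;` makes that explicit. Note that `kill` returns the number of processes signalled, so a child that ignores TERM keeps `$all_gone` false and is correctly escalated to KILL, while an empty `@pids` yields `$all_gone` true on the first pass.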
diff --git a/lib/Vend/Table/Editor.pm b/lib/Vend/Table/Editor.pm
index 455eeae..c9b8720 100644
--- a/lib/Vend/Table/Editor.pm
+++ b/lib/Vend/Table/Editor.pm
@@ -1,6 +1,6 @@
 # Vend::Table::Editor - Swiss-army-knife table editor for Interchange
 #
-# $Id: Editor.pm,v 1.92 2008-05-10 14:07:40 mheins Exp $
+# $Id: Editor.pm,v 1.93 2009-03-20 18:59:35 mheins Exp $
 #
 # Copyright (C) 2002-2008 Interchange Development Group
 # Copyright (C) 2002 Mike Heins <mike at perusion.net>
@@ -26,7 +26,7 @@
 package Vend::Table::Editor;
 
 use vars qw($VERSION);
-$VERSION = substr(q$Revision: 1.92 $, 10);
+$VERSION = substr(q$Revision: 1.93 $, 10);
 
 use Vend::Util;
 use Vend::Interpolate;
@@ -902,7 +902,6 @@ sub display {
 		if ($record->{type} =~ s/^custom\s+//s) {
 			my $wid = lc $record->{type};
 			$wid =~ tr/-/_/;
-			my $w;
 			$record->{attribute} ||= $column;
 			$record->{table}     ||= $mtab;
 			$record->{rows}      ||= $record->{height};
diff --git a/lib/Vend/UserDB.pm b/lib/Vend/UserDB.pm
old mode 100755
new mode 100644
index 834bc17..942f83c
--- a/lib/Vend/UserDB.pm
+++ b/lib/Vend/UserDB.pm
@@ -126,6 +126,7 @@ box or in a set of links.
 @S_FIELDS = ( 
 qw!
 	s_nickname
+	company
 	name
 	fname
 	lname
diff --git a/lib/Vend/Util.pm b/lib/Vend/Util.pm
index 950db09..866aa4f 100644
--- a/lib/Vend/Util.pm
+++ b/lib/Vend/Util.pm
@@ -1,8 +1,6 @@
 # Vend::Util - Interchange utility functions
 #
-# $Id: Util.pm,v 2.118 2008-03-27 15:56:49 ton Exp $
-# 
-# Copyright (C) 2002-2008 Interchange Development Group
+# Copyright (C) 2002-2009 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
 #
 # This program was originally based on Vend 0.2 and 0.3
@@ -1113,10 +1111,17 @@ sub readin {
 		logError( "Too many .. in file path '%s' for security.", $file );
 		$file = find_special_page('violation');
 	}
-	$file =~ s#//+#/#g;
-	$file =~ s#/+$##g;
-	($pathdir = $file) =~ s#/[^/]*$##;
-	$pathdir =~ s:^/+::;
+
+	if(index($file, '/') < 0) {
+		$pathdir = '';
+	}
+	else {
+		$file =~ s#//+#/#g;
+		$file =~ s#/+$##g;
+		($pathdir = $file) =~ s#/[^/]*$##;
+		$pathdir =~ s:^/+::;
+	}
+
 	my $try;
 	my $suffix = $Vend::Cfg->{HTMLsuffix};
 	my $db_tried;
@@ -1655,7 +1660,7 @@ sub logDebug {
 		$debug{tag} = $Vend::CurrentTag;
 		$debug{host} = $CGI::host || $CGI::remote_addr;
 		$debug{remote_addr} = $CGI::remote_addr;
-		$debug{catalog} = $Vend::Catalog;
+		$debug{catalog} = $Vend::Cat;
         if($tpl =~ /\{caller\d+\}/i) {
             my @caller = caller();
             for(my $i = 0; $i < @caller; $i++) {
@@ -1818,22 +1823,29 @@ sub logError {
 	$Vend::Errors .= $msg
 		if $Vend::Cfg->{DisplayErrors} || $Global::DisplayErrors;
 
-    eval {
-		open(MVERROR, ">> $opt->{file}")
-											or die "open\n";
-		lockfile(\*MVERROR, 1, 1)		or die "lock\n";
-		seek(MVERROR, 0, 2)				or die "seek\n";
-		print(MVERROR $msg, "\n")		or die "write to\n";
-		unlockfile(\*MVERROR)			or die "unlock\n";
-		close(MVERROR)					or die "close\n";
-    };
+    my $reason;
+    if (! allowed_file($opt->{file}, 1)) {
+        $@ = 'access';
+        $reason = 'prohibited by global configuration';
+    }
+    else {
+        eval {
+            open(MVERROR, ">> $opt->{file}")
+                                        or die "open\n";
+            lockfile(\*MVERROR, 1, 1)   or die "lock\n";
+            seek(MVERROR, 0, 2)         or die "seek\n";
+            print(MVERROR $msg, "\n")   or die "write to\n";
+            unlockfile(\*MVERROR)       or die "unlock\n";
+            close(MVERROR)              or die "close\n";
+        };
+    }
     if ($@) {
 		chomp $@;
 		logGlobal ({ level => 'info' },
 					"Could not %s error file %s: %s\nto report this error: %s",
 					$@,
 					$opt->{file},
-					$!,
+					$reason || $!,
 					$msg,
 				);
     }
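Review bot: the new `allowed_file($opt->{file}, 1)` guard sets `$@ = 'access'` by hand so the existing `if ($@)` reporting fires; that works but couples the two branches through a global, and any later code that clears `$@` silently loses the condition. A local flag (`my $failed = 'access';`) tested alongside `$@` would be more robust. The hunk also mixes four-space indentation with the tabs used by the surrounding `chomp $@;` / `logGlobal` block; match the file's tab style.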
diff --git a/scripts/compile_link.PL b/scripts/compile_link.PL
index 9a1bb37..a29bd9a 100644
--- a/scripts/compile_link.PL
+++ b/scripts/compile_link.PL
@@ -35,7 +35,7 @@ use Getopt::Long;
 
 use vars qw/$Self/;
 
-Getopt::Long::config(qw/permute/);
+Getopt::Long::config(qw/permute no_ignore_case/);
 
 BEGIN {
 	$::Self = {
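Review bot: adding `no_ignore_case` makes every compile_link option case-sensitive, which is a user-visible change (an invocation that relied on case-insensitive matching stops working) and should be mentioned in the release notes; the hunk does not say which same-letter options motivated it. While on this line, `Getopt::Long::config` is the old spelling and `Getopt::Long::Configure` is the documented name, so `Getopt::Long::Configure(qw/permute no_ignore_case/);` would be the cleaner form.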
diff --git a/scripts/interchange.PL b/scripts/interchange.PL
index ea80469..2dea0ea 100644
--- a/scripts/interchange.PL
+++ b/scripts/interchange.PL
@@ -1,11 +1,9 @@
 #!/usr/bin/perl -w
 ##!~_~perlpath~_~
 #
-# Interchange version 5.6.1
+# Interchange version 5.6.2
 #
-# $Id: interchange.PL,v 2.105.2.2 2008-11-10 06:51:21 jon Exp $
-#
-# Copyright (C) 2002-2008 Interchange Development Group
+# Copyright (C) 2002-2009 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
 # http://www.icdevgroup.org/
 #
@@ -32,6 +30,11 @@
 use strict;
 
 BEGIN {
+	select STDERR;
+	$| = 1;
+	select STDOUT;
+	$| = 1;
+
 	if ($ENV{INTERCHANGE_INSTALLPRIVLIB}) {
 		unshift @INC, $ENV{INTERCHANGE_INSTALLPRIVLIB};
 	}
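Review bot: putting the `select STDERR; $| = 1; select STDOUT; $| = 1;` sequence in the BEGIN block means autoflush is on from compile time for every code path, including the foreground debug run and the early `exit` paths, not just the daemon branch where it used to be set; that is reasonable for a server launcher, but say so in the commit message. The sequence correctly ends with STDOUT reselected; the `select` dance could be replaced by `STDERR->autoflush(1)` only if IO::Handle were already loaded, which in a BEGIN block this early it may not be, so leaving it as written is fine.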
@@ -155,7 +158,7 @@ use vars qw($VERSION);
 require Exporter;
 
 BEGIN {
-	$VERSION = '5.6.1';
+	$VERSION = '5.6.2';
 }
 
 use Fcntl;
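Review bot: the version string is now hand-edited in three places in this file (the header comment, `$VERSION = '5.6.2';`, and the POD VERSION section), and the copyright year in two more, each in its own hunk; since this is a .PL template, derive the comment and POD text from `$VERSION` at build time so a release bump is a single edit and the three copies cannot drift apart.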
@@ -348,7 +351,7 @@ sub dontwarn {
 }
 
 sub version {
-	print "Interchange version $VERSION copyright 2002-2008 Interchange Development Group and others.\n";
+	print "Interchange version $VERSION copyright 2002-2009 Interchange Development Group and others.\n";
 }
 
 =head1 NAME
@@ -361,7 +364,7 @@ interchange [--options] [file]
 
 =head1 VERSION
 
-5.6.1
+5.6.2
 
 =head1 DESCRIPTION
 
@@ -842,7 +845,6 @@ print errmsg("\n##### DEBUG MODE, running in foreground #####\n") if $Global::DE
 		exit;
 	}
 
-	$| = 1;
 	logGlobal( "Interchange V$VERSION");
 
 	SIGNALCHECK: {
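Review bot: dropping this `$| = 1;` is only correct because the BEGIN block at the top of the file now sets STDOUT autoflush before any code runs; the two hunks must land together, and a one-line comment here saying autoflush is handled in BEGIN would stop someone re-adding it.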
@@ -961,13 +963,6 @@ EOF
 		# This is all done in Vend::Server::set_process_name now.
 		Vend::Server::set_process_name($Global::VendRoot);
 
-		# We won't have much output on any of this, but if we get some
-		# we want it immediately
-		select STDERR; 
-		$| = 1;
-		select STDOUT;
-		$| = 1;
-
 		# This should never return unless killed or a catastrophic error
 		Vend::Server::run_server();
 	}
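Review bot: the removed block carried the only explanation of why autoflush is wanted (`We won't have much output on any of this, but if we get some we want it immediately`); since the code moved to the BEGIN block rather than being deleted, move the comment with it instead of losing it, otherwise the next reader may take the BEGIN-block `$| = 1` lines for leftover debugging and remove them.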
@@ -1007,7 +1002,7 @@ GNU General Public License.
 
 =head1 COPYRIGHT
 
-    Copyright (C) 2002-2008 Interchange Development Group
+    Copyright (C) 2002-2009 Interchange Development Group
     Copyright (C) 1995-2002 Red Hat, Inc.
     All rights reserved except those granted in the license.
 


hooks/post-receive
-- 
Interchange
