/
WHATSNEW-5.12
476 lines (304 loc) · 15.7 KB
/
WHATSNEW-5.12
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
------------------------------------------------------------------------------
What's new in each version of Interchange
(since the version 5.12 branch)
See UPGRADE document for a list of incompatible changes.
------------------------------------------------------------------------------
Interchange 5.12 not released yet
Interchange now requires Perl 5.16.3 or newer.
Please note that the official Interchange project site has moved from
icdevgroup.org to:
https://www.interchangecommerce.org/
The canonical Git repository is now hosted on GitHub at:
https://github.com/interchange/interchange
Installation
------------
* Assume that if a source code control repository is present in the
installation directory, we don't need to do the archaic .~* file copies.
Core
----
* Updated RobotUA handling.
* Improved UTF-8 handling and bugfixes.
* Improve image uploading via the table editor.
* Add support for [all-anchor] token in [more-list] template.
* Improve [image] extension handling to search for lower/uppercase versions
of file extensions.
* Add date-change "common" filter parameter to output date+time without "T"
separator.
* Add bcrypt filter.
* Allow a dash in the middle of a varname (and to end one).
* Allow changable varname regex for profile checks via
Limit profile_check_varname_regex \b\w[-+.\w]*
* Fix bug where only one address was possible for DebugHost. Now accepts a
range of IP addresses.
* Disallow comma character within email addresses in email and email_only
profile checks.
* Add "default" option on CGI tag. Negligible impact on performance, as
branch only followed on blank/zero value.
* Fix bug whereby certain LARGE or HUGE tables could have large searches
started by hitting return with the cursor in the entry box.
* Fix bug in hash version of [item-tag-*].
* Reprioritize (later) little-used loop tag scratchd.
* Refactor cookie-setting routine to avoid double ; and extra string copying
and use canonical capitalization.
* Teach pragma set_httponly to apply only to certain cookies.
E.g. for the default session cookie only:
Pragma set_httponly=MV_SESSION_ID
Or for that plus another arbitrary cookie "cart":
Pragma set_httponly=MV_SESSION_ID;cart
The old behavior of setting HttpOnly for all cookies still works as before, e.g.:
Pragma set_httponly
* Add CounterDir configuration to allow counters to be defined by default in
some place different than VendRoot.
* Extend PerlAlwaysGlobal to encompass [loop-calc].
* Fixed a bug in the [area] tag when a full URL is passed as the href.
* Pass through from [bounce] URL-generation options such as form, secure,
match_secure, etc.
* Add new AlwaysSecureGlob directive. It's not possible to enumerate all the
admin URLs or ActionMaps that should be generated secure-only, so this new
directive allows matching.
* Fix month and year adjustment wrapping issue in Vend::Util::adjust_time().
* Add [adjust-href] tag. Reads HTML passed to it, finds <a href> links
and adjusts ones that don't begin with an absolute path to
Interchange URLs. Normally done by setting "Pragma adjust_href" in
catalog.cfg (or [pragma adjust_href] at the top of the page).
* Add code to Server.pm to adjust <a href="link"> tags when "Pragma adjust_href"
is in force. Uses above tag.
* Cleanup of quite a few Perl module dependencies, removal of vestiges of
old version control systems from source files.
* Improved integration of CI tools for development.
* Add ability to return after Preload and Autoload routines. Setting
$Vend::PreloadReturn or $Vend::AutoloadReturn (i.e. they are defined)
means Vend::Dispatch::dispatch() will return that status. This allows
features like QueryCache and others that are hooked via Preload or
Autoload.
* Add skeleton module Vend::InDev, which does nothing but set a single
global variable if the file _indev is present in $Global::VendRoot.
This allows interchange.cfg bifurcation, useful when maintain a SCCS
repository.
* Multiple cleanups and bugfixes to handle more modern versions of Perl.
* Add x_accel_expires pragma to set X-Accel-Expires header for nginx proxy caching.
* Remove non-header from BounceReferrals HTTP response headers, which
breaks output with newer Apache versions.
* Support recipient addresses in CC and BCC when using Net::SMTP.
* Fix Vend::Util::timecard_stamp() to support a passed timestamp.
* Make Interchange reopen debug.log/STDERR when receiving HUP signal.
* Fix race conditions in timed-build output.
* Added support for CIDR notation (for both IPv4 & IPv6) in TrustProxy and
RobotIP directives.
* Normalize IPv6 addresses.
* Fix bug with mixed plaintext/crypted passwords on promotion.
* Quell error message for harmless empty JSON request body.
* Allow custom headers in [get-url].
* Add more unit tests.
* Make HTTP response codes more relevant.
* Improvements to [child-process] usertag.
* Allow setting cookies, even if no session is created.
* Add new global directive LogTimeFormat which allows customizing the prefix of
log lines from the default [%d/%B/%Y:%H:%M:%S %z] using strftime(3) format.
* Add new SMTPConfig hash directive for Net::SMTP configuration to support
SMTP AUTH user & password, alternate server port, SSL, and timeout options.
* New usertag [config] to pull catalog config params, or with 2nd-arg flag
global config params. Supports dot-syntax for pulling from complex config
params.
* New Pragma set_samesite to control SameSite settings on cookies.
To set all cookies Strict:
Pragma set_samesite=Strict
To set only foo to Lax:
Pragma set_samesite=foo=Lax
To add bar as Strict:
Pragma set_samesite=foo=Lax;bar=Strict
And add baz as None:
Pragma set_samesite=foo=Lax;bar=Strict;baz=None
If None is used, that forces Secure on those cookies as well.
Payments
--------
* Add BIN-2 MasterCard number support to Vend::Order, catalog templates,
admin, and Vend::Payment modules which require it.
* Include b_phone and phone in payment information.
* Remove defunct payment services: Vend::Payment::ECHO and Vend::Payment::Skipjack.
* Updated Vend::Payment::PayPal to latest available version.
* New Braintree payment module.
* Add Gateway Log feature for logging full details of payment gateway requests/
responses. (See extended section about the Gateway Log later in this document.)
Database
--------
* Support newer versions of MySQL.
* Prevent key-only inserts for new rows in [import-fields] tag.
* Allow admin user to export specific tables using [backup-database] despite
current NoExportExternal setting.
* Add ability to have a NO_UPDATE field in SQL tables, which field will
not affect a TIMESTAMP field (in MySQL or Postgres, at least).
Intended to allow mod_time in user logins to be updated without changing
a timestamp field. May have other uses, but is only honored at this
time in the set_field() method, so has limited applicability.
Assuming one has a timestamp field in the userdb table called
"update_date", this is effected by changing the configuration as:
Database userdb TIMESTAMP_FIELD update_date
Database userdb NO_UPDATE mod_time
* Fix bugs with MySQL and PostgreSQL handling of QUOTE_IDENTIFIERS.
* Update default field widths for userdb, transactions, and orderlines.
* Improve error handling/messaging when no access to database in Safe.
* Support MySQL's utf8mb4 character set encoding, to be able to store all
UTF-8 characters.
UserDB
------
* Add valref and scratchref options to UserDB, allowing the admin user to put
their stuff in someplace besides $Values. This would allow you to easily set
$Values to customer or affiliate settings, without impacting the admin user.
If you do:
UserDB ui valref user_record
UserTag uvalue Alias data base=session key=
you will then be able to reference the Admin "values" with
[uvalue name]
The [if-mm] tag probably needs to be adjusted for this to work
in the admin in real life.
* Check for admin status earlier so it's available to postlogin_action.
* Add support for prelogout_action to UserDB logout.
* Add "fallback_login" option, to be used with "indirect_login". If
indirect fails, it will fallback to the primary key (by default,
username). This could allow users to login with email (indirect_login
= usernick), but still support login via username if they opted to use
their username instead.
* Add "promote_admin" option, to be used with "scratch". The option
is set to the value of a field name, which also has to be a "scratch"
value. If that is true, and the value of the field is true, the user
will be promoted to $Vend::admin. They will not be $Vend::super. Note
that this does not gain access to the classic Interchange UI without
modification, since the login_table will not be admin (the test which is
used in most cases).
* Fix bug causing passwords to be blanked in the database when promoting
to e.g. bcrypt hashing but required modules are missing. This caused the
user to be unable to log in thereafter until a new password was set, but
did not allow any unauthorized access. (GitHub pull request #90)
Admin
-----
* Fix XSS injection vulnerabilities in help and quicklinks (CVE-2020-12685).
* Respect custom BACKUP_DIRECTORY in admin table downloads. This matches
behavior expected by [export-database].
* Fix bug which blew away user's yes_tables and yes_functions setting when
editing name/superuser status.
`
* Fix table editor composite key problems, both creating new and editing
existing rows.
* Exclude canceled orders from reports.
* Remove support for ancient browsers and unused variables.
* Remove old help content.
* Move access table into SQL to avoid locking between users. (GitHub pull
request #89)
Strap Demo Catalog
------------------
* Updated the versions of jQuery, Google Analytics, and Bootstrap used.
* Turn off UserDB ignore_case by default.
* Prevent browser autocomplete problems.
* Remove some legacy cart components.
* Formatting fixes on checkout pages.
* Fix broken random password number range; consistently make random
instead of using zip or phone.
* Lengthen ip_addr database fields to support IPv6.
* Remove the option for session IDs in URLs, so cookies are always required.
* Add base configuration and settings to delegate [salestax] to 3rd-party tax
APIs generally, and use of Tax Jar specifically.
* Support easy use of SQLite in makecat.
Other
-----
* Updated te utility with several new features.
* Quickbooks integration: Fix typos so that removing stray trailing
whitespace works.
* Added tools for viewing/manipulating existing Storage sessions.
* Removed old mod_perl artifacts.
* Added support for {NEWLINE} token in [error] templates, by René Hertell
from GitHub issue #40.
* Removed Vend::Email module that was added but never integrated
(GitHub issue #58).
* Taught [email-raw] to properly handle Unicode via the MV_EMAIL_CHARSET
variable.
* Removed vestigial Windows support and defunct Irix support.
Gateway Log
-----------
Vend::Payment::GatewayLog - Basic package and methods for enabling full
transaction logging in any of the gateways within the Vend::Payment::*
namespace.
Gateway logging is inactive by default. It can be explicitly enabled by
triggering the "gwl_enabled" option in any of the usual ways:
* As an option directly through the [charge] tag. E.g.,
[charge route=authorizenet gwl_enabled=1 ...]
* As an option defined in a payment route. E.g.,
Route authorizenet id "__MV_PAYMENT_ID__"
Route authorizenet gwl_enabled 1
...
* Globally for all payment modules where gateway logging support has been
added to the module, via MV_PAYMENT_* mechanism. E.g.,
Variable MV_PAYMENT_GWL_ENABLED 1
Note at this time, only a few payment modules have been fitted with gateway
logging support. It is assumed that the developer of each module, who is
familiar with the request/response structure of the specific API, will be
ideally suited to add gateway logging to the remaining modules. Those
currently supporting it are:
* AuthorizeNet
* Braintree
* CyberSource
* PayflowPro
* PaypalExpress (for dorequest API activity only)
Developers responsible for other payment gateways are encouraged to follow the
examples of the above payment modules and outfit remaining payment gateways
with their own gateway-logging hooks.
The format and fields of the gateway_log table as defined in the strap demo
should be used for maximal interoperability. The table name can be any name
you like, but because every payment module independently constructs the code
to populate the table, changing the field data types or names, and/or
adding/removing fields, will likely cause malfunction for the existing
modules' logging configurations.
There are 3 settings a catalog manager can control when enabling gateway
logging:
* Enabled (discussed above)
Boolean to indicate that actual logging should be performed. Default
is false; thus logging must be explicitly requested. Can be set with
Route param or [charge] options "gwl_enabled", or globally with
MV_PAYMENT_GWL_ENABLED in catalog.cfg.
* LogTable
Name of table to which logging should be directed. Default is
gateway_log. Can be set with Route param or [charge] option "gwl_table",
or globally with MV_PAYMENT_GWL_TABLE in catalog.cfg.
* Source
Maps to the request_source field in the log table. Value is most
meaningful in a distributed environment, where multiple servers
running the Interchange application may be handling requests behind a
load balancer. Default value obtained from `hostname -s`. Can be set
with Route param or [charge] option "gwl_source", or globally with
MV_PAYMENT_GWL_SOURCE in catalog.cfg.
3rd Party Tax Support
---------------------
Vend::Tax - alternative salestax framework to allow catalogs to leverage
3rd-party APIs for tax calculation, estimates, and reporting.
Vend::Tax defines 3 new tags to support each of the above identified
functions:
* [tax-lookup] - returns calculated tax amount determined by specific
3rd-party provider. Tax may be estimated or live lookup, depending on
settings. Data required to calculate tax will be provider dependent.
* [load-tax-averages] - requests and stores tax averages for running in
estimate mode, for providers that support it. Stores estimates by default in
"tax_averages" table. Further, allows for local tracking of jurisdictions
with nexus, which can be used by live lookups to determine if a particular
lookup can be skipped entirely. See load_tax_averages Job and "tax_averages"
table definition in strap demo.
* [send-tax-transaction] - report to provider the resulting tax transaction
for a given order, for providers that support it. By default, operates based
on transactions.tax_sent field. 0/empty indicates transaction not reported.
1 indicates transaction successfully reported. -1 indicates an error
attempting to report transaction, requiring manual intervention. See
send_tax_transactions Job in strap demo.
Conceptually, Vend::Tax is patterned off of Vend::Payment for payment
transactions. It provides the defined interface that Interchange will use,
via the 3 tags shown above, but must delegate to vendor-specific
implementations through tax gateway modules.
Currently, only Tax Jar is supported - see Vend::Tax::TaxJar. But Vend::Tax
was designed to facilitate and encourage the development of any 3rd-party
providers through the creation of new Vend::Tax::Service modules. A review of
Vend::Tax::TaxJar should be instructive for the expected interface with the 3
usertags.
Like the payment modules, in order to make a particular tax service available,
it must be "Required" from interchange.cfg. E.g.:
Require module Vend::Tax::TaxJar
See strap demo for example on integrating 3rd-party tax into your catalog via
the SalesTax configuration directive.
(end)