------------------------------------------------------------------------------

What's new in each version of Interchange

(since the version 5.12 branch)

See UPGRADE document for a list of incompatible changes.

------------------------------------------------------------------------------

Interchange 5.12 not released yet

Interchange now requires Perl 5.16.3 or newer.

Please note that the official Interchange project site has moved from

icdevgroup.org to:

https://www.interchangecommerce.org/

The canonical Git repository is now hosted on GitHub at:

https://github.com/interchange/interchange

Installation

------------

* Assume that if a source code control repository is present in the

installation directory, we don't need to do the archaic .~* file copies.

Core

----

* Updated RobotUA handling.

* Improved UTF-8 handling and bugfixes.

* Improve image uploading via the table editor.

* Add support for [all-anchor] token in [more-list] template.

* Improve [image] extension handling to search for lower/uppercase versions

of file extensions.

* Add date-change "common" filter parameter to output date+time without "T"

separator.

* Add bcrypt filter.

* Allow a dash in the middle of a varname (and to end one).

* Allow changable varname regex for profile checks via

Limit profile_check_varname_regex \b\w[-+.\w]*

* Fix bug where only one address was possible for DebugHost. Now accepts a

range of IP addresses.

* Disallow comma character within email addresses in email and email_only

profile checks.

* Add "default" option on CGI tag. Negligible impact on performance, as

branch only followed on blank/zero value.

* Fix bug whereby certain LARGE or HUGE tables could have large searches

started by hitting return with the cursor in the entry box.

* Fix bug in hash version of [item-tag-*].

* Reprioritize (later) little-used loop tag scratchd.

* Refactor cookie-setting routine to avoid double ; and extra string copying

and use canonical capitalization.

* Teach pragma set_httponly to apply only to certain cookies.

E.g. for the default session cookie only:

Pragma set_httponly=MV_SESSION_ID

Or for that plus another arbitrary cookie "cart":

Pragma set_httponly=MV_SESSION_ID;cart

The old behavior of setting HttpOnly for all cookies still works as before, e.g.:

Pragma set_httponly

* Add CounterDir configuration to allow counters to be defined by default in

some place different than VendRoot.

* Extend PerlAlwaysGlobal to encompass [loop-calc].

* Fixed a bug in the [area] tag when a full URL is passed as the href.

* Pass through from [bounce] URL-generation options such as form, secure,

match_secure, etc.

* Add new AlwaysSecureGlob directive. It's not possible to enumerate all the

admin URLs or ActionMaps that should be generated secure-only, so this new

directive allows matching.

* Fix month and year adjustment wrapping issue in Vend::Util::adjust_time().

* Add [adjust-href] tag. Reads HTML passed to it, finds <a href> links

and adjusts ones that don't begin with an absolute path to

Interchange URLs. Normally done by setting "Pragma adjust_href" in

catalog.cfg (or [pragma adjust_href] at the top of the page).

* Add code to Server.pm to adjust <a href="link"> tags when "Pragma adjust_href"

is in force. Uses above tag.

* Cleanup of quite a few Perl module dependencies, removal of vestiges of

old version control systems from source files.

* Improved integration of CI tools for development.

* Add ability to return after Preload and Autoload routines. Setting

$Vend::PreloadReturn or $Vend::AutoloadReturn (i.e. they are defined)

means Vend::Dispatch::dispatch() will return that status. This allows

features like QueryCache and others that are hooked via Preload or

Autoload.

* Add skeleton module Vend::InDev, which does nothing but set a single

global variable if the file _indev is present in $Global::VendRoot.

This allows interchange.cfg bifurcation, useful when maintain a SCCS

repository.

* Multiple cleanups and bugfixes to handle more modern versions of Perl.

* Add x_accel_expires pragma to set X-Accel-Expires header for nginx proxy caching.

* Remove non-header from BounceReferrals HTTP response headers, which

breaks output with newer Apache versions.

* Support recipient addresses in CC and BCC when using Net::SMTP.

* Fix Vend::Util::timecard_stamp() to support a passed timestamp.

* Make Interchange reopen debug.log/STDERR when receiving HUP signal.

* Fix race conditions in timed-build output.

* Added support for CIDR notation (for both IPv4 & IPv6) in TrustProxy and

RobotIP directives.

* Normalize IPv6 addresses.

* Fix bug with mixed plaintext/crypted passwords on promotion.

* Quell error message for harmless empty JSON request body.

* Allow custom headers in [get-url].

* Add more unit tests.

* Make HTTP response codes more relevant.

* Improvements to [child-process] usertag.

* Allow setting cookies, even if no session is created.

* Add new global directive LogTimeFormat which allows customizing the prefix of

log lines from the default [%d/%B/%Y:%H:%M:%S %z] using strftime(3) format.

* Add new SMTPConfig hash directive for Net::SMTP configuration to support

SMTP AUTH user & password, alternate server port, SSL, and timeout options.

* New usertag [config] to pull catalog config params, or with 2nd-arg flag

global config params. Supports dot-syntax for pulling from complex config

params.

* New Pragma set_samesite to control SameSite settings on cookies.

To set all cookies Strict:

Pragma set_samesite=Strict

To set only foo to Lax:

Pragma set_samesite=foo=Lax

To add bar as Strict:

Pragma set_samesite=foo=Lax;bar=Strict

And add baz as None:

Pragma set_samesite=foo=Lax;bar=Strict;baz=None

If None is used, that forces Secure on those cookies as well.

Payments

--------

* Add BIN-2 MasterCard number support to Vend::Order, catalog templates,

admin, and Vend::Payment modules which require it.

* Include b_phone and phone in payment information.

* Remove defunct payment services: Vend::Payment::ECHO and Vend::Payment::Skipjack.

* Updated Vend::Payment::PayPal to latest available version.

* New Braintree payment module.

* Add Gateway Log feature for logging full details of payment gateway requests/

responses. (See extended section about the Gateway Log later in this document.)

Database

--------

* Support newer versions of MySQL.

* Prevent key-only inserts for new rows in [import-fields] tag.

* Allow admin user to export specific tables using [backup-database] despite

current NoExportExternal setting.

* Add ability to have a NO_UPDATE field in SQL tables, which field will

not affect a TIMESTAMP field (in MySQL or Postgres, at least).

Intended to allow mod_time in user logins to be updated without changing

a timestamp field. May have other uses, but is only honored at this

time in the set_field() method, so has limited applicability.

Assuming one has a timestamp field in the userdb table called

"update_date", this is effected by changing the configuration as:

Database userdb TIMESTAMP_FIELD update_date

Database userdb NO_UPDATE mod_time

* Fix bugs with MySQL and PostgreSQL handling of QUOTE_IDENTIFIERS.

* Update default field widths for userdb, transactions, and orderlines.

* Improve error handling/messaging when no access to database in Safe.

* Support MySQL's utf8mb4 character set encoding, to be able to store all

UTF-8 characters.

UserDB

------

* Add valref and scratchref options to UserDB, allowing the admin user to put

their stuff in someplace besides $Values. This would allow you to easily set

$Values to customer or affiliate settings, without impacting the admin user.

If you do:

UserDB ui valref user_record

UserTag uvalue Alias data base=session key=

you will then be able to reference the Admin "values" with

[uvalue name]

The [if-mm] tag probably needs to be adjusted for this to work

in the admin in real life.

* Check for admin status earlier so it's available to postlogin_action.

* Add support for prelogout_action to UserDB logout.

* Add "fallback_login" option, to be used with "indirect_login". If

indirect fails, it will fallback to the primary key (by default,

username). This could allow users to login with email (indirect_login

= usernick), but still support login via username if they opted to use

their username instead.

* Add "promote_admin" option, to be used with "scratch". The option

is set to the value of a field name, which also has to be a "scratch"

value. If that is true, and the value of the field is true, the user

will be promoted to $Vend::admin. They will not be $Vend::super. Note

that this does not gain access to the classic Interchange UI without

modification, since the login_table will not be admin (the test which is

used in most cases).

* Fix bug causing passwords to be blanked in the database when promoting

to e.g. bcrypt hashing but required modules are missing. This caused the

user to be unable to log in thereafter until a new password was set, but

did not allow any unauthorized access. (GitHub pull request #90)

Admin

-----

* Fix XSS injection vulnerabilities in help and quicklinks (CVE-2020-12685).

* Respect custom BACKUP_DIRECTORY in admin table downloads. This matches

behavior expected by [export-database].

* Fix bug which blew away user's yes_tables and yes_functions setting when

editing name/superuser status.

`

* Fix table editor composite key problems, both creating new and editing

existing rows.

* Exclude canceled orders from reports.

* Remove support for ancient browsers and unused variables.

* Remove old help content.

* Move access table into SQL to avoid locking between users. (GitHub pull

request #89)

Strap Demo Catalog

------------------

* Updated the versions of jQuery, Google Analytics, and Bootstrap used.

* Turn off UserDB ignore_case by default.

* Prevent browser autocomplete problems.

* Remove some legacy cart components.

* Formatting fixes on checkout pages.

* Fix broken random password number range; consistently make random

instead of using zip or phone.

* Lengthen ip_addr database fields to support IPv6.

* Remove the option for session IDs in URLs, so cookies are always required.

* Add base configuration and settings to delegate [salestax] to 3rd-party tax

APIs generally, and use of Tax Jar specifically.

* Support easy use of SQLite in makecat.

Other

-----

* Updated te utility with several new features.

* Quickbooks integration: Fix typos so that removing stray trailing

whitespace works.

* Added tools for viewing/manipulating existing Storage sessions.

* Removed old mod_perl artifacts.

* Added support for {NEWLINE} token in [error] templates, by René Hertell

from GitHub issue #40.

* Removed Vend::Email module that was added but never integrated

(GitHub issue #58).

* Taught [email-raw] to properly handle Unicode via the MV_EMAIL_CHARSET

variable.

* Removed vestigial Windows support and defunct Irix support.

Gateway Log

-----------

Vend::Payment::GatewayLog - Basic package and methods for enabling full

transaction logging in any of the gateways within the Vend::Payment::*

namespace.

Gateway logging is inactive by default. It can be explicitly enabled by

triggering the "gwl_enabled" option in any of the usual ways:

* As an option directly through the [charge] tag. E.g.,

[charge route=authorizenet gwl_enabled=1 ...]

* As an option defined in a payment route. E.g.,

Route authorizenet id "__MV_PAYMENT_ID__"

Route authorizenet gwl_enabled 1

...

* Globally for all payment modules where gateway logging support has been

added to the module, via MV_PAYMENT_* mechanism. E.g.,

Variable MV_PAYMENT_GWL_ENABLED 1

Note at this time, only a few payment modules have been fitted with gateway

logging support. It is assumed that the developer of each module, who is

familiar with the request/response structure of the specific API, will be

ideally suited to add gateway logging to the remaining modules. Those

currently supporting it are:

* AuthorizeNet

* Braintree

* CyberSource

* PayflowPro

* PaypalExpress (for dorequest API activity only)

Developers responsible for other payment gateways are encouraged to follow the

examples of the above payment modules and outfit remaining payment gateways

with their own gateway-logging hooks.

The format and fields of the gateway_log table as defined in the strap demo

should be used for maximal interoperability. The table name can be any name

you like, but because every payment module independently constructs the code

to populate the table, changing the field data types or names, and/or

adding/removing fields, will likely cause malfunction for the existing

modules' logging configurations.

There are 3 settings a catalog manager can control when enabling gateway

logging:

* Enabled (discussed above)

Boolean to indicate that actual logging should be performed. Default

is false; thus logging must be explicitly requested. Can be set with

Route param or [charge] options "gwl_enabled", or globally with

MV_PAYMENT_GWL_ENABLED in catalog.cfg.

* LogTable

Name of table to which logging should be directed. Default is

gateway_log. Can be set with Route param or [charge] option "gwl_table",

or globally with MV_PAYMENT_GWL_TABLE in catalog.cfg.

* Source

Maps to the request_source field in the log table. Value is most

meaningful in a distributed environment, where multiple servers

running the Interchange application may be handling requests behind a

load balancer. Default value obtained from `hostname -s`. Can be set

with Route param or [charge] option "gwl_source", or globally with

MV_PAYMENT_GWL_SOURCE in catalog.cfg.

3rd Party Tax Support

---------------------

Vend::Tax - alternative salestax framework to allow catalogs to leverage

3rd-party APIs for tax calculation, estimates, and reporting.

Vend::Tax defines 3 new tags to support each of the above identified

functions:

* [tax-lookup] - returns calculated tax amount determined by specific

3rd-party provider. Tax may be estimated or live lookup, depending on

settings. Data required to calculate tax will be provider dependent.

* [load-tax-averages] - requests and stores tax averages for running in

estimate mode, for providers that support it. Stores estimates by default in

"tax_averages" table. Further, allows for local tracking of jurisdictions

with nexus, which can be used by live lookups to determine if a particular

lookup can be skipped entirely. See load_tax_averages Job and "tax_averages"

table definition in strap demo.

* [send-tax-transaction] - report to provider the resulting tax transaction

for a given order, for providers that support it. By default, operates based

on transactions.tax_sent field. 0/empty indicates transaction not reported.

1 indicates transaction successfully reported. -1 indicates an error

attempting to report transaction, requiring manual intervention. See

send_tax_transactions Job in strap demo.

Conceptually, Vend::Tax is patterned off of Vend::Payment for payment

transactions. It provides the defined interface that Interchange will use,

via the 3 tags shown above, but must delegate to vendor-specific

implementations through tax gateway modules.

Currently, only Tax Jar is supported - see Vend::Tax::TaxJar. But Vend::Tax

was designed to facilitate and encourage the development of any 3rd-party

providers through the creation of new Vend::Tax::Service modules. A review of

Vend::Tax::TaxJar should be instructive for the expected interface with the 3

usertags.

Like the payment modules, in order to make a particular tax service available,

it must be "Required" from interchange.cfg. E.g.:

Require module Vend::Tax::TaxJar

See strap demo for example on integrating 3rd-party tax into your catalog via

the SalesTax configuration directive.

(end)