[interchange-cvs] [SCM] Interchange branch, master, updated. c410ecf2695f588f5a6226af93696a3dfb0added

Jon Jensen interchange-cvs at icdevgroup.org
Thu Sep 17 22:07:13 UTC 2009


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".

The branch, master has been updated
       via  c410ecf2695f588f5a6226af93696a3dfb0added (commit)
       via  76d411db1b956aa1a76ccb4f90d6e15fa517bd8a (commit)
       via  34da8fd266ec82fc35dd95e3b8a267fab68ad522 (commit)
       via  235cdca9d91e21d5ab37577810b5ba704757fedc (commit)
       via  da4df25907acd9235849851fc0676b372f359a8a (commit)
       via  7b9a2b769f9b0359b8d1194c95b289567df4d436 (commit)
       via  8439009b222714c128d48b056f31ff5f878d815d (commit)
      from  335dc076ae43d5f5cffb79046fe3f81209095aca (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c410ecf2695f588f5a6226af93696a3dfb0added
Author: Stefan Hornburg (Racke) <racke at linuxia.de>
Date:   Wed Sep 16 15:59:31 2009 +0200

    bumped up version number and date

commit 76d411db1b956aa1a76ccb4f90d6e15fa517bd8a
Author: Jon Jensen <jon at endpoint.com>
Date:   Wed Sep 16 07:13:47 2009 -0600

    Increment package version and stop using RCS Revision tag

commit 34da8fd266ec82fc35dd95e3b8a267fab68ad522
Author: Jon Jensen <jon at endpoint.com>
Date:   Wed Sep 16 07:13:30 2009 -0600

    Clean up crazy mix of tabs & spaces; whitespace-change only

commit 235cdca9d91e21d5ab37577810b5ba704757fedc
Author: Jon Jensen <jon at endpoint.com>
Date:   Wed Sep 16 07:08:19 2009 -0600

    Fix UTF-8 handling with implicit content type of text/html (RT #317)
    
    Found & fixed by Stefan Hornburg.

commit da4df25907acd9235849851fc0676b372f359a8a
Author: Jon Jensen <jon at endpoint.com>
Date:   Tue Sep 15 14:55:52 2009 -0600

    Bump version to 5.7.2 before release

commit 7b9a2b769f9b0359b8d1194c95b289567df4d436
Author: Jon Jensen <jon at endpoint.com>
Date:   Tue Sep 15 14:55:43 2009 -0600

    Sync manifest

commit 8439009b222714c128d48b056f31ff5f878d815d
Author: Mark Lipscombe <markl at gasupnow.com>
Date:   Wed Jul 8 08:33:28 2009 +0000

    Fix remote disclosure security vulnerability
    
    Add new configuration option AllowRemoteSearch to selectively re-enable
    remote searches on "safe" tables. Defaults to products, variants and
    options.
    
    Please see UPGRADE for important information on upgrading your catalogs
    to prevent any problems.

-----------------------------------------------------------------------

Summary of changes and diff:
 MANIFEST                                           |    1 +
 Makefile.PL                                        |    2 +-
 README                                             |    6 +-
 README.rpm-dist                                    |   12 +-
 UPGRADE                                            |  163 ++++++++++++++++++++
 WHATSNEW-5.7                                       |   10 +-
 .../html2text.filter => SystemTag/search.coretag}  |   15 +--
 configure                                          |    2 -
 debian/changelog                                   |    6 +-
 dist/standard/catalog.cfg                          |   32 ++---
 dist/standard/pages/lost_password.html             |  160 +++++++++++++------
 dist/standard/products/mv_metadata.asc             |    2 +-
 lib/Vend/Config.pm                                 |    1 +
 lib/Vend/Interpolate.pm                            |    2 +-
 lib/Vend/Page.pm                                   |   27 +++-
 lib/Vend/Scan.pm                                   |    5 +-
 lib/Vend/Server.pm                                 |   64 ++++----
 scripts/interchange.PL                             |    6 +-
 18 files changed, 376 insertions(+), 140 deletions(-)
 copy code/{Filter/html2text.filter => SystemTag/search.coretag} (57%)
 mode change 100644 => 100755 debian/changelog

diff --git a/MANIFEST b/MANIFEST
index 0f0fa4c..1ec345d 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -179,6 +179,7 @@ code/SystemTag/row.coretag
 code/SystemTag/salestax.coretag
 code/SystemTag/scratch.coretag
 code/SystemTag/scratchd.coretag
+code/SystemTag/search.coretag
 code/SystemTag/search_region.coretag
 code/SystemTag/selected.coretag
 code/SystemTag/set.coretag
diff --git a/Makefile.PL b/Makefile.PL
index b26c529..0b84ec6 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -28,7 +28,7 @@ my @mods_to_get;
 my @remove_old;
 my $Lock_troubles;
 
-$VERSION = '5.7.1';
+$VERSION = '5.7.2';
 
 my @os_hints;
 eval {
diff --git a/README b/README
index 10f96d2..20f805d 100644
--- a/README
+++ b/README
@@ -2,7 +2,7 @@
 
                            I N T E R C H A N G E
 
-Interchange 5.7.1
+Interchange 5.7.2
 
 Copyright (C) 2002-2009 Interchange Development Group
 Copyright (C) 1996-2002 Red Hat, Inc.
@@ -105,8 +105,8 @@ as an unprivileged user who will be the only one modifying Interchange files.
 
 Here is the quick installation summary:
 
-    tar xvzf interchange-5.7.1.tar.gz
-    cd interchange-5.7.1
+    tar xvzf interchange-5.7.2.tar.gz
+    cd interchange-5.7.2
     perl Makefile.PL
     make
     make test
diff --git a/README.rpm-dist b/README.rpm-dist
index 28c35a9..ade34a4 100644
--- a/README.rpm-dist
+++ b/README.rpm-dist
@@ -31,7 +31,7 @@ the Interchange user ID to write/create files.
 
 Sessions and temporary files: /var/cache/interchange.
 
-Documentation: /usr/share/doc/interchange-5.7.1.
+Documentation: /usr/share/doc/interchange-5.7.2.
 
 On a dedicated production server, it is wise to segregate as many of these
 directories as possible onto their own partitions, to prevent problems if
@@ -45,7 +45,7 @@ usually come supplied with your operating system, so you will need to
 install them yourself. It's best to locate RPMs for each of the needed
 Perl modules and install them. To get a complete list of dependencies, do:
 
-rpm -qp --requires interchange-5.7.1-1.*.rpm
+rpm -qp --requires interchange-5.7.2-1.*.rpm
 
 Unfortunately, there's not currently a reliable, steady source of the latest
 CPAN modules in RPM format for most operating systems. Thus the easiest way
@@ -66,14 +66,14 @@ perl -MCPAN -e'install Bundle::InterchangeKitchenSink'
 
 INSTALL
 
-rpm -Uvh interchange-5.7.1-1.*.rpm
-rpm -Uvh interchange-standard-5.7.1-1.*.rpm
+rpm -Uvh interchange-5.7.2-1.*.rpm
+rpm -Uvh interchange-standard-5.7.2-1.*.rpm
 
 If you have installed CPAN modules from source, rather than RPM, you'll need
 to install the main interchange package without dependency checking because
 RPM doesn't know about those modules you installed:
 
-rpm -Uvh --nodeps interchange-5.7.1-1.*.rpm
+rpm -Uvh --nodeps interchange-5.7.2-1.*.rpm
 
 
 STARTING/RESTARTING INTERCHANGE
@@ -133,7 +133,7 @@ installation:
 
 INSTALL
 
-rpm -Uvh interchange-standard-demo-5.7.1-1.*.rpm
+rpm -Uvh interchange-standard-demo-5.7.2-1.*.rpm
 
 
 USING THE DEMO
diff --git a/UPGRADE b/UPGRADE
index 20f1806..44d0a36 100644
--- a/UPGRADE
+++ b/UPGRADE
@@ -30,6 +30,12 @@ following versions:
           facing side should be fairly straightforward to port. See
           "UPGRADING FROM 4.6.x" below.
 
+ ALL VERSIONS -- A security vulnerability has been found that allows
+          remote searching of any table in your database configured in
+          Interchange.  To fix this vulnerability, you may need to 
+          make some adjustments to your catalog.  See "REMOTE SEARCHING"
+          below.
+
 INSTALLING INTERCHANGE IN THE SAME LOCATION
 --------------------------------------------
 
@@ -494,3 +500,160 @@ Interchange:
     UserTags, UI_Tag etc.)  The message is only a warning as your local UserTag
     will override the global one.  If you didn't mean to override the global
     tag of the same name then simply rename your tag and restart Interchange.
+
+
+REMOTE SEARCHING
+----------------
+
+A security vulnerability was recently discovered where any table configured
+in your Interchange installation could be viewed remotely by an unauthenticated
+user via a specially crafted search request.
+
+This is a serious vulnerability, and all previous versions of Interchange are
+affected. Even if you do not use the default search structure, your catalog
+is likely to still be vulnerable.
+
+To resolve this, a new configuration option, AllowRemoteSearch has been
+introduced. It should be specified in each catalog configuration, and defaults
+to:
+
+     AllowRemoteSearch products variants options
+
+Any table specified in this option will be remotely searchable, and you should
+not permit any table with sensitive information to be searched in this way. You
+should carefully consider the implications of adding any further tables to this
+configuration option.
+
+Remote searches may be used by your existing catalog. These should continue
+working without any changes as long as they only search tables that are permitted
+by the AllowRemoteSearch configuration. You should carefully examine your
+catalog for uses of the "search" form action, or pages which submit a form to
+a page called "search" or "scan". If they specify a search file other than
+products, variants or options, you should consider rewriting that page to just
+accept the search terms via CGI parameters, and not the entire search. Please
+consult the documentation on in page searches at:
+
+     http://www.icdevgroup.org/doc/icdatabase.html#In-Page%20Searches
+
+If your catalog makes use of ActionMaps that perform searches, these should
+continue to work as intended as long as they search a table allowed by 
+AllowRemoteSearch. However, you should consider updating them to use the 
+new "search" tag.  For example, an existing ActionMap that performs a search
+like this:
+
+   ActionMap old_cat <<EOR
+   sub {
+        my ($action, $class) = split('/', shift);
+
+        $class =~ s/_/ /g;
+
+        # Originally, search parameters were placed in the CGI hash.
+        $CGI->{co} = 1;
+        $CGI->{fi} = 'products';
+        $CGI->{st} = 'db';
+        $CGI->{sf} = 'category';
+        $CGI->{se} = "$class";
+        $CGI->{sp} = 'results';
+        $CGI->{tf} = 'category,description:f';
+        $CGI->{op} = 'eq';
+
+        $CGI->{mv_todo} = 'search';
+        $CGI->{mv_nextpage} = 'results';
+        # And the "update" tag was called to re-evaluate the page with
+        # the provided search parameters.
+        $Tag->update('process');
+        return 1;
+   }
+   EOR
+
+Would be updated to instead look like this:
+
+   ActionMap new_cat <<EOR
+   sub {
+        my ($action, $class) = split('/', shift);
+
+        $class =~ s/_/ /g;
+
+        # Now, you must create a hash to hold the search
+        # parameters.
+        my $search;
+        $search->{co} = 1;
+        $search->{fi} = 'products';
+        $search->{st} = 'db';
+        $search->{sf} = 'category';
+        $search->{se} = "$class";
+        $search->{sp} = 'results';
+        $search->{tf} = 'category,description:f';
+        $search->{op} = "eq";
+
+        $CGI->{mv_nextpage} = 'results';
+        # And call the new search tag, which isn't subject to the
+        # AllowRemoteSearch restrictions.
+        $Tag->search({ search => $search });
+
+        return 1;
+   }
+   EOR
+
+If you are using a modern version of the standard catalog as the basis
+for your catalog, there is a special subroutine that provides friendly
+URLs for product categories, but is not a traditional ActionMap.  Similar
+to the example above, you will need to alter your catalog.cfg, replacing
+the entire Sub ncheck_category with:
+
+Sub ncheck_category <<EOS
+sub {
+    my ($name) = @_;
+    return unless $name =~ m{^[A-Z]};
+    $name =~ s,_, ,g;
+    my ($prod_group, $category) = split m{/}, $name;
+
+    my $search;
+    $search->{co} = 1;
+    $search->{fi} = 'products';
+    $search->{st} = 'db';
+    $search->{sf} = join "\0", 'prod_group', 'category';
+    $search->{op} = join "\0", 'eq', 'eq';
+    $search->{se} = join "\0", $prod_group, $category;
+    $search->{sp} = 'results';
+    $search->{mv_todo} = 'search';
+    $Tag->search({ search => $search });
+    if (($o = $Search->{''}) && @{$o->{mv_results}}) {
+        return (1,  $Config->{Special}->{results});
+    }
+
+    return;
+}
+EOS
+
+In the standard and foundation catalogs, the "lost password" feature makes use
+of the remote search feature to be able to retrieve lost passwords. We recommend
+that you remove catalog/pages/query/get_password.html from your catalog, and
+replace catalog/pages/lost_password.html with an updated version from this
+distribution. As an alternative, you may apply the following patch to your
+existing catalog/pages/query/get_password.html:
+
+diff --git a/dist/standard/pages/query/get_password.html
+b/dist/standard/pages/query/get_password.html
+index 2d70c84..5aa51f1 100644
+--- a/dist/standard/pages/query/get_password.html
++++ b/dist/standard/pages/query/get_password.html
+@@ -32,8 +32,10 @@ ui_template_name: leftonly
+        if( $Scratch->{tried_pw_retrieve}++ > 10 ) {
+                return "No way, Jos&eacute;. Too many times.";
+        }
+     $CGI->{mv_todo} = 'search';
+        $Config->{NoSearch} = '';
++       push(@{$Config->{AllowRemoteSearch}},'userdb');
++       return;
+ [/perl]
+ [update process]
+ [search-region]
+
+This is not a recommended solution, and is only a workaround until you can
+consider the changes in the updated lost password page.
+
+If you do not wish to upgrade your Interchange installation to fix this
+vulnerability, patches for all currently supported Interchange versions are
+also available from http://www.icdevgroup.org/. You will still need to
+follow the upgrade advice contained here.
diff --git a/WHATSNEW-5.7 b/WHATSNEW-5.7
index 0d8cdc8..37286fd 100644
--- a/WHATSNEW-5.7
+++ b/WHATSNEW-5.7
@@ -8,11 +8,19 @@
 See UPGRADE document for a list of incompatible changes.
 
 
-Interchange 5.7.2 not yet released.
+Interchange 5.7.2 released 2009-09-17.
+
 
 Core
 ----
 
+* Close remote disclosure security vulnerability, and added new configuration
+  option AllowRemoteSearch to selectively re-enable remote searches on "safe"
+  tables. Defaults to products, variants and options.
+
+  Please see UPGRADE for important information on upgrading your
+  catalogs to prevent any problems.
+
 * Fix validate_charset to return mime charset names only.
 
 * Enable catalog usertags within dispatch routines.
diff --git a/code/Filter/html2text.filter b/code/SystemTag/search.coretag
similarity index 57%
copy from code/Filter/html2text.filter
copy to code/SystemTag/search.coretag
index 954500b..0b0413b 100644
--- a/code/Filter/html2text.filter
+++ b/code/SystemTag/search.coretag
@@ -1,18 +1,11 @@
 # Copyright 2002-2009 Interchange Development Group and others
-# Copyright 1996-2002 Red Hat, Inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.  See the LICENSE file for details.
 
-CodeDef html2text Filter
-CodeDef html2text Description Simple html2text
-CodeDef html2text Routine <<EOR
-sub {
-	my $val = shift;
-	$val =~ s%\s*<(?:br\s*/?|/?p[^>]*)>\s*%\n%gi;
-	$val =~ s%<[/!a-zA-Z].*?>%%gs;
-	return $val;
-}
-EOR
+UserTag search              Order        search
+UserTag search              addAttr
+UserTag search              Version      $Revision: 1.5 $
+UserTag search              MapRoutine   Vend::Page::do_search
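Review bot: The `Version` line carries an RCS `$Revision: 1.5 $` keyword that git will never expand, which is the very pattern commit 76d411d in this same push replaces with a literal string in Server.pm; use a literal version here too. Since this tag hands a caller-built hash straight to `Vend::Page::do_search`, it takes the `is_hash($c)` branch there and is therefore not subject to the `_check_search_file` / AllowRemoteSearch guard that CGI-driven searches get (the UPGRADE text says as much), and a reader of this file cannot tell that from four UserTag lines. Add a header comment such as `# In-page search tag: passes a search hash built by the page to Vend::Page::do_search, so it is NOT restricted by AllowRemoteSearch; pages must not build the hash from unchecked CGI values.`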
diff --git a/configure b/configure
index 8b10661..acdccfd 100755
--- a/configure
+++ b/configure
@@ -1,7 +1,5 @@
 #!/bin/sh
 
-# $Id: configure,v 2.23 2008-05-17 14:39:48 jon Exp $
-
 cat <<EOF
 
  Interchange
diff --git a/debian/changelog b/debian/changelog
old mode 100644
new mode 100755
index d397cd8..576fa98
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,11 @@
-interchange (5.7.1-2) unstable; urgency=low
+interchange (5.7.2-1) unstable; urgency=low
 
-  * new upstream release (in preparation)
+  * new upstream release
     - keeps ui_new_item present in the table editor (Closes: #340077)
   * pragma dml=strict appended to catalog_before.cfg avoids data loss
     in table editor (Closes: #340576)
   
- -- Stefan Hornburg (Racke) <racke at linuxia.de>  Fri, 04 Sep 2009 16:34:53 +0200
+ -- Stefan Hornburg (Racke) <racke at linuxia.de>  Wed, 16 Sep 2009 15:57:35 +0200
 
 interchange (5.7.1-1) unstable; urgency=low
 
diff --git a/dist/standard/catalog.cfg b/dist/standard/catalog.cfg
index 4d5c907..63ed904 100644
--- a/dist/standard/catalog.cfg
+++ b/dist/standard/catalog.cfg
@@ -486,17 +486,6 @@ sub {
 }
 EOR
 
-# Allow customers to have their passwords emailed to them.
-ActionMap  get_password   <<EOR
-sub {
-	$Config->{NoSearch} = '';
-	$CGI->{mv_nextpage} = $CGI->{mv_search_page} = 'action/get_password';
-	$CGI->{mv_todo} = 'search';
-	$Tag->update('process');
-	return 1;
-}
-EOR
-
 # Pricing setup
 #
 # If the user is logged in and is marked as a "dealer" (1 in the dealer
@@ -691,16 +680,17 @@ sub {
     $name =~ s,_, ,g;
     my ($prod_group, $category) = split m{/}, $name; 
 
-    $CGI->{co} = 1;
-    $CGI->{fi} = 'products';
-    $CGI->{st} = 'db';
-    $CGI->{sf} = join "\0", 'prod_group', 'category';
-    $CGI->{op} = join "\0", 'eq', 'eq';
-    $CGI->{se} = join "\0", $prod_group, $category;
-    $CGI->{sp} = 'results';
-    $CGI->{mv_todo} = 'search';
-    $Tag->update('process');
-    if ($Search->{''} && @{$Search->{''}->{mv_results}}) {
+    my $search;
+    $search->{co} = 1;
+    $search->{fi} = 'products';
+    $search->{st} = 'db';
+    $search->{sf} = join "\0", 'prod_group', 'category';
+    $search->{op} = join "\0", 'eq', 'eq';
+    $search->{se} = join "\0", $prod_group, $category;
+    $search->{sp} = 'results';
+    $search->{mv_todo} = 'search';
+    $Tag->search({ search => $search });
+    if (($o = $Search->{''}) && @{$o->{mv_results}}) {
         return (1,  $Config->{Special}->{results});
     }
 
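Review bot: `$o` in `if (($o = $Search->{''}) && @{$o->{mv_results}})` is assigned without `my`, so if the Sub is compiled under strict it fails to compile, and otherwise it becomes a package global that persists across requests handled by the same process. Declare it lexically: `my $o = $Search->{''};` followed by `if ($o && @{$o->{mv_results}}) {`. The same construct is reproduced in the UPGRADE hunk's ncheck_category example, so the documentation should be corrected alongside it. The enclosing `sub {` starts outside this hunk.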
diff --git a/dist/standard/pages/lost_password.html b/dist/standard/pages/lost_password.html
index c3335ca..6809d13 100644
--- a/dist/standard/pages/lost_password.html
+++ b/dist/standard/pages/lost_password.html
@@ -3,7 +3,7 @@ ui_template: Yes
 ui_template_name: leftonly
 [/comment]
 
-[tmp page_title]__COMPANY__ -- [L]Lost your password?[/L][/tmp]
+[tmp page_title]__COMPANY__ -- [L LOST_PASSWORD_TITLE]Lost your username or password?[/L][/tmp]
 
 [control reset=1]
 
@@ -22,86 +22,142 @@ ui_template_name: leftonly
 <!-- BEGIN CONTENT -->
 
 <br>
-
+<table width="80%">
+<tr><td __HEADERBG__>
+    <font size="+1" color="__HEADERTEXT__">[L LOST_PASSWORD_TITLE]Lost your username or password?[/L]</font>
+    </td>
+</tr></table>
+<br/>
+
+[if cgi lost_email]
+[or cgi lost_username]
+[perl]
+	if( $Scratch->{tried_pw_retrieve}++ > 10 ) {
+		$Tmp->{not_ok} = 1;
+		return '<font color="red">' . errmsg("Too many failed attempts.") . '</font>';
+	}
+	$Config->{NoSearch} = '';
+	return;
+[/perl]
+
+[loop search="
+	co=yes
+	st=db
+	fi=userdb
+	rf=username,password,email
+	sf=email
+	se=[cgi lost_email]
+	op=em
+	sf=username
+	se=[cgi lost_username]
+	op=em
+	os=yes" 
+]
+[tmp get_id_matches][loop-param username][/tmp]
+[/loop]
+
+[if value mv_search_match_count > 1]
+[msg arg.0='<a href="[area contact]">' arg.1='</a>']Please %scontact us%s to assist you with the retrieval of your account details.[/msg]
+[tmp get_id_matches][/tmp]
+[/if]
+[if value mv_search_match_count == 0]
 <table width="95%" align="center">
 <tr>
   <td>
+   <table width="80%">
+    <tr>
+     <td>
+<font color="red">[msg arg.0='<a href="[area contact]">' arg.1='</a>']Sorry, we did not find a match for the provided details. Please try again, or %scontact us%s for assistance.[/msg]</font>
+     </td>
+    </tr>
+   </table>
+  </td>
+ </tr>
+</table>
+[tmp not_ok]1[/tmp]
+<br/>
+[/if]
+
+[if scratch get_id_matches]
+[tmp name=id_ok][/tmp]
+[tmp name=id_ok interpolate=1][loop arg="[scratch get_id_matches]"][email
+                 to="[loop-data userdb email]"
+		 subject="[L]Your login information[/L]"
+		 from="__COMPANY__ [L]password minder[/L] <__EMAIL_SERVICE__>"
+		 reply="__EMAIL_SERVICE__"] 
+
+[L GET_PASSWORD_MSG1]Hello! You requested that your ID and password be sent to your email address of record. The information is[/L]:
+  
+[L]Username[/L]:  [loop-code]
+[L]Password[/L]:  [data table=userdb col=password key="[loop-code]" safe-data=1]
+
+[L]You can log in at[/L]:
+[area login]
+
+[L GET_PASSWORD_MSG2]Please contact us if we can be of service, and thank you for doing business with us.[/L]
+[/email][/loop][/tmp]
+
+[if !scratch id_ok]
+[msg arg.0='<a href="[area contact]">' arg.1='</a>']Please %scontact us%s to assist you with the retrieval or your account details.[/msg]
+[else]
+[L]An e-mail with your credentials has been sent.[/L]
+<br/><br/>
+[L LOST_PASSWORD_SHORTNOTE]If you do not receive an email within the next 24 hours after submission, please <a href="[area contact]">contact us</a> for further assistance.[/L]
+<br/><br/>
+[L LOST_PASSWORD_NOTE_AOL]<b>Note:</b> If you are using email filter options that help reduce spam, please make sure you allow e-mail to be sent to you from __EMAIL_SERVICE__[/L]
+[/else] 
+[/if] 
+[/if]
+[/if]
+
+[if scratch not_ok]
+[or cgi lost_email eq '']
+[and cgi lost_username eq '']
 
-	[if session failure]
-
-      <br><br>
-      <B>[calc] delete $Session->{failure}[/calc]</b>
-      <br>
-    [/if]
-
-
-<form method="post" action="[area query/get_password]">
+<table width="95%" align="center">
+<tr>
+  <td>
+<form method="post" action="@@MV_PAGE@@">
 [form-session-id]
-<input type="hidden" name="mv_coordinate" value="yes">
-<input type="hidden" name="mv_searchtype" value="db">
-<input type="hidden" name="mv_search_file" value="userdb">
-
-<input type="hidden" name="mv_search_field" value="fname">
-<input type="hidden" name="mv_search_field" value="lname">
-<input type="hidden" name="mv_search_field" value="email">
-<input type="hidden" name="mv_search_field" value="zip">
-<input type="hidden" name="mv_substring_match" value="no">
-<input type="hidden" name="mv_substring_match" value="no">
-<input type="hidden" name="mv_substring_match" value="no">
-<input type="hidden" name="mv_substring_match" value="yes">
-<input type="hidden" name="mv_column_op" value="rm">
-<input type="hidden" name="mv_column_op" value="rm">
-<input type="hidden" name="mv_column_op" value="rm">
-<input type="hidden" name="mv_column_op" value="rm">
 
-<table width="80%">
-<tr><td __HEADERBG__>
-    <font size="+1" color="__HEADERTEXT__">[L]Lost your customer ID?[/L]</font>
-    </td>
-</tr></table>
-
-<blockquote>
- [L]Just complete enough to ensure one match.[/L]
-</blockquote>
+[L LOST_PASSWORD_INTRO]Please enter your username or email address to get your credentials emailed to you:[/L]
+<br/><br/>
 
 <table width="80%">
 <tr>
 	<td align="right">
-	[L]First Name[/L]
+	[L]Username[/L]
 	</td>
- 	<td><input name="mv_searchspec" type="text" size="24"></td>
+ 	<td><input name="lost_username" type="text" size="24"></td>
 </tr>
 <tr>
-	<td align="right">
-	[L]Last Name[/L]
-	</td>
-	<td><input name="mv_searchspec" type="text" size="24"></td>
+        <td></td>
+	<td align="left"><b>[L]or[/L]</b></td>
 </tr>
 <tr>
 	<td align="right">
 	[L]Email[/L]
 	</td>
-	<td><input name="mv_searchspec" type="text" size="24"></td>
-</tr>
-<tr>
-	<td align="right">
-	[L]Zip Code[/L]
-	</td>
-	<td><input name="mv_searchspec" type="text" size="24"></td>
-
+	<td><input name="lost_email" type="text" size="24"></td>
 </tr>
 <tr>
 	<td align="right">&nbsp;</td>
 	
-	<td><input type="submit" value="[L]Submit[/L]"><input type="reset"></td>
+	<td><br/><input type="submit" value="[L]Submit[/L]"><input type="reset"></td>
 </tr>
 </table>
 </form>
+[L LOST_PASSWORD_NOTE]If you do not remember neither your username nor your email address you used upon registration, or if you do not receive an email within the next 24 hours after submission, please <a href="[area contact]">contact us</a> for further assistance.[/L]
+<br/><br/>
+[L LOST_PASSWORD_NOTE_AOL]<b>Note:</b> If you are using email filter options that help reduce spam, please make sure you allow e-mail to be sent to you from __EMAIL_SERVICE__[/L]
 
   </td>
 </tr>
 </table>
+[/if]
+<br/><br/>
+<br/><br/>
 
 <!-- END CONTENT -->
-
 @_LEFTONLY_BOTTOM_@
+
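Review bot: The CGI values `lost_email` and `lost_username` are interpolated verbatim into the two `se=` lines of the line-oriented `[loop search="..."]` spec, and this commit deliberately exempts in-page searches from the AllowRemoteSearch check, so as far as I can tell a submitted value containing a line break could contribute additional `key=value` lines to that spec. Normalize both values to a single line in the `[perl]` block that runs before the loop, e.g. `for (qw(lost_email lost_username)) { $CGI->{$_} =~ s/[\r\n].*//s if defined $CGI->{$_} }`, assuming the page's tags are processed in order. Separately, the `rf=username,password,email` line pulls the password column into the loop even though the mail body re-reads it through `[data table=userdb col=password ...]`, so `rf=username,email` would suffice and keep the password out of the loop results. Note also that `tried_pw_retrieve` lives in Scratch, so the attempt limit is per session rather than per account (pre-existing behaviour, just worth knowing when reviewing this page).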
diff --git a/dist/standard/products/mv_metadata.asc b/dist/standard/products/mv_metadata.asc
index 60dab60..1cad60f 100644
--- a/dist/standard/products/mv_metadata.asc
+++ b/dist/standard/products/mv_metadata.asc
@@ -281,7 +281,7 @@ transactions::auth_code	text	16								Authorization
 transactions::deleted	yesno									Deleted
 transactions::order_id	text	32								Order ID
 transactions::status	select							pending=Pending, shipped=Shipped, partial=Partially shipped, backorder=Back ordered, waiting=Waiting for payment, credit=Waiting for credit check, canceled=Canceled					nullselect
-ui-version										5.7.1
+ui-version										5.7.2
 ui_component::mv_metadata	table								ui_component			mv_metadata								{'ui_data_fields' => "=Main

code
label
default
type
width
height
options
filter

=Database lookup

lookup
field
db

=Help and misc

help
help_url
prepend
append
pre_filter",'table_width' => "80%",'left_width' => "30%",}
 ui_component::mv_metadata::append	textarea	60	5							Append HTML	<SMALL>HTML to be appended to the widget.
Will substitute in the macros _UI_TABLE_, _UI_COLUMN_,
_UI_KEY, and _UI_VALUE_, and will resolve relative links
with absolute links.</SMALL>
 ui_component::mv_metadata::attribute	text	20								Column name	Do not set this.
diff --git a/lib/Vend/Config.pm b/lib/Vend/Config.pm
index e385f06..1468211 100644
--- a/lib/Vend/Config.pm
+++ b/lib/Vend/Config.pm
@@ -613,6 +613,7 @@ sub catalog_directives {
 	['DirConfig',         'dirconfig',        ''],
 	['FileDatabase',	 undef,				 ''],
 	['NoSearch',         'wildcard',         'userdb'],
+	['AllowRemoteSearch',    'array_complete',     'products variants options'],
 	['OrderCounter',	 undef,     	     ''],
 	['MimeType',         'hash',             ''],
 	['AliasTable',	 	 undef,     	     ''],
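Review bot: The new `['AllowRemoteSearch', 'array_complete', 'products variants options']` row is padded with runs of spaces while the neighbouring rows use tab columns, so it breaks the table alignment; re-pad it like the `['NoSearch', ...]` row above. Because this default list is now a security boundary, a one-line comment above the row would help the next maintainer, e.g. `# Tables a CGI-driven (remote) search may target; in-page [search] calls bypass this list.` catalog_directives continues outside this hunk.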
diff --git a/lib/Vend/Interpolate.pm b/lib/Vend/Interpolate.pm
index ae07ba6..d099bf9 100644
--- a/lib/Vend/Interpolate.pm
+++ b/lib/Vend/Interpolate.pm
@@ -4659,7 +4659,7 @@ sub region {
 		if($CGI::values{mv_more_matches} || $CGI::values{MM}) {
 
 			### It is a more function, we need to get the parameters
-			find_search_params();
+			find_search_params(\%CGI::values);
 			delete $CGI::values{mv_more_matches};
 		}
 		elsif ($opt->{search}) {
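Review bot: `find_search_params(\%CGI::values)` is made explicit here because the Scan.pm hunk removes the implicit `\%CGI::values` default, so any other zero-argument caller elsewhere in the tree now receives an undefined `$c`; that cannot be verified from this hunk and deserves a grep before merging. This `mv_more_matches` path also feeds CGI values into `find_search_params` without the `_check_search_file` guard added in Page.pm; if a more-matches request can only re-display a search already saved in the session that is fine, but if it can construct a new search from the CGI hash it should be checked the same way. region's body continues outside this hunk.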
diff --git a/lib/Vend/Page.pm b/lib/Vend/Page.pm
index db4ae6f..3986f53 100644
--- a/lib/Vend/Page.pm
+++ b/lib/Vend/Page.pm
@@ -164,11 +164,34 @@ sub do_page {
 	display_page();
 }
 
+sub _check_search_file {
+	my ($c) = @_;
+	my $f;
+
+	if ($c->{mv_search_file}) {
+		my(@files) = grep /\S/, split /\s*[,\0]\s*/, $c->{mv_search_file}, -1;
+		for $f (@files) {
+			unless (grep { $f eq $_ } @{$Vend::Cfg->{AllowRemoteSearch}}) {
+				::logGlobal("Security violation, trying to remote search '%s', doesn't match '%s'",
+					$_, $Vend::Cfg->{AllowRemoteSearch});
+				die "Security violation";
+			}
+		}
+	}
+}
+
 ## DO SEARCH
 sub do_search {
-	my($c) = \%CGI::values;
+	my($c) = @_;
 	::update_user();
 
+	# If search parameters not passed in via function, then safely pull them from
+	# the CGI values.
+	if (!is_hash($c)) {
+		$c = find_search_params(\%CGI::values);
+		_check_search_file($c);
+	}
+
 	if ($c->{mv_more_matches}) {
 		$Vend::Session->{last_search} = "scan/MM=$c->{mv_more_matches}";
 		$c->{mv_more_matches} =~ m/([a-zA-Z0-9])+/;
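Review bot: The `::logGlobal` call in `_check_search_file` passes `$_` rather than the loop variable `$f`, so the rejected table name is never logged (grep localizes `$_` and restores it afterwards), and the second `%s` receives the `AllowRemoteSearch` array reference, which prints as `ARRAY(0x...)`. Change the arguments to `$f, join(' ', @{$Vend::Cfg->{AllowRemoteSearch}})` and prefer `for my $f (@files)` over the `my $f;` declared at sub scope. The guard is also skipped entirely when `mv_search_file` is empty, so it should be confirmed that whatever default table the search then falls back to is itself in the allow list. do_search's body continues outside this hunk.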
@@ -202,6 +225,8 @@ sub do_scan {
 	$Vend::ScanPassed = "scan/$path";
 	find_search_params($c,$path);
 
+	_check_search_file($c);
+
 	if ($c->{mv_more_matches}) {
 		$Vend::Session->{last_search} = "scan/MM=$c->{mv_more_matches}";
 		$Vend::More_in_progress = 1;
diff --git a/lib/Vend/Scan.pm b/lib/Vend/Scan.pm
index 45ffd8f..7cfc372 100644
--- a/lib/Vend/Scan.pm
+++ b/lib/Vend/Scan.pm
@@ -278,10 +278,7 @@ sub create_last_search {
 sub find_search_params {
 	my($c,$param) = @_;
 	my(@args);
-	if(! $param) {
-		$c = \%CGI::values;
-	}
-	else {
+	if($param) {
 		$param =~ s/-_NULL_-/\0/g;
 		@args = split m:/:, $param;
 	}
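Review bot: With the `\%CGI::values` fallback removed, `find_search_params` now dereferences whatever `$c` the caller passed, including `undef`, and nothing in the signature documents the new contract. Add a comment above the unpacking line, e.g. `# $c must be a hash ref; callers wanting CGI parameters pass \%CGI::values explicitly (no implicit default, see Vend::Page::do_search).` find_search_params continues outside this hunk, so I cannot tell whether an undefined `$c` is caught later.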
diff --git a/lib/Vend/Server.pm b/lib/Vend/Server.pm
index 2ffa592..2de3daf 100644
--- a/lib/Vend/Server.pm
+++ b/lib/Vend/Server.pm
@@ -24,7 +24,7 @@
 package Vend::Server;
 
 use vars qw($VERSION);
-$VERSION = substr(q$Revision: 2.104 $, 10);
+$VERSION = '2.105';
 
 use Cwd;
 use POSIX qw(setsid strftime);
@@ -552,7 +552,7 @@ sub canon_status {
 
 sub respond {
 	# $body is now a reference
-    my ($s, $body) = @_;
+	my ($s, $body) = @_;
 #show_times("begin response send") if $Global::ShowTimes;
 
 	# Safe kludge: duplicate Vend::CharSet::default_charset method here
@@ -578,35 +578,40 @@ sub respond {
 
 	$Vend::StatusLine =~ s/\s*$/\r\n/ if $Vend::StatusLine;
 
-    # NOTE: if we're supporting arbitrary encodings here in the
-    # response_charset, we should really be setting the binmode to
-    # :encoding($response_charset);  if we're considering the case of
-    # UTF-8 vs undeclared, we should set the response charset to UTF-8
-    # iff MV_UTF8 is set, otherwise omit the charset declaration
-    # entirely.
+	# NOTE: if we're supporting arbitrary encodings here in the
+	# response_charset, we should really be setting the binmode to
+	# :encoding($response_charset);  if we're considering the case of
+	# UTF-8 vs undeclared, we should set the response charset to UTF-8
+	# iff MV_UTF8 is set, otherwise omit the charset declaration
+	# entirely.
 
-    # also we're only setting the binmode when the output data is
-    # already declared to be text of some sort.
-
-    binmode(MESSAGE, ':utf8') if ($response_charset =~ /^utf-?8$/i and $Vend::StatusLine =~ /^Content-Type: text\//);
+	if (
+		$response_charset =~ /^utf-?8$/i
+		and (
+			! $Vend::StatusLine
+			or $Vend::StatusLine =~ m{^Content-Type: text/}i
+		)
+	) {
+		binmode(MESSAGE, ':utf8');
+	}
 
 	if(! $s and $Vend::StatusLine) {
-	    if ($Vend::StatusLine !~ /^Content-Type:/im) {
+		if ($Vend::StatusLine !~ /^Content-Type:/im) {
 		$Vend::StatusLine .= "\r\nContent-Type: text/html";
 		if ($response_charset) {
-		     $Vend::StatusLine .= "; charset=$response_charset\r\n";
+			$Vend::StatusLine .= "; charset=$response_charset\r\n";
 		}
 
 		else {
-		     $Vend::StatusLine .= "\r\n";
+			$Vend::StatusLine .= "\r\n";
 		}
-	    }
+	}
 
 # TRACK
-        $Vend::StatusLine .= "X-Track: " . $Vend::Track->header() . "\r\n"
+		$Vend::StatusLine .= "X-Track: " . $Vend::Track->header() . "\r\n"
 			if $Vend::Track and $Vend::Cfg->{UserTrack};
-# END TRACK        
-        $Vend::StatusLine .= "Pragma: no-cache\r\n"
+# END TRACK
+		$Vend::StatusLine .= "Pragma: no-cache\r\n"
 			if delete $::Scratch->{mv_no_cache};
 		print MESSAGE canon_status($Vend::StatusLine);
 		print MESSAGE "\r\n";
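Review bot: The new binmode condition covers an empty `$Vend::StatusLine`, but not a non-empty status line that lacks a Content-Type header, which is exactly the case the block below handles by appending `Content-Type: text/html` — that response is declared text/html with a UTF-8 charset yet MESSAGE is never put into `:utf8` mode. Replacing `! $Vend::StatusLine` with `$Vend::StatusLine !~ /^Content-Type:/im` covers both the empty and the header-less cases and mirrors the test used for the fallback. The `m{^Content-Type: text/}i` test should also take `/m` like the `/^Content-Type:/im` check below it, since the status line can hold several CRLF-separated headers and `^` without `/m` only matches at the start of the string. respond continues outside this hunk.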
@@ -617,7 +622,7 @@ sub respond {
 		return;
 	}
 
-    my $fh = $s->{fh};
+	my $fh = $s->{fh};
 
 # SUNOSDIGITAL
 #	 Fix for SunOS, Ultrix, Digital UNIX
@@ -653,10 +658,10 @@ sub respond {
 		my $save = select $fh;
 		$| = 1;
 		select $save;
-        $Vend::StatusLine .= "\r\nX-Track: " . $Vend::Track->header() . "\r\n"
+		$Vend::StatusLine .= "\r\nX-Track: " . $Vend::Track->header() . "\r\n"
 			if $Vend::Track and $Vend::Cfg->{UserTrack};
 # END TRACK                            
-        $Vend::StatusLine .= "Pragma: no-cache\r\n"
+		$Vend::StatusLine .= "Pragma: no-cache\r\n"
 			if delete $::Scratch->{mv_no_cache};
 		$status = '200 OK' if ! $status;
 		if(defined $Vend::StatusLine) {
@@ -678,7 +683,6 @@ sub respond {
 			and $Vend::Cfg->{Cookies}
 		)
 	{
-
 		my @domains;
 		@domains = ('');
 		my @paths;
@@ -709,26 +713,26 @@ sub respond {
 			}
 		}
 		$::Instance->{CookiesSet} = delete $::Instance->{Cookies};
-    }
+	}
 
-    if (defined $Vend::StatusLine) {
+	if (defined $Vend::StatusLine) {
 		print $fh canon_status($Vend::StatusLine);
 	}
 	elsif(! $Vend::ResponseMade) {        
 		print $fh canon_status("Content-Type: text/html; charset=$response_charset");
-# TRACK        
-        print $fh canon_status("X-Track: " . $Vend::Track->header())
+# TRACK
+		print $fh canon_status("X-Track: " . $Vend::Track->header())
 			if $Vend::Track and $Vend::Cfg->{UserTrack};
 # END TRACK
 	}
 	print $fh canon_status("Pragma: no-cache")
 		if delete $::Scratch->{mv_no_cache};
 
-    print $fh "\r\n";
-    print $fh $$body;
+	print $fh "\r\n";
+	print $fh $$body;
 	print $rfh $$body if $rfh;
 #show_times("end response send") if $Global::ShowTimes;
-    $Vend::ResponseMade = 1;
+	$Vend::ResponseMade = 1;
 }
 
 sub _read {
diff --git a/scripts/interchange.PL b/scripts/interchange.PL
index 9edbccf..6555389 100644
--- a/scripts/interchange.PL
+++ b/scripts/interchange.PL
@@ -1,7 +1,7 @@
 #!/usr/bin/perl -w
 ##!~_~perlpath~_~
 #
-# Interchange version 5.7.1
+# Interchange version 5.7.2
 #
 # Copyright (C) 2002-2009 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
@@ -154,7 +154,7 @@ use vars qw($VERSION);
 require Exporter;
 
 BEGIN {
-	$VERSION = '5.7.1';
+	$VERSION = '5.7.2';
 }
 
 use Fcntl;
@@ -360,7 +360,7 @@ interchange [--options] [file]
 
 =head1 VERSION
 
-5.7.1
+5.7.2
 
 =head1 DESCRIPTION
 


hooks/post-receive
-- 
Interchange


