Guest Posted December 31, 2005
Hi, Sir William, I've updated my install to 3.07 (even though admin is still flashing that there is an update available for my 3.06, don't know why that is). As my store isn't live yet I've no idea about the 403 and PayPal orders errors others are reporting. What I'd like to know is, should I go back to 3.06 and manually change the security holes or leave 3.07 and patch it up? (I changed the 'ugger is not a word' thing already.) General consensus seems mixed across forum veterans. cheers TC
My (obviously unofficial) suggestion would be not to bother going back to 3.0.6 unless you experience the 403 error issues that others had. The two fixes are completely separate and do not affect each other in any way. However, if you do have 403 error problems then you probably do need to undo the 3.0.7 fix.
Guest theorbo Posted December 31, 2005
Thanks, ZAP, that's what I needed to know. I'm not having any of the problems others are reporting.... so, if it ain't broke, don't fix it....
Guest mashurst Posted December 31, 2005
For the masses I think today's fix is spot on. Other than all the 403 errors we are getting as a result of the fix (can't view orders, print order form, etc.), however I'll have a think and see if we can find a more universally amicable solution.
I trust this will be put out tomorrow, to fix all the 403 errors? Otherwise orders may be piling up with no way to access them in admin. I had an order end up being processed by PayPal, and half of the information ended up in the SQL database but it was inaccessible from admin>orders. Could be related to the recent patches / changes?
I too also had the flashing upgrade available after the upgrade, which I understand is a function of the /includes/ini.inc.php but I can't figure out why it seems that this file didn't take even though all of the files uploaded. -M
Guest mashurst Posted December 31, 2005
Hi, Sir William, I've updated my install to 3.07 (even though admin is still flashing that there is an update available for my 3.06, don't know why that is). As my store isn't live yet I've no idea about the 403 and PayPal orders errors others are reporting. What I'd like to know is, should I go back to 3.06 and manually change the security holes or leave 3.07 and patch it up? (I changed the 'ugger is not a word' thing already.) General consensus seems mixed across forum veterans. cheers TC
I would like to know also. I did the first patch right away; at the moment I am not sure if there was a second patch released or just the 3.07 (looks like the 3.07 release was the second fix). I have goober's coupon mod and some other mods to my store that it appears the 3.07 upgrade wipes out. 403 errors show up in my stats but I cannot duplicate them by beta testing my store. -M
Guest Posted December 31, 2005
The 3.0.7 install includes both security fixes released separately by brooky. It does not include the fix that Sir William created after 3.0.7 was released, which seems to me to be much closer to a permanent and stable resolution. From the looks of things brooky is traveling now and unavailable to chime in on this discussion, so we don't know his thoughts on the matter yet.
I would say that if you have a backup of your 3.0.6 install then you could patch them with Sir William's fix (and also don't forget the previous security patch that was less severe but also essential) and upload those instead of the 3.0.7 files. That should take care of the security issues and also keep your mods functioning properly. There will probably be another (definitive) resolution to this in the next few days, so I wouldn't go too far down any particular dark alley just yet.
If you are seeing 403 errors then you might be experiencing the issues that many report with the security fix included in 3.0.7 (and should consider rolling back those changes). Additionally, there have been reports of PayPal problems since 3.0.7 that may have nothing to do with the security fix code. So my advice would be that if it worked before this upgrade and you're having problems now, go back to your 3.0.6 files for now but make sure you apply the two security patches (here and here).
Guest timecrisis Posted December 31, 2005
timecrisis, this very issue is being dealt with right now. I believe there will soon be a small core group of us who will "test drive" the new releases before the general public gets them. This team of qualified people should be able to squash 90%+ of the sniggly little things that have plagued previous releases. This will help EVERYBODY out in the long run.
Hi Sir William, Great, I think that is what's needed. This is a commercial product so it should be possible. I guess coders like you love this sort of challenge but for me as a designer it is a nightmare. That said, I have learnt a lot on these forums about databases and PHP... I prefer to do it without the hanging menace or mutating porn spam though... I spent all of last night backing up my sites and databases... Glad to hear you may be on such a team of testers... Happy New Year to all
Guest Posted January 3, 2006
Win Merge is your best friend, check it out, it will tell you what you need to change...
I agree that diffing code is a good plan. I disagree that every user should do it though. I think ONE developer should diff the new release against the last version and the last major release, and then release a small patch zip that contains ONLY files that have changed. Then each admin only has to compare this small set of files vs the ones they have changed themselves.
Guest Posted January 3, 2006
I agree that diffing code is a good plan. I disagree that every user should do it though. I think ONE developer should diff the new release against the last version and the last major release, and then release a small patch zip that contains ONLY files that have changed. Then each admin only has to compare this small set of files vs the ones they have changed themselves.
Dingfelder is right. If we know which files have been changed in the release we can use WinMerge or whatever just to compare our modified files and those files. If we don't know which files were changed we need to compare every file and distinguish the mods we've made from the ones in the new release.
Guest theorbo Posted January 3, 2006
Yes. There's always going to be a need for those who have modified (heavily or otherwise) files to use some sort of diffing process. Even in the case of someone taking responsibility for a "changed-files release", those with modified installs will be on their own. Best practices if you mod ANYTHING: comment your code, surround the modded section with comment tags and an explanation; AND keep a text file of what you modded, what date you modded it, where you got the mod you used, contact info, AND A COPY OF THE ORIGINAL BEFORE YOU MADE THE CHANGES.
Guest Posted January 3, 2006
Uhhhhh guys.... WinMerge will process the entire directory tree and show you the changed files. No biggie. What you do is a global search/replace to put the new header in all your existing files. Then run WinMerge on your current directory and the new release directory. Look at the differences and update where necessary. Takes me about 1.5 to 2 hours even with all the changes I've made.
Guest Posted January 3, 2006
Better yet, use CVS. Instead of keeping different directories for old versions so you can use a diff tool, a version control system such as CVS keeps only 1 dir of the files and keeps all the changes in a database. How does it work?
1. Import the base install as a module into CVS
2. Label/TAG the codebase using its official version number (i.e. 3_0_6_official)
3. Check in your changes.
4. Label/TAG the codebase using your own version number (i.e. 3_0_6_with_my_patches)
5. Drop in the new release on top of your changed code
6. Merge in the changes
7. Label/TAG the codebase using your own version number (i.e. 3_0_7p1_with_my_patches)
Why is this a good thing to do? If you follow this process, you can instantly diff files between any of these tags after the fact, and you can revert to older versions easily if needed. Additionally, if you use CVS to check in every manual change you make, you can later on refer to the comments of WHY you made the change. I have to say that after I started using version control for configuration management (a decade ago) I now find it impossible to go without.
Guest estelle Posted January 3, 2006
Uhhhhh guys.... WinMerge will process the entire directory tree and show you the changed files. No biggie.
True, but whenever Brooky releases a new version he updates the date & version number in every single PHP file, so they're practically all changed. But perhaps there's a way to ignore those lines when comparing directories...
dingfelder, source control is the best way. Personally I use TortoiseSVN. However I don't think it's suited to hardly any people here
Guest Posted January 3, 2006
Yuck. I guess Brooky doesn't use a version control system. If he does, he cannot diff code because everything always changes. IMHO, artificially adding stuff to files like that is a BIG NO-NO from a configuration management point of view. If he wants people to know the version of the entire system, it belongs in the readme. Some developers like to add a revision history to *changed* files, so you know what version they were created or changed in, but for sure I would say that putting the latest version in every file even when there were no changes is a major hassle.
Brooky - no hard feelings intended here... we all have our good and bad points, and I'm sure we can all agree that your PHP coding rocks and you have made a great product, but I think the release process could use some improvement. If you would like some help in controlling the codebase for easier packaging of patches etc, I would be glad to lend a hand and help you improve the process.
Guest Posted January 3, 2006
Estelle, that's why I do a global search/replace across the entire directory/subdirectory first. I put the new header comments in my old files. Then the only thing that's flagged as changed are files that either I've changed or that have changes from Brooky. But yeah, a good CVS is great. Too bad it's over the heads of most non-programmers.
Guest estelle Posted January 3, 2006
Cool. Well, although using a diff program isn't too hard, we definitely can't expect many people to be able to do a global find/replace. As dingfelder said, it would be much better if the date and version number weren't updated in the unchanged files.
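As an added example (not CubeCart's code and not something any of the posters above supplied), here is a small PHP command-line script that does what the last few posts describe without a global search/replace: it compares your modified tree against the new release tree and ignores the version/date header lines that get rewritten in every file, so only real code changes are reported. The header regex is an assumption, since the exact comment format is not shown in the thread; adjust it to match the lines your release actually rewrites. The resulting list of changed files is also exactly what dingfelder's "changed files only" patch zip would contain.

```php
<?php
// compare_release.php (added example, not CubeCart code).
// Usage: php compare_release.php /path/to/my_3.0.6 /path/to/release_3.0.7
// Without arguments it builds two tiny constructed sample trees in the temp
// directory and compares those, so it can be tried without a real install.

// Header lines to ignore. ASSUMPTION: the release rewrites comment lines that
// look like "// Version: 3.0.7" or " * Date: 31/12/2005"; change the pattern
// to match what your files actually contain.
const IGNORE_PATTERNS = [
    '/^\s*(?:\/\/|\*|#)\s*(?:Version|Date)\s*:/i',
];

// File contents with ignorable lines dropped and line endings normalised, so
// header churn and CRLF/LF differences do not count as changes.
function normalise(string $path): string
{
    $kept = [];
    foreach (preg_split('/\r\n|\r|\n/', file_get_contents($path)) as $line) {
        foreach (IGNORE_PATTERNS as $re) {
            if (preg_match($re, $line)) {
                continue 2;
            }
        }
        $kept[] = $line;
    }
    return implode("\n", $kept);
}

// Every regular file under $root as relative path => absolute path.
function listFiles(string $root): array
{
    $files = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $files[str_replace('\\', '/', $rel)] = $file->getPathname();
    }
    ksort($files);
    return $files;
}

// Which files really differ between the two trees.
function compareTrees(string $oldRoot, string $newRoot): array
{
    $old = listFiles(rtrim($oldRoot, '/\\'));
    $new = listFiles(rtrim($newRoot, '/\\'));
    $result = ['changed' => [], 'added' => [], 'removed' => []];
    foreach ($new as $rel => $path) {
        if (!isset($old[$rel])) {
            $result['added'][] = $rel;
        } elseif (normalise($old[$rel]) !== normalise($path)) {
            $result['changed'][] = $rel;
        }
    }
    $result['removed'] = array_keys(array_diff_key($old, $new));
    return $result;
}

// Constructed sample trees (not real CubeCart files) for a dry run.
function buildSamples(string $base): void
{
    $samples = [
        // header-only change: must not be reported
        'old/index.php'          => "<?php\n// Version: 3.0.6\n// Date: 01/12/2005\necho 'hi';\n",
        'new/index.php'          => "<?php\n// Version: 3.0.7\n// Date: 31/12/2005\necho 'hi';\n",
        // real code change: must be reported
        'old/admin/orders.php'   => "<?php\n// Version: 3.0.6\n\$id = \$_GET['id'];\n",
        'new/admin/orders.php'   => "<?php\n// Version: 3.0.7\n\$id = (int) \$_GET['id'];\n",
        // file that only exists in the new release
        'new/includes/extra.php' => "<?php\n// Version: 3.0.7\n",
    ];
    foreach ($samples as $rel => $content) {
        $dir = dirname("$base/$rel");
        if (!is_dir($dir)) {
            mkdir($dir, 0700, true);
        }
        file_put_contents("$base/$rel", $content);
    }
}

if ($argc === 3) {
    [$oldDir, $newDir] = [$argv[1], $argv[2]];
} else {
    $base = sys_get_temp_dir() . '/cc_compare_' . getmypid();
    buildSamples($base);
    [$oldDir, $newDir] = ["$base/old", "$base/new"];
}
foreach (compareTrees($oldDir, $newDir) as $kind => $files) {
    echo str_pad($kind, 8) . ($files ? implode(', ', $files) : '(none)') . "\n";
}
```

On the sample trees only admin/orders.php is listed as changed and includes/extra.php as added; index.php is not reported because the only differences are the header lines. Once you have that list, opening just those files in WinMerge against your own copies is the whole upgrade job, which is the point of the posts above.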
Guest Posted January 3, 2006
But if you don't specify a version in each file, one would quickly lose track of what each file is. What it gets down to is you either KNOW the files and how they fit together, or you don't. ??? Oh well.
Guest theorbo Posted January 3, 2006
Ah..... well, I prefer to see files listed as the version they "belong" to from day one of that file. For instance, if within each version number increase, brooky goes through and changes the version number on EVERY FILE, but some of those files haven't changed since the FIRST version of the program, that's misleading and - um - well, not how it's done generally....
Guest Posted January 3, 2006
Uhhhhh guys.... WinMerge will process the entire directory tree and show you the changed files. No biggie. What you do is a global search/replace to put the new header in all your existing files. Then run WinMerge on your current directory and the new release directory. Look at the differences and update where necessary. Takes me about 1.5 to 2 hours even with all the changes I've made.
Hi Sir William, this post shows exactly what I said when I put the first post up. If it takes you between 1.5 to 2 hours as a programmer, what chance have we mere mortal store owners got? As I said initially, I monitored CubeCart for a long time and never used it because of the frequency of the upgrades, and things haven't changed much now. The more posts I read, the more confused I get because of different opinions. Just what is the best thing to do right now? Run 3.06 or 3.07, and when will the cart become a stable one without any security issues? As good as CC is, you have to admit that it is a store owner's nightmare and a developer's meal ticket. No offence intended but that is it in a nutshell.
Guest aikdo Posted January 3, 2006
v3 is still in development. 3.0.7pl1 is now secure and the immediate vulnerability has been beaten... if you want a 100% stable release of CubeCart then again I say go get v2, as v3 is still under production and gladly will be for a long time... Just to clarify, I run stores and you don't have to upgrade every time... There are clear instructions on the forums on how to upgrade from 3.0.6 to 3.0.7pl1 manually... But there are a lot of edits still, and that is only one edit; if you truthfully think you can make the edits from one file to another in less than an hour then you don't understand the work brooky puts into this script... If you really want a script where you never have to update, great, go grab osCommerce; they haven't had updates in about a year or two... But it still isn't stable, and if a security flaw comes out with it I wouldn't expect the developer to give you a patch in under 24 hours if I were you...
Guest Posted January 3, 2006
v3 is still in development. 3.0.7pl1 is now secure and the immediate vulnerability has been beaten... if you want a 100% stable release of CubeCart then again I say go get v2, as v3 is still under production and gladly will be for a long time... Just to clarify, I run stores and you don't have to upgrade every time... There are clear instructions on the forums on how to upgrade from 3.0.6 to 3.0.7pl1 manually... But there are a lot of edits still, and that is only one edit; if you truthfully think you can make the edits from one file to another in less than an hour then you don't understand the work brooky puts into this script... If you really want a script where you never have to update, great, go grab osCommerce; they haven't had updates in about a year or two... But it still isn't stable, and if a security flaw comes out with it I wouldn't expect the developer to give you a patch in under 24 hours if I were you...
Well, part I agree with but a lot I don't. osCommerce is free and so the two cannot be compared, as CC isn't if you purchase a license. All I am saying is that I don't know whether to run 3.05, 3.06 or go to 3.07, and could someone tell me which of these is secure. Are 3.05 or 3.06 secure, and if not how do I make them so, and where do I find the info for the upgrade instructions from 3.06 to 3.07pl1 manually? I have no doubt that Brooky puts a lot of work into CC because it is a very good cart, but it is a commercial product and therefore should be ready to use. I do understand that bugs will always be found but that is what beta testing is all about. My point seems to be missed here so I will try and say it again. All I, as a store owner, ask for is a stable version without any security issues (too late to go back to v2 as all of my purchased mods are v3) of CC, whether it is 3.05, 3.06 or 3.07pl1.
Guest aikdo Posted January 3, 2006
3.0.0 - 3.0.6 are not secure unless you patch them... 3.0.7 is secure but it's buggy... 3.0.7pl1 is secure and has the bugs removed... you have the opportunity, however, to add the security patch from 3.0.7pl1 onto a 3.0.0 - 3.0.6 cart by following the instructions HERE
Guest Posted January 3, 2006
3.0.0 - 3.0.6 are not secure unless you patch them... 3.0.7 is secure but it's buggy... 3.0.7pl1 is secure and has the bugs removed... you have the opportunity, however, to add the security patch from 3.0.7pl1 onto a 3.0.0 - 3.0.6 cart by following the instructions HERE
Thanks for that, Aikdo. Just a note - Brooky says that if the server has register globals off then 3.06 is secure. Have I got that right?
Guest aikdo Posted January 3, 2006
Correct... Register Globals is the danger, and 3.0.7pl1 has been made to be secure with or without register globals on...
Guest Posted January 3, 2006
Correct... Register Globals is the danger, and 3.0.7pl1 has been made to be secure with or without register globals on...
Thanks for the info
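The exchange above says why register_globals matters but not what the bug class looks like, so here is an added example that is not CubeCart's code and does not describe CubeCart's actual flaw: the variable names ($authorised, $request, the credentials) are hypothetical. With register_globals=On, PHP up to 5.3 copied every request parameter into a global variable before the script ran, so any variable a script forgot to initialise could be pre-seeded by the attacker. The example shows the vulnerable shape, which is only safe while register_globals is off (the "3.06 is secure with register globals off" point), and the hardened shape that is safe either way, plus the start-of-script clean-up that applications of that era used to become "secure with or without register globals on". register_globals was removed in PHP 5.4, so the two check functions take a flag and use extract() to simulate the old behaviour on a modern interpreter.

```php
<?php
// Added example, not CubeCart code; variable names are hypothetical.
// Run with: php register_globals_demo.php

// Vulnerable pattern: relies on $authorised only ever being set by the login
// branch, but never initialises it first. With register_globals on, a request
// such as ?authorised=1 sets it before this code runs.
function vulnerableCheck(array $request, bool $registerGlobals): string
{
    if ($registerGlobals) {
        extract($request);              // simulate register_globals=On
    }
    if (($request['user'] ?? '') === 'admin' && ($request['pass'] ?? '') === 'correct-horse') {
        $authorised = true;
    }
    return !empty($authorised) ? 'admin page' : 'login required';
}

// Hardened pattern: initialise before use and read input only from the
// request array (in real code: $_GET/$_POST), never from bare globals.
function hardenedCheck(array $request, bool $registerGlobals): string
{
    if ($registerGlobals) {
        extract($request);              // same hostile environment as above
    }
    $authorised = false;                // explicit default defeats pre-seeding
    if (($request['user'] ?? '') === 'admin' && ($request['pass'] ?? '') === 'correct-horse') {
        $authorised = true;
    }
    return $authorised ? 'admin page' : 'login required';
}

// Belt and braces for an application that must be safe whether or not the
// host has register_globals on: undo the registration at the very top of the
// entry script, before any include. On PHP >= 5.4 the ini setting no longer
// exists, ini_get() returns false and this is a no-op.
function unregisterGlobals(): void
{
    if (!ini_get('register_globals')) {
        return;
    }
    $protected = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION'];
    foreach ([$_GET, $_POST, $_COOKIE, $_FILES, $_ENV, $_SERVER] as $source) {
        foreach (array_keys($source) as $key) {
            if (!in_array($key, $protected, true)) {
                unset($GLOBALS[$key]);
            }
        }
    }
}

// Hosting side, when you control the configuration:
//   php.ini:    register_globals = Off
//   .htaccess:  php_flag register_globals off   (Apache mod_php only)

unregisterGlobals();
$attack = ['authorised' => '1'];        // constructed request, no credentials at all
echo 'vulnerable, register_globals on : ' . vulnerableCheck($attack, true) . "\n";
echo 'vulnerable, register_globals off: ' . vulnerableCheck($attack, false) . "\n";
echo 'hardened,   register_globals on : ' . hardenedCheck($attack, true) . "\n";
echo 'hardened,   register_globals off: ' . hardenedCheck($attack, false) . "\n";
```

The first line of output is the attack succeeding, the second is the same code protected only by the host's setting, and the last two show the hardened version refusing the request either way. If you cannot change php.ini on shared hosting, check what the server actually has with phpinfo() or `php -i | grep register_globals` on older PHP before deciding whether an unpatched 3.0.6 is exposed.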
Guest kickass Posted January 3, 2006
3.0.7pl1 is secure and has the bugs removed...
Then why doesn't my client's cart work? Thread here, and PLEASE suggest a fix!
Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.2RC2-dev FrontPage/5.0.2.2634a mod_ssl/2.8.21 OpenSSL/0.9.7a