3.07 so when 3.08??


Guest


Hi, Sir William, I've updated my install to 3.07 (even though admin is still flashing that there is an update available for my 3.06, don't know why that is). As my store isn't live yet I've no idea about the 403 and PayPal orders errors others are reporting.

What I'd like to know is, should I go back to 3.06 and manually change the security holes or leave 3.07 and patch it up? (I changed the 'ugger is not a word' thing already.) General consensus seems mixed across forum veterans.

cheers TC

My (obviously unofficial) suggestion would be not to bother going back to 3.0.6 unless you experience the 403 error issues that others had. The two fixes are completely separate and do not affect each other in any way. However, if you do have 403 error problems then you probably do need to undo the 3.0.7 fix.


Guest mashurst

For the masses I think today's fix is spot on

Other than all the 403 errors we are getting as a result of the fix - can't view orders, print order form, etc.

However, I'll have a think and see if we can find a more universally amicable solution.

I trust this will be put out tomorrow, to fix all the 403 errors? Otherwise orders may be piling up with no way to access them in admin.

I had an order end up being processed by PayPal, and half of the information ended up in the SQL database but it was inaccessible from admin>orders. Could be related to the recent patches / changes?

I also had the flashing upgrade available after the upgrade, which I understand is a function of the /includes/ini.inc.php but I can't figure out why it seems that this file didn't take even though all of the files uploaded.

-M :errm:

Edited by mashurst

Guest mashurst

Hi, Sir William, I've updated my install to 3.07 (even though admin is still flashing that there is an update available for my 3.06, don't know why that is). As my store isn't live yet I've no idea about the 403 and PayPal orders errors others are reporting.

What I'd like to know is, should I go back to 3.06 and manually change the security holes or leave 3.07 and patch it up? (I changed the 'ugger is not a word' thing already.) General consensus seems mixed across forum veterans.

cheers TC

I would like to know also. I did the first patch right away; at the moment I am not sure if there was a second patch released or just the 3.07 (looks like the 3.07 release was the second fix). I have goober's coupon mod and some other mods to my store that it appears the 3.07 upgrade wipes out.

403 errors show up in my stats but I cannot duplicate them by beta testing my store.

-M :errm:


The 3.0.7 install includes both security fixes released separately by brooky. It does not include the fix that Sir William created after 3.0.7 was released, which seems to me to be much closer to a permanent and stable resolution. From the looks of things brooky is traveling now and unavailable to chime in on this discussion, so we don't know his thoughts on the matter yet.

I would say that if you have a backup of your 3.0.6 install then you could patch them with Sir William's fix (and also don't forget the previous security patch that was less severe but also essential) and upload those instead of the 3.0.7 files. That should take care of the security issues and also keep your mods functioning properly. There will probably be another (definitive) resolution to this in the next few days, so I wouldn't go too far down any particular dark alley just yet.

If you are seeing 403 errors then you might be experiencing the issues that many report with the security fix included in 3.0.7 (and should consider rolling back those changes). Additionally, there have been reports of PayPal problems since 3.0.7 that may have nothing to do with the security fix code. So my advice would be that if it worked before this upgrade and you're having problems now, go back to your 3.0.6 files for now but make sure you apply the two security patches (here and here).


Guest timecrisis

timecrisis, this very issue is being dealt with right now. I believe there will soon be a small core group of us who will "test drive" the new releases before the general public gets them. This team of qualified people should be able to squash 90%+ of the sniggly little things that have plagued previous releases. This will help EVERYBODY out in the long run.

:w00t:

Hi Sir William,

Great, I think that is what's needed. This is a commercial product so it should be possible. I guess coders like you love this sort of challenge but for me as a designer it is a nightmare.

That said I have learnt a lot on these forums about databases and PHP... I prefer to do it without the hanging menace or mutating porn spam though... I spent all of last night backing up my sites and databases...

Glad to hear you may be on such a team of testers... :)

Happy New Year to all

:D


Win Merge is your best friend, check it out it will tell you what you need to change...

I agree that diffing code is a good plan.

I disagree that every user should do it though.

I think ONE developer should diff the new release against the last version and the last major release, and then release a small patch zip that contains ONLY files that have changed.

Then each admin only has to compare this small set of files vs the ones they have changed themselves.


I agree that diffing code is a good plan.

I disagree that every user should do it though.

I think ONE developer should diff the new release against the last version and the last major release, and then release a small patch zip that contains ONLY files that have changed.

Then each admin only has to compare this small set of files vs the ones they have changed themselves.

Dingfelder is right. If we know which files have been changed in the release we can use WinMerge or whatever just to compare our modified files and those files. If we don't know which files were changed we need to compare every file and distinguish the mods we've made from the ones in the new release.


Guest theorbo

Yes. There's always going to be a need for those who have modified (heavily or otherwise) files to use some sort of diff'ing process. Even in the case of someone taking responsibility for a "changed-files release", those with modified installs will be on their own.

Best practices if you mod ANYTHING: comment your code - surround the modded section with comment tags and an explanation; AND keep a text file of what you modded, what date you modded it, where you got the mod you used, contact info, AND A COPY OF THE ORIGINAL BEFORE YOU MADE THE CHANGES.


Uhhhhh guys....WinMerge will process the entire directory tree and show you the changed files. No biggie.

What you do is a global search/replace to put the new header in all your existing files. Then run WinMerge on your current directory and the new release directory. Look at the differences and update where necessary. Takes me about 1.5 to 2 hours even with all the changes I've made.

:w00t:


Better yet, use CVS.

Instead of keeping different directories for old versions so you can use a diff tool, a version control system such as CVS keeps only 1 dir of the files and keeps all the changes in a database.

How does it work?

1. Import the base install as a module into CVS

2. Label/TAG the codebase using its official version number (i.e. 3_0_6_official)

3. Check in your changes.

4. Label/TAG the codebase using your own version number (i.e. 3_0_6_with_my_patches)

5. Drop in the new release on top of your changed code

6. Merge in the changes

7. Label/TAG the codebase using your own version number (i.e. 3_0_7p1_with_my_patches)

Why is this a good thing to do?

If you follow this process, you can instantly diff files between any of these tags after the fact, and you can revert to older versions easily if needed.

Additionally if you use CVS to check in every manual change you make, you can later on refer to the comments of WHY you made the change.

I have to say that after I started using version control for configuration management (a decade ago) I now find it impossible to go without.


Guest estelle

Uhhhhh guys....WinMerge will process the entire directory tree and show you the changed files. No biggie.

True, but whenever Brooky releases a new version he updates the date & version number in every single PHP file, so they're practically all changed. But perhaps there's a way to ignore those lines when comparing directories...

dingfelder, source control is the best way. Personally I use TortoiseSVN. However I don't think it's suited to hardly any people here :w00t:

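estelle's question above (can the bumped version and date lines be ignored when comparing directories?) and Sir William's search/replace-then-WinMerge routine can be automated. The script below is an added example, not code from this thread or from CubeCart: it compares two release trees and reports only the files whose code actually differs once version/date header lines are masked. The header-line pattern and the sample file contents are constructed assumptions; adjust `HEADER_RE` to the real header lines.

```python
import os
import re
import sys
# Constructed assumption about the header format: lines such as "// Version: 3.0.7"
# or "// Date: 02/01/2006". CubeCart's real header may differ; adjust the pattern.
HEADER_RE = re.compile(r"^[ \t]*(?://|\*|#)?[ \t]*(?:Version|Date)[ \t]*:.*$",
                       re.IGNORECASE | re.MULTILINE)
def strip_header_lines(text):
    """Blank out version/date header lines so only real code differences remain."""
    return HEADER_RE.sub("", text)
def read_tree(root):
    """Map relative path -> contents for every file under root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[rel] = fh.read()
    return files
def classify(old, new):
    """Sort paths into added/removed/changed/header_only/unchanged buckets;
    old and new are path -> contents mappings as returned by read_tree."""
    buckets = {k: [] for k in ("added", "removed", "changed", "header_only", "unchanged")}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            buckets["added"].append(rel)
        elif rel not in new:
            buckets["removed"].append(rel)
        elif old[rel] == new[rel]:
            buckets["unchanged"].append(rel)
        elif strip_header_lines(old[rel]) == strip_header_lines(new[rel]):
            buckets["header_only"].append(rel)  # only the bumped header differs: skip
        else:
            buckets["changed"].append(rel)      # real code change: this one needs merging
    return buckets
# Constructed sample trees standing in for a 3.0.6 and a 3.0.7 install.
OLD = {"index.php": "<?php\n// Version: 3.0.6\n// Date: 01/12/2005\necho 'hi';\n",
       "includes/ini.inc.php": "<?php\n// Version: 3.0.6\n$v = '3.0.6';\n",
       "admin/old.php": "<?php\n// Version: 3.0.6\n"}
NEW = {"index.php": "<?php\n// Version: 3.0.7\n// Date: 02/01/2006\necho 'hi';\n",
       "includes/ini.inc.php": "<?php\n// Version: 3.0.7\n$v = '3.0.7';\n",
       "admin/new.php": "<?php\n// Version: 3.0.7\n"}

if __name__ == "__main__":  # usage: python changed_files.py OLD_DIR NEW_DIR (no args: sample trees)
    old, new = (read_tree(sys.argv[1]), read_tree(sys.argv[2])) if len(sys.argv) == 3 else (OLD, NEW)
    for kind, paths in classify(old, new).items():
        for rel in paths:
            print(f"{kind:12} {rel}")
```

On the sample trees only includes/ini.inc.php is reported as changed; index.php differs solely in its bumped header and is skipped, which is the list a "changed files only" patch zip would be built from.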

Yuck. I guess Brooky doesn't use a version control system. If he does, he cannot diff code because everything always changes.

IMHO, artificially adding stuff to files like that is a BIG NO-NO from a configuration management point of view.

If he wants people to know the version of the entire system, it belongs in the readme. Some developers like to add a revision history to *changed* files, so you know what version they were created or changed in, but for sure I would say that putting the latest version in every file even when there were no changes is a major hassle.

Brooky - no hard feelings intended here... we all have our good and bad points, and I'm sure we can all agree that your php coding rocks and you have made a great product but, I think the release process could use some improvement.

If you would like some help in controlling the codebase for easier packaging of patches etc., I would be glad to lend a hand and help you improve the process.


Estelle, that's why I do a global search/replace across the entire directory/subdirectory first. I put the new header comments in my old files. Then the only thing that's flagged as changed are files that either I've changed or that have changes from Brooky.

But yeah a good CVS is great. Too bad it's over the heads of most non-programmers.

:w00t:


Guest estelle

Cool. Well, although using a diff program isn't too hard, we definitely can't expect many people to be able to do a global find/replace. As dingfelder said, it would be much better if the date and version number weren't updated in the unchanged files.


But if you don't specify a version in each file, one would quickly lose track of what each file is.

What it gets down to is you either KNOW the files and how they fit together, or you don't. ??? Oh well.

:w00t:


Guest theorbo

Ah..... well, I prefer to see files listed as the version they "belong" to from day one of that file.

For instance, if within each version number increase, brooky goes through and changes the version number on EVERY FILE, but some of those files haven't changed since the FIRST version of the program, that's misleading and - um - well, not how it's done generally....


Uhhhhh guys....WinMerge will process the entire directory tree and show you the changed files. No biggie.

What you do is a global search/replace to put the new header in all your existing files. Then run WinMerge on your current directory and the new release directory. Look at the differences and update where necessary. Takes me about 1.5 to 2 hours even with all the changes I've made.

:w00t:

Hi Sir William

This post shows exactly what I said when I put the first post up. If it takes you between 1.5 to 2 hours as a programmer, what chance have us mere mortal store owners got??

As I said initially, I monitored CubeCart for a long time and never used it because of the frequency of the upgrades and things haven't changed much now.

The more posts I read, the more confused I get because of different opinions. Just what is the best thing to do right now? Run 3.06 or 3.07, and when will the cart become a stable one without any security issues? As good as CC is you have to admit that it is a store owner's nightmare and a developer's meal ticket.

No offence intended but that is it in a nutshell.


v3 is still in development. 3.0.7pl1 is now secure and the immediate vulnerability has been beaten...

if you want a 100% stable release of CubeCart then again I say go get v2 as v3 is still under production and gladly will be for a long time...

Just to clarify I run stores and you don't have to upgrade every time...

There are clear instructions on the forums how to upgrade from 3.0.6 to 3.0.7pl1 manually...

But there are a lot of edits still and that is only one edit; if you truthfully think you can make the edits from one file to another in less than an hour then you don't understand the work brooky puts into this script...

If you really want a script where you never have to update, great, go grab osCommerce; they haven't had updates in about a year/2... But it still isn't stable and if a security flaw comes out with it I wouldn't expect the developer to give you a patch in under 24 hours if I were you...


v3 is still in development. 3.0.7pl1 is now secure and the immediate vulnerability has been beaten...

if you want a 100% stable release of CubeCart then again I say go get v2 as v3 is still under production and gladly will be for a long time...

Just to clarify I run stores and you don't have to upgrade every time...

There are clear instructions on the forums how to upgrade from 3.0.6 to 3.0.7pl1 manually...

But there are a lot of edits still and that is only one edit; if you truthfully think you can make the edits from one file to another in less than an hour then you don't understand the work brooky puts into this script...

If you really want a script where you never have to update, great, go grab osCommerce; they haven't had updates in about a year/2... But it still isn't stable and if a security flaw comes out with it I wouldn't expect the developer to give you a patch in under 24 hours if I were you...

Well, part I agree with but a lot I don't. osCommerce is free and so the two cannot be compared, as CC isn't if you purchase a license. All I am saying is that I don't know whether to run 3.05, 3.06 or go to 3.07, and could someone tell me which of these is secure? Are 3.05 or 3.06 secure, and if not how do I make them so, and where do I find the info for the upgrade instructions from 3.06 to 3.07pl1 manually?

I have no doubt that Brooky puts a lot of work into CC because it is a very good cart but it is a commercial product and therefore should be ready to use. I do understand that bugs will always be found but that is what beta testing is all about.

My point seems to be missed here so I will try and say it again.

All I, as a store owner, ask for is a stable version of CC without any security issues (too late to go back to V2 as all of my purchased mods are v3), whether it is 3.05, 3.06 or 3.07pl1.


3.0.0 - 3.0.6 are not secure unless you patch them...

3.0.7 is secure but its buggy...

3.0.7pl1 is secure and has the bugs removed...

you have the opportunity however to add the security patch from 3.0.7pl1 onto a 3.0.0 - 3.0.6 cart by following the instructions HERE

Edited by aikdo

3.0.0 - 3.0.6 are not secure unless you patch them...

3.0.7 is secure but its buggy...

3.0.7pl1 is secure and has the bugs removed...

you have the opportunity however to add the security patch from 3.0.7pl1 onto a 3.0.0 - 3.0.6 cart by following the instructions HERE

Thanks for that Aikdo

Just a note - Brooky says that if the server has register_globals off then 3.06 is secure. Have I got that right?
