haraldpdl
Shiny Red Apples
113 posts
Manager at osCommerce. Specialize in ecommerce web development. Love to cook and bake. Getting into photography. Located in Solingen, Germany, Rock City No. 1.
haraldpdl · 13 years ago
Sage Pay Server v1.2
There have been reports of the Sage Pay Server payment module not working and failing with the following error message:
Unable to redirect to Vendor's web site. The Vendor failed to provide a RedirectionURL
The problem was introduced with v2.3.0, where tep_href_link() returns HTML-formatted URLs, which left the RedirectionURL value containing &amp; instead of & in the URL.
This has been fixed in v1.2 of the payment module and can be downloaded here:
http://addons.oscommerce.com/info/6984
This will also be included in osCommerce Online Merchant v2.3.4.
haraldpdl · 13 years ago
"extras" Directory Vulnerability Reminder
If you're using a version of osCommerce Online Merchant earlier than v2.2 Release Candidate 1 (July 2007), please make sure the "extras" directory is not publicly accessible on the server if it has been copied over. This directory is not part of the installation and had to be separately copied over if upgrades were being performed from even earlier releases.
A list of affected servers that unfortunately still have the "extras" directory publicly accessible has recently been published.
If left on the server, the scripts in the directory may allow any file on the server to be read due to an insecure directory listing implementation.
More information at:
http://www.oscommerce.com/about/news,141
haraldpdl · 13 years ago
OSCOM v2.3.2 and Upcoming Releases
osCommerce Online Merchant v2.3.2 has just been released which improves the customer password forgotten routine and generation of random strings.
Previously, when the customer requested a new password, their password was instantly updated to a random string and was e-mailed to the customer. The length of the random password was based on ENTRY_PASSWORD_MIN_LENGTH which by default is 5 characters long.
Although it is strongly recommended to use longer passwords, the real problem was that the random string generated for the new password was not random enough to use in a secure manner due to a weak seeding of the random number generator.
This has now been improved by using Phpass' get_random_bytes() method to generate cryptographically secure random strings based on /dev/urandom, openssl_random_pseudo_bytes(), and mcrypt_create_iv() where available. Phpass was introduced in osCommerce Online Merchant v2.3.0 to replace the older password hashing algorithm.
Also new to the customer password forgotten routine is that the customer's password is no longer instantly updated with a random string. Instead, a personal link is generated and e-mailed to the customer, giving them 24 hours to update their own password. Customers can ignore the e-mail if they did not request a new password themselves, and can continue to use their existing password if they have remembered it. New password requests are protected by an Action Recorder module to limit requests to once every 5 minutes (this is configurable).
Once the customer has updated their password via their personal link, they are redirected to the login page to log in using their new password. There are advantages and disadvantages to automatically authenticating the customer as soon as they've updated their password, and to making them log in again. We chose a manual login due to technical issues:
We did not want to duplicate the core login code as it would have missed out on Add-On or custom changes made to the login routine.
We did not want to have an automatic redirect page pointing to login.php with the customer's e-mail address and password in plain-text within hidden fields in a form.
The advantage to a manual login is it gives the customer an opportunity to save their new credentials in their browser's password management feature.
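The reset flow described above (CSPRNG key, 24-hour personal link, one request per 5 minutes) can be sketched as follows. This is an added example, not osCommerce code: the class, its methods and the choice to store only a hash of the key are assumptions, and it needs PHP 7.4 or later.

```php
<?php
// Added example, not osCommerce code. Class, method and field names are hypothetical.
declare(strict_types=1);

final class PasswordResetRequests
{
    private const LINK_LIFETIME = 86400;  // the personal link is valid for 24 hours
    private int $minInterval;             // seconds between requests per customer
    private array $rows = [];             // customer id => row; stands in for a database table

    public function __construct(int $minInterval = 300)  // 5 minutes, configurable
    {
        $this->minInterval = $minInterval;
    }

    /** Returns the key to put in the e-mailed link, or null when the request is rate limited. */
    public function request(int $customerId, int $now): ?string
    {
        $last = $this->rows[$customerId]['created'] ?? null;
        if ($last !== null && $now - $last < $this->minInterval) {
            return null;
        }
        // random_bytes() reads from the operating system CSPRNG and cannot be
        // seeded by the application, unlike a seeded generator such as mt_rand().
        $key = bin2hex(random_bytes(20));
        // Assumption of this example: only a hash of the key is stored, so a
        // leaked table does not reveal usable links.
        $this->rows[$customerId] = ['hash' => hash('sha256', $key), 'created' => $now];
        return $key;  // the existing password is not touched at this point
    }

    /** True when the key is the pending one for this customer and is not older than 24 hours. */
    public function redeem(int $customerId, string $key, int $now): bool
    {
        $row = $this->rows[$customerId] ?? null;
        if ($row === null) {
            return false;
        }
        $fresh = $now - $row['created'] <= self::LINK_LIFETIME;
        $match = hash_equals($row['hash'], hash('sha256', $key));  // constant-time compare
        if (!$fresh || $match) {
            unset($this->rows[$customerId]);  // expired or used: the link is single-use
        }
        return $fresh && $match;
    }
}

// Constructed walk-through with fixed timestamps.
$resets = new PasswordResetRequests();
$t0  = 1700000000;
$key = $resets->request(42, $t0);
var_dump($resets->request(42, $t0 + 60) === null);              // second request inside 5 minutes
var_dump($resets->redeem(42, str_repeat('0', 40), $t0 + 120));  // wrong key
var_dump($resets->redeem(42, $key, $t0 + 3600));                // correct key within 24 hours
var_dump($resets->redeem(42, $key, $t0 + 3700));                // same key presented again
```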
We wanted to make updating to these improvements as easy as possible and have placed these improvements in v2.3.2 only. Additional bug fixes will soon arrive in v2.3.3, and a PHP 5.4 compatible release will arrive shortly after in v2.4.
A new discussion channel has been added to the forum to discuss upgrades from earlier versions.
haraldpdl · 14 years ago
During the Week..
Lots has happened during the week! Here is a summary of some of the events:
UTF-8 issues: Laurent discovered that PHP does not report errors in UTF-8, which causes problems for our custom ErrorHandler class, which logs errors in an SQLite3 database and retrieves them via JSON. Both SQLite3 and JSON require valid UTF-8 sequences. This problem can arise if PHP reports errors in a foreign language. The bug report is #259. A solution is still being looked into.
Some reports of MYSQL_ATTR_INIT_COMMAND being undefined have been submitted. This is a PHP v5.3.0 bug that only affects Windows. No workaround will be provided, so the solution is to upgrade the WAMP solution being used to a version using PHP v5.3.1 or later.
Our Bug Reporter now has separate categories for OSCOM v2.x and v3.x.
SessionAbstract now checks if the supplied session ID in GET/POST/COOKIE exists. If it does not exist, it ignores the supplied value and generates a new session ID to use.
Support for Site Domains will be introduced in v3.0.2, which allows each Site to have its own http server and cookie domain settings. For example, this allows Shop and Admin to be called as http://shop.oscommerce.com/index.php and http://admin.oscommerce.com/index.php (?Admin is not needed). Sites that require cookies to be shared must have proper cookie domain settings (e.g., ".oscommerce.com"). OSCOM::getDefaultSite() now checks against $_SERVER['SERVER_NAME'] to load the appropriate Site and default Site Application. OSCOM::getLink() automatically generates correctly formed URLs to Sites with different domains.
Some reports of OSCOM v3.0 not working with PHP v6.0-dev have been submitted. This is due to an old version of PHP v6.0-dev being used that does not support namespaces. According to this LWN article from March 2010, work on PHP v6.0-dev has been pushed to a separate branch and is no longer part of the main PHP development path. I downloaded the latest trunk version of PHP from their subversion development repository, compiled it, installed it, ran OSCOM v3.0.1 on it, and can happily report that it works superbly without any errors being reported! The version PHP reported is PHP v5.3.99-dev / Zend v2.4.0 and will be PHP v5.4 once released. This version finally removes deprecated functions and settings that still exist in PHP v5.3.
Work on a Phing build script has been started to build, test (PHPUnit), and package (ZIP) OSCOM download releases. Ultimately this will automatically build full download release packages, manual upgrade packages, and CoreUpdate Phar update packages.
The list of files and source code changes from v3.0.1 leading up to v3.0.2 can be viewed here.
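The SessionAbstract change in the summary above (ignore a supplied session ID that does not exist and generate a new one) is a defence against session fixation. The following is an added example of that check, not the framework's code: the function name, the parameter name "sid", the ID format and the cookie-first precedence are assumptions.

```php
<?php
// Added example, not osCommerce code. Function and parameter names are hypothetical.
declare(strict_types=1);

/**
 * Decide which session ID a request may use.
 * $exists is a lookup into the session storage (file, database, ...).
 * Returns [id, isNew].
 */
function resolve_session_id(string $name, array $get, array $post, array $cookie, callable $exists): array
{
    // Assumption: the cookie takes precedence over POST and GET.
    $supplied = $cookie[$name] ?? $post[$name] ?? $get[$name] ?? null;

    // Reject arrays (?sid[]=x) and anything that is not the format this example issues.
    $wellFormed = is_string($supplied) && preg_match('/\A[a-f0-9]{32}\z/', $supplied) === 1;

    if ($wellFormed && $exists($supplied)) {
        return [$supplied, false];
    }
    // Unknown ID: ignore it, so an ID planted by a third party never
    // becomes a live session.
    return [bin2hex(random_bytes(16)), true];
}

// Constructed storage holding one session the server issued earlier.
$issued = bin2hex(random_bytes(16));
$store  = [$issued => ['customer_id' => 7]];
$exists = static function (string $id) use ($store): bool {
    return isset($store[$id]);
};

[$id1, $new1] = resolve_session_id('sid', [], [], ['sid' => $issued], $exists);
[$id2, $new2] = resolve_session_id('sid', ['sid' => str_repeat('a', 32)], [], [], $exists);
[$id3, $new3] = resolve_session_id('sid', ['sid' => ['x']], [], [], $exists);

var_dump($id1 === $issued, $new1);              // ID known to the storage
var_dump($id2 !== str_repeat('a', 32), $new2);  // well-formed ID the server never issued
var_dump($new3);                                // value that is not a string
```

PHP's built-in session handling offers the same behaviour through the session.use_strict_mode setting.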
haraldpdl · 14 years ago
Improving CoreUpdate
One of the great new features of our framework is the ability to perform upgrades via the Admin Dashboard, where update packages are listed, modified files can be seen, and upgrades can be performed at the click of a button.
Unfortunately not everyone will get to experience how great this can work with the v3.0.1 release, as CoreUpdate in v3.0 can detect incorrect file permissions under certain server environments during an upgrade procedure and report a successful upgrade when no files were updated at all. This affects you if, after the upgrade to v3.0.1, v3.0.1 is still listed as an available update package to upgrade to.
Those affected can download the manual v3.0-to-v3.0.1 upgrade package to extract and copy over to their installation via FTP. Although also an easy procedure, this is not the kind of experience we want to share with you when upgrading.
We've taken this opportunity to improve CoreUpdate in v3.0.1 and are extremely pleased with how it now handles upgrades.
CoreUpdate utilizes Phar to download signed phar update packages from our server, to list the contents of the update package to show which files are going to be modified, and to extract the files over the installation to perform the upgrade.
It sounds easy, but when file permissions become an issue, Phar panics and produces a fatal error that can stop further processing of PHP code.
We've improved CoreUpdate to better handle file permissions and situations where Phar can produce unexpected errors. Instead of just extracting files in an update package to the installation, CoreUpdate now tracks which files are going to be modified, backs those files up, extracts the updated files in place, and if all files have been successfully updated, goes back and deletes the older files that are no longer necessary. If an unexpected error occurs, CoreUpdate deletes the files that have been extracted and restores the original files, automatically reverting to the original state.
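The backup, extract and rollback sequence described above, as an added example rather than CoreUpdate's own code. The function name and backup suffix are hypothetical, an array of path => contents stands in for the Phar package, and the signature verification mentioned earlier is outside its scope.

```php
<?php
// Added example, not CoreUpdate's code. Function names and the backup suffix are hypothetical.
declare(strict_types=1);

/**
 * Write $files (relative path => new contents, standing in for the entries of
 * an update package) below $root. Returns false and restores the original
 * state if any step fails.
 */
function apply_update(string $root, array $files): bool
{
    $backups = [];  // target path => backup path, for files that existed before
    $created = [];  // target paths that did not exist before
    try {
        foreach ($files as $rel => $contents) {
            $rel = (string) $rel;
            // Assumption: entries must stay inside the installation directory.
            if ($rel === '' || $rel[0] === '/' || in_array('..', explode('/', $rel), true)) {
                throw new RuntimeException("unsafe path: $rel");
            }
            $target = $root . '/' . $rel;
            if (is_file($target)) {
                $backup = $target . '.update-backup';
                if (!@copy($target, $backup)) {
                    throw new RuntimeException("cannot back up $rel");
                }
                $backups[$target] = $backup;
            } else {
                $dir = dirname($target);
                if (!is_dir($dir) && !@mkdir($dir, 0755, true)) {
                    throw new RuntimeException("cannot create directory for $rel");
                }
                $created[] = $target;
            }
            if (@file_put_contents($target, $contents) === false) {
                throw new RuntimeException("cannot write $rel");
            }
        }
    } catch (RuntimeException $e) {
        // Roll back: delete newly extracted files, put the originals back.
        // Directories created along the way are left in place.
        foreach ($created as $target) {
            if (is_file($target)) {
                unlink($target);
            }
        }
        foreach ($backups as $target => $backup) {
            rename($backup, $target);
        }
        return false;
    }
    // Every file was written: the backups are no longer needed.
    foreach ($backups as $backup) {
        unlink($backup);
    }
    return true;
}

// Constructed demo in a temporary directory.
$root = sys_get_temp_dir() . '/update-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/blocked', 0755, true);  // a directory sits where the package expects a file
file_put_contents($root . '/index.php', 'v1');

// Second entry cannot be written, so the first one has to be reverted.
var_dump(apply_update($root, ['index.php' => 'v2', 'blocked' => 'x']));
var_dump(file_get_contents($root . '/index.php'));

// Both entries can be written.
var_dump(apply_update($root, ['index.php' => 'v2', 'lib/new.php' => 'n']));
var_dump(file_get_contents($root . '/index.php'));
```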
There are a lot of server environments and file permissions CoreUpdate has to handle, and we're striving to make it "just work" to provide the best user experience possible.
CoreUpdate is still in its infancy. We imagine that update packages can first be tried before an actual upgrade is performed, to test and make sure customizations continue to function as normal in a live environment. Phar allows this and we look forward to taking advantage of its full feature set to make this possible.
We know that feeling of pushing an "Upgrade" button and want to turn that fear into a pleasurable moment. We enjoy the challenges of working with the strictest levels of error reporting to enrich our creativity and produce even better code.
And we can't wait to bring CoreUpdate to Add-Ons!
haraldpdl · 14 years ago
The New Framework Architecture (Part One: Site! Application! Action!)
This is the first of a multi-part series documenting the new framework architecture of osCommerce Online Merchant v3.0.
Those that have not been following the development of the new framework will receive quite a shock when they download the osCommerce Online Merchant v3.0 release package and start inspecting its source code. The new OO/MVC design approach will be completely foreign to those accustomed to the procedural style design v2.2 was based on. This is a new ballpark to play in, and it’s open for everyone to participate!
The first difference that will be seen is the new file and directory structure of the framework, specifically how clean it is. What’s provided is:
index.php
public/
osCommerce/
That’s it! The index.php file initiates the framework and the public directory holds site and template related images, stylesheets, javascript, and other assets that must be publicly available. The osCommerce directory is where the source code of the framework resides, and it is recommended to move it to a PHP include directory that is outside of the public html directory serving the website.
The framework is initialized by the main OSCOM controller located at osCommerce/OM/Core/OSCOM.php. Its main responsibility is to automatically load Sites, Applications, and Actions depending on the request URL.
Sites? Applications? Actions?
These are new modular sections of the framework that build the website. Correction, that build websites. The basis of the framework is flexible to support different kinds of websites, for example, a website content management system, a blog, a forum, etc., and with your help, will be improved on in future releases to support the building of such sites even easier. Our primary focus will remain on e-commerce - we can’t wait to see what the community builds in addition!
osCommerce Online Merchant v3.0 is built with the following four Sites:
Shop
Admin
RPC
Setup
The Shop Site is the frontend of the shop, the Admin Site is the administrative backend to the shop, the RPC Site manages JSON requests, and the Setup Site installs and configures new installations.
The first part of the request URL loads the specific Site. For example, the Shop Site would be loaded with the following URL:
http://demo.oscommerce.com/index.php?Shop
Sites are formed by areas packaged as Applications. The Shop Site includes the Account, Checkout, and Products Applications, which are loaded by the second part of the request URL:
http://demo.oscommerce.com/index.php?Shop&Account
Applications define the default page content to load and can be fine-tuned with Actions. Actions override the default loading page and can execute certain functionality that is loaded by the third part of the request URL. The log in page, which is part of the Account Application, can be loaded with the following URL:
http://demo.oscommerce.com/index.php?Shop&Account&LogIn
Actions are recursive - the processing of the log in page is performed by the following URL:
http://demo.oscommerce.com/index.php?Shop&Account&LogIn&Process
This allows new Sites, Applications, and Actions to be copied to the framework directory which work immediately without the need to edit core source code files.
The controllers loaded for the above examples are defined in the following file and directory structure:
osCommerce/OM/Core/Site/Shop/Controller.php
osCommerce/OM/Core/Site/Shop/Application/Account/Controller.php
osCommerce/OM/Core/Site/Shop/Application/Account/Action/LogIn.php
osCommerce/OM/Core/Site/Shop/Application/Account/Action/LogIn/Process.php
Sites and Applications are self-contained. Their required classes are located in their own Site and Application directories, and are accessible by other Sites and Applications.
A default Site is defined in the configuration to load for requested Sites that do not exist, and to shorten the URLs used within the default Site. The default Site for new installations is Shop allowing for the following shortened URL:
http://demo.oscommerce.com/index.php?Account&LogIn
This works only for Sites and Applications that do not share the same names. For example, the above URL would load the Account Application and LogIn Action from the Shop Site if no Account Site exists. If an Account Site exists, it would be loaded instead with its LogIn Application.
Custom modifications to the framework must be performed in the following directory:
osCommerce/OM/Custom/
This directory is empty for new installations and follows the same file and directory structure as the osCommerce/OM/Core/ directory. Before files are loaded from the Core directory, a check is performed to see if a matching named file exists in the Custom directory to load instead. This allows for any part of the core framework to be overridden and for the core framework to be easily updated to newer releases without losing custom modifications.
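The request-to-controller mapping and the Custom-before-Core lookup described in this post, as an added example that is not the framework's OSCOM controller. The function names are hypothetical, and the rule that route names must be plain identifiers is an assumption of the example, made so that request data cannot select files outside the expected directories.

```php
<?php
// Added example, not the framework's OSCOM controller. Function names are hypothetical.
declare(strict_types=1);

/** Look in Custom before Core, as the post describes; null when neither has the file. */
function find_file(string $base, string $rel): ?string
{
    foreach (['Custom', 'Core'] as $tree) {
        $path = "$base/osCommerce/OM/$tree/$rel";
        if (is_file($path)) {
            return $path;
        }
    }
    return null;
}

/** Map a query string such as "Shop&Account&LogIn&Process" to controller files, in load order. */
function resolve_request(string $base, string $query, string $defaultSite): array
{
    $names = [];
    foreach (explode('&', $query) as $part) {
        $name = explode('=', $part, 2)[0];
        // Assumption: names are plain identifiers. Anything else (dots,
        // slashes, encoded bytes) ends the route before it reaches a file path.
        if (preg_match('/\A[A-Za-z][A-Za-z0-9_]*\z/', $name) !== 1) {
            break;
        }
        $names[] = $name;
    }
    // The first name selects a Site only when that Site exists.
    $site = $defaultSite;
    if ($names && find_file($base, "Site/{$names[0]}/Controller.php") !== null) {
        $site = array_shift($names);
    }
    $files = [find_file($base, "Site/$site/Controller.php")];
    $app = array_shift($names);
    if ($app !== null) {
        $rel = "Site/$site/Application/$app";
        $file = find_file($base, "$rel/Controller.php");
        if ($file !== null) {
            $files[] = $file;
            $rel .= '/Action';
            foreach ($names as $action) {  // Actions nest: LogIn.php, then LogIn/Process.php
                $rel .= "/$action";
                $file = find_file($base, "$rel.php");
                if ($file === null) {
                    break;
                }
                $files[] = $file;
            }
        }
    }
    return array_values(array_filter($files));
}

// Constructed installation tree in a temporary directory.
$base = sys_get_temp_dir() . '/oscom-demo-' . bin2hex(random_bytes(4));
$tree = [
    'Core/Site/Shop/Controller.php',
    'Core/Site/Shop/Application/Account/Controller.php',
    'Core/Site/Shop/Application/Account/Action/LogIn.php',
    'Core/Site/Shop/Application/Account/Action/LogIn/Process.php',
    'Custom/Site/Shop/Application/Account/Action/LogIn.php',  // a customization
];
foreach ($tree as $rel) {
    $path = "$base/osCommerce/OM/$rel";
    if (!is_dir(dirname($path))) {
        mkdir(dirname($path), 0755, true);
    }
    touch($path);
}
foreach (['Shop&Account&LogIn&Process', 'Account&LogIn', 'Shop&Account&../Other&Process'] as $query) {
    echo $query, "\n";
    foreach (resolve_request($base, $query, 'Shop') as $file) {
        echo '  ', substr($file, strlen($base) + 1), "\n";
    }
}
```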
Stay tuned for The New Framework Architecture (Part Two: Namespaces)
haraldpdl · 14 years ago
Open Source Rocks!
We are fortunate to have a unique relationship with our community that is based on trust. This was built on and earned naturally from the very beginning when we first announced ourselves to the world in March 2000. Our user base has grown from a few people to millions worldwide, attracted through curiosity and interest - not by hype or marketing campaigns.
Attracting such a large amount of interest was possible by releasing our products under the Open Source GNU General Public License and allowing people not only to work with the source code of our products, but to actively participate in discussions and development, and be involved in the direction we were taking.
We were first called "The Exchange Project" to reflect the relationship between sellers and buyers exchanging goods, and to also reflect people participating and exchanging ideas in our community. Our first slogan was "Community Made Shopping".
We introduced a lot of our community members to PHP and Open Source. Store Owners that had enough of the limitations of point-and-click solutions now had the power to dive into the actual source code of our products and to perform the modifications they required. They shared the same beliefs in exchanging ideas and Open Source, and started to contribute additional features to share with the community.
There are now over 6,400 Add-Ons that have been contributed by our community members, available for free as Open Source for others to use, modify, and help improve on. That’s over 27,000 uploaded archives with over 48,000,000 lines of code! Our Community Rocks!
Not only has Open Source helped us establish a thriving worldwide community of store owners, developers, and enthusiasts, it has also created opportunities outside our community by spawning many project forks, commercial solutions, and commercial services, and has also inspired and influenced many Open Source and commercial solutions available today.
The GNU General Public License has served us well for 11 years and with the launch of osCommerce Online Merchant v3.0, it is now time to move on and target higher goals. We want to take our success with Open Source even further and continue sharing it with you. We want to create even more business possibilities and opportunities for store owners, developers, and our community. We want to spawn even more project forks, commercial solutions, and commercial services that anyone and everyone can profit from. We want to be at the core of e-commerce!
To make this possible, osCommerce Online Merchant v3.0 will be released under the BSD license, completely. All source code including the core framework and modules will be published under the BSD license. Sharing all of our hard work, for free, under the BSD license. We are giving you total freedom! This will drive innovation and competition further in our eco-system.
Community members now have the choice to release their Add-Ons under a BSD compatible license or to continue using the GNU General Public License. Commercial Add-Ons will be accepted later this year through an integrated market place providing the best user experience we can offer.
We are one of the first general solutions to move to PHP 5.3, and are now also one of the first general solutions to move completely to the BSD license and give you total freedom. Open Source Rocks!
haraldpdl · 14 years ago
So what is this stuff called Open Source about anyway? Mark Webbink, Deputy General Counsel for Red Hat, delivers a broad overview of the software licenses around Open Source.
haraldpdl · 14 years ago
Minimum Requirements Check
A script is available to check the minimum requirements and settings for osCommerce Online Merchant v3.0 on a PHP enabled webserver.
To check your server, download the following package from Github, unpack it, copy oscom_check.php to a public html directory on your server, and call it with your browser.
https://gist.github.com/gists/881326/download
An example output of the results can be seen at:
http://countdown.oscommerce.com/oscom_check.php
osCommerce Online Merchant v3.0 will successfully run on your server when all required conditions have been met and are shown as green.
haraldpdl · 14 years ago
Roadmap for 2011
The biggest milestone in our history will be reached on March 31 2011 with the release of osCommerce Online Merchant v3.0. This is the result of years of hard work, community feedback, and patience! We thank the community and our partners tremendously for their support during this long development phase and look forward to working with you in achieving our goals for 2011.
Each piece of the puzzle we've blogged about previously has now come together and formed the framework as v3.0. The focus on this release is to provide a solid and flexible base that can be built on with exciting new core framework and user features, and to be easily extended on with Add-Ons.
Our vision is not to provide one or more full feature packed "enterprise-ready" solutions but to provide a solid core framework that can be easily customized and extended on to meet specific requirements.
The framework has finally reached the stage of being production-ready. The release date of March 31 was set to freeze and clean the API to provide a solid-as-possible framework to start building on. Most of the new exciting user features we had wished for v3.0 will not arrive with the initial release as it would have otherwise delayed the release even longer. We strived for perfection and are now delivering as fantastic.
Our release strategy is now changing from delaying releases until a set number of new features are ready for production use, to pushing out new features as soon as they are ready. Features and bug fixes belong in products, not in development repositories!
The flexibility of the framework allows us to release early, release often without conflicting with customizations. Updates are safely applied through the Administration Dashboard after displaying which core files are to be modified. Customizations are performed in a separate namespace that override core framework functionality.
The level of hard work does not stop on March 31 but will continue strongly throughout April and coming months to push out regular update releases that fix bug reports and introduce user features that did not make it for the v3.0 release.
April will be an extremely busy and exciting month we can't wait for!
Our versioning scheme is now improving: we will no longer publish Preview, Milestone, Release Candidate, Alpha, or Beta releases, only fully supported production-ready releases. Each version number will be in the form of X.Y.Z (e.g., 3.0.0) where X is increased for major incompatible releases, Y for minor API changes, and Z for bug fixes and new features that don't break compatibility with earlier versions.
Each API change will be documented for developers to review.
From April we are going to:
Be active in the community to help developers understand the framework and store owners its user features
Update remaining Applications and Modules that were not finalized for the v3.0 release
Provide a database import tool for existing v2.2RC2, v2.3.1 and v3.0A5 users
Start a localization site for translators to use and build language translation packages
Document v3.0 framework and user features
Finalize MS SQL Server database abstraction queries
Extend the CoreUpdate Application to also support installed Add-Ons
Allow Phar packaged Add-Ons to be tested without the need to install them first
Continually improve existing features and introduce exciting new features
In addition we are looking for new talent to help us:
Improve overall UI design
Support database servers with our abstracted queries
Continue to improve the core framework
We are looking forward to expanding our team and to improve our products and services. Contact us if we don't find you and you're passionate about Open Source and E-Commerce!
haraldpdl · 14 years ago
Countdown to v3.0
We are extremely proud to count down to March 31 for the release of osCommerce Online Merchant v3.0 and to cause a disruption in the Open Source and e-commerce community. Our future goals are based on this new foundation that will continually be improved on to meet the demands of tomorrow's store owners and developers.
We are one of the first general Open Source solutions to move to PHP 5.3 and now stand tall at the front in utilizing today's standards and technologies. This is the result of a lot of hard work based on community feedback; not to try and achieve the best feature-packed e-commerce solution in the market but to remain focused on a solid core framework that can be extended by store owners and developers to meet unique requirements. This was a huge success with over 6,400 Add-Ons being provided by the community for the v2 series, which we aim to take even further with the next v3 series.
v3.0 has evolved in multiple phases starting with v2.2 Milestone 3 to v3.0 Alpha 5, resulting in a new solid and flexible core framework. Its long development path ends March 31 2011, reaching a major milestone for osCommerce.
Stay tuned for exciting articles regarding v3.0 and our future plans that will be published leading up to the release. We thank our community members and partners for their continued support over the past 11 years, and are anxious to keep rocking for the next 11 years and more to come!
Count down with us at: http://countdown.oscommerce.com
haraldpdl · 14 years ago
Announcing the release date for osCommerce Online Merchant v3.0
haraldpdl · 15 years ago
Brian Swan, PHP Developer Advocate at Microsoft, showcases PHP Manager 1.1 for IIS 7.
haraldpdl · 15 years ago
Music to listen to during the development cycle. Release (by Patti Labelle) courtesy of Matthijs. Know a song that fits in the playlist? Share it! :-)
haraldpdl · 15 years ago
Thanks for all the birthday wishes! Two self-baked cakes that didn't survive the family party :-)
haraldpdl · 15 years ago
One expensive accessory! via Walyou
haraldpdl · 15 years ago
OSCOM v2.3 Pre-Release Notes
[Updated on 8th November 2010]
We stated earlier that the next osCommerce Online Merchant releases would be v2.2 and v3.0 and that we wouldn’t be publishing any more alpha, beta, or release candidate labelled versions. The next v2.2 release was declared as “v2.2final” to finalize the versioning cycle it went through, from “Milestone 1” to “Release Candidate 2a”.
To better distinguish the final v2.2 release from its earlier versions, the version number will jump to and be released as v2.3.
The upgrade guide to v2.3 (from “v2.2 Release Candidate 2a”) will be split into the following sections:
Bugfixes
PHP 5.3 Compatibility Changes
New Features
This makes it easier for store owners and developers to apply the bugfixes to their existing installations, and to choose which new core features they’d like to apply.
Some of the new features include:
Tokenize forms to customer sessions
Automatic Administration Tool logins through Basic HTTP Authentication (htpasswd)
New currencies can be added through a pre-populated list of common currencies
Modular Action Recorder implementation to limit and log certain functions, including:
Administration Tool login attempts
Tell A Friend e-mails
Contact Us e-mails
Security Directory Permissions for the Administration Tool shows which directories are writable
Version Checker for the Administration Tool to check for new versions
Store Logo for the Administration Tool to easily upload a new store logo
Modular Social Bookmarks implementation to share products on social sites, including:
Digg
Facebook and Facebook Like
Google Buzz
Twitter and Twitter Button
Export Server Information for the Administration Tool to help with bug reports
Allow guest orders through PayPal Express Checkout
Modular Header Tags implementation, including:
Google Analytics and E-Commerce Tracking
MailChimp E-Commerce 360
OpenSearch
Categories (SEO)
Manufacturers (SEO)
Products (SEO)
HTML layout separated and moved to new template_top.php and template_bottom.php files, including:
jQuery UI design
960 Grid System CSS Framework
Password hashing algorithm changed to Portable PHP hashing for customer and administrator passwords
Security Check modules for add-ons to check on server requirements
Administration Tool Dashboard widgets, including new charts
Modular Boxes to inject content anywhere in the HTML layout
Multiple Product Images with large images and HTML content for Flash videos
The online demonstration site has been updated to showcase the new features of osCommerce Online Merchant v2.3 at:
http://demo.oscommerce.com
osCommerce Online Merchant v2.3 will be released on the 12th November 2010.
Interested in the latest developments of osCommerce Online Merchant v3.0? Find out at:
http://www.oscommerce.info/confluence/display/OSCOM30