Miva Merchant Empresa/Mia/Script Compiler v5.09 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 5659: POP3 handling of STAT response incorrectly allocates POP3Message array 5663: Mia: Logging into MM5 results in empty or error page (all POST forms broken) 5684: with no VALUE attribute reports "MvASSIGN requires the NAME attribute" 5690: MvPACK on dBase table without memo fields uses uninitialized variable and can cause a crash 5691: UNIX VM: exists() requires read access to the target, which is different than 5.06 and earlier 5696: Assigning a variable to itself results in an overlapped memcpy() 5709: Win32FileManager::Rename cannot replace files open in another process/thread 5710: MvPACK: Errors occurring while the original table is closed lead to crashes 5731: running mivavm-v5.08 .exe removes Synchro registration info 5758: Upgrade from Mia/Empresa 5.06 or earlier leaves the installation with broken commercelibs setting 5760: Empresa setup fails to remove script mapping on uninstall 5774: Miva Merchant Mia - Installation with Upgrade from Mia 5.06 doesn't install properly 5776: Miva Merchant Empresa 5.09 / Win03 - Miva Merchant Empresa tab is missing from IIS Default Web Site Properties when upgrading directly from 5.06 to 5.09 5781: Mia: Upgrade does not preserve errorsettings or maxdocache registry values 5782: Win32 Compiler Installer does not set MVC_LIB environment variable 5783: Win32 Compiler Installer does not remove msc_license.txt when upgrading from 5.06 Other Changes ------------- - When renaming a file on Windows, if the rename fails because the process does not have permissions to read an existing destination file, the engine no longer enters an infinite loop. New Builtin Functions --------------------- - crypto_sha256( buffer var, format, result var ) Calculates the SHA-256 hash of "buffer", storing the result in "result". Format may be one of "binary" or "hex". - crypto_hmac_sha256( buffer var, key, format, result var ) Calculates the SHA-256 HMAC of "buffer" using binary key "key", storing the result in "result". Format may be one of "binary" or "hex". - Note: The SHA-256 functions may not be available on platforms running older versions of OpenSSL. SHA-256 was introduced in OpenSSL v0.9.8. On platforms with a version of OpenSSL that does not support SHA-256, the functions will return 0. Miva Merchant Empresa/Mia/Script Compiler v5.08 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 5621: The level arguments to the -p option of mvc do not work as expected 5623: MIVAVM - Notification Server not working in store admin 5636: Non-SSL MvCALL callreturnheaderN values are missing their last character 5651: The -P option to mvc detects the errors and prints diagnostics but does not cause the compiler to exit with a failure code. 5652: 3.x Config: Relative paths to authfile are handled differently than 5.06 5655: Miva Merchant 5.5 PR5: core-16 patch installation fails on 5.07 engine 5656: miva_array_sort can cause an engine crash with numeric sort callback and non-numeric data (actually related to the number of items being sorted) 5657: MivaVM::cat does not NULL terminate the resulting string 5658: Inconsistent segfault in MvCREATE when DATABASE is the result of an expression 5663: Logging into MM5 results in empty or error page (all POST forms broken) Configuration Changes --------------------- - The UNIX 3.x configuration library now supports a new directive, "builtindir". When specified, the engine loads all builtin function libraries found in the configured directory path. This functionality is similar to the environment based configuration's MvCONFIG_DIR_BUILTIN directive. New Builtin Functions --------------------- - New GD library functions have been added allowing images to be created from data stored in a variable instead of a file: gdImageCreateFromPngMem( data var ) gdImageCreateFromGifMem( data var ) gdImageCreateFromWBMPMem( data var ) gdImageCreateFromJpegMem( data var ) gdImageCreateFromGdMem( data var ) gdImageCreateFromGd2Mem( data var ) - New GD library functions have been added allowing images to be written to a variable instead of a file: gdImagePngMem( im, output var ) gdImageGifMem( im, output var ) gdImageWBMPMem( im, fg, output var ) gdImageJpegMem( im, output var, quality ) gdImageGifAnimBeginMem( im, GlobalCM, Loops ) gdImageGifAnimAddMem( im, ctx, LocalCM, LeftOfs, TopOfs, Delay, Disposal, previm ) gdImageGifAnimEndMem( ctx, output var ) - New GD library functions have been added allowing images to be written directly to the output stream: gdImagePngOutput( im ) gdImageGifOutput( im ) gdImageWBMPOutput( im, fg ) gdImageJpegOutput( im, quality ) gdImageGifAnimBeginOutput( im, GlobalCM, Loops ) gdImageGifAnimAddOutput( im, LocalCM, LeftOfs, TopOfs, Delay, Disposal, previm ) gdImageGifAnimEndOutput() Miva Merchant Empresa/Mia/Script Compiler v5.07 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 903: Fatal error on Windows servers- mysql_init failure 909: securityoptions differences between 5.02 and 5.03 1003: fscopy on a directory doesn't act as expected 1015: Directories created by streaming updates have no access to others 1446: crypto_sha1 may return sha1 hash of undefined value 1565: EULAs in VM and compiler software need updating. 1659: Insufficient feedback for disk space errors. 1805: Packaged certificate files are out of date 1916: MySQL: unsupported buffer type error 1934: Does our ROUND operator employ banker's rounding? 2368: Add array sort function to the language 3739: Drop table fails to drop index 4199: Product sorting bug reported by partner hosts 4519: limitation on number of stores 4535: engine crashes when calling crypto_md5_file on certain files 4536: Query causing engine crash with MivaSQL db library 4622: Expressions in MvDO parsed differently than other expressions 4626: MvCAPTURE does not properly terminate its result. 4672: Scripts cannot capture/handle MvCALL timeouts 4673: tar_create output cannot be opened in WinRAR or 7-Zip 4678: URLs bleed through SMT mvt:comment tags 4679: Template Compiler generates debugging files in production version 4687: File upload corrupts data when a line begins with "--" 4701: Template compiler reports error when ampersand used in param 4783: decimal fields are bound as type "unknown" when connecting to 5.0 or 5.1 4785: Storemorph won't display global array variables. 4803: Crash when ALTER TABLE is used on a previously referenced table 4930: Template Compiler outputs incorrect lineno instructions 4933: CGI temporary directory uses data directory configuration settings 4934: UNIXFileManager::DirectoryListing leaks DIR handles 4945: Engine capture mechanism should not fail on setuid during restore 4947: UNIXFileManager::ModifiedTime uses lstat(), not stat() 4950: 3.x API supports "commerce" path, 5x API does not 4957: MvPOP uses MakeTemporary inefficiently 4959: MvLOCALIZED always outputs the first language encountered 4960: TaggedFile::Section_Read[_Start]() return values are improperly handled 4962: NetworkConnection SSL certificate handling needs to be revamped 4964: Encoded filenames in open errors leak memory 4965: Session IDs are not sufficiently random 4968: MvCALL TIMEOUT attribute leaks into subsequent MvCALLS 4969: Network reads should never have an infinite timeout 4970: Multiple CRYPT operations in the same expression get the same value 4972: Buffer overflow in MvPOP 4973: MvPOP gets stuck in an infinite loop when the server terminates the connection 4978: tar_create crashes when the source directory does not exist and compression is enabled 4980: Win32 packaging and branding requires update 4983: Template Compiler gets confused by mismatched quotes 4984: Template Compiler misbehaves when semicolon omitted from mvt entity 5006: CGI VM won't handle ";" in content type for posted form data 5009: Non-Miva files having their size reported incorrectly. 5010: Entering a slash after the filename outputs compiler code in the main window 5012: Order Management feature is intermittently not loading some order data in Mia 5036: Entities preceeded by empty/self closed tags are not interpreted 5073: Column reference validation errors are reported as blank in some cases 5075: GROUP BY is incorrectly applied when also using UNION 5078: File descriptor leak in MvOPENVIEW/MvCLOSEVIEW 5115: Alter table in MivaSQL can lose all data in the table 5203: MivaApplication::DecodeAttributes generates invalid characters when given invalid input 5221: Passing a non-array to the glosub_array "replace" parameter crashes 5281: mktime_t does not return -1 when given an invalid date 5325: time_t functions have no ability to properly account for daylight savings time 5532: Network::OpenURL() (MvCALL) does not handle network write errors 5542: Admin secure redirect does not work on IIS 5571: xml_parse terminates in-progress xml_parse_section 5576: xml_parse_section_[get|set]state cause segfault if used immediately after xml_parse_section_init() 5578: MivaApplication::itos with INT_MIN overwrites memory and crashes 5579: MivaApplication::dtos does not handle NaN or Infinity correctly 5580: Crash when making a variable a reference to one of its children 5581: Whitespace compression fails to suppress blank first line 5584: MvLOCALIZED uses primary language when attempting to fall back to default language 5592: MvCALL only supports HTTP GET, HEAD and POST methods New Builtin Functions --------------------- - xml_parse_var( var var, output var ) - xml_parse_set_colon_replacement( colon ) - miva_struct_members( aggregate var, members var ) - miva_array_sort( aggregate var, callback, data var ) - miva_array_min( aggregate var ) - miva_array_next( aggregate var, index ) - miva_array_previous( aggregate var, index ) - miva_template_compile_itemlist( signat, source var, sourceitems var, target, errors var ) - miva_template_compile_dump( source var, errors var ) - All builtin time functions which accept a "timezone" parameter (mktime_t(), time_t_year(), etc...) now accept the string value "local" for this parameter, which allows the underlying operating system to apply daylight savings time rules for the current timezone. - New system logging functions have been implemented for both Windows and UNIX hosts. On Windows, log messages are written to the event log. On UNIX, log messages are sent to the syslog facility: miva_openlog( ident, logopt, facility ) miva_closelog() miva_setlogmask( maskpri ) miva_writelog( priority, message ) - All libgd 2.x functions are now supported. The builtin functions are also compatible with GD 1.x installations, in which case 2.x specific functions will fail gracefully: gdImageCreate( sx, sy ) gdImageCreateTrueColor( sx, sy ) gdImageCreateFromPng( filename, location ) gdImageCreateFromGif( filename, location ) gdImageCreateFromWBMP( filename, location ) gdImageCreateFromJpeg( filename, location ) gdImageCreateFromGd( filename, location ) gdImageCreateFromGd2( filename, location ) gdImageCreateFromGd2Part( filename, location, srcx, srcy, w, h ) gdImageDestroy( im ) gdImageSetPixel( im, x, y, color ) gdImageGetPixel( im, x, y ) gdImageGetTrueColorPixel( im, x, y ) gdImageAABlend( im ) gdImageLine( im, x1, y1, x2, y2, color ) gdImageDashedLine( im, x1, y1, x2, y2, color ) gdImageRectangle( im, x1, y1, x2, y2, color ) gdImageFilledRectangle( im, x1, y1, x2, y2, color ) gdImageSetClip( im, x1, y1, x2, y2 ) gdImageGetClip( im, x1P var, y1P var, x2P var, y2P var ) gdImageBoundsSafe( im, x, y ) gdImageStringFT( im, brect var, fg, fontlist, ptsize, angle, x, y, string ) gdImagePolygon( im, points var, n, color ) gdImageOpenPolygon( im, points var, n, color ) gdImageFilledPolygon( im, points var, n, color ) gdImageColorAllocate( im, r, g, b ) gdImageColorAllocateAlpha( im, r, g, b, a ) gdImageColorClosest( im, r, g, b ) gdImageColorClosestAlpha( im, r, g, b, a ) gdImageColorClosestHWB( im, r, g, b ) gdImageColorExact( im, r, g, b ) gdImageColorExactAlpha( im, r, g, b, a ) gdImageColorResolve( im, r, g, b ) gdImageColorResolveAlpha( im, r, g, b, a ) gdImageColorDeallocate( im, color ) gdImageCreatePaletteFromTrueColor( im, ditherFlag, colorsWanted ) gdImageTrueColorToPalette( im, ditherFlag, colorsWanted ) gdImageColorTransparent( im, color ) gdImagePaletteCopy( dst, src ) gdImagePng( im, filename, location ) gdImageGif( im, filename, location ) gdImageWBMP( im, fg, filename, location ) gdImageJpeg( im, filename, location, quality ) gdImageGifAnimBegin( im, filename, location, GlobalCM, Loops ) gdImageGifAnimAdd( im, out, LocalCM, LeftOfs, TopOfs, Delay, Disposal, previm ) gdImageGifAnimEnd( out ) gdImageFilledArc( im, cx, cy, w, h, s, e, color, style ) gdImageArc( im, cx, cy, w, h, s, e, color ) gdImageEllipse( im, cx, cy, w, h, color ) gdImageFilledEllipse( im, cx, cy, w, h, color ) gdImageFillToBorder( im, x, y, border, color ) gdImageFill( im, x, y, color ) gdImageCopy( dst, src, dstX, dstY, srcX, srcY, w, h ) gdImageCopyMerge( dst, src, dstX, dstY, srcX, srcY, w, h, pct ) gdImageCopyMergeGray( dst, src, dstX, dstY, srcX, srcY, w, h, pct ) gdImageCopyResized( dst, src, dstX, dstY, srcX, srcY, dstW, dstH, srcW, srcH ) gdImageCopyResampled( dst, src, dstX, dstY, srcX, srcY, dstW, dstH, srcW, srcH ) gdImageCopyRotated( dst, src, dstX, dstY, srcX, srcY, srcWidth, srcHeight, angle ) gdImageSetBrush( im, brush ) gdImageSetTile( im, tile ) gdImageSetAntiAliased( im, c ) gdImageSetAntiAliasedDontBlend( im, color, dont_blend ) gdImageSetStyle( im, style var, n ) gdImageSetThickness( im, thickness ) gdImageInterlace( im, interlaceArg ) gdImageAlphaBlending( im, alphaBlendingArg ) gdImageSaveAlpha( im, saveAlphaArg ) gdImageCompare( im1, im2 ) gdTrueColor( r, g, b ) gdTrueColorAlpha( r, g, b, a ) gdImageTrueColor( im ) gdImageSX( im ) gdImageSY( im ) gdImageColorsTotal( im ) gdImageRed( im, c ) gdImageGreen( im, c ) gdImageBlue( im, c ) gdImageAlpha( im, c ) gdImageGetTransparent( im ) gdImageGetInterlaced( im ) gdImagePalettePixel( im, x, y ) gdImageTrueColorPixel( im, x, y ) gdImageSquareToCircle( im, radius ) gdImageStringFTCircle( im, cx, cy, radius, textRadius, fillPortion, font, points, top, bottom, fgcolor ) gdImageSharpen( im, pct ) gdClearLastError() gdLastError() API Changes ----------- - mvFile_Resolve has been deprecated as there is no secure way to resolve a path and then separately open it without introducing a race condition that could allow an application to break out of the sandbox. - New functions have been added to access the new system library registry: mvSystemLibrary mvProgram_SystemLibrary( mvProgram program, const char *code ); void *mvSystemLibrary_GetFunction( mvSystemLibrary library, const char *function_name ); const char *mvSystemLibrary_Error( mvProgram program, mvSystemLibrary library, int *error_length ); - The configuration API version has been changed (to 2), and a new function, load_script_config_v2( mvConfig, void **, const char *, mvFile ) now replaces load_script_config. Version 1 configuration libraries that provide load_script_config() will no longer function. Compiler Changes ---------------- - A new compiler option, -O , performs basic obfuscation of string constants by splitting them into chunks long. After splitting, duplicate chunks are "compressed" (not repeated) when written to the output .mvc file. - A new compiler option, -d, causes the compiler to output pseudo-C code suitable for use with Doxygen for generating automated documentation. - The compiler no longer requires license validation. Other Changes ------------- - Support for the ODBC database connector has been dropped. - MvREFERENCEARRAY now correctly applies its aggregate tags (MvDIMENSION, MvMEMBER) to the variable specified by the VARIABLE attribute, rather than the destination variable specified by NAME. - The MySQL connector library now automatically reestablishes connections that were lost while a long running SQL statement was in progress on a secondary connection. - The MySQL connector library now uses less memory when dealing with resultsets with multiple BLOB columns. - On UNIX, the engine may now be configured to capture and replay requests, for debugging purposes. Two configuration settings control this option: 3.x Configuration: capture_trigger_file= capture_file= Environment Based Configuration: MvCONFIG_CAPTURE_TRIGGER_FILE= MvCONFIG_CAPTURE_FILE= When configured, if the specified trigger file exists, the engine will dump its input state into a file created using the prefix specified by the capture file option. The capture files may then be replayed from the commandline by appending the "-c " parameters. For example: $ /var/www/cgi-bin/mivavm -c /tmp/capture001 - The MySQL connector library now properly calls my_init(), which should resolve most multithreading issues that occured on Windows platforms. - Support for the Authorize.Net commerce library has been dropped. - The tag now supports attribute IDENT, which may be used to add rcs-style ident tags to compiled MivaScript files - Newly created MivaSQL databases now support table and index names up to 64 characters long. - The file management code that maintains the script and data directory sandbox has been completely rewritten to eliminate race conditions and restore proper functionality when handling symbolic links. The existing functionality was broken in v5.03. - Files created by the engine now properly apply umask. - MvLOCALIZED support in previous versions was completely broken. The new version restores the 3.x functionality. Scripts compiled with pre-5.07 compilers which make use of MvLOCALIZED will have to be recompiled using 5.07 in order to function properly. - Network operations which have their own configurable timeouts (MvCALL, MvSMTP, etc...) now use the global timeout if no operation-specific timeout is specified. - Implemented proper timeout handling for MvSMTP and MvCALL. - Network protocols that need to read a line of input at a time (SMTP, POP, HTTP, etc...) now do so much more efficiently. - MakeSessionID() now generates statistically more random session identifiers. - ROUND operations now truly use banker's rounding. In previous versions, a banker's rounding algorithm was applied, but would sometimes fail to produce the expected result due to inaccuracies inherent in floating point numbers. The new system applies correction code for these inaccuracies prior to performing the rounding. - The template compiler has been completely rewritten to fix a large number of parser related bugs. - A new system library registration mechanism has been added. Presently, this mechanism is only used to locate an installation of libgd for the GD builtin functions: Win32: The library registration dialog now supports a "System" library type. 3.x Configuration: Environment Based Configuration: MvCONFIG_SYSTEMLIB_= - Builtin functions have been added implementing all libgd 2.x functionality. - When running under IIS, the engine now properly detects and manages mismatches between an IIS virtual directory path and the configured Miva root directory. - A new DWORD registry setting "maxdocache" allows configuration of the maximum number of MvDO'd files to be cached on Win32. This setting is not exposed through the user interface. - Handling of INFINITY, NaN, and values larger than INT_MAX or smaller than INT_MIN is now uniform between Windows and UNIX platforms. - MvCALL now supports additional METHOD values "OPTIONS", "PUT", "DELETE", "TRACE", and "CONNECT". Data handling for these action values is identical to "RAW".