Miva Merchant Empresa/Mia/Script Compiler v5.18 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 10177: Builtins: string: gettoken() fails to retrieve tokens after an ASCII NULL when NULLs are contained in the "string" parameter 10281: Builtins: system: miva_array_next/previous return incorrect values when asked for the next/previous element of a non-existent array element 10323: Builtins: system: miva_variable_value returns fatal error when variable name contains "[]" 10415: Builtins: system: miva_array_search does not provide any information when an invalid filter expression is provided 10065: Builtins: template: mvt:if with empty expr results in a stack underflow at runtime 10414: Compiler: Nested MvFOREACH that reuses an index from a previous version results in incorrect looping 10503: Compiler: Nested MvFOR that reuses an index from a previous version results in incorrect looping 10151: Diagnostic Application: Directories are not properly identified during the Script Directory Contents test if diag6.mvc is in a subdirectory 10327: Miva Mia: s.remote_host does not behave like other variables 9701: MivaSQL: MvOPEN errors cause the internal connection context to be leaked 9708: MivaSQL: Invalid read of size 1 when DATABASE is an empty string 9694: MySQL Connector: Frequent crashes at address 0x0001fbf3 in MVDMYSQL.DLL when connecting to a MySQL server 9700: MySQL Connector: MvOPEN errors cause the internal connection context to be leaked 10351: MySQL Connector: Connection string does not properly handle IPv6 addresses 10222: Profiling Tool: Segmentation fault when processing log with mismatched call/return 6414: Virtual Machine: MvSMTP reports server errors missing the first character 9704: Virtual Machine: External database API does not provide a mechanism to clean up mvDatabase data after MvOPEN or MvCLOSE errors 9729: Virtual Machine: Empresa should support IPv6 9993: Virtual Machine: dBase MvOPEN with empty DATABASE attribute reads past end of buffer by 1 byte 10005: Virtual Machine: Non-fatal MvDO_Errors sometimes cause a fatal "illegal instruction" error 10006: Virtual Machine: MvEXIT is not properly handled when an MvDOne file MvDOs into itself 10120: Virtual Machine: When accessing a URL with an IPV6 address, s.documenturl does not include square brackets. 10187: Virtual Machine: http opcodes do not properly validate PUT and POST method restriction when the FILES attribute is present 10271: Virtual Machine: MvDO (inline or tag) of a file/directory that exists but is not a valid compiled MivaScript file leads to a crash 10288: Virtual Machine: Special system variables are not properly protected against all array and reference operations 10325: Virtual Machine: Special system variables incorrectly report IsNULL and IsTrue 10326: Virtual Machine: MvEXPORT_Error is not cleared after a successful operation 10344: Virtual Machine: CGI VM: Cannot run any scripts using a ~user URL when absolute paths are allowed for the script directory New Features ------------ - IPv6 is now supported for all network operations. Within MySQL connection strings and URLs, IPv6 addresses must be enclosed in square brackets. Note: IPv6 addresses are not supported in MySQL connection strings on Windows. - The MvSMTP tag now supports transport encryption, alternate port numbers and authentication. The new functionality is accessed via new attributes to the MvSMTP tag. Below is an example of MvSMTP with all supported attributes: <MvSMTP FROM = "from@email.com" TO = "to@email.com" CC = "cc@email.com" SUBJECT = "Subject" FLAGS = "comma,separated,list" MAILHOST = "mail.host.com" PORT = "25" USERNAME = "username" PASSWORD = "password"> The FLAGS attribute contains a comma separated list of one or more of the following flags: tls Specifies that implicit TLS/SSL should be used for transport encryption starttls Specifies that the SMTP STARTTLS command should be used for transport encryption noheaders Prevents the default headers (Date, From, To, CC, X-Mailer and Subject) from being included in the message body. MvSMTP users that supply this flag must manually generate those headers. If PORT is not specified, 25 is used by default. Otherwise the connection is made on the specified port. If USERNAME and PASSWORD are specified, SMTP authentication will be used. MvSMTP supports the following authentication schemes. The scheme used will be the first scheme from this list which is supported by the mail server. DIGEST-MD5 CRAM-MD5 PLAIN LOGIN When the new attributes are used, if the -C flag is not specified with a version of 5.17 or older, the compiler will tag the resulting .mvc file as incompatible with engine versions older than 5.18. If -C 5.17 (or older) is specified, the compiler will output code that allows the MvSMTP block to be executed by older engines with the new attributes ignored. The engine version determination is made at runtime. Therefore, the new attributes will have effect when running on 5.18 or newer, and the MvSMTP tag will behave as if those attributes were not specified when running on 5.17 and older. - Debug logging of network traffic caused by MvSMTP is now possible by including MvCONFIG_LOG_MvSMTP (2097152) in the configured log level. - Debug logging may now be restricted by cookie. New configuration directive MvCONFIG_LOG_COOKIE (environment based configuration) or "logcookie" (3.x configuration) controls this setting. When a value is configured, only requests from browsers with a "mivalogcookie" cookie containing the specified value will be logged. - diag6.mvc has been expanded to include tools for setting and clearing the mivalogcookie cookie and decoding logged network traffic. The new tool is named diagtool.mvc. - POST content types other than application/x-www-form-urlencoded and multipart/form-data are now supported. This allows XML and other non-form based data to be POSTed directly to a MivaScript application. To prevent DOS attacks, the maximum length of unknown content types may be controlled by the MvCONFIG_MAX_UNKNOWN_CONTENT_LENGTH (environment based configuration) or "maxunknowncontentlength" (3.x configuration) directive, which limits the maximum number of bytes of content that may be submitted. The default value is 1MB. A value of 0 allows an unlimited amount of content (still subject to the POST timeout) and a value of -1 disables acceptance of unknown content altogether. The POST content is not parsed in any way and is made available to the script in system variable "s.content_data". - New tag <MvASSEMBLY> allows MivaScript assembly code to be interleaved with tradititional MivaScript. Example: <MvEVAL EXPR = "Before assembly"> <MvASSEMBLY> ... assembly code here ... </MvASSEMBLY> <MvEVAL EXPR = "After assembly"> The content of the MvASSEMBLY tag is passed unmodified to the MivaScript assembler. - New compiler options allow the default STANDARDOUTPUTLEVEL to be overridden for functions that do not have an explicit STANDARDOUTPUTLEVEL attribute: -f Enable whitespace compression by default for functions -F Disable text and html output by default for functions StoreMorph Changes ------------------ - All builtin functions registered in the underlying VM may now be called within expressions. - New tag mvt:assign allows variables to be created or modified directly within templates: <mvt:assign name="variable_name" value="value_expr" /> The name attribute is always a literal string containing a variable name. Normal MivaScript scoping rules apply. The value attribute is always an expression. To assign a static string value to a variable, single quotes must be included: <mvt:assign name="g.variable" value="'Hello, world!'" /> Local variables may be created outside of l.settings, but they will only be present within the scope of the current compiled template and will not propagate to sub or parent templates. - New tag mvt:while allows non-array loops to be constructed: <mvt:while expr="g.variable LT 100"> <mvt:assign name="g.variable" value="g.variable + 1" /> </mvt:while> - New tag mvt:miva allows templates to control whitespace compression and disable all non-explicit output: <mvt:miva output="on|off" compresswhitespace="on|off" /> If output is disabled, only StoreMorph tokens and explicit <mvt:eval> tags will generate output. - New tag mvt:eval allows expressions to be directly output: <mvt:eval expr="value_expr" /> The expr attribute behaves as the value attribute of mvt:assign, in that it is always an expression. New Builtin Functions --------------------- - crypto_hmac_md5( buffer var, key, format, result var ) Performs an HMAC-MD5 on "buffer" using key "key", storing the result in "result". "format" is one of "hex" or "binary". Returns 1 on success, 0 on error. This function is available even if OpenSSL is not configured. - miva_array_clear( array var, start, count ) Removes "count" elements from "array", starting at position "start". The elements are removed from the array, but the array is not collapsed. Returns the number of elements remaining in the array. - miva_array_delete( array var, start, count ) Removes "count" elements from "array", starting at position "start". The array is collapsed after the elements are removed. Returns the number of elements remaining in the array. - miva_array_merge( source var, sstart, scount, dest var, dpos ) - miva_array_merge_ref( source var, sstart, scount, dest var, dpos ) Copies "scount" elements from "source" into "dest", starting with "sstart" and inserting the elements at "dpos". Existing elements in "dest" past "dpos" are pushed forward by "scount" elements. miva_array_merge_ref inserts references to the source elements into the destination array. miva_array_merge copies the elements. If "dpos" is -1, the elements are appended to the end of "dest". Returns the number of elements in the "dest" array after the merge. - miva_array_copy( source var, sstart, scount, dest var, dpos ) - miva_array_copy_ref( source var, sstart, scount, dest var, dpos ) Copies "scount" elements from "source" into "dest", starting with "sstart" and placing the elements at "dpos". Existing elements in "dest" are overwritten. miva_array_copy_ref inserts references to the source elements into the destination array. miva_array_copy copies the elements. If "dpos" is -1, the elements are appended to the end of "dest". Returns the number of elements in the "dest" array after the copy. - miva_array_insert( array var, element, pos ) - miva_array_insert_var( array var, element var, pos ) - miva_array_insert_ref( array var, element var, pos ) Inserts single element "element" into "array" at position "pos". miva_array_insert_ref inserts a reference to "element" into "array". The other variations copy "element". If "pos" is -1, the element is inserted at the end of "array". Returns the number of elements in "array" after the insertion. - miva_array_pop( array var ) Removes and returns the last element of "array". - miva_array_pop_ref( array var, element var ) Makes "element" a reference to the last element of "array", then removes it from the array. Returns the number of elements remaining in "array". - miva_array_shift( array var ) Removes and returns the first element of "array". - miva_array_shift_ref( array var, element var ) Makes "element" a reference to the first element of "array", then removes it from the array. Returns the number of elements remaining in "array". - miva_array_find( needle, haystack var, offset ) Performs an exhaustive search for "needle" in array "haystack", starting at "offset". Comparison is equivalent to the EQ operator. Returns the index of "needle" in "haystack" or 0 if the element was not found. - miva_array_search( array var, offset, element var, filter_expr ) Performs an exhaustive search in array "array", starting at "offset". Comparison is made by evaluating "filter_expr" for each element. "filter_expr" is an expression similar to the EXPR attribute to MvFILTER. The expression is executed in the same state as the caller of miva_array_search. All local variables within that context are available, and function calls are permitted. Returns the index of the first element in "array" for which filter_expr evaluated as true, or 0 if no elements met this condition. - miva_array_binarysearch( key, array var, callback, data var ) Performs a binary search for "key" in "array". "array" must have been previously sorted. "callback" is the name of a callback function with the following parameters: CallbackFunc( key var, element var, data var ) The callback function should return the following: -1 key is less than element 0 key is equal to element 1 key is greater than element Parameter "data" to miva_array_binarysearch is passed unmodified to each execution of the callback function. Returns the index of "key" in "array" or 0 if no match was found. API Changes ----------- - MV_EL_DATABASE_VERSION has been incremented to 6 and new function db_cleanup has been added to the database library API. void ( *db_cleanup )( mvDatabase db ) This function is called to allow a library to free any memory associated with a mvDatabase handle. This allows memory allocated in db_open to be freed when db_open returns non-success. - const MV_EL_Function *mvProgram_Lookup_ExternalFunction( mvProgram program, const char *function, int function_len ) Searches the list of registered builtin functions for "function" returning the associated MV_EL_Function record or NULL. - int mvProgram_FatalError( mvProgram program, const char *error, int error_length ) Triggers a Fatal Error which will terminate script execution. - mvVariable mvVariable_Allocate_Copy( mvVariable variable ) Allocates and returns a new variable which is a copy of "variable". - mvVariable mvVariable_NextIdentity( mvVariable variable ) If "variable" is a reference, returns its immediate reference value. - mvVariable mvVariable_RealIdentity( mvVariable variable ) Follows a reference chain starting with "variable" and returns the final non-reference end of the chain. - void mvVariableHash_ReplaceVariable( mvVariableHash hash, mvVariable variable ) Inserts "variable" into "hash", replacing any existing variable with the same name. - void mvVariable_Make_Reference( mvVariable variable, mvVariable value ) Makes "variable" a reference to "value". - int mvProgram_Compare( mvProgram program, mvVariable left, mvVariable right ) Compares two variables using semantics equivalent to the EQ operator and returns one of the following: -1 left is less than right 0 left is equal to right 1 left is greater than right - void mvVariable_Array_Copy( mvVariable source, int spos, int scount, mvVariable dest, int dpos, int copy ) Copies "scount" elements from "source" into "dest", starting with "sstart" and placing the elements at "dpos". Existing elements in "dest" are overwritten. If "dpos" is -1, the elements are appended to the end of "dest". If "copy" is true, copies of the source elements are placed into "dest". Otherwise, references are made to the original elements. - void mvVariable_Array_Merge( mvVariable source, int spos, int scount, mvVariable dest, int dpos, int copy ) Copies "scount" elements from "source" into "dest", starting with "sstart" and inserting the elements at "dpos". Existing elements in "dest" past "dpos" are pushed forward by "scount" elements. If "dpos" is -1, the elements are appended to the end of "dest". If "copy" is true, copies of the source elements are placed into "dest". Otherwise, references are made to the original elements. - void mvVariable_Delete_Array_Elements( int start, int count, int collapse, mvVariable agg ) Removes "count" elements from "array", starting at position "start". If "collapse" is true, the array is collapsed after the elements are removed. - void mvVariable_Insert_Array_Element( int index, mvVariable value, mvVariable agg ) Inserts "value" into array "agg" at position "index". Existing elements at "index" and beyond are moved forward one position. - mvDynamicExpression mvProgram_Compile_Dynamic_Expression( mvProgram program, const char *expr, int expr_length, char **error, int *error_length ) Compiles expression "expr", returning a handle that may be passed to one of the execution functions below. If a compilation error occurs and non-NULL values are passed for "error" and "error_length", a textual description of the compilation error is provided. Dynamic expression handles are tied to the mvProgram in which they were compiled and may not be executed with any other mvProgram. Returns a dynamic expression handle or NULL on error. - int mvProgram_Execute_Dynamic_Expression_Boolean( mvProgram program, mvDynamicExpression expr, mvVariableHash localvar_hash, int *result ) Executes dynamic expression "expr", storing a boolean result in "result". If "localvar_hash" is NULL, the expression is executed with access to the local variables of the calling context. Otherwise, "localvar_hash" is a VariableHash containing the local variables that will be made available to the expression. Returns 1 on success or 0 on error. Most error returns will result in the VM terminating execution when control is returned to the VM. - int mvProgram_Execute_Dynamic_Expression( mvProgram program, mvDynamicExpression expr, mvVariableHash localvar_hash, mvVariable result ) Executes dynamic expression "expr", storing the result in "result". If "localvar_hash" is NULL, the expression is executed with access to the local variables of the calling context. Otherwise, "localvar_hash" is a VariableHash containing the local variables that will be made available to the expression. Returns 1 on success or 0 on error. Most error returns will result in the VM terminating execution when control is returned to the VM. Miva Merchant Empresa/Mia/Script Compiler v5.17 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 8677: Builtins: crypto: crypto_rand_bytes( -1 ) causes a crash 8694: Builtins: crypto: When OpenSSL is not available, calling the same crypto function twice causes a segmentation fault 8732: Builtins: crypto: Functions that depend on RSA_up_ref double free RSA pointers on OpenSSL pre 0.9.7 6820: Builtins: math: acos() is internally mapped to cos() and returns incorrect values 6426: Compiler: Unscoped variables with -p all causes incorrect code generation and does not generate warnings in MvCAPTURE, MvREFERENCE, MvFOR and MvFOREACH 6935: Compiler: Compiler generates invalid assembly code for MvREFERENCEARRAY without NAME or VARIABLE attribute 7795: Compiler: MvFOREACH should give unique names to its anonymous variables 8592: Compiler: Global MvFOR/MvFOREACH in an MvDO target loops until timeout 8673: Compiler: Compiler crashes if you attempt to compile a directory 9212: Compiler: Compiler generates invalid assembly code for -.88 9285: Compiler: Grammatical error: Too many open parenthesis should be Too many open parentheses 8707: Configuration: 3.x: Using two equals (==) in mivavm.conf generates an unhelpful error message at runtime 9071: MivaSQL: "Not enough values" error when an INSERT with sub-select does not insert all columns 9291: MySQL Connector: Queries that execute for longer than 15 seconds result in "Lost connection to MySQL server during query" errors 4623: Virtual Machine: Expressions in MvDO parsed differently than other expressions 6406: Virtual Machine: Configuration variables cannot be passed as non-reference parameters or assigned to other variables 6797: Virtual Machine: MivaApplication::EncodeAttribute does not encode low-ASCII non-printable characters 8121: Virtual Machine: s.miva_config does not contain a log_filter variable 9041: Virtual Machine: CGI mivavm should explicitly validate that configured paths are absolute rather than relative 9186: Virtual Machine: dup instruction causes segfault when SP = 0 9213: Virtual Machine: Negative constants as parameters to a function call in a dynamic expression generate errors when any previous parameter has operators 9355: Virtual Machine: VariableHash::Scope does not properly handle short or empty variable names 9453: Virtual Machine: Buffer overflow in MivaApplication::MakeSessionID when OpenSSL is not available 9313: Virtual Machine Installation: vm-README.txt contains incorrect instructions for suexec/env.so configuration Platform Support Changes ------------------------ - FreeBSD 6.2 is no longer supported. Starting with this release, FreeBSD binaries are built on FreeBSD 8.3, and support FreeBSD 7.4-9.0. The compat6x package is no longer required on any of these platforms. - amd64 builds for FreeBSD 7.4-9.0 are now provided. API Changes ----------- - New API function mvProgram_Sleep( mvProgram program, int msecs ) delays the running application for msecs milliseconds or until the global timeout expires, whichever is shorter. New Builtin Functions --------------------- - miva_sleep( msecs ) Delays the running application for msecs milliseconds or until the global timeout expires, whichever is shorter. - miva_hex_encode( data ) - miva_hex_decode( data ) Convert "data" to or from hexidecimal notation, returning the resulting encoded or decoded data. - crypto_cipher_block_size( ciphername ) - crypto_cipher_key_length( ciphername ) - crypto_cipher_iv_length( ciphername ) These functions allow you to programatically determine the attributes of the cipher specified by "ciphername". "ciphername" is an OpenSSL cipher identifier, such as "aes-128-cbc" or "rc2-ofb". All of the preceding functions return the numeric size, in bytes, or -1 if an invalid "ciphername" is specified. - crypto_cipher_mode( ciphername ) Returns the block mode of operation of the cipher specified by "ciphername." The output is one of the following strings: stream Stream ciphers, such as RC4 ecb Electronic Code Book cbc Cipher Block Chaining cfb Cipher Feedback ofb Output Feedback unknown An invalid ciphername was specified - crypto_evp_encrypt( ciphername, key, iv, plaintext, encrypted var ) Encrypts "plaintext" using the block cipher specified by "ciphername", placing the encrypted data into "encrypted". Parameters: ciphername The OpenSSL identifier of the cipher, such as "bf-cbc" or "des-ede3-cbc". key The encryption key. Must be exactly the number of bytes required by the cipher, as returned by crypto_cipher_key_length. iv An initialization vector, if required by the cipher. Must be exactly the number of bytes required by the cipher, as returned by crypto_cipher_iv_length. plaintext The text to be encrypted encrypted [output] Receives the cipher text Return value: 1 on success, 0 on failure - crypto_evp_decrypt( ciphername, key, iv, encrypted, plaintext var ) Decrypts "plaintext" using the block cipher specified by "ciphername", placing the decrypted data into "plaintext". Parameters: ciphername The OpenSSL identifier of the cipher, such as "bf-cbc" or "des-ede3-cbc". key The key used for encryption. iv The initialization vector used for encryption. returned by crypto_cipher_iv_length. encrypted The ciphertext to be decrypted plaintext [output] Receives the plaintext Return value: 1 on success, 0 on failure - crypto_digest_block_size( digestname ) - crypto_digest_size( digestname ) These functions allow you to programatically determine the attributes of the digest algorithm specified by "digestname". "digestname" is an OpenSSL digest identifier, such as "sha256" or "md5". Each of the preceding functions return the numeric size, in bytes, or -1 if an invalid "digestname" is specified. - crypto_evp_digest( digestname, buffer var, digest var ) Calculates the digest of "buffer" using digest algorithm "digestname", placing the calculated digest in "digest". The digest output is always in raw binary format, use miva_hex_encode() or crypto_base64_encode() if other output formats are desired. Returns 1 on success or 0 if an invalid or unsupported "digestname" is specified. - crypto_evp_hmac( digestname, key, buffer var, digest var ) Calculates the HMAC of "buffer" using digest algorithm "digestname" and key "key", placing the HMAC in "digest". The HMAC output is always in raw binary format, use miva_hex_encode() or crypto_base64_encode() if other output formats are desired. Returns 1 on success or 0 if an invalid or unsupported "digestname" is specified. - crypto_xor( buffer var, dest var ) Efficiently performs a byte-by-byte XOR of buffer and dest, storing the resulting data in "dest". If "buffer" is longer than "dest", any extra bytes are ignored. - crypto_pbkdf1( digestname, password, salt, iterations, dklen, dk var ) Derives a key of "dklen" bytes using PBKDF1 from PKCS #5. Parameters: digestname The digest algorithm to use. Must be one of "md2", "md5" or "sha1". password The password from which a key is to be derived. salt Exactly 8 bytes of random data that are used as a salt. iterations The number of iterations to perform. dklen The desired output length of the derived key. May not be longer than the output digest size of the specified digest algorithm. dk [output] Receives the derived key. The output is in raw binary. Returns 1 on success or 0 on error. - crypto_pbkdf2( digestname, password, salt, iterations, dklen, dk var ) Derives a key of "dklen" bytes using PBKDF2 from PKCS #5. Parameters: digestname The digest algorithm to use. May be any of the digests supported by the installed OpenSSL version. password The password from which a key is to be derived. salt Random data of any length that is used to salt the derivation. RFC 2898 recommends a minimum salt length of 8 bytes. iterations The number of iterations to perform. RFC 2898 recommends at least 1000 iterations. dklen The desired output length of the derived key. May be any positive value. dk [output] Receives the derived key. The output is in raw binary. Returns 1 on success or 0 on error. - rsa_generate_keypair_mem_cipher( pubkey var, privkey var, bits, e, passphrase, ciphername ) - rsa_save_privatekey_mem_cipher( privkey var, rsa var, passphrase, ciphername ) These functions behave identically to their legacy counterparts rsa_generate_keypair_mem and rsa_save_privatekey_mem_cipher, except that they allow the caller to specify the cipher used to encrypt the private key (the legacy functions always use des-ede3-cbc). "ciphername" is an OpenSSL cipher identifier that specifies the cipher to be used. Note that OpenSSL only permits a subset of its supported ciphers to be used for RSA key encryption. For example, only CBC mode ciphers are permitted. New Features ------------ - On UNIX, the 3.x compatible configuration library now reports verbose syntax errors with line numbers when a parsing error occurs in either the configuration or authorization files. - Debug logging filter values may now be preceded by "!" to indicate a logging exclusion. If only exclusion filters are present, then all lines not matching the exclusion are logged. For example, "!example.mv:100-200" would log all lines except those between line number 100 and 200 of example.mv. If used in combination with one or more traditional include filters, then exclusions only apply where they overlap with one of the inclusions. - Increment (++) and decrement (--) operators are now supported inside MivaScript expressions. Both pre and post increment/decrement are allowed. Example: <MvEVAL EXPR = "{ l.var++ }"> <MvASSIGN NAME = "l.array" INDEX = "{ ++l.pos }" VALUE = "{ l.var }"> Note: When used within a dynamic expression (MvDO EXPR, MvFILTER EXPRESSION, etc..), the generated MivaScript file will be incompatible with Empresa versions prior to 5.17. When compilation includes a compatibility flag, for example "-C 5.16", a compiler warning will be generated when an increment or decrement operator is detected inside a dynamic expression. Miva Merchant Empresa/Mia/Script Compiler v5.16 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 6950: DigiNotar certificate was compromised and should be removed from the certs/ directory 6958: BLOB data over 4096 bytes is truncated when a subsequent query forces mysql_stmt_store_results 6981: diag6 does not include licensemgr.thelicensemanager.com in its license tests 6987: Reference variables created by poprg do not propagate to parent global variable hashes 6990: MivaSQL: Duplicate records in output result set when a range query uses an index 7047: Non-numeric trailing characters are no longer ignored by the int() function 7072: Compiler does not detect/throw an error for duplicate simple text attributes in a tag 7197: mvc: EINTR returns from wait() are not properly handled New Features ------------ - A new compiler tool "mvcov" provides code coverage measurement by analyzing an engine debug log containing trace data. The output format is similar to the GNU tool gcov. Full usage instructions may be obtained by running "mvcov --help". - A new compiler tool "mvprof" measures and graphs the amount of time spent in various functions by analyzing an engine debug log containing function call and return data. The output format is similar to the GNU tool gprof. Full usage instructions may be obtained by running "mvprof --help". Certificate Updates ------------------- - The following certificate has been removed: C060ED44CBD881BD0EF86C0BA287DDCF8167478C.pem DigiNotar Root CA Miva Merchant Empresa/Mia/Script Compiler v5.15 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 6857: mysql: mysql_stmt_store_results errors when opening and closing multiple views simultaneously Miva Merchant Empresa/Mia/Script Compiler v5.14 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 6411: 5.07 and newer assemblers generate MvLOCALIZED code that crashes 5.06 or older engines 6441: sha256 with openssl < 0.9.8 6449: Win32: file_read and [fs]time() create non-existent files 6454: 3.x Configuration causes segmentation fault when one or more required tag attributes are missing 6455: Floating point to string conversions occasionally include a NULL byte in the string 6456: MvSMTP: Write Error: Connection closed by remote host (windows server only) 6469: ISAPIApplication has no s.process_id 6482: ISNULL of a reference to a structure is always 1 6498: Free of uninitialized memory in Dictionary::Read when TaggedFile has no TF_DICT_ID section 6505: MvFOR without /MvFOR not caught by compiler 6519: Embedded bracket } causes compiler error [g.file].fn('}') 6546: Passing a database variable to a function by reference leads to a crash 6576: MvCALL does not verify server identity 6679: xml_parse when an xml_parse_section is present returns the section's content in root 6712: External function calls in MvDO expressions behave strangely when they reference functions that are not used in the MvDO'd file 6734: Hash-table collision based DOS with POSTed form data 6762: miva_array_deserialize outputs an array with a single empty element when passed an empty string 6799: Strings that contain ASCII NULL but begin with numbers are considered numbers MySQL Connector Changes ----------------------- - Only a single connection to the database server is used per VM instance, regardless of whether a script opens multiple views simultaneously or executes an MvQUERY when a view is open. - The connector now supports caching of prepared statements for better performance. The cache is disabled by default and may be enabled using the "statement_cache_size" db command. Example: <MvDBCOMMAND NAME = "Merchant" COMMAND = "statement_cache_size" PARAMETER = "5"> The value of PARAMETER controls the number of prepared statements that are cached. The N most recently used prepared statements are retained. - A new DBCOMMAND "autostorelimitqueries" causes the connector to automatically call mysql_stmt_store_results() whenever it sees the LIMIT keyword in an SQL statement used to open a view. Other Changes ------------- - Additional bits in MvCONFIG_FLAGS_SECURITY (securityoptions in the 3.x configuration) allow an administrator to control SSL certificate validation. MvCONFIG_SEC_SSL_NOVERIFY_CHAIN 0x00001000 4096 Disables chain of trust verification MvCONFIG_SEC_SSL_NOVERIFY_HOSTNAME 0x00002000 8192 Disables certificate commonName/subjectAltName checking when a connection is made using a hostname MvCONFIG_SEC_SSL_VERIFY_IP 0x00004000 16384 Enables IP Address based subjectAltName checking when a connection is made using an IP address - A new configuration setting MvCONFIG_TIMEOUT_POST (posttimeout in the 3.x configuration) allows an administrator to configure the maximum number of seconds that are permitted to receive and parse POST input from a client. The default value is 30 seconds, and this timeout does not apply to file uploads that have been accepted by a script. - A new configuration setting MvCONFIG_MAX_POST_VARS (maxpostvars in the 3.x configuration) controls the maximum number of variables that may be present in a single POST request. The default value is 2000. - On Windows systems a new Options dialog is present to control the new configuration settings. The Use Cookies setting has also been moved to this dialog. Certificate Updates ------------------- - The following new certificates have been added: 7C4656C3061F7F4C0D67B319A855F60EBC11FC44.pem Go Daddy Secure Certification Authority 188590E94878478E33B6194E59FBBB28FF0888D5.pem VeriSign Class 3 Secure Server CA D559A586669B08F46A30A133F8A9ED3D038E2EA8.pem VeriSign International Server CA - Class 3 Miva Merchant Empresa/Mia/Script Compiler v5.13 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 5880: All ExternalDatabaseVariables ISNULL until they have been read 5926: 64-bit engine libraries are dynamically linked against system libraries 5987: miva_array_sort() Crashes Mia 5988: miva_array_sort() does not properly handle timeouts in the callback 6002: Logging mechanism should have a way to log application timed out errors 6003: Only the first open view for a database is closed on VM exit 6042: "Application timed outApplication timed out" when a file upload takes longer than globaltimeout seconds 6102: MySQL connector does not close connections when an MvOPENVIEW encounters an error 6135: diag6.mvc does not read the libgd system library configuration from them mivavm.conf 6136: When a SYSTEMLIB is configured it does not make an entry in s.miva_config like COMMERCE and DATABASE libraries do 6170: MvFOR: Cannot use a FIRST of "0" 6197: MivaSQL: LIKE operator does not properly handle wildcard comparisons at the end of a string 6199: Win32: MvLOCKFILE fails with "Access Denied" or "The handle is invalid." 6200: Win32: MvLOCKFILE fails to use MvCONFIG_DELAY_FILE and consumes 100% of the CPU when waiting for a lock 6201: 1-byte buffer overrun in MivaApplication::DecodeEntities 6202: Buffer overrun of static buffer when processing MvCONFIG_CAPTURE_FILE 6203: Buffer overrun of static buffer when replaying a capture file 6227: MivaSQL: UPDATE or DELETE statements with OR expressions fail to delete/update all matching records 6232: MvFOREACH, miva_array_max(), miva_array_min(), miva_array_elements(), miva_array_next() and miva_array_previous() crash when used on s.miva_config:(database|commerce|systemlib)_list 6353: MvCALL makes multiple writes for the HTTP request, adding overhead and multiplying the effective timeout 6354: MvCALL: GET with parameters and ACTION in the form "http://hostname:port" does not work New Functions ------------- - srandom( seed ) - Allows a script to reseed the random number generator used by random() Other Changes ------------- - Registered system libraries are now available through s.miva_config:systemlib_list and s.miva_config:systemlib_lookup - diag6.mvc now displays a list of registered system libraries - The request capture/replay mechanism (MvCONFIG_CAPTURE_FILE, MvCONFIG_CAPTURE_TRIGGER_FILE, etc...) has been removed - The build process for the Linux x64 distribution has been altered to ensure compatibility with more x64 Linux distributions - Application Timed Out errors may now be logged using the debug logging mechanism, by including MvCONFIG_LOG_APPLICATION_TIMEOUT (134217728) in the configured log level. - MvCALL now supports a CERTPASS attribute, which allows PEM-format certificates and/or private keys to be stored encrypted on disk. If specified, the value of CERTPASS is used to decrypt the certificate and/or private key in the file specified by CERTFILE. - Debug logging output may now be filtered by setting MvCONFIG_LOG_FILTER for the environment based configuration or logfilter=<filter> for the 3.x configuration. The filter is in the format sourcefile[:[start_line][-[end_line]],... If a filter is provided, only messages from the specified files and line number ranges will be logged. - Restrictions on the length of string data and number of array elements have been removed from debug logging output - MvCALL input and output may now be logged using the debug logging mechanism by including MvCONFIG_LOG_MvCALL (1048576) in the configured log level. All data sent and received during an MvCALL is logged in base64 format to preserve the delimited nature of the log file. When filtering MvCALL logging, only the line containing the start MvCALL tag is considered. Certificate Updates ------------------- - All distribution certificate files now include a textual description - The following new certificates have been added: B8236B002F1D16865301556C11A437CAEBFFC3BB.pem AffirmTrust Premium ECC 925A8F8D2C6D04E0665F596AFF22D863E8256F3F.pem Starfield Services Root Certificate Authority - G2 D018B62DC518907247DF50925BB09ACF4A5CB3AD.pem UTN-USERFirst-Hardware: login.yahoo.com 80962AE4D6C5B442894E95A13E4A699E07D694CF.pem UTN-USERFirst-Hardware: login.yahoo.com B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.pem Starfield Root Certificate Authority - G2 47BEABC922EAE80E78783462A79F45C254FDE68B.pem Go Daddy Root Certificate Authority - G2 CEA586B2CE593EC7D939898337C57814708AB2BE.pem UTN-USERFirst-Hardware: login.live.com 293621028B20ED02F566C532D1D6ED909F45002F.pem AffirmTrust Networking F9B5B632455F9CBEEC575F80DCE96E2CC7B278B7.pem AffirmTrust Commercial 6431723036FD26DEA502792FA595922493030F97.pem UTN-USERFirst-Hardware: mail.google.com C039A3269EE4B8E82D00C53FA797B5A19E836F47.pem GeoTrust Global CA: RapidSSL CA 471C949A8143DB5AD5CDF1C972864A2504FA23C9.pem UTN-USERFirst-Hardware: login.skype.com 63FEAE960BAA91E343CE2BD8B71798C76BDB77D0.pem UTN-USERFIRST-Hardware: login.yahoo.com 63FEAE960BAA91E343CE2BD8B71798C76BDB77D0.pem UTN-USERFirst-Hardware: addons.mozilla.org 07E032E020B72C3F192F0628A2593A19A70F069E.pem Certum Trusted Network CA 1916A2AF346D399F50313C393200F14140456616.pem UTN-USERFirst-Hardware: www.google.com D8A6332CE0036FB185F6634F7D6A066526322827.pem AffirmTrust Premium 61793FCBFA4F9008309BBA5FF12D2CB29CD4151A.pem UTN-USERFirst-Hardware: global trustee - The following expired certificates have been removed: 67EB337B684CEB0EC2B0760AB488278CDD9597DD.pem DST RootCA X2 F88015D3F98479E1DA553D24FD42BA3F43886AEF.pem C&W HKT SecureNet CA SGC Root 720FC15DDC27D456D098FABF3CDD78D31EF5A8DA.pem TC TrustCenter Class 1 CA 687EC17E0602E3CD3F7DFBD7E28D57A0199A3F44.pem SecureNet CA SGC Root 5BCDCDCC66F6DCE4441FE37D5CC3134C46F47038.pem beTRUSTed Root CA B72FFF92D2CE43DE0A8D4C548C503726A81E2B93.pem DST RootCA X1 24BA6D6C8A5B5837A48DB5FAE919EA675C94D217.pem IPS SERVIDORES 6423137E5C53D64AA66485ED3654F5AB055A8B8A.pem Equifax Secure Global eBusiness CA-1 4463C531D7CCC1006794612BB656D3BF8257846F.pem RSA Secure Server Certification Authority 9BACF3B664EAC5A17BED08437C72E4ACDA12F7E7.pem C&W HKT SecureNet CA Class A 90DEDE9E4C4E9F6FD88617579DD391BC65A68964.pem GTE CyberTrust Root 47AFB915CDA26D82467B97FA42914468726138DD.pem C&W HKT SecureNet CA Class B A60F34C8626C81F68BF77DA9F667588A903F7D36.pem VeriSign Time Stamping Authority CA 7CA04FD8064C1CAA32A37AA94375038E8DF8DDC0.pem SecureNet CA Root E0925E18C7765E22DABD9427529DA6AF4E066428.pem Hongkong Post Root CA 7AC5FFF8DCBC5583176877073BF751735E9BD358.pem SecureNet CA Class B A399F76F0CBF4C9DA55E4AC24E8960984B2905B6.pem TC TrustCenter Time Stamping CA 9FC796E8F8524F863AE1496D381242105F1B78F5.pem TC TrustCenter Class 3 CA 8B1A1106B8E26B232980FD652E6181376441FD11.pem Certificado Empresarial Clase-A 4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9.pem Belgacom E-Trust Primary CA D29F6C98BEFC6D986521543EE8BE56CEBC288CF3.pem TC TrustCenter Class 4 CA BC7B3C6FEF26B9F7AB10D7A1F6B67C5ED2A12D3D.pem Post.Trust Root CA 5E997CA5945AAB75FFD14804A974BF2AE1DFE7E1.pem SecureNet CA Class A 7A74410FB0CD5C972A364B71BF031D88A6510E9E.pem ABA.ECOM Root CA 4BA7B9DDD68788E12FF852E1A024204BF286A8F6.pem C&W HKT SecureNet CA Root 838E30F77FDD14AA385ED145009C0E2236494FAA.pem TC TrustCenter Class 2 CA Miva Merchant Empresa/Mia/Script Compiler v5.12 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 5916: rsa_load_privatekey() and rsa_load_privatekey_mem() do not properly handle passphrases with embedded ASCII NULs Miva Merchant Empresa/Mia/Script Compiler v5.11 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 5891: certs directory is not compatible with OpenSSL 1.0 5901: rsa_sign(), rsa_verify(), bf_encrypt() and bf_decrypt() statically allocate OpenSSL opaque structures 5902: libgd_initialize_context() errors are not properly reported Other Changes ------------- - This release introduces support for x86_64 RedHat Enterprise and CentOS 5.x systems - The packaged "certs" directory now contains two separate sets of certificates. One hashed for compatibility with OpenSSL 0.9.x, and another for OpenSSL 1.0. - On Windows systems, the installer sets the default "certs" path to point to the OpenSSL 1.0 compatible directory. We strongly recommend that all Windows users upgrade to OpenSSL 1.0 Miva Merchant Empresa/Mia/Script Compiler v5.10 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 5804: http_host incorrect if domain is setup to use custom port number 5810: MivaSQL: Sub-queries in LEFT OUTER JOINS are not executed if part of the join can be indexed 5811: Functions called via MvDO do not immediately have a valid sourcefile directive 5812: Function calls inside a tag's expression do not reset lineno on return 5817: Parameter type mismatches in MvDO expressions are not properly handled 5818: MvDO function calls are logged with incorrect sourcefile and lineno 5822: Crash in MultipartFormParser 5826: Buffer overrun of static buffer in bi_tokenize() 5857: MvCALLSTOP outputs an additional (unreachable) dbclose instruction 5858: MvMEMBER or MvDIMENSION outside MvASSIGNARRAY or MvREFERENCEARRAY causes a crash 5860: MultipartFormParser requires the initial boundary to be complete in the first buffer 5862: MultipartFormParser cannot handle any but the most basic Content-Type HTTP header 5865: MultipartFormParser calls ValidateFileUpload repeatedly after the file has been rejected 5866: MultipartFormParser will not correctly upload a zero length file. 5872: s.stm_zone always reports daylight savings timezone on Linux 5874: Variable::Convert_Integer() converts floating point string values to integer 0 5875: Miva_ProcessFileUpload() is expected to return exactly -1 to skip a file, which differs from 3.x 5876: If Miva_ValidateFileUpload() does not exist, multipart/form-data parsing aborts whenever a file is present 5877: If Miva_ProcessFileUpload() returns a value, it stays on the internal stack forever New Builtin Functions --------------------- substring_var( string var, position, length ) This function is identical to substring() but its first parameter is passed by reference, improving performance when dealing with large strings. len_var( string var ) This function is identical to len() but its parameter is passed by reference, improving performance when dealing with large strings. indexof( needle, haystack var, offset ) indexofi( needle, haystack var, offset ) These functions search for needle in haystack, starting at "offset". If found, the functions return the starting offset of needle in haystack. If not found, the functions return 0. indexof() performs a case-sensitive search, and indexofi() performs a case-insensitive search. The offset parameter and returned string offset are 1-based. file_read_bytes( path, location, offset, length, data ) This function reads a portion of the file specified by "path" and "location" into "data". path The name or filepath of the file to open relative to the directory specified by "location" location One of "script" or "data" offset The zero-based offset at which to begin reading length The number of bytes to read. If < 0, the entire file after "offset" is read. data The variable in which to store the file data The function returns the number of bytes read, which may be less than "length" if an attempt was made to read past the end of the file, or -1 on error. Other Changes ------------- - Minor performance improvement for the sourcefile instruction - Corrected line numbers when a tag spans multiple lines (subversion 25013) - Mia now properly handles empty string registry values in its configuration - The packaged set of certificates has been updated New Features ------------ - A new debug logging facility has been added, which logs various information about script execution. In Miva Empresa for IIS and Miva Mia, this facility is configured through a new "Debug Log" button in the GUI configuration. On UNIX systems using the environment based configuration, the facility is configured using two environment variables: MvCONFIG_LOG_FILE specifies the name of the logfile MvCONFIG_LOG_LEVEL a bitfield which controls which operations are logged On UNIX systems using the 3.x configuration, the facility is configured using the following configuration settings: logfile=<logfile name> loglevel=<numeric log level> For security purposes, on UNIX the configured logfile is relative to the MivaScript data directory, and the logfile is opened after dropping root privileges if the binary is setuid root. The log level is constructed by adding the values of the desired output items from this list: MvCONFIG_LOG_FUNC_CALL 16 Calls to native (MivaScript) functions MvCONFIG_LOG_FUNC_PARAM 32 Parameters to native (MivaScript) functions MvCONFIG_LOG_FUNC_RETVAL 64 Return values from native (MivaScript) functions MvCONFIG_LOG_FUNC_RETURN 128 Return from native (MivaScript) functions MvCONFIG_LOG_EXTERNAL_FUNC_CALL 256 Calls to builtin or other external functions MvCONFIG_LOG_EXTERNAL_FUNC_PARAM 512 Parameters to builtin or other external functions MvCONFIG_LOG_EXTERNAL_FUNC_RETVAL 1024 Return values from builtin or other external functions MvCONFIG_LOG_EXTERNAL_FUNC_RETURN 2048 Return from builtin or other external functions MvCONFIG_LOG_MvDO_FILE_ENTER 4096 MvDO of an entire file has begun MvCONFIG_LOG_MvDO_FILE_EXIT 8192 MvDO of an entire file has ended MvCONFIG_LOG_RUNTIME_ERROR 268435456 All runtime errors MvCONFIG_LOG_FATAL_ERROR 536870912 All fatal errors MvCONFIG_LOG_TRACE 1073741824 Logs each line of source code executed - New tags MvIMPORTCONTINUE, MvPOPCONTINUE, MvWHILECONTINUE, MvCALLCONTINUE and MvCOMMERCECONTINUE return program flow to the top of their associated loop, doing whatever operations would normally occur at the bottom of the loop (moving to the next record in MvIMPORT, the next email in MvPOP, etc...) - A new looping construct, MvFOREACH, has been added to make dealing with arrays of items more convenient. <MvFOREACH ITERATOR = "l.item" ARRAY = "l.array" INDEX = "l.pos"> </MvFOREACH> <MvFOREACH ITERATOR = "l.item" ARRAY = "l.array" INDEX = "l.pos" FIRST = "{ 1 }" NEXT = "{ l.pos + 1 }" LAST = "{ 100 }"> </MvFOREACH> <MvFOREACH ITERATOR = "l.item" ARRAY = "l.array" INDEX = "l.pos" COUNT = "{ 100 }"> </MvFOREACH> Only the ITERATOR and ARRAY elements are required. When COUNT is specified, FIRST, NEXT, and LAST may not be, but when COUNT is not present, FIRST, NEXT, and LAST may be used in any combination with each other. ITERATOR is the name of a variable which will point to a specific element in the array. The mechanism used is the same as MvREFERENCE or MvREFERENCEARRAY. ARRAY is the array over which to iterate. INDEX describes the name of a variable that is used to track the iterations through the loop. It is optional, and if nothing is specified an internal anonymous variable is used. When specified, the variable can be used inside the expressions for the NEXT and LAST attributes, and is present inside the MvFOREACH loop. FIRST if specified, defines the index of the first element to iterate over. If not specified, the loop starts at the first element present in the array (more on this later). NEXT if specified, is called at the end of the loop to increment the INDEX variable. If not specified, the loop transitions to the next element present in the array (more on this later). LAST if specified, defines the upper bound of the loop. If not specified, the loop terminates after the last element in the array. COUNT is shorthand for dealing with known-dense arrays. It sets the loop up to iterate from 1 to COUNT, incrementing by 1 each time. It has some performance advantages when proper handling of sparse arrays is not a concern. To efficiently traverse sparse arrays, MvFOREACH outputs code that calls the miva_array_min() and miva_array_max() functions. When combined with the -C (compatibility) compiler flag, MvFOREACH generates code that will run on any engine version 5.00 or newer, using runtime engine version checks to either call these functions or emulate their behavior. Tags MvFOREACHCONTINUE and MvFOREACHSTOP exist and behave as other similarly named tags. - A new looping construct, MvFOR, has been added. <MvFOR INDEX = "l.pos" FIRST = "{ 1 }" NEXT = "{ l.pos + 1 }" LAST = "{ 100 }"> </MvFOR> <MvFOR INDEX = "l.pos" COUNT = "{ 100 }"> </MvFOR> <MvFOR INDEX = "l.pos" FIRST = "{ 1 }" EXPR = "{ l.pos LT 100 }" NEXT = "{ l.pos + 1 }"> </MvFOR> Exactly one of COUNT, LAST, or EXPR must be specified. All other attributes are optional. INDEX describes the name of a variable that is used to track the iterations through the loop. It is optional, and if nothing is specified an internal anonymous variable is used. When specified, the variable can be used inside the expressions for the EXPR, NEXT and LAST attributes, and is present inside the MvFOR loop. FIRST defines the low-end range of the loop. This expression is executed only once, at the beginning of the MvFOR block. NEXT if specified, is called at the end of each iteration to increment the INDEX variable. If you don't specify NEXT, the index variable is incremented by one for each pass through the loop. LAST defines the high-end of the loop (inclusive). This expression is executed at the beginning of the loop and also at every iteration through the loop, allowing you to perform interesting operations, such as calling a function. If you use a simple expression here with a static value or simple variable, there is no performance overhead by evaluating the expression after every iteration. COUNT is a shorthand for an extremely simple loop which iterates from 1 to the value of the COUNT expression, incrementing by 1 after each iteration. Unlike LAST, the expression in COUNT is executed only once, at the beginning of the loop. EXPR is a boolean expression that is evaluated each iteration through the loop. If it resolves to a true value, the loop continues. Otherwise, the loop terminates. Tags MvFORCONTINUE and MvFORSTOP exist and behave as other similarly named tags. Miva Merchant Empresa/Mia/Script Compiler v5.09 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 5659: POP3 handling of STAT response incorrectly allocates POP3Message array 5663: Mia: Logging into MM5 results in empty or error page (all POST forms broken) 5684: <MvASSIGN> with no VALUE attribute reports "MvASSIGN requires the NAME attribute" 5690: MvPACK on dBase table without memo fields uses uninitialized variable and can cause a crash 5691: UNIX VM: <f|s>exists() requires read access to the target, which is different than 5.06 and earlier 5696: Assigning a variable to itself results in an overlapped memcpy() 5709: Win32FileManager::Rename cannot replace files open in another process/thread 5710: MvPACK: Errors occurring while the original table is closed lead to crashes 5731: running mivavm-v5.08 .exe removes Synchro registration info 5758: Upgrade from Mia/Empresa 5.06 or earlier leaves the installation with broken commercelibs setting 5760: Empresa setup fails to remove script mapping on uninstall 5774: Miva Merchant Mia - Installation with Upgrade from Mia 5.06 doesn't install properly 5776: Miva Merchant Empresa 5.09 / Win03 - Miva Merchant Empresa tab is missing from IIS Default Web Site Properties when upgrading directly from 5.06 to 5.09 5781: Mia: Upgrade does not preserve errorsettings or maxdocache registry values 5782: Win32 Compiler Installer does not set MVC_LIB environment variable 5783: Win32 Compiler Installer does not remove msc_license.txt when upgrading from 5.06 Other Changes ------------- - When renaming a file on Windows, if the rename fails because the process does not have permissions to read an existing destination file, the engine no longer enters an infinite loop. New Builtin Functions --------------------- - crypto_sha256( buffer var, format, result var ) Calculates the SHA-256 hash of "buffer", storing the result in "result". Format may be one of "binary" or "hex". - crypto_hmac_sha256( buffer var, key, format, result var ) Calculates the SHA-256 HMAC of "buffer" using binary key "key", storing the result in "result". Format may be one of "binary" or "hex". - Note: The SHA-256 functions may not be available on platforms running older versions of OpenSSL. SHA-256 was introduced in OpenSSL v0.9.8. On platforms with a version of OpenSSL that does not support SHA-256, the functions will return 0. Miva Merchant Empresa/Mia/Script Compiler v5.08 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 5621: The level arguments to the -p option of mvc do not work as expected 5623: MIVAVM - Notification Server not working in store admin 5636: Non-SSL MvCALL callreturnheaderN values are missing their last character 5651: The -P option to mvc detects the errors and prints diagnostics but does not cause the compiler to exit with a failure code. 5652: 3.x Config: Relative paths to authfile are handled differently than 5.06 5655: Miva Merchant 5.5 PR5: core-16 patch installation fails on 5.07 engine 5656: miva_array_sort can cause an engine crash with numeric sort callback and non-numeric data (actually related to the number of items being sorted) 5657: MivaVM::cat does not NULL terminate the resulting string 5658: Inconsistent segfault in MvCREATE when DATABASE is the result of an expression 5663: Logging into MM5 results in empty or error page (all POST forms broken) Configuration Changes --------------------- - The UNIX 3.x configuration library now supports a new directive, "builtindir". When specified, the engine loads all builtin function libraries found in the configured directory path. This functionality is similar to the environment based configuration's MvCONFIG_DIR_BUILTIN directive. New Builtin Functions --------------------- - New GD library functions have been added allowing images to be created from data stored in a variable instead of a file: gdImageCreateFromPngMem( data var ) gdImageCreateFromGifMem( data var ) gdImageCreateFromWBMPMem( data var ) gdImageCreateFromJpegMem( data var ) gdImageCreateFromGdMem( data var ) gdImageCreateFromGd2Mem( data var ) - New GD library functions have been added allowing images to be written to a variable instead of a file: gdImagePngMem( im, output var ) gdImageGifMem( im, output var ) gdImageWBMPMem( im, fg, output var ) gdImageJpegMem( im, output var, quality ) gdImageGifAnimBeginMem( im, GlobalCM, Loops ) gdImageGifAnimAddMem( im, ctx, LocalCM, LeftOfs, TopOfs, Delay, Disposal, previm ) gdImageGifAnimEndMem( ctx, output var ) - New GD library functions have been added allowing images to be written directly to the output stream: gdImagePngOutput( im ) gdImageGifOutput( im ) gdImageWBMPOutput( im, fg ) gdImageJpegOutput( im, quality ) gdImageGifAnimBeginOutput( im, GlobalCM, Loops ) gdImageGifAnimAddOutput( im, LocalCM, LeftOfs, TopOfs, Delay, Disposal, previm ) gdImageGifAnimEndOutput() Miva Merchant Empresa/Mia/Script Compiler v5.07 Release Notes ------------------------------------------------------------- Bugs Fixed ---------- 903: Fatal error on Windows servers- mysql_init failure 909: securityoptions differences between 5.02 and 5.03 1003: fscopy on a directory doesn't act as expected 1015: Directories created by streaming updates have no access to others 1446: crypto_sha1 may return sha1 hash of undefined value 1565: EULAs in VM and compiler software need updating. 1659: Insufficient feedback for disk space errors. 1805: Packaged certificate files are out of date 1916: MySQL: unsupported buffer type error 1934: Does our ROUND operator employ banker's rounding? 2368: Add array sort function to the language 3739: Drop table fails to drop index 4199: Product sorting bug reported by partner hosts 4519: limitation on number of stores 4535: engine crashes when calling crypto_md5_file on certain files 4536: Query causing engine crash with MivaSQL db library 4622: Expressions in MvDO parsed differently than other expressions 4626: MvCAPTURE does not properly terminate its result. 4672: Scripts cannot capture/handle MvCALL timeouts 4673: tar_create output cannot be opened in WinRAR or 7-Zip 4678: URLs bleed through SMT mvt:comment tags 4679: Template Compiler generates debugging files in production version 4687: File upload corrupts data when a line begins with "--" 4701: Template compiler reports error when ampersand used in param 4783: decimal fields are bound as type "unknown" when connecting to 5.0 or 5.1 4785: Storemorph won't display global array variables. 4803: Crash when ALTER TABLE is used on a previously referenced table 4930: Template Compiler outputs incorrect lineno instructions 4933: CGI temporary directory uses data directory configuration settings 4934: UNIXFileManager::DirectoryListing leaks DIR handles 4945: Engine capture mechanism should not fail on setuid during restore 4947: UNIXFileManager::ModifiedTime uses lstat(), not stat() 4950: 3.x API supports "commerce" path, 5x API does not 4957: MvPOP uses MakeTemporary inefficiently 4959: MvLOCALIZED always outputs the first language encountered 4960: TaggedFile::Section_Read[_Start]() return values are improperly handled 4962: NetworkConnection SSL certificate handling needs to be revamped 4964: Encoded filenames in open errors leak memory 4965: Session IDs are not sufficiently random 4968: MvCALL TIMEOUT attribute leaks into subsequent MvCALLS 4969: Network reads should never have an infinite timeout 4970: Multiple CRYPT operations in the same expression get the same value 4972: Buffer overflow in MvPOP 4973: MvPOP gets stuck in an infinite loop when the server terminates the connection 4978: tar_create crashes when the source directory does not exist and compression is enabled 4980: Win32 packaging and branding requires update 4983: Template Compiler gets confused by mismatched quotes 4984: Template Compiler misbehaves when semicolon omitted from mvt entity 5006: CGI VM won't handle ";" in content type for posted form data 5009: Non-Miva files having their size reported incorrectly. 5010: Entering a slash after the filename outputs compiler code in the main window 5012: Order Management feature is intermittently not loading some order data in Mia 5036: Entities preceeded by empty/self closed tags are not interpreted 5073: Column reference validation errors are reported as blank in some cases 5075: GROUP BY is incorrectly applied when also using UNION 5078: File descriptor leak in MvOPENVIEW/MvCLOSEVIEW 5115: Alter table in MivaSQL can lose all data in the table 5203: MivaApplication::DecodeAttributes generates invalid characters when given invalid input 5221: Passing a non-array to the glosub_array "replace" parameter crashes 5281: mktime_t does not return -1 when given an invalid date 5325: time_t functions have no ability to properly account for daylight savings time 5532: Network::OpenURL() (MvCALL) does not handle network write errors 5542: Admin secure redirect does not work on IIS 5571: xml_parse terminates in-progress xml_parse_section 5576: xml_parse_section_[get|set]state cause segfault if used immediately after xml_parse_section_init() 5578: MivaApplication::itos with INT_MIN overwrites memory and crashes 5579: MivaApplication::dtos does not handle NaN or Infinity correctly 5580: Crash when making a variable a reference to one of its children 5581: Whitespace compression fails to suppress blank first line 5584: MvLOCALIZED uses primary language when attempting to fall back to default language 5592: MvCALL only supports HTTP GET, HEAD and POST methods New Builtin Functions --------------------- - xml_parse_var( var var, output var ) - xml_parse_set_colon_replacement( colon ) - miva_struct_members( aggregate var, members var ) - miva_array_sort( aggregate var, callback, data var ) - miva_array_min( aggregate var ) - miva_array_next( aggregate var, index ) - miva_array_previous( aggregate var, index ) - miva_template_compile_itemlist( signat, source var, sourceitems var, target, errors var ) - miva_template_compile_dump( source var, errors var ) - All builtin time functions which accept a "timezone" parameter (mktime_t(), time_t_year(), etc...) now accept the string value "local" for this parameter, which allows the underlying operating system to apply daylight savings time rules for the current timezone. - New system logging functions have been implemented for both Windows and UNIX hosts. On Windows, log messages are written to the event log. On UNIX, log messages are sent to the syslog facility: miva_openlog( ident, logopt, facility ) miva_closelog() miva_setlogmask( maskpri ) miva_writelog( priority, message ) - All libgd 2.x functions are now supported. The builtin functions are also compatible with GD 1.x installations, in which case 2.x specific functions will fail gracefully: gdImageCreate( sx, sy ) gdImageCreateTrueColor( sx, sy ) gdImageCreateFromPng( filename, location ) gdImageCreateFromGif( filename, location ) gdImageCreateFromWBMP( filename, location ) gdImageCreateFromJpeg( filename, location ) gdImageCreateFromGd( filename, location ) gdImageCreateFromGd2( filename, location ) gdImageCreateFromGd2Part( filename, location, srcx, srcy, w, h ) gdImageDestroy( im ) gdImageSetPixel( im, x, y, color ) gdImageGetPixel( im, x, y ) gdImageGetTrueColorPixel( im, x, y ) gdImageAABlend( im ) gdImageLine( im, x1, y1, x2, y2, color ) gdImageDashedLine( im, x1, y1, x2, y2, color ) gdImageRectangle( im, x1, y1, x2, y2, color ) gdImageFilledRectangle( im, x1, y1, x2, y2, color ) gdImageSetClip( im, x1, y1, x2, y2 ) gdImageGetClip( im, x1P var, y1P var, x2P var, y2P var ) gdImageBoundsSafe( im, x, y ) gdImageStringFT( im, brect var, fg, fontlist, ptsize, angle, x, y, string ) gdImagePolygon( im, points var, n, color ) gdImageOpenPolygon( im, points var, n, color ) gdImageFilledPolygon( im, points var, n, color ) gdImageColorAllocate( im, r, g, b ) gdImageColorAllocateAlpha( im, r, g, b, a ) gdImageColorClosest( im, r, g, b ) gdImageColorClosestAlpha( im, r, g, b, a ) gdImageColorClosestHWB( im, r, g, b ) gdImageColorExact( im, r, g, b ) gdImageColorExactAlpha( im, r, g, b, a ) gdImageColorResolve( im, r, g, b ) gdImageColorResolveAlpha( im, r, g, b, a ) gdImageColorDeallocate( im, color ) gdImageCreatePaletteFromTrueColor( im, ditherFlag, colorsWanted ) gdImageTrueColorToPalette( im, ditherFlag, colorsWanted ) gdImageColorTransparent( im, color ) gdImagePaletteCopy( dst, src ) gdImagePng( im, filename, location ) gdImageGif( im, filename, location ) gdImageWBMP( im, fg, filename, location ) gdImageJpeg( im, filename, location, quality ) gdImageGifAnimBegin( im, filename, location, GlobalCM, Loops ) gdImageGifAnimAdd( im, out, LocalCM, LeftOfs, TopOfs, Delay, Disposal, previm ) gdImageGifAnimEnd( out ) gdImageFilledArc( im, cx, cy, w, h, s, e, color, style ) gdImageArc( im, cx, cy, w, h, s, e, color ) gdImageEllipse( im, cx, cy, w, h, color ) gdImageFilledEllipse( im, cx, cy, w, h, color ) gdImageFillToBorder( im, x, y, border, color ) gdImageFill( im, x, y, color ) gdImageCopy( dst, src, dstX, dstY, srcX, srcY, w, h ) gdImageCopyMerge( dst, src, dstX, dstY, srcX, srcY, w, h, pct ) gdImageCopyMergeGray( dst, src, dstX, dstY, srcX, srcY, w, h, pct ) gdImageCopyResized( dst, src, dstX, dstY, srcX, srcY, dstW, dstH, srcW, srcH ) gdImageCopyResampled( dst, src, dstX, dstY, srcX, srcY, dstW, dstH, srcW, srcH ) gdImageCopyRotated( dst, src, dstX, dstY, srcX, srcY, srcWidth, srcHeight, angle ) gdImageSetBrush( im, brush ) gdImageSetTile( im, tile ) gdImageSetAntiAliased( im, c ) gdImageSetAntiAliasedDontBlend( im, color, dont_blend ) gdImageSetStyle( im, style var, n ) gdImageSetThickness( im, thickness ) gdImageInterlace( im, interlaceArg ) gdImageAlphaBlending( im, alphaBlendingArg ) gdImageSaveAlpha( im, saveAlphaArg ) gdImageCompare( im1, im2 ) gdTrueColor( r, g, b ) gdTrueColorAlpha( r, g, b, a ) gdImageTrueColor( im ) gdImageSX( im ) gdImageSY( im ) gdImageColorsTotal( im ) gdImageRed( im, c ) gdImageGreen( im, c ) gdImageBlue( im, c ) gdImageAlpha( im, c ) gdImageGetTransparent( im ) gdImageGetInterlaced( im ) gdImagePalettePixel( im, x, y ) gdImageTrueColorPixel( im, x, y ) gdImageSquareToCircle( im, radius ) gdImageStringFTCircle( im, cx, cy, radius, textRadius, fillPortion, font, points, top, bottom, fgcolor ) gdImageSharpen( im, pct ) gdClearLastError() gdLastError() API Changes ----------- - mvFile_Resolve has been deprecated as there is no secure way to resolve a path and then separately open it without introducing a race condition that could allow an application to break out of the sandbox. - New functions have been added to access the new system library registry: mvSystemLibrary mvProgram_SystemLibrary( mvProgram program, const char *code ); void *mvSystemLibrary_GetFunction( mvSystemLibrary library, const char *function_name ); const char *mvSystemLibrary_Error( mvProgram program, mvSystemLibrary library, int *error_length ); - The configuration API version has been changed (to 2), and a new function, load_script_config_v2( mvConfig, void **, const char *, mvFile ) now replaces load_script_config. Version 1 configuration libraries that provide load_script_config() will no longer function. Compiler Changes ---------------- - A new compiler option, -O <bytes>, performs basic obfuscation of string constants by splitting them into chunks <bytes> long. After splitting, duplicate chunks are "compressed" (not repeated) when written to the output .mvc file. - A new compiler option, -d, causes the compiler to output pseudo-C code suitable for use with Doxygen for generating automated documentation. - The compiler no longer requires license validation. Other Changes ------------- - Support for the ODBC database connector has been dropped. - MvREFERENCEARRAY now correctly applies its aggregate tags (MvDIMENSION, MvMEMBER) to the variable specified by the VARIABLE attribute, rather than the destination variable specified by NAME. - The MySQL connector library now automatically reestablishes connections that were lost while a long running SQL statement was in progress on a secondary connection. - The MySQL connector library now uses less memory when dealing with resultsets with multiple BLOB columns. - On UNIX, the engine may now be configured to capture and replay requests, for debugging purposes. Two configuration settings control this option: 3.x Configuration: capture_trigger_file=<path> capture_file=<path> Environment Based Configuration: MvCONFIG_CAPTURE_TRIGGER_FILE=<path> MvCONFIG_CAPTURE_FILE=<path> When configured, if the specified trigger file exists, the engine will dump its input state into a file created using the prefix specified by the capture file option. The capture files may then be replayed from the commandline by appending the "-c <file>" parameters. For example: $ /var/www/cgi-bin/mivavm -c /tmp/capture001 - The MySQL connector library now properly calls my_init(), which should resolve most multithreading issues that occured on Windows platforms. - Support for the Authorize.Net commerce library has been dropped. - The <MIVA> tag now supports attribute IDENT, which may be used to add rcs-style ident tags to compiled MivaScript files - Newly created MivaSQL databases now support table and index names up to 64 characters long. - The file management code that maintains the script and data directory sandbox has been completely rewritten to eliminate race conditions and restore proper functionality when handling symbolic links. The existing functionality was broken in v5.03. - Files created by the engine now properly apply umask. - MvLOCALIZED support in previous versions was completely broken. The new version restores the 3.x functionality. Scripts compiled with pre-5.07 compilers which make use of MvLOCALIZED will have to be recompiled using 5.07 in order to function properly. - Network operations which have their own configurable timeouts (MvCALL, MvSMTP, etc...) now use the global timeout if no operation-specific timeout is specified. - Implemented proper timeout handling for MvSMTP and MvCALL. - Network protocols that need to read a line of input at a time (SMTP, POP, HTTP, etc...) now do so much more efficiently. - MakeSessionID() now generates statistically more random session identifiers. - ROUND operations now truly use banker's rounding. In previous versions, a banker's rounding algorithm was applied, but would sometimes fail to produce the expected result due to inaccuracies inherent in floating point numbers. The new system applies correction code for these inaccuracies prior to performing the rounding. - The template compiler has been completely rewritten to fix a large number of parser related bugs. - A new system library registration mechanism has been added. Presently, this mechanism is only used to locate an installation of libgd for the GD builtin functions: Win32: The library registration dialog now supports a "System" library type. 3.x Configuration: <SYSTEM-LIB CODE="GD" LIBRARY="/usr/lib/libgd.so.2.0.35"> Environment Based Configuration: MvCONFIG_SYSTEMLIB_<code>=<path> - Builtin functions have been added implementing all libgd 2.x functionality. - When running under IIS, the engine now properly detects and manages mismatches between an IIS virtual directory path and the configured Miva root directory. - A new DWORD registry setting "maxdocache" allows configuration of the maximum number of MvDO'd files to be cached on Win32. This setting is not exposed through the user interface. - Handling of INFINITY, NaN, and values larger than INT_MAX or smaller than INT_MIN is now uniform between Windows and UNIX platforms. - MvCALL now supports additional METHOD values "OPTIONS", "PUT", "DELETE", "TRACE", and "CONNECT". Data handling for these action values is identical to "RAW".
|