ubercart 6.x-2.8

Security advisory: SA-CONTRIB-2012-064 - Ubercart - Multiple vulnerabilities.

Upgrade notes:

Ensure that only trusted users have roles that have been granted the "administer conditional actions" permission.

Changes since 6.x-2.7:

• Add missing check_plain().
• Rework storage of user supplied passwords during checkout.
• Record unknown status codes returned by PayPal.
• #1503816: PayPal sends inconsistent status codes for 'multi-currency'.
• #1538920: Allow per-line-item tax adjustments.
• #1411148: Reword PayPal Express Checkout landing page options.
• #1460166: Avoid undefined variable in _uc_attribute_alter_form().
• #1465912: Backport credit card data storage rules from D7.
• #1513902: Unused $user parameter in uc_quote_action_get_quote().
• #1512482: Google Checkout taxes only apply to US states.
• Fix formatting on country import page.
• #794412: Allow 'view own orders' permission in uc_order_actions().
• #1511892: Shipping quote jQuery selector for hidden UID form input field should be more specific.
• Fix use of watchdog() and t().
• Bulk attribute tests and associated cleanup.
• Add confirmation page to product attribute reset button.
• Rename uc_attribute_reset() to uc_attribute_node_reset().
• Add bulk attribute update test.
• Clean up bulk attribute code.
• #298395: Let admin push class attribute/option changes out to existing nodes.
• #1483430: Remove dead code from uc_product_form_alter().
• #1376724: Refactor _uc_attribute_alter_form() and add theme function for displaying attribute options with price adjustments/totals.
• #1505276: Notice: Undefined variable: rows in theme_uc_stock_edit_form().
• Backport documentation fixes from D7.
• Fix @see references in documentation.
• #1466658: Undefined index: small_package in uc_shipping_new_package().
• Notice: Undefined variable: output in uc_order_admin().
• Notice: Undefined property: stdClass::$uid in uc_order_admin().
• Notice: Undefined variable: where in uc_order_usearch().
• Some Coder review fixes.
• Backport of patch in issue #1170792 to D6.
• Backport patch from issue #1063722 to D6.
• Just documentation comments.
• #1476930: "Only variables should be passed by reference" on viewing orders with PHP 5.4.
• Code cleanup.
• Minor cleanup to start to bring uc_reports_products() and uc_reports_products_custom() closer together.
• #1459328 by pfournier: uc_roles_revoke() not passing the $silent parameter to uc_roles_delete().
• #1410302: Fix PHP Notice when creating a shipment for an order with no shipping quotes.
• #1235594: Partial fix for Enter key in cart removes product rather than updating quantity in IE.
• #1460782: PHP Notice when no payment modules are enabled.
• Backport PHP notice fix from D7.
• #1430118 by davidarthur: Improve shipping UI by removing unneeded steps.
• Coder review.
• Missed fixing a D7-ism in my backport of issue #556458 to D6.
• #556458: Backport patch in comment #17 to D6.
• #556458: Backport patch in comment #19 to D6.
• #556458: Backport patch in comment #18 to D6.
• #556458: Backport patch in comment #15 to D6.
• Make link to default pickup address more specific.
• #1312954 by sittard, longwave: Add print icon to order actions.
• #556458: Remove 'nowrap' attributes in uc_reports.
• #1404486: Export the field definitions for product classes. Fixes regression when using Features 6.x-1.2.
• #1440700 by jlscott, longwave: Custom checkout messages on order completion not working.
• #1065058 by TR: Fix numerous PHP notices like 'Notice: Undefined variable: conversion in uc_ups_shipping_quote()' when getting UPS shipping quotes. Moved length and weight conversions out of loop and renamed variables so both conversions didn't share the $conversion variable. Changed indenting of the code in section that builds XML so that the left-hand edge of each line of code conforms to standards - but indented the right-hand side of the assignments so the XML tags remain visually nested.
• #1430840 by jerry: Fix PHP notice when parsing UPS response errors.
• Fix some PHP notices in uc_ups
• Use theme_image instead of outputting raw HTML for UPS logo.
• Use theme_image instead of outputting raw HTML for USPS logo.
• #1407246 by sah62: Name change for USPS service.
• #1420116 by jonathan_hunt: Typo in description field for uc_roles_products table schema.
• Fix PHP notices.
• #1399206 by TR: Add pager to custom product reports.
• Merge branch '6.x-2.x' of git.drupal.org:project/ubercart into 6.x-2.x
• Refactor uc_tax_report module to move reporting functions into .admin.inc so they don't get loaded on every page view.
• #1405650: uc_cart_update_6202() fails on PostgreSQL.
• Rename hook_update() for 6.x-2.x version.
• #1345162 by TR: Updated URL for UPS production quotes.
• Avoid cart rebuild for every product in kit.
• #902824: 2Checkout logo is out of date.
• #902824: Visa logo is out of date.
• #815482: Remove outdated PayPal single line item help text.
• #1393970: Unify help text for 'default quantity' field.
• #1393970: Correct help text for 'default quantity' field.
• #1393506: Do not send UTF-8 characters to PayPal.
• Fix update function name.
• #569754 by ryan.davis, longwave, TR: Allow more than 65535 products in cart/order.
• #588746: Add CA predicates (disabled by default) to increment stock when an order is deleted or cancelled.
• #588746: Add CA trigger for order deletion.
• Update some old CIF files to use ISO 3166-1 names. Update USPS mappings to ensure USPS can still get quotes with the ISO 3166-1 names.
• More CIF changes. Updated country names for Libya and Falkland Islands. Updated USPS mapping file to account for these changes.
• Documentation comments.
• Whoops, accidentally committed a work-in-progress. Reverting the change.
• Schema descriptions should not use t().
• #1139338: USPS International quotes don't need to check for presence of zone and postal code in delivery address.
• Correct country names in some CIF files.
• Add additional country mappings for USPS.
• #460644: Backported draggable table rows for payment methods form.
• #1366066: Add hook for altering payment methods.
• #$442190 by longwave, TR: Cart graphic not shown in IE7 or Chrome.
• Minor Coder problems flagged by the testbot.
• #440644: Backported draggable table rows for cart, checkout, and order panes.
• #440644: Backported draggable table rows for shipping quote methods form.
• Backport uc_store hook_requirements() from D7. This will add store status line items into site status report.
• Add uc_store_uc_store_status() to warn if store e-mail address hasn't been set and to notify admin of available country file updates (issue #679250).
• Added missing ISO 3166-2 zones to some old cif files didn't define zones.
• Remove excess newlines from address format.
• The only .cif files that should be using variable_set() instead of uc_set_address_format() are the two that are enabled in uc_store_install(). (USA and CAN).
• Most .cif files that have no zones have a "No zones" comment. Added comment to the few that don't already have it, so these countries with no zones can be easily searched for and identified.
• Coding standards for CSS now demand lowercase hex numbers when specifying colors, which is the exact opposite of what they used to say. Issue #1360790.
• #486242: CyberSource module is not compatible with discount line items.
• #288495: Improve hook_cart_display() documentation.
• #702366: Improve help text for attribute options.
• #1346208: Add missing dependency on uc_store.
• #1252216: 'Continue shopping' does not work if cart redirect is set to .
• #1253734: Sort product SKUs in CA condition.
• #1301216: Ensure UbercartTestHelper is available in cart links tests.
• #1176444: Data too long for column 'comment' in uc_payment_receipts table.
• #958264: Simplify uc_cart_login_update().
• #1137970: Google Checkout JS loaded from http on https sites.
• #1335506: Duplicate entries may be created in uc_product_adjustments.
• Followup to issue #704872: Improve detection of base64 encoded CC data, and add missing encoding calls.
• #1139476: Check correct permission for stock edit link from stock report.
• Remove trailing spaces.
• #1066264: Add option to include authorization only transactions in order balance CA condition.
• #1332130: Duplicate emails when using 2Checkout.
• Backport credit card tests to D6. But testing the credit card form on the checkout page in D6 is problematic because it is loaded via JavaScript, so SimpleTest doesn't see it. Therefore, I had to disable more than half the tests until I can figure out a workaround. The remaining tests are really just tests of the settings and admin pages.
• Minor cleanup of attribute tests.
• Backported the changes to credit card validation and submit handlers from issue #699558.
• Various documentation additions.
• #1328846: Rename 'Isle of Man' for USPS.
• #1127126 by hanoii: Pass $order and $stock variables into drupal_mail() in uc_stock.
• I committed the wrong files. Reverting to fix it.
• #853072: uc_product_get_models() causes memory exhaustion with large # of SKUs.
• #976318: uc_attribute_order_product_alter() may fail if other modules have already iterated over attribute data.
• #789516: Status update selectbox displayed on admin/store/orders/% is not sorted by status weight.
• #1170364: Checkout fails if button labels are altered.
• #976318: Keep attribute option IDs available after checkout.
• Re-add documentation link.
• Fix test gateway hook.
• Backport test_gateway.module changes from 43ca5705 to D6.
• #1318452 by mandreato: Wrong datatype for second argument in uc_store.module on line 2093.
• Add textfield description on Manage classes admin page.
• Rename $arg1 to $order.
• Fix PPH notice in CA admin.
• Another PHP notice fix for uc_usps backported from D7.
• Fix PHP notices in ca, uc_usps, and uc_ups. The latter two are just backports of fixes already in D7.
• Backport cc67f49c to D6 (changes to uc_encryption_class()).
• Spelling errors found with codespell.py
• #641430: Duplicate entry error when saving product kits with no changes.
• Fix E_ALL errors in ca_predicate_meta_form_submit().
• #747756 by Hendry Lee: uc_roles_user_submit adds unnecessary data to $user->data.
• Undefined index: new_role when editing user accounts.
• #449122: Explain why 'hide block if cart is empty' does not work for anonymous users with page caching enabled.
• #1314178: Duplicate entry error when updating stock.
• Fix PHP notice on checkout review if order has no shippable products.
• Fix PHP notice in checkout when credit card module is enabled but not chosen by customer.
• Fix PHP notice when going to checkout page with only non-shippable items in cart.
• Fix PHP notice seen after submitting an order from review page, with GC enabled but not used.
• #992904 by m.stenta, longwave: Attributes admin list page doesn't load with too many attributes.
• #885010 by togosPizza, longwave: Move form for administering a user's file downloads from user/%/edit to user/%/purchased-files.
• #321633 by Alexis Wilke, longwave: Add '#wysiwyg' => FALSE to form elements that should be excluded from WYSIWYG editors.
• There shouldn't be concatenated strings in t().
• Documentation standards fixes for docs/hooks.php
• #1247090 by TR: 'Create an order for this customer link' on admin/store/customers/orders/%uid doesn't do the right thing.