security-patch-2007-10-29.tgz

 
  #61  
Old 11-10-2007, 11:36 AM
 
digiemp digiemp is offline
 

Senior Member
  
Join Date: Aug 2007
Posts: 192
 

Default Re: security-patch-2007-10-29.tgz

So if I added everything for my version, since the email told me to add everything, is it going to slow my site down? I now see that some things like magnifier and RMA were not needed if I didn't already have them installed. I probably should have come here first but I decided to back up everything and then replace everything (even if it didn't exist previously) like the good robot I am.

I don't have a lot of mods but everything seems to be working fine. Or at least as good as it was.

Thanks,
__________________
version 4.4.2
Reply With Quote
  #62  
Old 11-10-2007, 11:47 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: security-patch-2007-10-29.tgz

I would suggest to anyone reading this post that you DO NOT attempt to patch your carts using the current patch/files. Wait until next week when X-Cart (hopefully) releases a revised set of patch files.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
Reply With Quote
  #63  
Old 11-10-2007, 11:48 AM
 
donmck donmck is offline
 

Senior Member
  
Join Date: Dec 2005
Location: Australia
Posts: 137
 

Default Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by digiemp
So if I added everything for my version, since the email told me to add everything, is it going to slow my site down? I now see that some things like magnifier and RMA were not needed if I didn't already have them installed. I probably should have come here first but I decided to back up everything and then replace everything (even if it didn't exist previously) like the good robot I am.

I don't have a lot of mods but everything seems to be working fine. Or at least as good as it was.

Thanks,

No, extra files for mods that you don't have won't slow your site.

Considering your level of knowledge, I think I would be waiting for the new diff files.

X-cart said they will come up with a working set this week.
I just found an interesting free diffmerge program, that operates using 3 file windows. I may play with that until the new diff files appear.

Trouble is, any new program always takes a couple of hours to get into it.

Cheers Don...
__________________
Don McKenzie

http://www.dontronics-shop.com/
X-Cart 4.0.17 [Unix]

█ Hosting by www.totalserversolutions.com The very best home for your X-Cart. (was ewdhosting.com)
Reply With Quote
  #64  
Old 11-10-2007, 11:52 AM
 
geckoday geckoday is offline
 

X-Wizard
  
Join Date: Aug 2005
Posts: 1,073
 

Default Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by digiemp
So if I added everything for my version, since the email told me to add everything, is it going to slow my site down? I now see that some things like magnifier and RMA were not needed if I didn't already have them installed. I probably should have come here first but I decided to back up everything and then replace everything (even if it didn't exist previously) like the good robot I am.

I don't have a lot of mods but everything seems to be working fine. Or at least as good as it was.

Thanks,

It won't hurt to add the extra files for addon modules you don't have and it won't slow anything down. X-Cart checks to see if the modules are turned on in the admin first before including the module files so they will just sit there and never be used.

And for those contemplating the upgrade to 4.1.9 instead of applying the patch: you should read the thread on upgrading to 4.1.9 before deciding to try it. It doesn't sound pretty - definitely not something I would jump into this close to the holiday selling season.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
Reply With Quote
  #65  
Old 11-10-2007, 10:58 PM
 
donmck donmck is offline
 

Senior Member
  
Join Date: Dec 2005
Location: Australia
Posts: 137
 

Default Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by donmck
I just found an interesting free diffmerge program, that operates using 3 file windows. I may play with that until the new diff files appear.

Trouble is, any new program always takes a couple of hours to get into it.

Well as it turned out it didn't.
Program is SourceGear DiffMerge.
Firstly, I backed up func.php

I placed the new file in the left window, my current file in the right window, and with 3 navigation arrows, went through the file doing the changes, patch by patch. In fact, I did it about 6 times just for the practice to make sure it appeared OK, and that I was satisfied.

It didn't take an hour, including the 6 dry runs and the learning curve.

I uploaded the newly created file, tested it as best I could, no errors, so if you don't hear back from me on this one, I got it right.

My cart is heavily modded, and most of it was done by x-cart.

Cheers Don...
__________________
Don McKenzie

http://www.dontronics-shop.com/
X-Cart 4.0.17 [Unix]

█ Hosting by www.totalserversolutions.com The very best home for your X-Cart. (was ewdhosting.com)
Reply With Quote
  #66  
Old 11-11-2007, 10:58 PM
 
ironmansp ironmansp is offline
 

Member
  
Join Date: Nov 2007
Posts: 24
 

Default Re: security-patch-2007-10-29.tgz

This was the main reason I suggest an extra mod manager. With this extra mod manager, you should be able to uninstall your modifications and leave the soft as fresh install version, apply the security or upgrade patch and reinstall the extra managers in order to see if the extra mod changes something important and they are compatible with the new version or not. Actually, with these "changes" we should patch every shop manually wasting several hours. If the extra mod does not work ok with the new release we decide to use the old version with the mod or the new with the patch, but it is our decision.

This is my opinion as developer, sorry to be a little hard, but I hope that our shops are the first. I expect that Qualiteam gets ideas for this situation in order to not to repeat, and implement a method with quality tests.
__________________
Xcart in Spain
4.1.9
Reply With Quote
  #67  
Old 11-11-2007, 11:07 PM
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,125
 

Exclamation Re: security-patch-2007-10-29.tgz

Hello Everyone,

Quote:
Originally Posted by balinor
I would suggest to anyone reading this post that you DO NOT attempt to patch your carts using the current patch/files. Wait until next week when X-Cart (hopefully) releases a revised set of patch files.

First of all I must admit that we were in a hurry with making the .DIFF files and it was the reason for the situation we can see now.

I am sorry for the situation and troubles it caused.

We are going to publish the improved patch with corrected .DIFF files and some explanations within the next few days. I understand that this is not really fast, but we have already been in a hurry with this once and now all of us (Qt and the community) can see the results. Since so many X-Cart versions are affected we need to be careful. At the moment the improved version of the patch is being tested by our Software QA dept. Once they approve it we'll make an announcement here and in your HelpDesk accounts.

Thank you for your patience.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
Reply With Quote
  #68  
Old 11-13-2007, 06:40 AM
 
kevinperson kevinperson is offline
 

eXpert
  
Join Date: May 2007
Posts: 201
 

Default Re: security-patch-2007-10-29.tgz

Hey gang,

I just paid the X-Cart team to install the security-patch-2007-06-20.tgz for me, and I just wanted to know can someone please explain to me just what exactly this patch does? What is it for? I'm a novice to all of this and I'd like to understand what the purpose was for. Is it supposed to help protect X-Cart from hackers?

Thanks a lot!
Kevin
__________________
X-Cart
Business 5.3.3.4
The House of Mysterious Secrets
Reply With Quote
  #69  
Old 11-13-2007, 06:46 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: security-patch-2007-10-29.tgz

Yes, it fixes a possible exploit.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
Reply With Quote
  #70  
Old 11-13-2007, 07:05 AM
 
geckoday geckoday is offline
 

X-Wizard
  
Join Date: Aug 2005
Posts: 1,073
 

Default Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by kevinperson
Hey gang,

I just paid the X-Cart team to install the security-patch-2007-06-20.tgz for me, and I just wanted to know can someone please explain to me just what exactly this patch does? What is it for? I'm a novice to all of this and I'd like to understand what the purpose was for. Is it supposed to help protect X-Cart from hackers?

Thanks a lot!
Kevin

Yes, it is to help prevent against hackers. Input from the browser is often used in SQL statements to access the database. Hackers try specially crafted input using special characters (such as quotes) followed by their own SQL so that when put into an SQL statement in the program it terminates the intended SQL statement and runs theirs instead returning whatever information they want from the database. Programs must carefully validate input from the browser and/or escape it (convert special characters into things like \') to prevent this hijacking of SQL. X-Cart is fixing some specific instances where escaping isn't done when using browser input in SQL statements. They also added some generic system wide changes to minimize the possibility of such hacks being successful.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
Reply With Quote
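
The contrast described in post #70, as an added example that is not part of the thread and is not X-Cart's code: it uses Python with an in-memory SQLite table rather than X-Cart's PHP and MySQL, and the table, columns and sample input are constructed for illustration. It shows the same input handled unescaped, escaped, bound as a parameter, and validated; SQLite escapes a quote by doubling it rather than with a backslash.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; not X-Cart's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (login TEXT, email TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db

def lookup_concatenated(db, login):
    # Unescaped: a quote in the input ends the string literal early and
    # whatever follows is parsed as SQL.
    sql = "SELECT email FROM customers WHERE login = '" + login + "'"
    return sql, [row[0] for row in db.execute(sql)]

def lookup_escaped(db, login):
    # Escaped: SQLite doubles the quote ('') where MySQL-style code writes \'.
    sql = "SELECT email FROM customers WHERE login = '" + login.replace("'", "''") + "'"
    return sql, [row[0] for row in db.execute(sql)]

def lookup_bound(db, login):
    # Bound parameter: the value is sent separately from the SQL text.
    cur = db.execute("SELECT email FROM customers WHERE login = ?", (login,))
    return [row[0] for row in cur]

def validate_login(login):
    # Validation: allow only characters a login is expected to contain.
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", login) is not None

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing quotes
    for name, value in (("normal", "alice"), ("crafted", crafted)):
        print(name, "input, valid:", validate_login(value))
        print("  concatenated:", *lookup_concatenated(db, value))
        print("  escaped:     ", *lookup_escaped(db, value))
        print("  bound:       ", lookup_bound(db, value))
```

With the crafted input, only the concatenated lookup returns rows it was never meant to return; the escaped and bound lookups treat the whole input as a login name that matches nothing.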
All times are GMT -8.