OXID eShop version 4.7.14 (CE + PE) & 5.0.14 (EE)

General hints for this package

  • Runs on PHP 5.4 and PHP 5.3. Might run on PHP 5.2 (no longer tested).

Installation

For installation instructions for this update, please see
http://www.oxid-esales.com/en/support-services/documentation-and-help/oxid-eshop/installation/oxid-eshop-update-installation.html

Templates

Template changes were made in this patch release because of the security improvements mentioned below. Detailed information about the template changes can be found in “templ_docu_azure/index.html” in the package; a tutorial about the template hierarchy and the override system is available here:
http://wiki.oxidforge.org/Tutorials/How_template_hierarchy_and_override_system_works

Fixed Bugs

bugs.oxid-esales.com/changelog_page.php

Features & Improvements

Further improvements to the so-called “black Friday” bug

  • If the shop has a wrong license, the error message shown to customers was changed, and a note for shop owners was added to the admin login page. Visitors of the shop no longer see any message about a license issue, no matter what happened.
  • If the shop temporarily becomes unlicensed, the error message is no longer cached: the sBackTag config option was removed.
  • Error handling was also improved: if the shop cannot connect to the database, it is shown as offline and not as unlicensed.

Important information for developers

Security improvement: Dynamic security token check

The dynamic security token parameter check was expanded to all forms and action URLs performed for a logged-in user. In template forms this dynamic security token parameter is added automatically, together with a hidden session ID form element. Therefore standard or custom forms working with the [{$oViewConf->getHiddenSid()}] template getter do not require any changes.
From this version on, actions submitted via the GET method over a URL require an additional dynamic security token parameter added to the action URL. Such actions are “To wishlist” or “To notice list”, where the action is performed by a visitor clicking on a link instead of submitting a form. In this case the dynamic security token value can be accessed via the [{$oViewConf->getSessionChallengeToken()}] template getter. When updating the templates, the dynamic security token parameter must be added not only for the standard links, but also for any custom action link URLs.

For example, your custom “To wishlist” link should be changed in the following way:
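Below is an added PHP illustration of the token scheme these notes describe (generation, appending the token to an action link, and the server-side check); it is not code from these notes or from OXID, and the parameter name "stoken" and the session key "sess_stoken" are assumptions:

```php
<?php
// Added example, not OXID's own code: a per-session challenge token for
// state-changing GET action links such as "To wishlist", written for PHP 5.3+.
// Assumed names: request parameter "stoken", session key "sess_stoken";
// session_start() must already have been called.

function getSessionChallengeToken()
{
    // Create the token once per session: 16 random bytes as 32 hex characters.
    if (empty($_SESSION['sess_stoken'])) {
        $raw = function_exists('openssl_random_pseudo_bytes')
            ? openssl_random_pseudo_bytes(16)
            : pack('H*', md5(uniqid(mt_rand(), true))); // weaker fallback
        $_SESSION['sess_stoken'] = bin2hex($raw);
    }
    return $_SESSION['sess_stoken'];
}

function constantTimeEquals($known, $given)
{
    // hash_equals() only exists from PHP 5.6; this loop does not leak the
    // position of the first mismatching byte through its running time.
    if (strlen($known) !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

function buildActionUrl($baseUrl, array $params)
{
    // Link equivalent of the hidden sid and token a template form carries.
    $params['sid']    = session_id();
    $params['stoken'] = getSessionChallengeToken();
    return $baseUrl . '?' . http_build_query($params);
}

function checkSessionChallenge(array $request)
{
    // Refuse the action unless the URL token matches the session's token.
    if (!isset($request['stoken']) || !is_string($request['stoken'])) {
        return false;
    }
    return constantTimeEquals(getSessionChallengeToken(), $request['stoken']);
}
// Usage (illustrative parameters): $url = buildActionUrl('index.php', array('fnc' => 'towishlist'));
// On the action request: if (!checkSessionChallenge($_GET)) { header('HTTP/1.0 403 Forbidden'); exit; }
```

A link built without the token (or with a stale one from another session) fails the check, which is exactly the case the template change above exists to prevent.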

Security improvement: changed the password encryption

As you might know, the cryptographic hash function MD5 plus an additional salt was used to hash the user passwords in OXID eShop. MD5 has become outdated, and for this reason the security of a shop using it will not be certified. We decided to replace MD5 with the more modern cryptographic hash function SHA-2. Additionally, the way the salt is created was changed slightly.

No fear: your users will still be able to log in, as long as your update ran through properly: the password is checked with both the old and the new method, and the user is logged in if the hash matches under either of them. There’s no need to ask your users to renew their passwords.

Changed method processUrl()

While fixing bug #05809, the method oxUtilsUrl::processUrl() was changed. It now checks whether an external URL is passed and, if so, does not add parameters (such as session and language) to it.

Encoding of captcha code

The encoding of the captcha code was changed; ROT13 is no longer used. The new classes oxEncryptor and oxDecryptor were created for encrypting and decrypting the captcha code.

Full list of changes