Updatepaket vom 02.12.2016

ANLEITUNG/index.html

@@ -59,7 +59,7 @@ <h1>Willkommen bei der deutschen Zen Cart Version 1.5.5</h1>
 <em>Das Team der deutschen Zen Cart Version</em></p>
 <hr />
 <span class="small">
-Die deutsche Zen Cart Version 1.5.5 ist eine Modifikation der amerikanischen Zen Cart Version 1.5.5a von <a href="http://www.zen-cart.com" target="_blank">zen-cart.com</a>.<br/>
+Die deutsche Zen Cart Version 1.5.5 ist eine Modifikation der amerikanischen Zen Cart Version 1.5.5b von <a href="http://www.zen-cart.com" target="_blank">zen-cart.com</a>.<br/>
 <br/>
 Dieses Programm wird in der Hoffnung vertrieben, dass es nützlich ist, allerdings OHNE IRGENDWELCHE GARANTIEN; ohne  die  Garantie der MARKTGÄNGIGKEIT oder der EIGNUNG ZU EINEM BESTIMMTEN ZWECK
 und wird vertrieben unter der GNU General Public License </span>
@@ -143,7 +143,7 @@ <h1>Neue Funktionen gegenüber 1.5.4</h1>
 </ul>
 
 <p>
-  Folgende Neuerungen und Bugfixes wurden aus der amerikanischen 1.5.5a Version  übernommen:</p>
+  Folgende Neuerungen und Bugfixes wurden aus der amerikanischen 1.5.5b Version  übernommen:</p>
 <ul>
   <li>All known v1.5.4 bugfixes and security fixes are included in v1.5.5,   including tighter control around XSS as well as clickjacking</li>
   <li>Template: The default out-of-the-box template (called "Responsive   Classic") is now a mobile-friendly responsive-design theme built for   flexibility with tablets, mobile devices, and desktops.</li>
@@ -936,7 +936,7 @@ <h1>Vorinstallierte Erweiterungen</h1>
   Die Rechtstexte für AGB, Impressum, Datenschutz und Widerrufsbelehrung können nun für Kunden der IT Recht Kanzlei automatisch aktualisiert werden.<br>
   <a href="addons/it-recht-kanzlei/index.html"><strong>Ausführliche Infos zur Konfiguration des Moduls IT Recht Kanzlei</strong></a></p>
 <p><strong>pdf Rechnung</strong><br>
-Die Rechtstexte für AGB, Impressum, Datenschutz und Widerrufsbelehrung können nun automatisch aktualisiert werden.<br>
+Im Adminbereich kann in der Bestellübersicht auf Knopfdruck eine Rechnung im pdf-Format erzeugt werden. Diese Rechnung kann optional auch gleich bei der Bestellung oder bei Bestellstausänderungen mitgemailt werden und steht dem Kunden auch später in seiner Bestellhistorie zum Download zur Verfügung. Es können auch AGB und Widerrufsrecht als pdf Anhänge mitgemailt werden.<br>
 <a href="addons/pdf-rechnung/index.html"><strong>Ausführliche Infos zur Konfiguration des Moduls pdf Rechnung</strong></a></p>
 <p><strong>MailBeez</strong><br>
 MailBeez ist ein Aftersales Email Marketing Tool für Zen Cart.<br>

README.md

@@ -73,4 +73,4 @@ Zen Cart 1.5.5 deutsch ermöglicht den Einsatz von Zen Cart unter PHP 7 und brin
 * pdf Rechnung integriert
 * Bei Bestellungen können die Adressdaten korrigiert werden
 
-Alle Neuerungen und Bugfixes aus der amerikanischen 1.5.5a Version wurden ebenfalls übernommen
+Alle Neuerungen und Bugfixes aus der amerikanischen 1.5.5b Version wurden ebenfalls übernommen

TOOLS/extras/curltester.php

@@ -7,9 +7,9 @@
  *   i=1 -- in conjunction with [d] or [r], will show the detailed curlinfo certificate data from the host being connected to. Helpful for advanced debugging.
  *
  * @package utilities
- * @copyright Copyright 2003-2015 Zen Cart Development Team
+ * @copyright Copyright 2003-2016 Zen Cart Development Team
  * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
- * @version GIT: $Id: Author: DrByte  Modified in v1.5.5 $
+ * @version $Id: Author: DrByte  Wed Mar 16 16:12:21 2016 -0500 Modified in v1.5.5 $
  */
 // no caching
 header('Cache-Control: no-cache, no-store, must-revalidate');
@@ -55,18 +55,18 @@
 doCurlTest('http://www.ups.com/using/services/rave/qcostcgi.cgi');
 dofsockTest('www.ups.com', 80);
 
-echo 'Connecting to UPSXML (SSL) (wwwcie.ups.com) ...<br>';
-doCurlTest('https://wwwcie.ups.com/ups.app/xml/Rate');
-
-echo 'Connecting to UPSXML (SSL) (www.ups.com) ...<br>';
-doCurlTest('https://www.ups.com/ups.app/xml/Rate');
-
-echo 'Connecting to UPSXML (SSL) (onlinetools.ups.com) ...<br>';
+echo 'Connecting to UPSXML (onlinetools.ups.com) ...<br>';
 doCurlTest('https://onlinetools.ups.com/ups.app/xml/Rate');
 
+echo 'Connecting to UPSXML (sandbox) ...<br>';
+doCurlTest('https://wwwcie.ups.com/ups.app/xml/Rate');
+
 echo 'Connecting to FedEx (port 80)...<br>';
 dofsockTest('fedex.com', 80);
 
+echo 'Connecting to Canada Post REST API (SSL) ...<br>';
+doCurlTest('https://ct.soa-gw.canadapost.ca/rs/ship/price');
+
 echo 'Connecting to PayPal IPN (port 443)...<br>';
 dofsockTest('www.paypal.com', 443);
 doCurlTest('https://www.paypal.com/cgi-bin/webscr');
@@ -89,11 +89,6 @@
 echo 'Connecting to PayPal Express/Pro Sandbox ...<br>';
 doCurlTest('https://api-3t.sandbox.paypal.com/nvp');
 
-if (time() < mktime(0, 0, 0, 3, 1, 2016)) {
-  echo 'Connecting to PayPal SECURITY ENDPOINT 2016 Sandbox ...<br>';
-  doCurlTest('https://test-api-3t.sandbox.paypal.com/nvp');
-}
-
 echo 'Connecting to PayPal Payflowpro Server ...<br>';
 doCurlTest('https://payflowpro.paypal.com/transaction');
 
@@ -115,6 +110,12 @@
 echo 'Connecting to Payeezy Sandbox Server...<br>';
 doCurlTest('https://api-cert.payeezy.com/v1/transactions');
 
+echo 'Connecting to Elavon Server...<br>';
+doCurlTest('https://www.myvirtualmerchant.com/VirtualMerchant/process.do');
+
+echo 'Connecting to Elavon Sandbox Server...<br>';
+doCurlTest('https://demo.myvirtualmerchant.com/VirtualMerchantDemo/process.do');
+
 ?>
 
 <em>Testing completed. See results above.</em>
@@ -153,17 +154,28 @@ function doCurlTest($url = 'http://s3.amazonaws.com/zencart-curltest/endpoint',
   curl_setopt($ch, CURLOPT_FRESH_CONNECT, TRUE);
   curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
   curl_setopt($ch, CURLOPT_MAXREDIRS, 10);
-  curl_setopt($ch, CURLOPT_USERAGENT, 'Zen Cart(tm) - CURL TEST');
+  curl_setopt($ch, CURLOPT_USERAGENT, 'Zen Cart(tm) - CURL TEST v155');
 
   if (isset($_GET['i'])) curl_setopt($ch, CURLOPT_CERTINFO, TRUE);
 
-//  curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+//  curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); // not directly implemented here, because it is more future-proof and therefore generally more secure to allow Curl to autonegotiate the best mutually-supported protocol, by not specifying CURLOPT_SSLVERSION at all.
+
 //  curl_setopt($ch, CURLOPT_CAINFO, '/local/path/to/cacert.pem'); // for offline testing, this file can be obtained from http://curl.haxx.se/docs/caextract.html ... should never be used in production!
 
 
   $result = curl_exec($ch);
   $errtext = curl_error($ch);
   $errnum = curl_errno($ch);
+  // check for curl TLS version problem, and resubmit  (common with outdated hosts like HostGator)
+  if (in_array($errnum, array(35))) {
+    echo $errorMessage . $errnum . ': ' . $errtext;
+    echo '<br><p style="color:red;"><strong>Error 35 often means that the TLS/SSL connection capabilities of your server are outdated and your server administrator is behind schedule applying security updates, thus preventing the ability to connect to 3rd-party services using more modern security for communications.</strong></p>';
+    echo 'Testing again with less security...<br>';
+    curl_setopt($ch, CURLOPT_SSLVERSION, 6); // Using the defined value of 6 instead of CURL_SSLVERSION_TLSv1_2 since these outdated hosts also don't properly implement this constant either.
+    $result = curl_exec($ch);
+    $errtext = curl_error($ch);
+    $errnum = curl_errno($ch);
+  }
   // check for common certificate errors, and resubmit
   if (in_array($errnum, array(60,61))) {
     echo $errorMessage . $errnum . ': ' . $errtext;

TOOLS/extras/paypal_tlstest.php

@@ -9,7 +9,7 @@
  * @package utilities
  * @copyright Copyright 2003-2016 Zen Cart Development Team
  * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
- * @version $Id: Author: DrByte  Wed Dec 30 18:38:35 2015 -0500 New in v1.5.5 $
+ * @version $Id: Author: DrByte  Wed Mar 16 16:12:21 2016 -0500  New in v1.5.5 $
  */
 // don't show error messages to browser
 ini_set('display_errors', 0);
@@ -38,11 +38,21 @@
 $errtext = curl_error($ch);
 $errnum = curl_errno($ch);
 $commInfo = @curl_getinfo($ch);
-curl_close ($ch);
 
 if (isset($commInfo['url'])) $commInfo['url'] = '"' . $commInfo['url'] . '"';
 
 // Handle results
+if ($errnum == 35) {
+  echo '<p style="color:red;font-weight: bold;">Error 35 - Your server does not yet support proper auto-negotiation of secure communications protocols. We will try again by downgrading the communications parameters. This means your server administrator still needs to apply some updates to make your server fully compatible with modern security standards.</p><br><br>';
+  echo 'Trying again with lesser security:<br><br>';
+  curl_setopt($ch, CURLOPT_SSLVERSION, 6); // Using the defined value of 6 instead of CURL_SSLVERSION_TLSv1_2 since these outdated hosts also don't properly implement this constant either.
+  $result = curl_exec($ch);
+  $errtext = curl_error($ch);
+  $errnum = curl_errno($ch);
+  $commInfo = @curl_getinfo($ch);
+}
+curl_close ($ch);
+
 if ($errnum != 0) {
   echo 'Error: ' . $errnum . ': ' . $errtext . '<br><br>';
 } else {

UPLOAD/admin/includes/application_top.php

@@ -4,7 +4,7 @@
  * @copyright Copyright 2003-2016 Zen Cart Development Team
  * @copyright Portions Copyright 2003 osCommerce
  * @license http://www.zen-cart-pro.at/license/2_0.txt GNU Public License V2.0
- * @version $Id: application_top.php 803 2015-12-21 19:47:36Z webchills $
+ * @version $Id: application_top.php 804 2016-11-03 08:47:36Z webchills $
  */
 /**
  * File contains just application_top code
@@ -49,7 +49,7 @@
 if (version_compare(PHP_VERSION, 5.3, '<') && function_exists('set_magic_quotes_runtime')) set_magic_quotes_runtime(0);
 if (version_compare(PHP_VERSION, 5.4, '<') && @ini_get('magic_quotes_sybase') != 0) @ini_set('magic_quotes_sybase', 0);
 // set php_self in the local scope
-if (!isset($PHP_SELF)) $PHP_SELF = $_SERVER['PHP_SELF'];
+if (!isset($PHP_SELF)) $PHP_SELF = $_SERVER['SCRIPT_NAME'];
 $PHP_SELF = htmlspecialchars($PHP_SELF);
 // Suppress html from error messages
 @ini_set("html_errors","0");

UPLOAD/admin/includes/ckeditor.php

@@ -4,7 +4,7 @@
  * @copyright Copyright 2010 Kuroi Web Design
  * @copyright Portions Copyright 2003-2016 Zen Cart Development Team
  * @license http://www.zen-cart-pro.at/license/2_0.txt GNU Public License V2.0
- * @version $Id: ckeditor.php 283 2016-06-04 08:09:32Z webchills $
+ * @version $Id: ckeditor.php 284 2016-11-03 08:05:32Z webchills $
  */
 if (!defined('IS_ADMIN_FLAG')) {
   die('Illegal Access');
@@ -17,7 +17,8 @@
   $jsLanguageLookupArray .= "  lang[" . $key['id'] . "] = '" . $key['code'] . "';\n";
 }
 ?>
-<script type="text/javascript" src="../<?php echo DIR_WS_EDITORS ?>ckeditor/jquery-1.12.4.min.js"></script>
+<script src="https://code.jquery.com/jquery-1.12.4.min.js" integrity="sha256-ZosEbRLbNQzLpnKIkEdrPv7lOy9C27hHQ+Xp8a4MxAQ=" crossorigin="anonymous"></script>
+<script>window.jQuery || document.write('<script src="includes/javascript/jquery-1.12.4.min.js"><\/script>');</script>
 <script type="text/javascript" src="../<?php echo DIR_WS_EDITORS ?>ckeditor/ckeditor.js"></script>
 <script type="text/javascript"><!--
 $(document).ready(function() {

UPLOAD/admin/includes/classes/AdminRequestSanitizer.php

@@ -4,7 +4,7 @@
  * @copyright Copyright 2003-2016 Zen Cart Development Team
  * @copyright Portions Copyright 2003 osCommerce
  * @license http://www.zen-cart-pro.at/license/2_0.txt GNU Public License V2.0
- * @version $Id: AdminRequestSanitizer.php 4 2016-05-08 09:49:16Z webchills $
+ * @version $Id: AdminRequestSanitizer.php 5 2016-11-03 08:49:16Z webchills $
  */
 
 /**
@@ -28,7 +28,6 @@ class AdminRequestSanitizer extends base
      * @var
      */
     private $adminSanitizerTypes;
-
     /**
      * @var bool
      */
@@ -575,10 +574,11 @@ private function filterProductNameDeepRegex($parameterName)
      */
     private function filterStrictSanitizeValues()
     {
+        $this->addParamsToIgnore('STRICT_SANITIZE_VALUES');
         $postToIgnore = $this->getPostKeysAlreadySanitized();
         $getToIgnore = $this->getGetKeysAlreadySanitized();
-        $this->traverseStrictSanitize($_POST, $postToIgnore);
-        $this->traverseStrictSanitize($_GET, $getToIgnore);
+        $this->traverseStrictSanitize($_POST, $postToIgnore, false, 'post');
+        $this->traverseStrictSanitize($_GET, $getToIgnore, false, 'get');
     }
 
     /**
@@ -587,24 +587,56 @@ private function filterStrictSanitizeValues()
      * @param bool|false $inner
      * @return mixed
      */
-    private function traverseStrictSanitize(&$item, $ignore, $inner = false)
+    private function traverseStrictSanitize(&$item, $ignore, $inner, $type)
     {
         foreach ($item as $k => $v) {
             if ($inner || (!$inner && !in_array($k, $ignore))) {
                 if (is_array($v)) {
-                    $item[$k] = $this->traverseStrictSanitize($v, $ignore, true);
+                    $item[$k] = $this->traverseStrictSanitize($v, $ignore, true, $type);
                 } else {
                     $this->debugMessages[] = 'PROCESSING STRICT_SANITIZE_VALUES == ' . $k;
                     $item[$k] = htmlspecialchars($item[$k]);
                 }
             }
             if (!$inner) {
-                $this->postKeysAlreadySanitized[] = $k;
+                if ($type == 'post') {
+                    if (!in_array($k, $this->postKeysAlreadySanitized)) {
+                        $this->postKeysAlreadySanitized[] = $k;
+                    }
+                }
+                if ($type == 'get') {
+                    if (!in_array($k, $this->getKeysAlreadySanitized)) {
+                        $this->getKeysAlreadySanitized[] = $k;
+                    }
+                }
             }
         }
         return $item;
     }
 
+    /**
+     * @param $group
+     */
+    private function addParamsToIgnore($group)
+    {
+        foreach ($this->requestParameterList as $key => $details) {
+            foreach ($details as $detail) {
+                if ($detail['sanitizerType'] == $group) {
+                    if ($detail['method'] == 'both') {
+                        $this->addKeyAlreadySanitized('post', $key);
+                        $this->addKeyAlreadySanitized('get', $key);
+                    }
+                    if ($detail['method'] == 'get') {
+                        $this->addKeyAlreadySanitized('get', $key);
+                    }
+                    if ($detail['method'] == 'post') {
+                        $this->addKeyAlreadySanitized('post', $key);
+                    }
+                }
+            }
+        }
+    }
+
     /**
      *
      */
@@ -626,6 +658,20 @@ private function filterStrictSanitizeKeys()
         }
     }
 
+    /**
+     * @param $type
+     * @param $key
+     */
+    private function addKeyAlreadySanitized($type, $key)
+    {
+        if ($type == 'post' && !in_array($key, $this->postKeysAlreadySanitized)) {
+            $this->postKeysAlreadySanitized[] = $key;
+        }
+        if ($type == 'get' && !in_array($key, $this->getKeysAlreadySanitized)) {
+            $this->getKeysAlreadySanitized[] = $key;
+        }
+    }
+
     /**
      * @param array $errorMessages
      */

UPLOAD/admin/includes/extra_configures/enable_error_logging.php

@@ -10,7 +10,7 @@
  * @package debug
  * @copyright Copyright 2003-2016 Zen Cart Development Team
  * @license http://www.zen-cart-pro.at/license/2_0.txt GNU Public License V2.0
- * @version $Id: enable_error_logging.php 789 2016-07-29 18:13:51Z webchills $
+ * @version $Id: enable_error_logging.php 790 2016-11-03 08:13:51Z webchills $
  */
 
 function zen_debug_error_handler ($errno, $errstr, $errfile, $errline) {

UPLOAD/admin/includes/header_navigation.php

@@ -4,7 +4,7 @@
  * @copyright Copyright 2003-2016 Zen Cart Development Team
  * @copyright Portions Copyright 2003 osCommerce
  * @license http://www.zen-cart-pro.at/license/2_0.txt GNU Public License V2.0
- * @version $Id: header_navigation.php 731 2016-03-27 19:49:16Z webchills $
+ * @version $Id: header_navigation.php 732 2016-11-03 08:49:16Z webchills $
  */
 
 if (!defined('IS_ADMIN_FLAG')) die('Illegal Access');
@@ -36,6 +36,7 @@
           <?php } ?>
           <li class="upperMenuItems"><a href="<?php echo zen_href_link(FILENAME_DEFAULT, '', 'NONSSL'); ?>" class="headerLink"><?php echo HEADER_TITLE_TOP; ?></a></li>
           <li class="upperMenuItems"><a href="<?php echo zen_catalog_href_link(FILENAME_DEFAULT); ?>" class="headerLink" target="_blank"><?php echo HEADER_TITLE_ONLINE_CATALOG; ?></a></li>
+          <li class="upperMenuItems"><a href="https://www.zen-cart-pro.at" class="headerLink" target="_blank" class="headerLink"><?php echo HEADER_TITLE_SUPPORT_SITE; ?></a></li>
           <li class="upperMenuItems"><a href="<?php echo zen_href_link(FILENAME_SERVER_INFO, '', 'NONSSL'); ?>" class="headerLink"><?php echo HEADER_TITLE_VERSION; ?></a></li>
           <li class="upperMenuItems"><a href="<?php echo zen_href_link(FILENAME_ADMIN_ACCOUNT, '', 'NONSSL'); ?>" class="headerLink"><?php echo HEADER_TITLE_ACCOUNT; ?></a></li>
           <li class="upperMenuItems"><a href="<?php echo zen_href_link(FILENAME_LOGOFF, '', 'NONSSL'); ?>" class="headerLink"><?php echo HEADER_TITLE_LOGOFF; ?></a></li>

UPLOAD/admin/includes/init_includes/init_sanitize.php

@@ -5,11 +5,11 @@
  * @package initSystem
  * @copyright Copyright 2003-2016 Zen Cart Development Team
  * @license http://www.zen-cart-pro.at/license/2_0.txt GNU Public License V2.0
- * @version $Id: init_sanitize.php 736 2016-08-14 09:49:16Z webchills $
+ * @version $Id: init_sanitize.php 738 2016-11-03 08:03:16Z webchills $
  */
 
 if (!defined('DO_STRICT_SANITIZATION')) {
-    DEFINE('DO_STRICT_SANITIZATION', true);
+    DEFINE('DO_STRICT_SANITIZATION', false);
 }
 
 if (!defined('DO_DEBUG_SANITIZATION')) {
@@ -182,7 +182,6 @@
 
 $group = array(
     'handler',
-    'type_name',
     'action',
     'product_attribute_is_free',
     'attributes_default',
@@ -196,7 +195,8 @@
 );
 $sanitizer->addSimpleSanitization('ALPHANUM_DASH_UNDERSCORE', $group);
 
-$group = array('title', 'coupon_name', 'banners_title', 'coupon_code', 'group_name', 'geo_zone_name', 'geo_zone_description',
+$group = array('pages_title', 'page_params', 'music_genre_name', 'artists_name', 'record_company_name', 'countries_name', 'name', 'type_name', 'manufacturers_name',
+               'title', 'coupon_name', 'banners_title', 'coupon_code', 'group_name', 'geo_zone_name', 'geo_zone_description',
                'tax_class_description', 'tax_class_title', 'tax_description', 'entry_company', 'customers_firstname',
                'customers_lastname', 'entry_street_address', 'entry_suburb', 'entry_city', 'entry_state', 'customers_referral',
                'symbol_left', 'symbol_right');
@@ -220,7 +220,7 @@
 $group = array('coupon_min_order');
 $sanitizer->addSimpleSanitization('CURRENCY_VALUE_REGEX', $group);
 
-$group = array('products_name', 'orders_status_name', 'configuration');
+$group = array('categories_name', 'products_name', 'orders_status_name', 'configuration');
 $sanitizer->addSimpleSanitization('PRODUCT_NAME_DEEP_REGEX', $group);
 
 $group = array('configuration_value', 'configuration_key', 'search', 'query_string');
@@ -229,4 +229,6 @@
 $group = array();
 $sanitizer->addSimpleSanitization('STRICT_SANITIZE_KEYS', $group);
 
+$group = array('products_name' => array('sanitizerType' => 'WORDS_AND_SYMBOLS_REGEX', 'method' => 'post', 'pages' => array('reviews')));
+$sanitizer->addComplexSanitization($group);
 $sanitizer->runSanitizers();