Post by Daniel » Sun Apr 04, 2010 2:15 am

I have just had to re-upload 1.4.6. Someone messaged me saying there was a vulnerability in the dompdf library I included in the last few OC releases.

To fix the problem on your own store, just go to your system/helper/dompdf folder and delete it. It's not being used by OC. It was for creating PDF invoices, but I have not implemented this feature yet.

Download:
http://opencart.googlecode.com/files/op ... v1.4.6.zip
Last edited by Daniel on Sun Apr 04, 2010 9:48 am, edited 4 times in total.
Reason: Split from the OpenCart 1.4.6 release topic.

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by Adrian3008 » Sun Apr 04, 2010 7:11 am

Thank you Daniel for your hard work.

Post by HKOCH » Sun Apr 04, 2010 8:27 am

Thanks Daniel

For your quality consciousness

Post by readyman » Sun Apr 04, 2010 12:37 pm

Does this go for all previous versions that have dompdf as well?

http://www.alreadymade.com
Follow me on twitter.com/alreadymade


User avatar
Global Moderator

Posts

Joined
Wed May 20, 2009 5:16 am
Location - Sydney

Post by japanees » Sun Apr 04, 2010 12:57 pm

Hi guys,

We are currently spending a lot of money on custom mods for OpenCart and use 1.4.4.
Does this new version allow us to use these mods on the new 1.4.6?

We also just bought a new custom skin based on 1.4.4. Will this work with 1.4.6?

What is the release schedule for this project?

Post by readyman » Sun Apr 04, 2010 1:18 pm

Your question is too open-ended; there is no way to give you a specific answer on whether a custom mod or a custom template designed for 1.4.4 is going to work in 1.4.6, especially without any code examples.
The fortunate thing for you is that they are not so different that it is not fixable - it will probably only generate a few errors that require moving variables to another file or adjusting the code a little to accommodate the small changes.
View changes here - http://code.google.com/p/opencart/source/list

Post by i2Paq » Sun Apr 04, 2010 2:33 pm

readyman wrote:Does this go for all previous versions that have dompdf as well?
Daniel wrote:To fix the problem on your own store just goto your system/helper/dompdf folder and delete it. Its not being used by OC. It was for creating PDF invoices, but I have not implemeneted this feature yet.

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by i2Paq » Sun Apr 04, 2010 2:37 pm

japanees wrote:Hi guys,

We are currently spending a lot of money on custom mods for opencart and use 1.4.4
Does this new version allow us to use these mods on the new 1.4.6?

We also just bought a new custom skin based on 1.4.4 will this work with 1.4.6

What is the release schedule for this project?
Like readyman says, it does not only depend on the version it was designed for but more on what it uses from 1.4.4, which code might be changed in 1.4.6.

In the next release, which will ONLY be a large bug-fix release, there will be no (major) code changes to the core that will break modules/templates built for 1.4.6.
That said, if a bug is fixed there could be changes in code that will break modules/templates.

As Q is doing these fixes I'm confident that he will provide a change/bug-fix log.

Post by audiomarket » Sun Apr 04, 2010 6:29 pm

well make!

Post by Chrissy Poo » Sun Apr 04, 2010 8:46 pm

Thanks for the Update :)

10% Discount on all Shared and Reseller Hosting Packages at Vidahost.com

Discount Code: DISCOUNT10


Active Member

Posts

Joined
Mon Jun 29, 2009 8:48 am
Location - UK

Post by Qphoria » Sun Apr 04, 2010 11:42 pm

From experience with my own modules, I found very few mods that are affected by the 1.4.4 to 1.4.6 changes so you shouldn't have any real troubles.

Post by BLIZNA » Mon Apr 05, 2010 8:53 am

Thanks for the Update

Post by saint » Mon Apr 05, 2010 11:45 am

Sorry guys, I need a little more specifics on what I should be deleting here.

From what I understand it's the dompdf library, but not knowing what a dompdf library is, would that be the entire dompdf folder? The "lib" folder inside the dompdf folder or something else altogether?

Thanks folks.

This whole opencart experience has certainly given my brain a little stretch. I appreciate your patience.

Post by rph » Mon Apr 05, 2010 1:02 pm

saint wrote:From what I understand it's the dompdf library, but not knowing what a dompdf library is, would that be the entire dompdf folder?
Yes.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by dramony » Tue Apr 06, 2010 11:36 am

What about on 1.3.2?

Post by Qphoria » Tue Apr 06, 2010 12:33 pm

Just delete it from all versions.

Post by fido-x » Thu Apr 08, 2010 11:08 am

Qphoria wrote:just delete it from all versions
Typical "knee-jerk" reaction. "Just delete it". According to digital junkies (the guys who developed dompdf), the vulnerability exists in ONE file only, this being "dompdf.php". Quote from their website:
[2008-02-05] A security vulnerability in dompdf has recently been discovered. The vulnerability would allow an attacker to access any file readable by the webserver. A solution is being developed presently.

Until a new version is available, it is recommended that all users remove the dompdf.php file from their installation and to use the dompdf class directly (see http://www.digitaljunkies.ca/dompdf/usage.php#class). If it is not possible to remove dompdf.php, the PHP ini option open_basedir should be set to a secure base directory (see http://www.php.net/manual/en/features.s ... en-basedir).
In OpenCart, this just means deleting "system/helper/dompdf/dompdf.php". Since my own contributions in this area (PDF viewer for OC versions 1.3.2 and 1.3.4) already use the class directly, they will continue to work with the "dompdf.php" file removed.

Modules for OpenCart 2.3.0.2
Homepage Module [Free - since OpenCart 0.7.7]
Multistore Extensions
Store Manager Multi-Vendor/Multi-Store management tool

If you're not living on the edge ... you're taking up too much space!
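The two remediations argued over in this thread (delete the whole system/helper/dompdf folder, as Daniel and Qphoria advise for stock stores, or delete only dompdf.php and keep the library class for modules such as fido-x's PDF viewer), together with the open_basedir fallback quoted from the dompdf advisory, as an added shell example. This is not OpenCart's or dompdf's own code. Assumptions that are not from the page: each store's document root is passed as an argument, the helper sits at system/helper/dompdf relative to that root, and the ini file handed to the open_basedir check is whichever php.ini or per-directory ini actually applies to the store.

```shell
#!/bin/sh
# Added example, not part of OpenCart or dompdf.
# Audit OpenCart document roots for the bundled dompdf helper and apply
# one of the two fixes discussed in the thread.
# Assumption (not from the page): helper path is system/helper/dompdf
# relative to each store root given on the command line.

# audit_dompdf ROOT -> prints one of: absent | library-only | vulnerable
#   vulnerable   : dompdf.php (the entry script the advisory names) is present
#   library-only : the folder remains but dompdf.php is gone, so modules that
#                  use the dompdf class directly still work
#   absent       : no dompdf helper at all (stock OC never calls it)
audit_dompdf() {
    root="$1"
    dir="$root/system/helper/dompdf"
    if [ ! -d "$dir" ]; then
        echo "absent"
    elif [ -f "$dir/dompdf.php" ]; then
        echo "vulnerable"
    else
        echo "library-only"
    fi
}

# fix_dompdf ROOT MODE
#   MODE=file   : remove only dompdf.php (keeps the class usable for modules)
#   MODE=folder : remove the whole helper (advice for stores that never use it)
fix_dompdf() {
    root="$1"
    mode="$2"
    dir="$root/system/helper/dompdf"
    case "$mode" in
        file)   [ -f "$dir/dompdf.php" ] && rm -f -- "$dir/dompdf.php" ;;
        folder) [ -d "$dir" ] && rm -rf -- "$dir" ;;
        *)      echo "usage: fix_dompdf ROOT file|folder" >&2; return 2 ;;
    esac
    return 0
}

# has_open_basedir INI -> exit 0 if INI sets a non-empty, uncommented
# open_basedir; this is the advisory's fallback when dompdf.php cannot be
# removed, since open_basedir bounds what the web server's PHP may read.
# Assumption: INI is the php.ini (or per-directory ini) that governs the store.
has_open_basedir() {
    grep -Eq '^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*[^[:space:];]' "$1" 2>/dev/null
}

# Report on every root passed on the command line (no-op with no arguments).
for root in "$@"; do
    printf '%s: %s\n' "$root" "$(audit_dompdf "$root")"
done
```

Run it as `sh audit_dompdf.sh /var/www/store1 /var/www/store2` to get one status line per store, then call `fix_dompdf` with `folder` for stock installs or `file` for stores running a module that uses the dompdf class directly. Re-run the audit afterwards: a stock store should report `absent`, a store keeping the library `library-only`.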


User avatar
Expert Member

Posts

Joined
Sat Jun 28, 2008 1:09 am
Location - Tasmania, Australia

Post by Qphoria » Thu Apr 08, 2010 11:19 am

OK, so what's your point? Knee-jerk or not, it's not used by the core or by you, so delete it. Understand that a "person" is smart and "people" are paranoid. If you start talking about just one file, then people start asking, "Well, what about these other files? Are those safe?"
"Which version? Is this version OK?"
"How do I know if I have the bad one?"
blah blah blah
Just delete the damn folder.

Post by fido-x » Thu Apr 08, 2010 11:30 am

Qphoria wrote:... its not used by the core or by you ..
Can't you read? It IS being used, maybe not by Daniel or by you. As I stated above, my own contribution (the PDF Viewer module for OpenCart 1.3.2 and 1.3.4 - which IS being used by people other than me, you or Daniel) does use the dompdf library.

And, as stated, it is only necessary to remove ONE file (doesn't matter which version of OpenCart you are using since they ALL use the same version of dompdf).

Post by Qphoria » Thu Apr 08, 2010 11:42 am

fido-x wrote: Can't you read? It IS being used, maybe not by Daniel or by you. As I stated above, my own contribution (the PDF Viewer module for OpenCart 1.3.2 and 1.3.4 - which IS being used by people other than me, you or Daniel) does use the dompdf library.
fido-x wrote:Since my own contributions in this area (PDF viewer for OC versions 1.3.2 and 1.3.4) already use the class directly, they will continue to work with the "dompdf.php" file removed.
You wrote it, I read it
