Hi all,

Yesterday I released Mezzanine 4.1 and Cartridge 0.11 to PyPI.

There haven't been any particularly notable changes since the last
releases, but they still contain a combined total of over 130 commits. These are
mostly either bug fixes, or work on bringing things up to date with Django
1.9, which is now supported along with Django 1.8.

The Cartridge release also contains a security fix that I referred to last
week:

https://groups.google.com/forum/#!topic/mezzanine-users/eTjOqrjuCOI

The issue is that the shipping/tax handlers are only called on submission
of the first checkout step, where address details are entered, and
presumably used to calculate shipping/tax. The checkout form however always
contains all form fields for the order - they're just rendered as hidden
fields when not applicable to the current step. This means that a malicious
customer could change the values of the hidden address fields while on the
payment step of the checkout, and their order would be completed without
the handlers ever seeing the new address. One example of this being abused
is where the malicious customer first enters a local billing address,
receives a local shipping rate, and then changes to an international
address during the payment step.

I've not yet pushed updated docs for both releases to the Mezzanine project
site, so they don't contain the changelogs yet, but you can see these via
the commits on each project:

https://github.com/stephenmcd/mezzanine/commit/977a0a976c6180e2d99f3b6ae4692af0497b6db1
https://github.com/stephenmcd/cartridge/commit/73367d6bd131ecd61e0471c21545ef8610aa08ab

A huge thanks to everyone who contributed to these releases over the last 6
months, particularly Alex Hill for all the work on supporting Django 1.9,
and David Sanders for discovering the security issue in Cartridge and
working with the core team privately to resolve it.

-- 
Stephen McDonald
http://jupo.org
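
To illustrate the Cartridge issue described above, here is a small stand-alone
simulation of a two-step checkout, added as an example for this post; it is not
Cartridge's code. The shipping handler, its flat rates, the session layout and
the field names (shipping_detail_street, shipping_detail_country) are all
constructed for the illustration. The flawed flow reuses the total priced at the
address step while building the completed order from whatever the final POST
carries; the hardened flow treats the server-side copy of the address as the
only one the handlers priced and refuses to complete an order whose posted copy
has drifted from it.

```python
from decimal import Decimal
from typing import Dict

# Constructed rates for the illustration; Cartridge's real handlers are
# configurable and are not reproduced here.
LOCAL_COUNTRY = "AU"
LOCAL_RATE = Decimal("10.00")
INTERNATIONAL_RATE = Decimal("50.00")

# Assumed field names for the address part of the checkout form.
ADDRESS_FIELDS = ("shipping_detail_street", "shipping_detail_country")


class CheckoutTampered(Exception):
    """Raised when the address on the final submission differs from the one priced."""


def shipping_handler(address: Dict[str, str]) -> Decimal:
    """Stand-in shipping handler: a flat rate keyed on the destination country."""
    if address["shipping_detail_country"] == LOCAL_COUNTRY:
        return LOCAL_RATE
    return INTERNATIONAL_RATE


def address_from(post: Dict[str, str]) -> Dict[str, str]:
    """Pull just the address fields out of a submitted form, hidden or not."""
    return {name: post.get(name, "") for name in ADDRESS_FIELDS}


def submit_address_step(session: dict, post: Dict[str, str]) -> None:
    """Step 1: the only point at which the flawed flow runs the handlers."""
    address = address_from(post)
    session["address"] = address
    session["shipping_total"] = shipping_handler(address)


def complete_order_unchecked(session: dict, post: Dict[str, str]) -> dict:
    """Final step as described in the post: the address fields are still in the
    form (hidden), the order is built from whatever was posted, and the total
    priced at step 1 is reused as-is."""
    return {
        "address": address_from(post),
        "shipping_total": session["shipping_total"],
    }


def complete_order_checked(session: dict, post: Dict[str, str]) -> dict:
    """Hardened final step: the posted address must match the server-side copy
    the handlers priced, and the total is recomputed from that copy rather
    than taken from the hidden fields or a cached value."""
    stored = session["address"]
    if address_from(post) != stored:
        raise CheckoutTampered("address fields changed after the address step")
    return {"address": stored, "shipping_total": shipping_handler(stored)}


if __name__ == "__main__":
    # Constructed walk-through: local address at step 1, then a final POST in
    # which the hidden country field has been altered.
    session: dict = {}
    submit_address_step(session, {"shipping_detail_street": "1 Main St",
                                  "shipping_detail_country": "AU"})
    altered = {"shipping_detail_street": "1 Main St",
               "shipping_detail_country": "US"}
    print("unchecked:", complete_order_unchecked(session, altered))
    try:
        complete_order_checked(session, altered)
    except CheckoutTampered as exc:
        print("checked:", exc)
```

The alternative hardening is to re-run the shipping/tax handlers on the final
submission so the totals always follow the address actually used; rejecting the
drift outright, as above, has the advantage that a customer cannot silently end
up with a different order than the one they confirmed on the earlier step.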
