Just a quick note to say that I’m proud to announce the release of some more open source code, as part of my collaboration with Van Patten Media. The Van Patten Media Labs site has all the details of the Very Simple PayPal Bridge - a simple way to connect to the PayPal API.

Interacting with the PayPal NVP API is something that a lot of e-commerce websites need to do. If you’re writing your own code for a bespoke e-commerce solution, rather than shoehorning in generic ‘Shopping Cart’ software, there is quite a lot to think about in order to communicate successfully with the API and provide a great payment experience for the site’s customers. The Very Simple PayPal Bridge is a PHP class that, as the name suggests, provides a very simple interface for the PayPal NVP API.

Today I release DfontSplitter 0.4.2 for Mac. (It was more than five years ago when the last release was made!) This is a critical security update that fixes an issue relating to the Sparkle software update framework when the update pages are served over HTTP. As of 0.4.2, the update pages are now, naturally, served over HTTPS.

The vulnerability means that in a scenario where an attacker could launch a man-in-the-middle attack during a Sparkle-enabled app’s update detection process, arbitrary JavaScript could execute in the WebView hosting the release notes. Due to the context that the WebView runs in, the app could then be convinced to run local files, expose local files to a remote server and even execute arbitrary code. More details and a full breakdown are at the post on Vulnerable Security.

This update fixes the Sparkle-related security issue by updating Sparkle and requiring HTTPS for all future DfontSplitter app update communications. Due to new build requirements in Xcode 7.2, the application now requires at least OS X Snow Leopard (10.6) and a 64-bit Intel processor. The automatic updates feature within DfontSplitter should detect the update, but you can also download and install it manually.

Thanks to Kevin Chen for pointing out the existence of the issue with Sparkle and that it affected DfontSplitter. I had somehow missed the original reporting of the vulnerability, so I particularly appreciate Kevin bringing this to my timely attention.

The astute among you may note that in the plist for this update, I explicitly disable the OS X 10.11 SDK’s check for HTTPS forward secrecy in the HTTPS communications to the update server. Once I figure out a cipher suite configuration that I am happy with, and understand, in Pound (my reverse proxy acting as the TLS terminus), I will update the app again to require forward secrecy.
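The update-transport settings discussed in the DfontSplitter post (an HTTPS-only Sparkle feed, plus an App Transport Security exception that relaxes the forward-secrecy check for the update host) can be audited from Info.plist. The script below is an added example, not DfontSplitter's or Sparkle's own code; its plist is constructed, and the host updates.example.com and the feed path are placeholders.

```python
import plistlib
from urllib.parse import urlparse

# Constructed Info.plist fragment (not DfontSplitter's real plist): an HTTPS
# Sparkle feed plus an App Transport Security exception that only relaxes the
# forward-secrecy requirement for the update host. The host is a placeholder.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>SUFeedURL</key>
  <string>https://updates.example.com/dfontsplitter/appcast.xml</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>updates.example.com</key>
      <dict>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def audit_update_transport(plist_bytes):
    """Return (severity, message) findings about how the app reaches its update server."""
    info = plistlib.loads(plist_bytes)
    findings = []

    # Sparkle fetches the appcast from SUFeedURL; anything but https is the
    # plaintext-feed situation the Sparkle advisory is about.
    feed = info.get("SUFeedURL")
    if feed is None:
        findings.append(("info", "no SUFeedURL: Sparkle feed not set in Info.plist"))
    elif urlparse(feed).scheme != "https":
        findings.append(("high", f"SUFeedURL is not HTTPS: {feed}"))

    # App Transport Security (OS X 10.11 SDK): global and per-host relaxations.
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads disables ATS for every host"))
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("high", f"{host}: plaintext HTTP loads allowed"))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("medium", f"{host}: forward secrecy not required"))
    return findings
```

The enclosure and release-notes URLs inside the appcast itself are not covered by this check and need the same HTTPS review.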