Changelog v1.8.1
This keeps track of important changes to the 1.x branch.
When you decide to upgrade to a new version, pay attention to the changes documented in this changelog and to the documented upgrade procedures.
- [SEC-CORE-008]: Crypt encryption has been compromised!
See the website for more information about reported security issues and their status.
- The code has been scanned for new warnings emitted by PHP 7.1.
- Support for PHPUnit v6 has been added.
- Support for php-fpm has been improved.
- Function overloading for multibyte functions is no longer supported.
- A workaround for PHP bug 55701 has been added.
The AES encryption used by the Crypt class has been compromised, as reported by Felix Widemann and Nils Rokita from Hamburg University. They have proven that with a powerful GPU, any encoded string can be decoded using brute force in a few minutes. If your application relies on the Crypt class (and most do, because the session cookie uses Crypt to encode it), upgrading your applications is highly advised!
If you want to convert data manually, for example because you have it stored in the database, simply use:
$new = \Crypt::encode(\Crypt::decode($old));
It will detect whether the string uses the old encryption or the new encryption. Your crypt.php containing the keys will be updated automatically as well (assuming the application has write rights to the file).
Please note that due to the stronger encryption mechanism used, the encrypted strings are longer. This might be an issue where you have limited space available, for example in fixed- or max-width database fields, a session cookie that is already approaching the 4 KB limit, etc. So check the requirements of your application before upgrading!
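The one-liner above is enough for a single value. For a stored column you also want to verify that every converted value still fits the field, since the new ciphertext is longer, and you want the whole conversion to roll back rather than leave a table half converted. The following Oil task is an added example, not code from the FuelPHP project or from this changelog. It assumes a table named users with an integer primary key id and a VARCHAR(255) column api_key (all three are placeholder names), that the task is placed in fuel/app/tasks/reencrypt.php, and that the application can write to its crypt.php config so the keys get updated on the first encode() call.

```php
<?php
// Added example, not part of FuelPHP or its changelog.
// Re-encrypts a stored column with the new Sodium-based Crypt class and
// refuses to store any ciphertext that would be truncated by the column.
// Run with: php oil refine reencrypt users api_key 255
// "users", "api_key", "id" and 255 are assumed values for illustration.

namespace Fuel\Tasks;

class Reencrypt
{
    public static function run($table = 'users', $column = 'api_key', $max_len = 255, $pk = 'id')
    {
        $converted = 0;
        $too_long  = array();

        \DB::start_transaction();
        try
        {
            $rows = \DB::select($pk, $column)->from($table)->execute();

            foreach ($rows as $row)
            {
                $old = $row[$column];
                if ($old === null or $old === '')
                {
                    continue;
                }

                // decode() recognises both the legacy and the Sodium format,
                // so this task can safely be re-run on a partially converted table.
                $plain = \Crypt::decode($old);
                if ( ! is_string($plain))
                {
                    throw new \RuntimeException("Row {$row[$pk]}: value could not be decrypted with the configured keys");
                }

                $new = \Crypt::encode($plain);

                // A ciphertext silently truncated by the column is unrecoverable,
                // so collect the offending rows instead of writing them.
                if (strlen($new) > (int) $max_len)
                {
                    $too_long[] = $row[$pk];
                    continue;
                }

                \DB::update($table)
                    ->set(array($column => $new))
                    ->where($pk, '=', $row[$pk])
                    ->execute();
                $converted++;
            }

            if ( ! empty($too_long))
            {
                throw new \RuntimeException(
                    "Widen {$table}.{$column} first; new ciphertext too long for rows: ".implode(', ', $too_long)
                );
            }

            \DB::commit_transaction();
        }
        catch (\Exception $e)
        {
            // Nothing is left half converted: every UPDATE of this run is undone.
            \DB::rollback_transaction();
            \Cli::error($e->getMessage());
            return;
        }

        \Cli::write("Re-encrypted {$converted} rows in {$table}.{$column}");
    }
}
```

Run the task once per encrypted column after deploying 1.8.1 and before relying on the widened-column check elsewhere; because the old format remains readable, a failed run costs nothing but the time to widen the column and try again.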
- When you post a form that exceeds max_input_vars, in some PHP 7.x versions the excess values were silently dropped, causing incorrect application behavior. Input now emits an E_WARNING if PHP doesn't do so.
- The Session classes have been refactored. The methods create()/read() and write() are removed, and start() and close() are added to more closely mimic native session behavior.
- Database results can now be returned in list or collection (cached) form. A list can only be iterated over, a collection has direct (array) access. By default a collection is returned to retain BC with 1.8.0, but in most cases a list is faster if random access isn't needed, especially if the resultset is big.
- Function overloading for multibyte functions is no longer supported. When you have this enabled in your PHP config, Fuel will refuse to start.
- If you require multibyte-agnostic string functions for the functions of type 2 (see http://php.net/manual/en/mbstring.overload.php), use the methods in the Str class instead.
- Markdown has been updated to v1.7.0.
- Monolog has been updated to v1.18 (latest composer version).
- PHPSecLib has been updated to v2.* (latest composer version).
- URI parsing has been refactored for better NGINX and php-fpm support.
- The autoloader has been patched to better support class names in local character sets.
- Asset: You can now call custom defined asset types the same way as you would built-in types (js, css, img).
- Config: load() has been refactored. It no longer overwrites on subsequent loads unless you want it to. It also no longer returns false in that case, but always returns the loaded config.
- Crypt: Has been rewritten using Sodium. Decrypting old encoded strings is transparent, and they are converted to the new format when encrypted again.
- Date: create_from_string() no longer allows you to create timestamps from before the Unix Epoch, which wasn't supported and caused weird things to happen.
- DB: You can now use on_open() and on_close() when creating JOIN clauses.
- DB: UPDATE now supports the same JOIN clauses as SELECT.
- DB: Database result objects are now sanitized automatically when passed to a View.
- DB: You can now choose to return database results as a list (can only be looped over in sequence) or a collection (has random access). A list uses a lot less memory with large resultsets.
- DB: Introduced a cache() method to return a list as a collection.
- DBUtil: Now has a list_indexes() method.
- Fieldset: Fixed invalid HTML being generated for tabular forms that contained hidden columns.
- Fieldset: Tabular forms now have built-in support for pagination.
- File: Fixed several bugs that could cause errors when open_basedir was in effect.
- File: Fixed broken file locking when using open_file(). Lock type validation added.
- Form: Attribute usage with both configured attributes and passed attributes on open() calls has been fixed.
- Format: Fixed a bug in which importing a multi-line CSV file could cause data loss.
- Image: Alpha blending has been fixed for Imagick.
- Image: The Imagick driver now takes EXIF auto-rotation data into account, mimicking GD behaviour.
- Input: Only parses raw input when PHP hasn't done so (e.g. on PUT, PATCH or DELETE requests).
- Input: A new raw() method has been introduced to access the raw PHP input data (from php://input).
- Log: Error and Exception objects are now passed on to Monolog for more detailed logging options.
- Model_Crud: count() now uses the defined database connection, if available.
- Model_Crud: Freezing/unfreezing error fixed when unserializing data into an object.
- Module: You can now configure that routes are loaded from the module when you load a module.
- Pagination: You can now specify the starting page (a number, or 'first' or 'last') when no page number is present in the URL.
- Security: You can now configure NOT to rotate the CSRF token after validation.
- Security: set_token() is now a public method, so a token can be rotated manually.
- Session: Broken destroy() method has been fixed.
- Session: You can now create a session instance without implicitly starting it.
- Session: You can now reset an active session to an empty state.
- View: Fixed unsanitizing of Traversable objects.
- Auth: Fixed a bug in the validation rules of the User model.
- Auth: When checking for access, you can now also pass the area name only (matches any right assigned in that area).
- Auth: For security reasons, OpAuth's response has been changed from serialized to JSON (unserializing untrusted data is an object-injection risk). This response is now supported.
- Oil: Improved Model and Migration generation.
- Oil: Improved index support when generating migrations from an existing database table.
- Oil: Generated controllers now support pagination on their index page.
- Oil: Generating from existing tables now yields more details about the columns.
- Parser: Markdown views no longer use a dedicated version of Markdown, but the version installed via Composer.
- Parser: Creating a parser view object without a view name passed no longer triggers an exception.
- Parser: Support added for Handlebars templates through the LightnCandy Composer package.
- Orm: forge() now accepts an object implementing ArrayAccess to add data to the ORM object.
- Orm: Observer_Typing now supports the field type encrypt to transparently encrypt/decrypt data going into the database.
- Orm: Observer_Typing now supports a field definition 'db_decimals', which you can use if your internal representation is different from the column definition (so objects aren't marked as changed incorrectly).
- Orm: Added a 'caching' config key to the ORM config, to configure default object caching behaviour.
- Orm: Now has a caching() method to enable or disable ORM object caching.
- Orm: Now has a flush_cache() method to flush the loaded ORM object cache.
- Orm: You can now disconnect related objects by assigning null or array() to the relation, which behaves identically to using unset().
- Email: Mailgun email header generation has been improved.