Skip to content

Changelog v1.7.2

Jump to bottom
Harro Verton edited this page May 11, 2014 · 28 revisions

This keeps track of important changes to the 1.x branch.

When you decide to upgrade to a new version, pay attention to the changes documented in this changelog, and the upgrade procedures documented.

Important fixes, changes, notes. Read them carefully.

None.

Backward compatibility notes

As a result of the security issue mentioned below, the auto-format of the response in the Request_Curl class is now disabled by default, as it is possible for a malicious site to construct a response of a specific reponse type that can lead to code execution. This means that if you use Request_Curl, you have to either enable this manually in your code (ONLY if you absolutely trust the site you connect to!), or add code to validate the response before you process it.

The validation rule required rule no longer treats an input value false as a value, so passing this value will now trigger a validation error.

Removed code (because it was deprecated in v1.7.1 or earlier)

None.

Security related

There was one security advisory issued for 1.7.1, which also impact all previous versions from 1.1 onwards (see http://fuelphp.com/security-advisories). The issue is mitigated in 1.7.2, it is strongly advised that you upgrade as soon as possible, or alternatively follow the advice in the advisory.

System changes

  • A possible XSS vulnerabity in the Profiler output has been fixed.
  • When using multiple DB connections, the profiler now shows the connection used for the query.
  • The Profiler now html encodes the output to avoid incorrect handling of the ampersand.
  • The internal Markdown class has been removed, and replaced by the Composer library.
  • Some methods were still defined as private. This has been changed to protected to allow extension.
  • Fully namespaced controllers are now supported. Now you can use class names like Controller\Foo\Bar, Controller_Foo_Bar, or Controller\Foo_Bar.
  • The Database layer now has support for nested transactions, either through native SQL support, or via SAVEPOINTS.
  • The Agent class has been switched back to the original browscap.org URL's.
  • Saving a Lang or Config file will now flush the APC and/or Opcode cache.
  • Double quotes inside an HTML tag attribute value are now escaped.
  • Debug logging has been added to the Session classes to aid in debugging session loss.
  • GZIP compression is now automatically disabled if the client indicates it doesn't support it.
  • Unit tests have been adapted where needed to support PHPUnit 4.
  • The html_tag helper function now generates compliant HTML.
  • Several pieces of file handling code has been modified to handle Windows file paths better.
  • The Autoloader now thows an exception if the class file can be found, but it doesn't contain the class expected.
  • The Autoloader now supports loading Traits.

Specific classes

  • Agent: Now correctly uses the defined browser agent instead of the system one.
  • Arr: New keyval_to_assoc() method converts key-value pairs into an associative array.
  • Arr: When passing an object as key to get(), it is now cast to string.
  • Cache: A check is added to avoid possible deadlocks with using files for caching.
  • Cli: Backtrace output has been rewritten to make it more readable on the commandline.
  • Config: When saving a config file, the configured permission mask is now applied.
  • Controller_Hybrid: Now correctly handles returned array responses.
  • Controller_Rest: When no data is returned, "204 NO CONTENT" status is set.
  • Controller_Rest: Better support for Digest authentication.
  • Controller_Rest: The option to specify the return format in the URL now actually works.
  • Database: The PDO driver will now add the charset to the DSN if not specified.
  • Database: The MySQL drivers no longer use the "AUTOCOMMIT" value, which interferes with table locking.
  • Database: Insert now has the options to define multiple value sets, to insert multiple rows at once.
  • DBUtil: Default values are now correctly quoted, instead of escaped.
  • DBUtil: Make sure the COMMENT keyword appears before AFTER and BEFORE.
  • DBUtil: Now allows you to set a specific DB connection to operate on.
  • Fieldset: field() without parameter will now correctly return all defined fieldset fields.
  • File: download() now has the option to delete the file after download is completed.
  • File: New file_exists() method that will honour the defined Area.
  • File: Fixed possible infinite recursion in delete_dir().
  • Form: If no action is specified to open(), the current URI will be used.
  • Format: CSV conversion methods now have separate config for import and export of CSV data.
  • Format: Improved CSV parsing, to support non-standards formats created by Microsoft applications.
  • Format: CSV files without headers can now be imported.
  • Format: to_csv() now allows you to define custom headers.
  • Format: Incorrect handling of empty XML tags has been fixed.
  • FTP: Fixed directory recursion in delete_dir().
  • Inflector: The separator of friendly_title() is now configurable.
  • Input: Added better support for NGINX.
  • Lang: If multiple languages are defined, the lang files are now loaded in the correct order.
  • Log: New log_filename config key allows you to override the generated log file name.
  • Model_Crud: Can now correctly handle properties with a null value.
  • Mongo_Db: like() method now correctly uses it's wildcard parameters.
  • Mongo_Db: New method list_collections().
  • Pagination: Logic has been completely rewritten to fix all bugs.
  • Pagination: You can now define an offset to shift the active page in the navigation block left or right.
  • Session: set_flash() now correctly resets the state when setting an existing expired flash value.
  • Session: Deleting a session cookie now takes the configured path and domain into account.
  • Session: Now has emulation of $_SESSION, to support external code using this to access session data.
  • Str: The truncate method now correctly handles multibyte strings.
  • Uri: An empty URI string is valid input for Uri::create().
  • Uri: Uri suffixing has been rewritten to accept new long TLD names.
  • Validation: valid_string now allows you to test for "slash" and "backslash".
  • Validation: New valid_collection rule allows you to check against a predefined list of values.
  • Validation: The required rule no longer treats false as a value.
  • Viewmodel: Now has the option to unset a variable set on it.

Packages

  • Auth: The included ORM User model now supports both Ormauth and Simpleauth.
  • Auth: Ormgroup's member() method now correctly checks for group membership.
  • Auth: Calculating effective user permissions in Ormauth has been fixed.
  • Auth: Opauth: if no nickname is returned by the provider, try to find a match on email address.
  • Auth: Ormauth now supports database selection and DB's replication features.
  • Email: Recepient names are now quoted to support comma's in the name.
  • Email: New Mailgun driver to support sending email through Mailgun's email service.
  • Email: SMTP driver now only authenicates ones per connection, to facilitate bulk email.
  • Email: Added the option to strip or leave HTML comments in the HTML message body.
  • Email: New Mandrill driver to support sending email through Mandrill's email service.
  • Email: SMTP driver now supports STARTTLS for secure email. Used for example by Google mail.
  • Oil: oil server now has inline help.
  • Oil: Authentication in generated Admin controllers has been fixed.
  • Oil: Added the --module argument to add module support to the code generation commands.
  • Oil: Scaffolding templates are updated for Boostrap 3.
  • Oil: oil test now supports the PHPunit argument --testsuite.
  • Oil: oil test now supports the PHPunit argument --debug.
  • Oil: oil generate model now can generate ORM temporal or nestedset models.
  • Orm: to_array now also also exports EAV value pairs.
  • Orm: The before_save observer is now called before the object is checked for changes.
  • Orm: New enable_event and disable_event methods for enabling/disabling observer events.
  • Orm: Fixed Soft_Delete::purge, now it actually deletes the purged records.
  • Orm: You can now pass custom data when forging an ORM object.
  • Orm: Observer_Slug now has a configurable separator.
  • Orm: Observer_Slug now allows you to generate duplicate slugs, or to assign slugs manually.
  • Orm: Fixed validation of new objects, now all fields are correctly validated.
  • Orm: There is now support for DB::expr() in ORM select().
  • Orm: There is now support for select('*').
  • Orm: You can now add custom sanitation code to a model (used when a model object is passed to a View).
  • Parser: Twig driver now support Input::post, Session::get and Auth::check.
  • Parser: Smarty driver how has the same Fuel interface plugins as Twig.
Clone this wiki locally