FuelPHP changelog

Changelog History

Page 1

• v1.8.2 Changes

  June 27, 2019

  🔒 Security advisories

  • [SEC-CORE-009]: Unzip vulnerability to slip-attack!

  🔒 See the website for more information about reported security issues and their status.

  🛠 Important fixes, changes, notes. Read them carefully.

  • ⚠ The code has been scanned for new warnings emitted by PHP 7.2 and 7.3.

  🛠 Important fixes, changes, notes. Read them carefully.

  • ⚠ The code has been scanned for new warnings emitted by PHP 7.2. and PHP 7.3.

  🔒 Security related

  👀 See the advisories.

  Backward compatibility notes

  • 👻 Fieldset: An exception is thrown if you try to delete() a Fieldset field that does not exist.

  System changes

  • ⚡️ Htmlawed, used by Security::clean(), has been updated to v1.2.4.2, to provide PHP 7.3 compatibility.

  Specific classes

  • Fixed a bug in get_common_path() returning incorrect results when the first path passed is an empty string.
  • 🚑 DB: Broken database cached results object has been fixed (1.8.1.1 hotfix).
  • DB: Fixed last_query() no longer returning the last query after a call to count_last_query().
  • 🚑 DB: Fixed database result iteration (1.8.1.4 hotfix).
  • 🔧 DB: Still capture any PDO errors in the event these have been disabled in the PHP configuration.
  • DB: New caching option on query() and a new caching() method allow you to enable/disable result caching on a per-query basis. NB: you need a result cache object if you need random access to database results.
  • 🔧 Config: You can now use dot-notation when specifying group names, so you can load configuration data at any level in the tree.
  • 🛠 DB: Fixed not being able to generate "ORDER BY group" due to a validation typo.
  • 🚑 Crypt: Replaced a PHP5.6+ function that creeped in by a coded alternative (1.8.1.3 hotfix).
  • 👍 ErrorHandler: Added specific support for handling and displaying SoapFault error information.
  • Fieldset: New set_name() allows to you change the fieldname of an existing Fielset field.
  • 👻 Fieldset: An exception is thrown if you try to delete() a Fieldset field that does not exist.
  • 👯 Fieldset: New duplicate() method allows you to clone an existing Fieldset field.
  • Image: New extension() method returns the extension of the image file.
  • 📜 Input: Fixed incorrectly parsing multipart/form-data if the boundary contained + signs.
  • 🛠 Input: Fixed a bug that could assign rubbish data to the put(), patch() or delete() data fields.
  • 📜 Input: URI parsing has been improved to fix issues with URI's containing encoded data.
  • 📜 Input: Incorrectly parsing multipart/form-data when the form boundary string contains + signs.
  • 🛠 Pagination: Fixed bug which allowed page numbers not to be numeric. This is now enforced.
  • 🚑 Session: Re-initialize if a session is started after it was closed (1.8.1.2 hotfix).
  • 🚑 Unzip: Addressed the zip-slip security vulnerability (1.8.1.6 hotfix).

  📦 Packages

  • Email: Mailgun driver has been made compatible with the Mailgun v3 API.
  • Email: It is now possible to define stream socket options for SMTP connections.
  • 🛠 Email: A bug that failed to strip HTML comments from HTML email bodies correctly has been fixed.
  • 🛠 Oil: Fixed broken SQL being generated for tables with Unique indexes in migrations.
  • 🛠 Oil: Fixed pagination when generating admin pages for tables.
  • ⚡️ Oil: Admin scaffolding has been updated to generate better code.
  • 🚚 Oil: Everything related to Fuel Cells have been removed, it was never properly implemented.
  • ⚠ ORM: A few PHP warnings have been fixed when calling to_array() on an object with relations.
  • ORM: to_array() now returns related data correctly.
  • ORM: Observer_Typing no longer truncates float values with more than 6 digits precision.
  • 👍 ORM: Observer_Typing now supports columns of type 'date', 'time' and 'datetime'.
  • ORM: Models now have the option to allow PK's to be set. This is required for non-autoincrement PK's.
  • 🛠 ORM: Fixed a NestedSets bug that caused the tree-id not to be set on multi-tree models.
  • ⚡️ ORM: Fixed bug that allowed Models derived from a database view to be updated (causing a DB error).
  • ORM: Allow is_changed() to run observers before comparing, to prevent it always returning True when using the Typing observer bidirectionally.
  • 🛠 ORM: Fixed bug in which not all Model properties were initialized on a forge() with partial data.

• v1.8.1 Changes

  April 18, 2018

  🔒 Security advisories

  • [SEC-CORE-008]: Crypt encryption has been compromised!

  🔒 See the website for more information about reported security issues and their status.

  🛠 Important fixes, changes, notes. Read them carefully.

  • ⚠ The code has been scanned for new warnings emitted by PHP 7.1.
  • 👌 Support for PHPUnit v6 has been added.
  • 👌 Support for php-fpm has been improved.
  • 👍 Function overloading for multibyte functions is no longer supported.
  • ↪ A workaround for PHP bug 55701 has been added.

  🔒 Security related

  ⬆️ The AES encryption used by the Crypt class has been compromised, as reported by Felix Widemann and Nils Rokita from Hamburg University. They have proven that with a powerful GPU, any encoded string can be decoded using brute force in a few minutes. If your application relies on the Crypt class (and most do, because the session cookie is using Crypt to encode it), upgrading your applications is highly advised!

  If you manually want to convert data, for example because you have them stored in the database, simply use:

  $new = \Crypt::encode(\Crypt::decode($old));
  

  ⚡️ It will detect if the string is using the old encryption or the new encryption. Your crypt.php containing the keys will be automatically updated as well (assuming the application has write rights to the file).

  Please note that due to the stronger encryption mechanism used, the encrypted strings are longer. This might be an issue where you have limited space available, for example is fixed or max width database fields, a session cookie that is already approaching the 4Kb limit, etc. So check the requirements of your application before upgrading!

  Backward compatibility notes

  • When you post a form that exceeds max_input_vars, in some PHP 7.x versions the excess values were silently dropped, causing incorrect application behavior. Input now emits an E_WARNING if PHP doesn't do so.
  • 🔨 The Session classes have been refactored. The methods create()/read() and write() are removed, and start() and close() added to more closely mimic native session behavior.
  • 0️⃣ Database results can now be returned in list or collection (cached) form. A list can only be iterated over, a collection has direct (array) access. By default a collection is returned to retain BC with 1.8.0, but in most cases, a list is faster if random access isn't needed, especially if the resultset is big.
  • 👍 Function overloading for multibyte functions is no longer supported. When you have this enabled in your PHP config, Fuel will refuse to start.
  • 👀 If you require multibyte agnostic string functions for the functions of type 2 (see http://php.net/manual/en/mbstring.overload.php), use the methods in the Str class instead.

  System changes

  • ⚡️ Markdown has been updated to v1.7.0.
  • ⚡️ Monolog has been updated to v1.18 (latest composer version).
  • ⚡️ PHPSecLib has been updated to v2.* (latest composer version).
  • 🔨 URI parsing has been refactored for better NGINX and php-fpm support.
  • 👍 The autoloader has been patched to better support classnames in local charactersets.

  Specific classes

  • Asset: You can now call custom defined asset types the same way as you would built-in types (js,css,img).
  • 🔨 Config: load() has been refactored. It no longer overwrites on subsequent loads unless you want to. It also no longer returns false in that case, but always returns the loaded config.
  • Crypt: Has been rewritten using Sodium. Decrypting old encoded strings is transparent, and will be converted on encrypting.
  • Date: create_from_string() no longer allows you to create timestamps from before the Unix Epoch, which wasn't supported, and caused weird things to happen...
  • DB: you can now use on_open() and on_close() when creating JOIN clauses.
  • ⚡️ DB: UPDATE now supports the same JOIN clauses as SELECT.
  • DB: Database result objects are now sanitized automatically when passed to a View.
  • DB: You can now choose to return database results as a list (can only be looped over in sequence) or a collection (has random access). A list uses a lot less memory with large resultsets.
  • DB: Introduced a cache() method to return a list as a collection.
  • DBUtil: Now has a list_indexes() method.
  • 🛠 Fieldset: Fixed invalid HTML for tabular forms being generated when it contained hidden columns.
  • 👍 Fieldset: Tabular forms now have built-in support for pagination.
  • 🛠 File: Fixed several bugs that could cause errors when open_basedir was in effect.
  • 🔒 File: Fixed broken file locking when using open_file(). Lock type validation added.
  • 🔧 Form: Attribute usage with both configured attributes and passed attributes on open() calls has been fixed.
  • 🛠 Format: Fixed a bug in which importing a multi-line CSV file could cause data loss.
  • 🛠 Image: Alphablending has been fixed for Imagick.
  • Image: The Imagick driver now takes EXIF autorotation data into account, mimicing GD behaviour.
  • 📜 Input: Only parses raw input when PHP hasn't done so (p.e. on put, patch or delete requests).
  • Input: A new raw() method has been introduced to access the raw PHP input data (from php://input).
  • 🌲 Log: Error and Exception objects are now passed on to Monolog for more detailing logging options.
  • Model_Crud: count() now uses the defined database connection, if available.
  • 🛠 Model_Crud: Freezing/unfreezing error fixed when unserializing data into an object.
  • 🔧 Module: You can now configure that you want routes loaded from the module when you load a module.
  • Pagination: You can now specify the starting page (number, or 'first' or 'last') when no page number is present in the URL.
  • 🔒 Security: You can now configure NOT to rotate the CSRF token after validation.
  • 🔒 Security: set_token() is now a public method, so a token can be rotated manually.
  • 🛠 Session: Broken destroy() method has been fixed.
  • Session: You can now create a session instance without implicitly starting it.
  • Session: You can now reset an active session to an empty state.
  • 🛠 View: Fixed unsanitizing of Traversable objects.

  📦 Packages

  • 🛠 Auth: Fixed a bug in the validation rules of the User model.
  • Auth: When checking for access, you can now also pass the area name only (matches any right assigned in that area).
  • 🔒 Auth: For security reasons, OpAuths response has been changed from serialized to jsob. This response is now supported.
  • Oil: Improved Model and Migration generation.
  • 👍 Oil: Improved index support when generating migrations from an existing database table.
  • 👍 Oil: Generated controllers now support pagination on their index page.
  • Oil: Generating from existing tables now yield more details about the column.
  • 📜 Parser: Markdown views no longer uses a dedicated version of Markdown, but the version installed via Composer.
  • 📜 Parser: Creating a parser view object without a view name passed no longer triggers an exception.
  • 📦 Parser: Support added for Handlebars templates though the LightnCandy composerpackage.
  • Orm: forge() now accepts an object implementing ArrayAccess to add data to the ORM object.
  • 👍 Orm: Observer_Typing now supports the fieldtype encrypt to transparently encrypt/decrypt data going into the database.
  • 👍 Orm: Observer_Typing now support a field definition 'db_decimals', which you can use if your internal representation is different from the column definition (so objects aren't marked as changed incorrectly).
  • 🔧 Orm: Added a 'caching' config key to the ORM config, to configure default object caching behaviour.
  • Orm: Now has a caching() method to enable or disable ORM object caching.
  • Orm: Now has a flush_cache() method to flush the loaded ORM object cache.
  • Orm: You can now disconnect related objects by assigning null or array() to the relation, which behaves identical to using unset().
  • Email: Mailgun email header generation has been improved.

• v1.8.0 Changes

  April 12, 2016

  🛠 Important fixes, changes, notes. Read them carefully.

  ⬆️ This version provides full compatibility with PHP 7. To achieve this, the \Fuel\Error class had to be renamed to \Fuel\Errorhandler. The new error handler has full support for PHP 7's new Error exceptions. If your application calls the Error class directly, or has extended the Error class, make sure you make the appropriate changes after you have upgraded!

  ⚡️ The oil installer has been updated to use composer to install Fuel, and to provide better support for MacOS.

  Backward compatibility notes

  • 📦 The included PHPSecLib version has been swapped by the composer package. If your application creates instances of PHPSecLib classes, check your code for compatibility issues, for example with the use of namespaces.

• v1.8.0.4

  January 15, 2017

• v1.8.0.1

  June 03, 2016

• v1.7.3 Changes

  • 🚚 The old "mysql" DB driver has been removed because of removal in recent PHP versions. You can keep using mysqli if for some reason you don't want to use PDO. A new "mysql" driver has been introduced that uses PDO underneath. This should be transparent for most applications.

• v1.7.2 Changes

  🛠 Important fixes, changes, notes. Read them carefully.

  Viewmodel

  🗄 As of 1.7.2, the Viewmodel class is deprecated, and replaced by the Presenter class. Functionality has remained largely the same, and a Viewmodel alias is present to maintain backward compatibility.

  It has proven difficult to explain what a Viewmodel is and does, and why you should use it. Also having a classes/view and a views folder was very confusing for a lot of people. It is also a step closer to Fuel v2, there this class is also called Presenter.

  Backward compatibility notes

  Request_Curl

  0️⃣ As a result of the security issue mentioned below, the auto-format of the response in the Request_Curl class is now disabled by default, as it is possible for a malicious site to construct a response of a specific reponse type that can lead to code execution. This means that if you use Request_Curl, you have to either enable this manually in your code (ONLY if you absolutely trust the site you connect to!), or add code to validate the response before you process it.

  Validation

  The validation rule required rule no longer treats an input value false as a value, so passing this value will now trigger a validation error.

  Database

  The PDO driver now returns the error code of the underlying database driver back as the error code in the Database_Exception, instead of the PDO error code. This allows you to act on specific platform errors.

  ↪ It also means you loose access to the original generic PDO error code, which you can work around by retrieving the current PDO database connection (through the connection() method on the database object) and call PDO's errorCode() method to retrieve the original generic PDO error code.

• v1.7.1 Changes

  None.

• v1.7 Changes

  None.

• v1.6.1 Changes

  Backward compability notes

  Orm: You can no longer use property assignment to create a custom property on a model object if that model implements an EAV container. It will set an EAV value instead.

• 1
• 2
• 3
• Next ›
• Last »