FuelPHP v1.8.1 Release Notes

Release Date: 2018-04-18
• 🔒 Security advisories

  • [SEC-CORE-008]: Crypt encryption has been compromised!

🔒 See the website for more information about reported security issues and their status.

🛠 Important fixes, changes, notes. Read them carefully.

• ⚠ The code has been scanned for new warnings emitted by PHP 7.1.
• 👌 Support for PHPUnit v6 has been added.
• 👌 Support for php-fpm has been improved.
• 👍 Function overloading for multibyte functions is no longer supported.
• ↪ A workaround for PHP bug 55701 has been added.

🔒 Security related

⬆️ The AES encryption used by the Crypt class has been compromised, as reported by Felix Widemann and Nils Rokita from Hamburg University. They have shown that with a powerful GPU, any string encoded by it can be recovered by brute force in a few minutes. If your application relies on the Crypt class (and most do, because the session cookie is encoded with it), upgrading is strongly advised!

If you want to convert stored data manually, for example because you keep encrypted values in the database, simply use:

    $new = \Crypt::encode(\Crypt::decode($old));

⚡️ decode() detects whether the string uses the old or the new encryption, and encode() always produces the new format. Your crypt.php containing the keys will be updated automatically as well (assuming the application has write access to the file).

Please note that, because of the stronger encryption mechanism, the encrypted strings are longer. This can be a problem where space is limited, for example in fixed- or max-width database columns, or a session cookie that is already approaching the 4 KB limit. Check the requirements of your application before upgrading!
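The conversion one-liner above, turned into a batch job with the checks a practitioner wants before touching production data. This is an added example, not FuelPHP project code: an oil task that re-encrypts one database column, refuses to write a value that no longer fits the column (the length caveat above), and verifies the round trip before persisting. The table name, column name and column width are hypothetical; the assumption that Crypt::decode() returns false for a value it cannot decrypt is marked in the code.

```php
<?php
// Added example (not FuelPHP project code): re-encrypt Crypt-encoded values stored in a
// database column after upgrading to 1.8.1. Run with: php oil refine recrypt [apply]
// Without the "apply" argument it only reports what would happen.

namespace Fuel\Tasks;

class Recrypt
{
    // Hypothetical table and column holding Crypt::encode()'d values.
    protected static $table   = 'user_secrets';
    protected static $column  = 'secret';
    // Assumed VARCHAR(255); take the real limit from your schema.
    protected static $max_len = 255;

    public static function run($mode = 'dry')
    {
        $apply = ($mode === 'apply');

        $rows = \DB::select('id', static::$column)
            ->from(static::$table)
            ->execute()
            ->as_array();

        $converted = $skipped = $too_long = 0;

        foreach ($rows as $row)
        {
            $old = $row[static::$column];
            if ($old === null or $old === '')
            {
                $skipped++;
                continue;
            }

            // decode() accepts both the legacy and the new format. Assumption: it returns
            // false for a value that is not a valid Crypt string (or used another key).
            $plain = \Crypt::decode($old);
            if ($plain === false)
            {
                \Cli::error('Row '.$row['id'].': cannot decode, leaving untouched');
                $skipped++;
                continue;
            }

            // encode() always emits the new (longer) Sodium-based format.
            $new = \Crypt::encode($plain);

            if (strlen($new) > static::$max_len)
            {
                \Cli::error('Row '.$row['id'].': new ciphertext is '.strlen($new)
                    .' bytes, column holds '.static::$max_len);
                $too_long++;
                continue;
            }

            // Never store something that cannot be read back.
            if (\Crypt::decode($new) !== $plain)
            {
                \Cli::error('Row '.$row['id'].': round-trip mismatch, leaving untouched');
                $skipped++;
                continue;
            }

            if ($apply)
            {
                \DB::update(static::$table)
                    ->set(array(static::$column => $new))
                    ->where('id', '=', $row['id'])
                    ->execute();
            }
            $converted++;
        }

        \Cli::write(sprintf('%s: %d converted, %d skipped, %d too long for column',
            $apply ? 'done' : 'dry run', $converted, $skipped, $too_long));
    }
}
```

Run the dry mode first and widen the column if anything is reported as too long. Because the new keys are written to crypt.php on first use (see the note above about write access), make sure that file has actually been updated and is readable by the web application before running the task with "apply": values encrypted under keys that were never persisted cannot be decrypted afterwards.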

Backward compatibility notes

• When you post a form that exceeds max_input_vars, some PHP 7.x versions silently drop the excess values, causing incorrect application behavior. Input now emits an E_WARNING if PHP doesn't do so itself.
• 🔨 The Session classes have been refactored. The methods create(), read() and write() have been removed, and start() and close() added, to more closely mimic native session behavior.
• 0️⃣ Database results can now be returned in list or collection (cached) form. A list can only be iterated over; a collection has direct (array) access. By default a collection is returned to retain BC with 1.8.0, but in most cases a list is faster if random access isn't needed, especially for large result sets.
• 👍 Function overloading for multibyte functions is no longer supported. When it is enabled in your PHP configuration, Fuel will refuse to start.
• 👀 If you need multibyte-agnostic string functions for the functions of type 2 (see http://php.net/manual/en/mbstring.overload.php), use the methods of the Str class instead.

System changes

• ⚡️ Markdown has been updated to v1.7.0.
• ⚡️ Monolog has been updated to v1.18 (latest Composer version).
• ⚡️ PHPSecLib has been updated to v2.* (latest Composer version).
• 🔨 URI parsing has been refactored for better NGINX and php-fpm support.
• 👍 The autoloader has been patched to better support class names in local character sets.

Specific classes

• Asset: You can now call custom defined asset types the same way as you would built-in types (js, css, img).
• 🔨 Config: load() has been refactored. It no longer overwrites on subsequent loads unless you ask it to. It also no longer returns false in that case, but always returns the loaded config.
• Crypt: Has been rewritten using Sodium. Decrypting old encoded strings is transparent, and they are converted to the new format when encrypted again.
• Date: create_from_string() no longer allows you to create timestamps from before the Unix epoch, which was never supported and led to erratic results.
• DB: you can now use on_open() and on_close() when creating JOIN clauses.
• ⚡️ DB: UPDATE now supports the same JOIN clauses as SELECT.
• DB: Database result objects are now sanitized automatically when passed to a View.
• DB: You can now choose to return database results as a list (can only be looped over in sequence) or a collection (has random access). A list uses a lot less memory with large result sets.
• DB: Introduced a cache() method to convert a list into a collection.
• DBUtil: Now has a list_indexes() method.
• 🛠 Fieldset: Fixed invalid HTML being generated for tabular forms that contained hidden columns.
• 👍 Fieldset: Tabular forms now have built-in support for pagination.
• 🛠 File: Fixed several bugs that could cause errors when open_basedir was in effect.
• 🔒 File: Fixed broken file locking when using open_file(). Lock type validation added.
• 🔧 Form: Attribute usage with both configured attributes and passed attributes on open() calls has been fixed.
• 🛠 Format: Fixed a bug in which importing a multi-line CSV file could cause data loss.
• 🛠 Image: Alpha blending has been fixed for Imagick.
• Image: The Imagick driver now takes EXIF auto-rotation data into account, mimicking GD behaviour.
• 📜 Input: Only parses raw input when PHP hasn't done so (e.g. on PUT, PATCH or DELETE requests).
• Input: A new raw() method has been introduced to access the raw PHP input data (from php://input).
• 🌲 Log: Error and Exception objects are now passed on to Monolog for more detailed logging options.
• Model_Crud: count() now uses the defined database connection, if available.
• 🛠 Model_Crud: Freezing/unfreezing error fixed when unserializing data into an object.
• 🔧 Module: You can now configure that you want routes loaded from the module when you load a module.
• Pagination: You can now specify the starting page (number, or 'first' or 'last') when no page number is present in the URL.
• 🔒 Security: You can now configure NOT to rotate the CSRF token after validation. Note that a token that is not rotated stays valid until it expires or is replaced, so if you disable rotation, rotate manually (see the next item) after sensitive state changes such as login.
• 🔒 Security: set_token() is now a public method, so a token can be rotated manually.
• 🛠 Session: Broken destroy() method has been fixed.
• Session: You can now create a session instance without implicitly starting it.
• Session: You can now reset an active session to an empty state.
• 🛠 View: Fixed unsanitizing of Traversable objects.
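The two Security items above (configurable rotation, public set_token()) combine into a pattern worth showing in code. The following controller is an added example, not FuelPHP project code: it validates the posted CSRF token with Security::check_token() and rotates the token explicitly, only after the state change succeeded. It assumes that automatic rotation after validation has been switched off in the security config (the release notes do not name the config key; check fuel/core/config/config.php), that set_token(true) forces generation of a fresh token, that the Auth package is in use, and that the 'users' table is hypothetical.

```php
<?php
// Added example (not FuelPHP project code): manual CSRF token rotation with
// automatic rotation disabled. Assumptions are noted inline.

class Controller_Account extends \Controller
{
    public function action_change_email()
    {
        // State-changing action: only accept POST.
        if (\Input::method() !== 'POST')
        {
            throw new \HttpNotFoundException();
        }

        // check_token() compares the token submitted with the form (rendered with
        // Form::csrf()) against the token kept in the session. With auto-rotation off,
        // a failed check leaves the session token unchanged, so a stale tab can resubmit.
        if ( ! \Security::check_token())
        {
            throw new \HttpBadRequestException();
        }

        $email = trim((string) \Input::post('email'));
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false)
        {
            \Session::set_flash('error', 'Invalid email address');
            \Response::redirect('account');
        }

        // Hypothetical 'users' table; Auth::get('id') is the logged-in user's id.
        $affected = \DB::update('users')
            ->set(array('email' => $email))
            ->where('id', '=', \Auth::get('id'))
            ->execute();

        if ($affected)
        {
            // The token that authorised this change has done its job: replace it, so a
            // captured copy of this request cannot be replayed against the same session.
            // Assumption: set_token(true) discards the current token and generates a new one.
            \Security::set_token(true);
        }

        \Session::set_flash('success', 'Email address updated');
        \Response::redirect('account');
    }
}
```

Keeping the token stable across requests is convenient for pages with many AJAX calls, but the cost is that a token which leaks (from a cached page, a log, or a shared tab) keeps working until you replace it. Rotate it at least on login and on any action that changes credentials or permissions.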

📦 Packages

• 🛠 Auth: Fixed a bug in the validation rules of the User model.
• Auth: When checking for access, you can now also pass the area name only (matches any right assigned in that area).
• 🔒 Auth: For security reasons, Opauth's response has been changed from serialized PHP to JSON (feeding untrusted data to unserialize() is an object-injection risk). This response format is now supported.
• Oil: Improved Model and Migration generation.
• 👍 Oil: Improved index support when generating migrations from an existing database table.
• 👍 Oil: Generated controllers now support pagination on their index page.
• Oil: Generating from existing tables now yields more details about the columns.
• 📜 Parser: Markdown views no longer use a dedicated version of Markdown, but the version installed via Composer.
• 📜 Parser: Creating a parser view object without a view name passed no longer triggers an exception.
• 📦 Parser: Support added for Handlebars templates through the LightnCandy Composer package.
• Orm: forge() now accepts an object implementing ArrayAccess to add data to the ORM object.
• 👍 Orm: Observer_Typing now supports the field type encrypt to transparently encrypt/decrypt data going into the database.
• 👍 Orm: Observer_Typing now supports a field definition 'db_decimals', which you can use if your internal representation differs from the column definition (so objects aren't incorrectly marked as changed).
• 🔧 Orm: Added a 'caching' config key to the ORM config, to configure default object caching behaviour.
• Orm: Now has a caching() method to enable or disable ORM object caching.
• Orm: Now has a flush_cache() method to flush the loaded ORM object cache.
• Orm: You can now disconnect related objects by assigning null or array() to the relation, which behaves identically to using unset().
• Email: Mailgun email header generation has been improved.