FuelPHP v1.8.2 Release Notes

Release Date: 2019-06-27 // over 2 years ago
  • ๐Ÿ”’ Security advisories

    • [SEC-CORE-009]: Unzip vulnerability to slip-attack!

    ๐Ÿ”’ See the website for more information about reported security issues and their status.

    ๐Ÿ›  Important fixes, changes, notes. Read them carefully.

    • โš  The code has been scanned for new warnings emitted by PHP 7.2 and 7.3.

    ๐Ÿ›  Important fixes, changes, notes. Read them carefully.

    • โš  The code has been scanned for new warnings emitted by PHP 7.2. and PHP 7.3.

    ๐Ÿ”’ Security related

    ๐Ÿ‘€ See the advisories.

    Backward compatibility notes

    • ๐Ÿ‘ป Fieldset: An exception is thrown if you try to delete() a Fieldset field that does not exist.

    System changes

    • โšก๏ธ Htmlawed, used by Security::clean(), has been updated to v1.2.4.2, to provide PHP 7.3 compatibility.

    Specific classes

    • Fixed a bug in get_common_path() returning incorrect results when the first path passed is an empty string.
    • ๐Ÿš‘ DB: Broken database cached results object has been fixed (1.8.1.1 hotfix).
    • DB: Fixed last_query() no longer returning the last query after a call to count_last_query().
    • ๐Ÿš‘ DB: Fixed database result iteration (1.8.1.4 hotfix).
    • ๐Ÿ”ง DB: Still capture any PDO errors in the event these have been disabled in the PHP configuration.
    • DB: New caching option on query() and a new caching() method allow you to enable/disable result caching on a per-query basis. NB: you need a result cache object if you need random access to database results.
    • ๐Ÿ”ง Config: You can now use dot-notation when specifying group names, so you can load configuration data at any level in the tree.
    • ๐Ÿ›  DB: Fixed not being able to generate "ORDER BY group" due to a validation typo.
    • ๐Ÿš‘ Crypt: Replaced a PHP5.6+ function that creeped in by a coded alternative (1.8.1.3 hotfix).
    • ๐Ÿ‘ ErrorHandler: Added specific support for handling and displaying SoapFault error information.
    • Fieldset: New set_name() allows to you change the fieldname of an existing Fielset field.
    • ๐Ÿ‘ป Fieldset: An exception is thrown if you try to delete() a Fieldset field that does not exist.
    • ๐Ÿ‘ฏ Fieldset: New duplicate() method allows you to clone an existing Fieldset field.
    • Image: New extension() method returns the extension of the image file.
    • ๐Ÿ“œ Input: Fixed incorrectly parsing multipart/form-data if the boundary contained + signs.
    • ๐Ÿ›  Input: Fixed a bug that could assign rubbish data to the put(), patch() or delete() data fields.
    • ๐Ÿ“œ Input: URI parsing has been improved to fix issues with URI's containing encoded data.
    • ๐Ÿ“œ Input: Incorrectly parsing multipart/form-data when the form boundary string contains + signs.
    • ๐Ÿ›  Pagination: Fixed bug which allowed page numbers not to be numeric. This is now enforced.
    • ๐Ÿš‘ Session: Re-initialize if a session is started after it was closed (1.8.1.2 hotfix).
    • ๐Ÿš‘ Unzip: Addressed the zip-slip security vulnerability (1.8.1.6 hotfix).

    ๐Ÿ“ฆ Packages

    • Email: Mailgun driver has been made compatible with the Mailgun v3 API.
    • Email: It is now possible to define stream socket options for SMTP connections.
    • ๐Ÿ›  Email: A bug that failed to strip HTML comments from HTML email bodies correctly has been fixed.
    • ๐Ÿ›  Oil: Fixed broken SQL being generated for tables with Unique indexes in migrations.
    • ๐Ÿ›  Oil: Fixed pagination when generating admin pages for tables.
    • โšก๏ธ Oil: Admin scaffolding has been updated to generate better code.
    • ๐Ÿšš Oil: Everything related to Fuel Cells have been removed, it was never properly implemented.
    • โš  ORM: A few PHP warnings have been fixed when calling to_array() on an object with relations.
    • ORM: to_array() now returns related data correctly.
    • ORM: Observer_Typing no longer truncates float values with more than 6 digits precision.
    • ๐Ÿ‘ ORM: Observer_Typing now supports columns of type 'date', 'time' and 'datetime'.
    • ORM: Models now have the option to allow PK's to be set. This is required for non-autoincrement PK's.
    • ๐Ÿ›  ORM: Fixed a NestedSets bug that caused the tree-id not to be set on multi-tree models.
    • โšก๏ธ ORM: Fixed bug that allowed Models derived from a database view to be updated (causing a DB error).
    • ORM: Allow is_changed() to run observers before comparing, to prevent it always returning True when using the Typing observer bidirectionally.
    • ๐Ÿ›  ORM: Fixed bug in which not all Model properties were initialized on a forge() with partial data.

Previous changes from v1.8.1

  • ๐Ÿ”’ Security advisories

    • [SEC-CORE-008]: Crypt encryption has been compromised!

    ๐Ÿ”’ See the website for more information about reported security issues and their status.

    ๐Ÿ›  Important fixes, changes, notes. Read them carefully.

    • โš  The code has been scanned for new warnings emitted by PHP 7.1.
    • ๐Ÿ‘Œ Support for PHPUnit v6 has been added.
    • ๐Ÿ‘Œ Support for php-fpm has been improved.
    • ๐Ÿ‘ Function overloading for multibyte functions is no longer supported.
    • โ†ช A workaround for PHP bug 55701 has been added.

    ๐Ÿ”’ Security related

    โฌ†๏ธ The AES encryption used by the Crypt class has been compromised, as reported by Felix Widemann and Nils Rokita from Hamburg University. They have proven that with a powerful GPU, any encoded string can be decoded using brute force in a few minutes. If your application relies on the Crypt class (and most do, because the session cookie is using Crypt to encode it), upgrading your applications is highly advised!

    If you manually want to convert data, for example because you have them stored in the database, simply use:

    $new = \Crypt::encode(\Crypt::decode($old));
    

    โšก๏ธ It will detect if the string is using the old encryption or the new encryption. Your crypt.php containing the keys will be automatically updated as well (assuming the application has write rights to the file).

    Please note that due to the stronger encryption mechanism used, the encrypted strings are longer. This might be an issue where you have limited space available, for example is fixed or max width database fields, a session cookie that is already approaching the 4Kb limit, etc. So check the requirements of your application before upgrading!

    Backward compatibility notes

    • When you post a form that exceeds max_input_vars, in some PHP 7.x versions the excess values were silently dropped, causing incorrect application behavior. Input now emits an E_WARNING if PHP doesn't do so.
    • โ™ป๏ธ The Session classes have been refactored. The methods create()/read() and write() are removed, and start() and close() added to more closely mimic native session behavior.
    • 0๏ธโƒฃ Database results can now be returned in list or collection (cached) form. A list can only be iterated over, a collection has direct (array) access. By default a collection is returned to retain BC with 1.8.0, but in most cases, a list is faster if random access isn't needed, especially if the resultset is big.
    • ๐Ÿ‘ Function overloading for multibyte functions is no longer supported. When you have this enabled in your PHP config, Fuel will refuse to start.
    • ๐Ÿ‘€ If you require multibyte agnostic string functions for the functions of type 2 (see http://php.net/manual/en/mbstring.overload.php), use the methods in the Str class instead.

    System changes

    • โšก๏ธ Markdown has been updated to v1.7.0.
    • โšก๏ธ Monolog has been updated to v1.18 (latest composer version).
    • โšก๏ธ PHPSecLib has been updated to v2.* (latest composer version).
    • โ™ป๏ธ URI parsing has been refactored for better NGINX and php-fpm support.
    • ๐Ÿ‘ The autoloader has been patched to better support classnames in local charactersets.

    Specific classes

    • Asset: You can now call custom defined asset types the same way as you would built-in types (js,css,img).
    • โ™ป๏ธ Config: load() has been refactored. It no longer overwrites on subsequent loads unless you want to. It also no longer returns false in that case, but always returns the loaded config.
    • Crypt: Has been rewritten using Sodium. Decrypting old encoded strings is transparent, and will be converted on encrypting.
    • Date: create_from_string() no longer allows you to create timestamps from before the Unix Epoch, which wasn't supported, and caused weird things to happen...
    • DB: you can now use on_open() and on_close() when creating JOIN clauses.
    • โšก๏ธ DB: UPDATE now supports the same JOIN clauses as SELECT.
    • DB: Database result objects are now sanitized automatically when passed to a View.
    • DB: You can now choose to return database results as a list (can only be looped over in sequence) or a collection (has random access). A list uses a lot less memory with large resultsets.
    • DB: Introduced a cache() method to return a list as a collection.
    • DBUtil: Now has a list_indexes() method.
    • ๐Ÿ›  Fieldset: Fixed invalid HTML for tabular forms being generated when it contained hidden columns.
    • ๐Ÿ‘ Fieldset: Tabular forms now have built-in support for pagination.
    • ๐Ÿ›  File: Fixed several bugs that could cause errors when open_basedir was in effect.
    • ๐Ÿ”’ File: Fixed broken file locking when using open_file(). Lock type validation added.
    • ๐Ÿ”ง Form: Attribute usage with both configured attributes and passed attributes on open() calls has been fixed.
    • ๐Ÿ›  Format: Fixed a bug in which importing a multi-line CSV file could cause data loss.
    • ๐Ÿ›  Image: Alphablending has been fixed for Imagick.
    • Image: The Imagick driver now takes EXIF autorotation data into account, mimicing GD behaviour.
    • ๐Ÿ“œ Input: Only parses raw input when PHP hasn't done so (p.e. on put, patch or delete requests).
    • Input: A new raw() method has been introduced to access the raw PHP input data (from php://input).
    • ๐ŸŒฒ Log: Error and Exception objects are now passed on to Monolog for more detailing logging options.
    • Model_Crud: count() now uses the defined database connection, if available.
    • ๐Ÿ›  Model_Crud: Freezing/unfreezing error fixed when unserializing data into an object.
    • ๐Ÿ”ง Module: You can now configure that you want routes loaded from the module when you load a module.
    • Pagination: You can now specify the starting page (number, or 'first' or 'last') when no page number is present in the URL.
    • ๐Ÿ”’ Security: You can now configure NOT to rotate the CSRF token after validation.
    • ๐Ÿ”’ Security: set_token() is now a public method, so a token can be rotated manually.
    • ๐Ÿ›  Session: Broken destroy() method has been fixed.
    • Session: You can now create a session instance without implicitly starting it.
    • Session: You can now reset an active session to an empty state.
    • ๐Ÿ›  View: Fixed unsanitizing of Traversable objects.

    ๐Ÿ“ฆ Packages

    • ๐Ÿ›  Auth: Fixed a bug in the validation rules of the User model.
    • Auth: When checking for access, you can now also pass the area name only (matches any right assigned in that area).
    • ๐Ÿ”’ Auth: For security reasons, OpAuths response has been changed from serialized to jsob. This response is now supported.
    • Oil: Improved Model and Migration generation.
    • ๐Ÿ‘ Oil: Improved index support when generating migrations from an existing database table.
    • ๐Ÿ‘ Oil: Generated controllers now support pagination on their index page.
    • Oil: Generating from existing tables now yield more details about the column.
    • ๐Ÿ“œ Parser: Markdown views no longer uses a dedicated version of Markdown, but the version installed via Composer.
    • ๐Ÿ“œ Parser: Creating a parser view object without a view name passed no longer triggers an exception.
    • ๐Ÿ“ฆ Parser: Support added for Handlebars templates though the LightnCandy composerpackage.
    • Orm: forge() now accepts an object implementing ArrayAccess to add data to the ORM object.
    • ๐Ÿ‘ Orm: Observer_Typing now supports the fieldtype encrypt to transparently encrypt/decrypt data going into the database.
    • ๐Ÿ‘ Orm: Observer_Typing now support a field definition 'db_decimals', which you can use if your internal representation is different from the column definition (so objects aren't marked as changed incorrectly).
    • ๐Ÿ”ง Orm: Added a 'caching' config key to the ORM config, to configure default object caching behaviour.
    • Orm: Now has a caching() method to enable or disable ORM object caching.
    • Orm: Now has a flush_cache() method to flush the loaded ORM object cache.
    • Orm: You can now disconnect related objects by assigning null or array() to the relation, which behaves identical to using unset().
    • Email: Mailgun email header generation has been improved.