Play 1.2.5rc1 released!


Nicolas Leroux - committer

May 1, 2012, 5:32:07 PM
to play-fr...@googlegroups.com
Hi all,

The long awaited 1.2.5 is nearly there. The RC1 is released and you can grab it here:


The changes in this release are listed in the "Play 1.2.5 milestone":https://play.lighthouseapp.com/projects/57987-play-framework/milestones/131471-125 on Lighthouse, including 86 resolved tickets. The most important changes are:

* fixed multiple continuations/await bugs
* security fix for hash-collision-attack
* JNDI DataSource 
* improved chunked transfer/streaming support
* all libraries upgraded, including groovy, hibernate 4.1.1 and netty 3.4.2
* web socket support for all browsers

If no major bugs are found, 1.2.5 should be available by the end of the week.

Nicolas Leroux

J. O. Meyer

May 1, 2012, 8:02:41 PM
to play-fr...@googlegroups.com
Thx Nicolas, that's great news :)

green

May 1, 2012, 8:05:24 PM
to play-fr...@googlegroups.com
+1

On Wed, May 2, 2012 at 10:02 AM, J. O. Meyer <jo.oliv...@gmail.com> wrote:
Thx Nicolas, that's great news :)

--
You received this message because you are subscribed to the Google Groups "play-framework" group.
To view this discussion on the web visit https://groups.google.com/d/msg/play-framework/-/WXIfhCIiHTsJ.
To post to this group, send email to play-fr...@googlegroups.com.
To unsubscribe from this group, send email to play-framewor...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/play-framework?hl=en.


sas

May 1, 2012, 9:30:17 PM
to play-framework
thanks nicholas

good work

On May 1, 21:05, green <greenlaw...@gmail.com> wrote:
> +1
>

Johan Vosloo

May 2, 2012, 9:25:24 AM
to play-fr...@googlegroups.com
Hi Nicolas

That's great news. I took it for a spin and the only issue I've found so far is the very annoying Hibernate warning:

 WARN  ~ [DEPRECATION] Encountered positional parameter near line 1, column 36.  Positional parameter are considered deprecated; use named parameters or JPA-style positional parameters instead.

I see there's already a ticket with pull request to fix this - any chance to get this in before 1.2.5 final?
The Hibernate warnings will really clog up the log files otherwise (and probably impose a small performance hit, since it's very verbose and each touch of the database in our app produces reams of these).

Nicolas Leroux

May 2, 2012, 9:27:46 AM
to play-fr...@googlegroups.com, play-fr...@googlegroups.com
Yes it will be fixed.

Sent from my iPhone

Chris

May 2, 2012, 9:30:38 AM
to play-fr...@googlegroups.com
Awesome news.

clloyd

May 2, 2012, 10:26:41 AM
to play-framework
Hi guys. We found a fairly significant security hole in 1.2.4 that is
still present in mainline. In fact I had to work a patch for 1.2.4
because we are going live with a major new PLAY base service today.

Since you are considering a release this week, I'm mentioning it here.

Bug: Trivial to generate 500 errors in a PLAY app running in Tomcat,
this also logs a SEVERE warning to Tomcat logs.

This bug shows itself when using .war packaging with Tomcat 7 all
releases. Sometimes this will not show up if you are proxying through
another server like Apache but 100% reproducible with any PLAY app
running in Tomcat in a .war.

The easiest way to reproduce is to use Chrome (not firefox) and visit
such a URL.

http://myserverdomain/mypath/[

Basically, tomcat will let through URI Unsafe characters, and PLAY
throws an uncaught URISyntaxException.

SEVERE: Servlet.service() for servlet [play] in context with path [] threw exception [java.net.URISyntaxException: Illegal character in path at index 6: /c/v/[ with root cause
java.net.URISyntaxException: Illegal character in path at index 6: /c/v/[
    at java.net.URI$Parser.fail(URI.java:2809)
    at java.net.URI$Parser.checkChars(URI.java:2982)
    at java.net.URI$Parser.parseHierarchical(URI.java:3066)
    at java.net.URI$Parser.parse(URI.java:3024)
    at java.net.URI.<init>(URI.java:578)
    at play.server.ServletWrapper.parseRequest(ServletWrapper.java:241)
    at play.server.ServletWrapper.service(ServletWrapper.java:132)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:851)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:851)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:278)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:300)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)


NOTE: This is the exact same problem as Jersey had and a bug was filed
JERSEY-780. It was fixed in Jersey by sending back a 400 instead of a
500 and essentially that's the exact patch I made to fix it too.

http://java.net/jira/browse/JERSEY-780

Jersey fix is here
https://github.com/dparoulek

I have the tested PLAY fix to ServletWrapper.java and will email it or
put it somewhere if you let me know where.


One other more minor security issue we found is that the standard
error messages in .txt format echo back the URI requested. If a client
can trick a browser or other http client to treat the txt as .html
then it creates a cross-scripting attack vector.

The fix for that is to NOT echo back the requested URI in prod mode.

I would go through the normal bug fix process but as I said, going
live this week so very limited time. Would love to see this fix make
it into 1.2.5 as I think it is quite severe.

Thx Chris
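
As an added illustration of the two fixes described in the post above (not Play's ServletWrapper code and not the patch the poster wrote): a malformed request URI is answered with 400 instead of escaping as an uncaught URISyntaxException, and the error body omits the requested URI in prod mode. The class name, the `handle` method and the `prodMode` flag are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration; not Play's ServletWrapper and not the patch from the post.
public class RequestUriGuard {

    /** Outcome of parsing the raw request target: an HTTP status plus a text body. */
    static final class Result {
        final int status;
        final String body;
        Result(int status, String body) { this.status = status; this.body = body; }
    }

    /**
     * Parse the raw request URI handed over by the container. A malformed URI is
     * a client error, so it maps to 400 instead of propagating as an uncaught
     * exception that the container reports as 500 and logs as SEVERE.
     */
    static Result handle(String rawUri, boolean prodMode) {
        final URI uri;
        try {
            uri = new URI(rawUri);
        } catch (URISyntaxException e) {
            // In prod mode the body does not echo the requested URI back;
            // the exception message contains the offending input.
            String detail = prodMode ? "" : ": " + e.getMessage();
            return new Result(400, "Bad Request" + detail);
        }
        // getRawPath() keeps percent-encoding intact for whatever routes next.
        return new Result(200, "routed " + uri.getRawPath());
    }

    public static void main(String[] args) {
        // Constructed sample inputs; "/c/v/[" is the path from the stack trace above.
        String[] samples = { "/c/v/index", "/c/v/[", "/c/v/%5B" };
        for (String s : samples) {
            Result r = handle(s, true);
            System.out.println(r.status + " " + r.body);
        }
    }
}
```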





smallufo

May 2, 2012, 12:54:49 PM
to play-fr...@googlegroups.com
It's a pity the router encoding problem (ticket #1362) is not solved in 1.2.5.
If you cannot solve it, can you fall back to 1.2.3's way?


2012/5/2 Nicolas Leroux - committer <leroux....@gmail.com>

Nicolas Leroux


Nicolas Leroux

May 2, 2012, 2:21:47 PM
to play-fr...@googlegroups.com
Hmm I think it needs to be fixed. I will have another look

-- 
Nicolas Leroux

Odilio Noronha

May 3, 2012, 12:35:24 AM
to play-fr...@googlegroups.com
thanks nicholas

good work

Play 1.2.x, it's an amazing framework

2012/5/2 Nicolas Leroux <leroux....@gmail.com>

Nicolas Leroux

May 3, 2012, 10:18:28 AM
to play-fr...@googlegroups.com
I will have a look. Why is it a security hole exactly?

-- 
Nicolas Leroux

Marcel May

May 3, 2012, 4:30:47 PM
to play-framework
Hi Nicolas!

Could you also include the suggested fix for Fixtures.deleteAllModels
and abstract model classes? It's a very trivial one - see
https://play.lighthouseapp.com/projects/57987/tickets/765-issue-having-superclass-for-modelgenericmodel
.

Just noticed that the RC1 still complains:

play.exceptions.UnexpectedException: Model models.AbstractFoo is not managed by any plugin
at play.db.Model$Manager.factoryFor(Model.java:57)
at play.test.Fixtures.delete(Fixtures.java:68)
at play.test.Fixtures.delete(Fixtures.java:88)
at play.test.Fixtures.deleteAllModels(Fixtures.java:101)
...

Thx a lot,
Marcel

clloyd

May 3, 2012, 5:56:32 PM
to play-framework
First of all, thanks for working on 1.2.x branch. Fantastic
framework.

Re your question.

Because no external calls should be able to generate 500 responses
from a server at will. It also generates SEVERE alerts into Tomcat
logs. Since there is no way to trap this in PLAY app, also clients get
500s which is not good either.

In our case, this generates beeper calls in the middle of the night.

For example, our security review forced us to patch this as a security
vulnerability.

Derek Williams

May 3, 2012, 6:25:12 PM
to play-fr...@googlegroups.com
Thanks for all of the effort, and great framework. We'll grab the rc this weekend and give it a spin.

Johan Vosloo

May 4, 2012, 2:38:20 AM
to play-fr...@googlegroups.com
+1

Grzegorz Słowikowski

May 5, 2012, 6:32:29 PM
to play-fr...@googlegroups.com, Nicolas Leroux - committer, Grzegorz Słowikowski
Hi Nicolas

Some notes from me.

1.
Two versions of xstream library: xstream-1.3.jar and xstream-1.4.2.jar.
Remove the older 1.3 version.

2.
"org.eclipse.jdt.core-3.8.0.v_C18.jar" is a renamed "v_C03" version from
Play! 1.2.4. Why is it renamed? Maybe someone wanted to upgrade,
but didn't do it. The rename operation was part of the issue #1440. This
file should be renamed back to "org.eclipse.jdt.core-3.8.0.v_C03.jar"

3.
hibernate-c3p0 and hibernate-ehcache dependencies were added as part of
ticket #1440 (https://play.lighthouseapp.com/projects/57987/tickets/1440)
Are they really needed? I don't see any place in the code using them.
Tattletale report shows that no other library depends on them.

4.
"jboss-logging" is a dependency of hibernate libraries. Its version was
upgraded from 3.1.0.CR2 to 3.1.0.GA in Hibernate 4.1.1.
Hibernate version upgrade from 4.1.0.Final to 4.1.1.Final was done as
part of ticket #1431
(https://play.lighthouseapp.com/projects/57987/tickets/1431),
but jboss-logging version was not upgraded. It should be. Better late
than never.

5.
Unnecessary *.iml files in the zip distribution

Greetings
Grzegorz Slowikowski

tazmaniac

May 6, 2012, 3:11:31 AM
to play-fr...@googlegroups.com
Hi Nicolas,

Thx for putting this release together.

This release contains gson library v1.7.1 and I was wondering if it would be possible to include a more recent release such as v2.2?

Nicolas Leroux

May 6, 2012, 4:40:54 AM
to Grzegorz Słowikowski, play-fr...@googlegroups.com
Thank you. I will correct those issues.

-- 
Nicolas Leroux

Nicolas Leroux

May 6, 2012, 4:41:18 AM
to play-fr...@googlegroups.com
I suppose it could be.

-- 
Nicolas Leroux


Nicolas Leroux

May 6, 2012, 6:00:18 AM
to Grzegorz Słowikowski, play-fr...@googlegroups.com
I don't think the eclipse compiler was renamed, it is a new version of the lib. I think git is somehow confused.

Nicolas

-- 
Nicolas Leroux

On Sunday, May 6, 2012 at 12:32 AM, Grzegorz Słowikowski wrote:

Nicolas Leroux

May 6, 2012, 6:19:48 AM
to play-fr...@googlegroups.com
If I have time I will fix it today so it will be in 1.2.5

-- 
Nicolas Leroux

On Wednesday, May 2, 2012 at 6:54 PM, smallufo wrote:

gaso lin

May 9, 2012, 10:09:39 PM
to play-fr...@googlegroups.com
Much appreciation to you guys who are keeping 1.x active. It's still the best and most easy-to-use framework of its breed.

Fehmi Can Saglam

May 10, 2012, 5:22:08 PM
to play-fr...@googlegroups.com
Hi Nicolas,

Is it also possible to upgrade async-http-client? There seems to be a regression with the current version when uploading large files on Mac OS X.

Nicolas Leroux

May 10, 2012, 6:03:43 PM
to play-fr...@googlegroups.com
Done.

-- 
Nicolas Leroux


canavar

May 11, 2012, 3:42:45 AM
to play-fr...@googlegroups.com

Thanks.

On 11 May 2012 at 01:03, "Nicolas Leroux" <leroux....@gmail.com> wrote: