[Agavi-Announce] Agavi 1.0.5 RC1 released!

3 views
Skip to first unread message

David Zülke

unread,
Jun 6, 2011, 8:02:10 AM6/6/11
to anno...@lists.agavi.org, d...@lists.agavi.org, us...@lists.agavi.org
Hi everyone,

Agavi 1.0.5 RC1 is now available for download at http://www.agavi.org/ and through the http://pear.agavi.org/ channel.

There are quite a few changes in this release, so I'll quote from the RELEASE_NOTES:

> This release improves the robustness of AgaviFormPopulationFilter especially for XHTML and HTML5, and fixes several issues. The database adapters for ext/mysql, ext/mysqli and ext/pdo (when used with MySQL connections) now also prevent potentially unsafe setting of connection encodings.
>
> AgaviFormPopulationFilter can now recover from various non-fatal parse errors, such as unknown tags or malformed markup in HTML parsing mode, and undefined entities in XML parsing mode.
> This marks an end to issues with non-XML entities like " " in XML parsing mode, and allows the use of HTML5 elements (which libxml does not know yet) in HTML parsing mode (i.e. without using the XML serialization of HTML5).
> Instead of a boolean true or false, the configuration parameter "ignore_parse_errors" now takes the possible values "LIBXML_ERR_NONE" (equivalent to boolean false), "LIBXML_ERR_WARNING" (quite useless), "LIBXML_ERR_ERROR" (the new default) and "LIBXML_ERR_FATAL" (equivalent to boolean true). FPF will suppress errors and continue operation if the errors encountered during parsing do not exceed the configured maximum ignore level. In the event of a fatal error, such as malformed markup in XML parsing mode, FPF will silently abort execution if "LIBXML_ERR_FATAL" is configured, as fatal errors are not recoverable. In all other cases, FPF will throw an exception or recover from the error, depending on the configured ignore level and the highest error level encountered during parsing.
> The new default ignore level "LIBXML_ERR_ERROR" means that users will see significantly fewer errors during development; it also means, however, that in HTML parsing mode in particular, well-formedness errors may remain unnoticed. For this reason, FPF will continue to log errors (if logging is enabled), and map the error level of the parse error (LIBXML_ERR_WARNING, LIBXML_ERR_ERROR or LIBXML_ERR_FATAL) to the error level of the logging system (AgaviILogger::WARN, AgaviILogger::ERROR or AgaviILogger::FATAL). As a consequence, the "logging_severity" configuration parameter has been removed.
>
> AgaviZendclouddocumentserviceDatabase is a database adapter for Zend Framework's Zend_Cloud_DocumentService. It has a convenience interface mirroring most of the Zend_Cloud_DocumentService_Adapter functions in such a way that the collection/domain/database name does not have to be passed to every call. The collection name can then be configured in databases.xml.
>
> AgaviMysqlDatabase, AgaviMysqliDatabase and AgaviPdoDatabase now throw errors when attempting to use a statement like "SET NAMES utf8" as an initialization query, since the respective client libraries (libmysql or mysqlnd) will not be aware of this changed character set. For the usual connection encodings like "latin1" or "utf8", this is not a problem, but in combination with multi-byte character sets that use bytes without the most significant bit set in multi-byte character sequences (such as GBK or Big5), this may result in incorrectly quoted strings, which could ultimately result in vulnerabilities in applications.
> For AgaviMysqlDatabase and AgaviMysqliDatabase, the simple fix is to remove the "SET NAMES" query from "init_queries" and use the new option "charset" instead. For AgaviPdoDatabase, a similar approach (specifying the charset in the DSN) works for PHP version 5.3.6 and newer, but in older versions of PHP, the PDO MySQL driver ignores the "charset" option in the DSN. If your my.cnf configuration file specifies "latin1" and you simply switch to UTF-8 using "SET NAMES utf8", this is no problem, but for some charsets, this may result in the quoting issues mentioned above. This is why AgaviPdoDatabase requires you to set "warn_mysql_charset" to false in such environments. With this flag explicitly disabled, it will also be possible to use "SET NAMES" init queries again, but be advised that this is at your own risk. You may mitigate the risks by using native prepared statements (disable PDO::ATTR_EMULATE_PREPARES), but this will not affect calls to PDO::quote() or prepared statements where this flag has been overridden.
>
> Passing an empty string as the scheme in the options array when generating a URL with AgaviWebRouting will now produce a protocol-relative URL starting with "//". This is useful for generated content embedded by third party sites that use both normal and secured HTTP transports.
>
> AgaviMysqlSessionStorage and AgaviPdoSessionStorage have improved update and insert behaviors for MySQL that should eliminate occasional non-critical "exception thrown without a stack frame" errors on shutdown when no session data (including the timestamp) was modified.
>
> AgaviCreoleDatabase, AgaviCreoleSessionStorage and support for Propel versions older than 1.3 in AgaviPropelDatabase have been marked deprecated and are slated for removal in Agavi 1.1.
>
> The recommended URL rewrites in Apache .htaccess files have been adjusted once more to disable the DirectorySlash directive.
>
> X-Forwarded-Proto style HTTPS indicators as used on Amazon's Elastic Load Balancers are now supported for the "HTTPS" data source key in AgaviWebRequest.
>
> The timezone database has been updated to 2011g.

A final release will follow shortly if no show-stoppers are found.

Have a great week,

David


Reply all
Reply to author
Forward
0 new messages