Inicio Explorar Axuda
Iniciar sesión
boarspring
/
repo_zf1
réplica de https://github.com/bluescreen/zf1-php7.2.git
2
0
Fork 1
Ficheiros Incidencias 0 Wiki
Árbore: 9ea57e5746
Ramas Etiquetas
repo_zf1
/
README.txt

README.txt 6.4 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194 
  1. Welcome to the Zend Framework 1.12 Release! 
    2. 

  2. 

  3. RELEASE INFORMATION
    4. 

  4. ---------------
    5. 

  5. Zend Framework 1.12rc4 Release ([INSERT REV NUM HERE]).
    6. 

  6. Released on <Month> <Day>, <Year>.
    7. 

  7. 

  8. SECURITY FIXES FOR 1.12.0
    9. 

  9. -------------------------
    10. 

  10. 

  11. This release incorporates fixes for each of:
    12. 

  12. 

  13.  - http://framework.zend.com/security/advisory/ZF2012-01
    14. 

  14.  - http://framework.zend.com/security/advisory/ZF2012-02
    15. 

  15. 

  16. Several components were found to be vulnerable to XML eXternal Entity
    17. 

  17. (XXE) Injection attacks due to insecure usage of the SimpleXMLElement
    18. 

  18. class (SimpleXML PHP extension).  External entities could be specified
    19. 

  19. by adding a specific DOCTYPE element to XML-RPC requests; exploiting
    20. 

  20. this vulnerability could coerce opening arbitrary files and/or TCP
    21. 

  21. connections.
    22. 

  22. 

  23. Additionally, these same components were found to be vulnerable to XML
    24. 

  24. Entity Expansion (XEE) vectors. XEE attacks define custom entities
    25. 

  25. within the DOCTYPE that refer to themselves, leading to recursion; the
    26. 

  26. end result is excessive consumption of CPU and RAM, making Denial of
    27. 

  27. Service (DoS) attacks easier to implement.
    28. 

  28. 

  29. Vulnerable components included:
    30. 

  30. 

  31.  - Zend_Dom
    32. 

  32.  - Zend_Feed
    33. 

  33.  - Zend_Soap
    34. 

  34.  - Zend_XmlRpc
    35. 

  35. 

  36. The patches applied do the following:
    37. 

  37. 

  38.  - To remove XXE vectors, libxml_disable_entity_loader() is called
    39. 

  39.    before any SimpleXML calls are executed.
    40. 

  40. 

  41.  - To remove XEE vectors, we loop through the DOMDocument child nodes,
    42. 

  42.    ensuring none are of type XML_DOCUMENT_TYPE_NODE, and raising an
    43. 

  43.    exception if any are. If SimpleXML is used, a DOMDocument is created
    44. 

  44.    first, processed as above, and then passed to simplexml_import_dom.
    45. 

  45. 

  46. The above patches are also available in the 1.11 series of releases.
    47. 

  47. 

  48. Thanks goes to Johannes Greil and Kestutis Gudinavicius of SEC-Consult
    49. 

  49. for reporting the original XXE vulnerability against Zend_XmlRpc and
    50. 

  50. working with us to provide a working solution. Thanks goes to Pádraic
    51. 

  51. Brady for helping us identify other XXE vectors, as well as identifying
    52. 

  52. and patching the XEE vectors.
    53. 

  53. 

  54. 

  55. NEW FEATURES
    56. 

  56. ============
    57. 

  57. 

  58. Zend_Loader changes
    59. 

  59. ----
    60. 

  60. 

  61. A number of autoloaders and autoloader facilities were back ported from
    62. 

  62. ZF2 to provide performant alternatives to those already available in the
    63. 

  63. 1.X releases.  These include: Zend_Loader_StandardAutoloader, which
    64. 

  64. improves on Zend_Loader_Autoloader by allowing the ability to specify a
    65. 

  65. specific path to associate with a vendor prefix or namespace;
    66. 

  66. Zend_Loader_ClassMapAutoloader, which provides the ability to use lookup
    67. 

  67. tables for autoloading (which are typically the fastest possible way to
    68. 

  68. autoload); and Zend_Loader_AutoloaderFactory, which can both create and
    69. 

  69. update autoloaders for you, as well as register them with
    70. 

  70. spl_autoload_register().
    71. 

  71. 

  72. The Zend_Loader changes were back ported from ZF2 by Matthew Weier
    73. 

  73. O’Phinney
    74. 

  74. 

  75. Zend_EventManager
    76. 

  76. ----
    77. 

  77. 

  78. Zend_EventManager is a component that allows you to attach and detach
    79. 

  79. listeners to named events, both on a per-instance basis as well as via
    80. 

  80. shared collections; trigger events; and interrupt execution of
    81. 

  81. listeners.
    82. 

  82. 

  83. Zend_EventManager was back ported from ZF2 by Matthew Weier O’Phinney
    84. 

  84. 

  85. Zend_Http_UserAgent_Features_Adapter_Browscap
    86. 

  86. ----
    87. 

  87. 

  88. This class provides a features adapter that calls get_browser() in order
    89. 

  89. to discover mobile device capabilities to inject into UserAgent device
    90. 

  90. instances.
    91. 

  91. 

  92. Browscap (http://browsers.garykeith.com/) is an open project dedicated
    93. 

  93. to collecting an disseminating a “database” of browser capabilities. PHP
    94. 

  94. has built-in support for using these files via the get_browser()
    95. 

  95. function. This function requires that your php.ini provides a browscap
    96. 

  96. entry pointing to the PHP-specific php_browscap.ini file which is
    97. 

  97. available at http://browsers.garykeith.com/stream.asp?PHP_BrowsCapINI.
    98. 

  98. 

  99. Zend_Http_UserAgent_Features_Adapter_Browscap was created by Matthew
    100. 

  100. Weier O’Phinney
    101. 

  101. 

  102. Zend_Mobile_Push
    103. 

  103. ----
    104. 

  104. 

  105. Zend_Mobile_Push is a component for implementing push notifications for
    106. 

  106. the 3 major push notification platforms (Apple (Apns), Google (C2dm) and
    107. 

  107. Microsoft (Mpns).
    108. 

  108. 

  109. Zend_Mobile_Push was contributed by Mike Willbanks.
    110. 

  110. 

  111. Zend_Gdata_Analytics
    112. 

  112. ----
    113. 

  113. 

  114. Zend_Gdata_Analytics is an extension to Zend_Gdata to allow interaction
    115. 

  115. with Google’s Analytics Data Export API. This extension does not
    116. 

  116. encompass any major changes in the overall operation of Zend_Gdata
    117. 

  117. components.
    118. 

  118. 

  119. Zend_Gdata_Analytics was contributed by Daniel Hartmann.
    120. 

  120. 

  121. Removed features
    122. 

  122. ================
    123. 

  123. 

  124. Zend_Http_UserAgent_Features_Adapter_WurflApi
    125. 

  125. ----
    126. 

  126. 

  127. Due to the changes in licensing of WURFL, we have removed the WurflApi
    128. 

  128. adapter. We will be providing the WurflApi adapter to ScientiaMobile so
    129. 

  129. that users of WURFL will still have that option.
    130. 

  130. 

  131. Bug Fixes
    132. 

  132. =========
    133. 

  133. 

  134. In addition,  over 200 reported issues in the tracker have been fixed.
    135. 

  135. We’d like to particularly thank Adam Lundrigan, Frank Brückner and
    136. 

  136. Martin Hujer for their efforts in making this happen. Thanks also to the
    137. 

  137. many people who ran the ZF1 unit tests and reported their results!
    138. 

  138. 

  139. For a complete list, visit:
    140. 

  140. 

  141.  * http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=12877
    142. 

  142.  * http://framework.zend.com/changelog/
    143. 

  143. 

  144. MIGRATION NOTES
    145. 

  145. ---------------
    146. 

  146. 

  147. A detailed list of migration notes may be found at:
    148. 

  148. 

  149. http://framework.zend.com/manual/en/migration.html
    150. 

  150. 

  151. SYSTEM REQUIREMENTS
    152. 

  152. -------------------
    153. 

  153. 

  154. Zend Framework requires PHP 5.2.4 or later. Please see our reference
    155. 

  155. guide for more detailed system requirements:
    156. 

  156. 

  157. http://framework.zend.com/manual/en/requirements.html
    158. 

  158. 

  159. INSTALLATION
    160. 

  160. ------------
    161. 

  161. 

  162. Please see INSTALL.txt.
    163. 

  163. 

  164. QUESTIONS AND FEEDBACK
    165. 

  165. ----------------------
    166. 

  166. 

  167. Online documentation can be found at http://framework.zend.com/manual.
    168. 

  168. Questions that are not addressed in the manual should be directed to the
    169. 

  169. appropriate mailing list:
    170. 

  170. 

  171. http://framework.zend.com/wiki/display/ZFDEV/Mailing+Lists
    172. 

  172. 

  173. If you find code in this release behaving in an unexpected manner or
    174. 

  174. contrary to its documented behavior, please create an issue in the Zend
    175. 

  175. Framework issue tracker at:
    176. 

  176. 

  177. http://framework.zend.com/issues
    178. 

  178. 

  179. If you would like to be notified of new releases, you can subscribe to
    180. 

  180. the fw-announce mailing list by sending a blank message to
    181. 

  181. fw-announce-subscribe@lists.zend.com.
    182. 

  182. 

  183. LICENSE
    184. 

  184. -------
    185. 

  185. 

  186. The files in this archive are released under the Zend Framework license.
    187. 

  187. You can find a copy of this license in LICENSE.txt.
    188. 

  188. 

  189. ACKNOWLEDGEMENTS
    190. 

  190. ----------------
    191. 

  191. 

  192. The Zend Framework team would like to thank all the contributors to the Zend
    193. 

  193. Framework project, our corporate sponsor, and you, the Zend Framework user.
    194. 

  194. Please visit us sometime soon at http://framework.zend.com.
    195.