Home Explore Help
Sign In
boarspring
/
repo_zf1Php7
forked from boarspring/repo_zf1
2
0
Fork 0
Files
Tree: 16565e341b
Branches Tags
repo_zf1Php7
/
README.txt

README.txt 8.9 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257 
  1. Welcome to the Zend Framework 1.12 Release! 
    2. 

  2. 

  3. RELEASE INFORMATION
    4. 

  4. ===================
    5. 

  5. 

  6. Zend Framework 1.12.4dev Release ([INSERT REV NUM HERE]).
    7. 

  7. Released on <Month> <Day>, <Year>.
    8. 

  8. 

  9. IMPORTANT FIXES FOR 1.12.3
    10. 

  10. --------------------------
    11. 

  11. 

  12. This release incorporates is primarily aimed to update
    13. 

  13. Zend_Service_Twitter to the Twitter v1.1 API:
    14. 

  14. 

  15.  - http://framework.zend.com/issues/browse/ZF-12530
    16. 

  16. 

  17. Because the Twitter v1.1 API is not backwards compatible with v1.0, the
    18. 

  18. API for Zend_Service_Twitter has been changed; if you have been using it
    19. 

  19. previously, you will need to update your code accordingly. Both the
    20. 

  20. end-user and API documentation have been updated to reflect the changes.
    21. 

  21. 

  22. IMPORTANT FIXES FOR 1.12.2
    23. 

  23. --------------------------
    24. 

  24. 

  25. This release incorporates over 40 bugfixes. In particular, the following
    26. 

  26. issue has been resolved in Zend_Service_Twitter:
    27. 

  27. 

  28.  - http://framework.zend.com/issues/browse/ZF-9253
    29. 

  29. 

  30. This fix ensures that Zend_Service_Twitter uses the new versioned API 
    31. 

  31. endpoint required by Twitter.
    32. 

  32. 

  33. SECURITY FIXES FOR 1.12.1
    34. 

  34. -------------------------
    35. 

  35. 

  36. This release incorporates fixes for:
    37. 

  37. 

  38.  - http://framework.zend.com/security/advisory/ZF2012-05
    39. 

  39. 

  40. Zend_Feed_Rss and Zend_Feed_Atom were found to contain XML eXternal
    41. 

  41. Entity (XXE) Injection vectors due to insecure usage of the DOM
    42. 

  42. extension.  External entities could be specified by adding a specific
    43. 

  43. DOCTYPE element to XML-RPC requests; exploiting this vulnerability could
    44. 

  44. coerce opening arbitrary files and/or TCP connections.
    45. 

  45. 

  46. A similar issue was fixed for 1.12.0, in the Zend_Feed::import() method;
    47. 

  47. however, the reporter of the issue discovered that the individual
    48. 

  48. classes contained similar functionality in their constructors which
    49. 

  49. remained vulnerable.
    50. 

  50. 

  51. The patch applied removes the XXE vector by calling
    52. 

  52. libxml_disable_entity_loader() before attempting to parse the feed via
    53. 

  53. DOMDocument::loadXML().
    54. 

  54. 

  55. The above patches are also available in the 1.11 series of releases.
    56. 

  56. 

  57. Thanks goes to Yury Dyachenko at Positive Research Center for for
    58. 

  58. reporting the XXE vulnerability and reviewing the patches created to fix
    59. 

  59. the issue.
    60. 

  60. 

  61. SECURITY FIXES FOR 1.12.0
    62. 

  62. -------------------------
    63. 

  63. 

  64. This release incorporates fixes for each of:
    65. 

  65. 

  66.  - http://framework.zend.com/security/advisory/ZF2012-01
    67. 

  67.  - http://framework.zend.com/security/advisory/ZF2012-02
    68. 

  68. 

  69. Several components were found to be vulnerable to XML eXternal Entity
    70. 

  70. (XXE) Injection attacks due to insecure usage of the SimpleXMLElement
    71. 

  71. class (SimpleXML PHP extension).  External entities could be specified
    72. 

  72. by adding a specific DOCTYPE element to XML-RPC requests; exploiting
    73. 

  73. this vulnerability could coerce opening arbitrary files and/or TCP
    74. 

  74. connections.
    75. 

  75. 

  76. Additionally, these same components were found to be vulnerable to XML
    77. 

  77. Entity Expansion (XEE) vectors. XEE attacks define custom entities
    78. 

  78. within the DOCTYPE that refer to themselves, leading to recursion; the
    79. 

  79. end result is excessive consumption of CPU and RAM, making Denial of
    80. 

  80. Service (DoS) attacks easier to implement.
    81. 

  81. 

  82. Vulnerable components included:
    83. 

  83. 

  84.  - Zend_Dom
    85. 

  85.  - Zend_Feed
    86. 

  86.  - Zend_Soap
    87. 

  87.  - Zend_XmlRpc
    88. 

  88. 

  89. The patches applied do the following:
    90. 

  90. 

  91.  - To remove XXE vectors, libxml_disable_entity_loader() is called
    92. 

  92.    before any SimpleXML calls are executed.
    93. 

  93. 

  94.  - To remove XEE vectors, we loop through the DOMDocument child nodes,
    95. 

  95.    ensuring none are of type XML_DOCUMENT_TYPE_NODE, and raising an
    96. 

  96.    exception if any are. If SimpleXML is used, a DOMDocument is created
    97. 

  97.    first, processed as above, and then passed to simplexml_import_dom.
    98. 

  98. 

  99. The above patches are also available in the 1.11 series of releases.
    100. 

  100. 

  101. Thanks goes to Johannes Greil and Kestutis Gudinavicius of SEC-Consult
    102. 

  102. for reporting the original XXE vulnerability against Zend_XmlRpc and
    103. 

  103. working with us to provide a working solution. Thanks goes to Pádraic
    104. 

  104. Brady for helping us identify other XXE vectors, as well as identifying
    105. 

  105. and patching the XEE vectors.
    106. 

  106. 

  107. NEW FEATURES
    108. 

  108. ============
    109. 

  109. 

  110. Zend_Loader changes
    111. 

  111. -------------------
    112. 

  112. 

  113. A number of autoloaders and autoloader facilities were back ported from
    114. 

  114. ZF2 to provide performant alternatives to those already available in the
    115. 

  115. 1.X releases.  These include: Zend_Loader_StandardAutoloader, which
    116. 

  116. improves on Zend_Loader_Autoloader by allowing the ability to specify a
    117. 

  117. specific path to associate with a vendor prefix or namespace;
    118. 

  118. Zend_Loader_ClassMapAutoloader, which provides the ability to use lookup
    119. 

  119. tables for autoloading (which are typically the fastest possible way to
    120. 

  120. autoload); and Zend_Loader_AutoloaderFactory, which can both create and
    121. 

  121. update autoloaders for you, as well as register them with
    122. 

  122. spl_autoload_register().
    123. 

  123. 

  124. The Zend_Loader changes were back ported from ZF2 by Matthew Weier
    125. 

  125. O’Phinney
    126. 

  126. 

  127. Zend_EventManager
    128. 

  128. -----------------
    129. 

  129. 

  130. Zend_EventManager is a component that allows you to attach and detach
    131. 

  131. listeners to named events, both on a per-instance basis as well as via
    132. 

  132. shared collections; trigger events; and interrupt execution of
    133. 

  133. listeners.
    134. 

  134. 

  135. Zend_EventManager was back ported from ZF2 by Matthew Weier O’Phinney
    136. 

  136. 

  137. Zend_Http_UserAgent_Features_Adapter_Browscap
    138. 

  138. ---------------------------------------------
    139. 

  139. 

  140. This class provides a features adapter that calls get_browser() in order
    141. 

  141. to discover mobile device capabilities to inject into UserAgent device
    142. 

  142. instances.
    143. 

  143. 

  144. Browscap (http://browsers.garykeith.com/) is an open project dedicated
    145. 

  145. to collecting an disseminating a “database” of browser capabilities. PHP
    146. 

  146. has built-in support for using these files via the get_browser()
    147. 

  147. function. This function requires that your php.ini provides a browscap
    148. 

  148. entry pointing to the PHP-specific php_browscap.ini file which is
    149. 

  149. available at http://browsers.garykeith.com/stream.asp?PHP_BrowsCapINI.
    150. 

  150. 

  151. Zend_Http_UserAgent_Features_Adapter_Browscap was created by Matthew
    152. 

  152. Weier O’Phinney
    153. 

  153. 

  154. Zend_Mobile_Push
    155. 

  155. ----------------
    156. 

  156. 

  157. Zend_Mobile_Push is a component for implementing push notifications for
    158. 

  158. the 3 major push notification platforms (Apple (Apns), Google (C2dm) and
    159. 

  159. Microsoft (Mpns).
    160. 

  160. 

  161. Zend_Mobile_Push was contributed by Mike Willbanks.
    162. 

  162. 

  163. Zend_Gdata_Analytics
    164. 

  164. --------------------
    165. 

  165. 

  166. Zend_Gdata_Analytics is an extension to Zend_Gdata to allow interaction
    167. 

  167. with Google’s Analytics Data Export API. This extension does not
    168. 

  168. encompass any major changes in the overall operation of Zend_Gdata
    169. 

  169. components.
    170. 

  170. 

  171. Zend_Gdata_Analytics was contributed by Daniel Hartmann.
    172. 

  172. 

  173. Removed features
    174. 

  174. ================
    175. 

  175. 

  176. Zend_Http_UserAgent_Features_Adapter_WurflApi
    177. 

  177. ---------------------------------------------
    178. 

  178. 

  179. Due to the changes in licensing of WURFL, we have removed the WurflApi
    180. 

  180. adapter. We will be providing the WurflApi adapter to ScientiaMobile so
    181. 

  181. that users of WURFL will still have that option.
    182. 

  182. 

  183. Bug Fixes
    184. 

  184. =========
    185. 

  185. 

  186. In addition,  over 200 reported issues in the tracker have been fixed.
    187. 

  187. We’d like to particularly thank Adam Lundrigan, Frank Brückner and
    188. 

  188. Martin Hujer for their efforts in making this happen. Thanks also to the
    189. 

  189. many people who ran the ZF1 unit tests and reported their results!
    190. 

  190. 

  191. For a complete list, visit:
    192. 

  192. 

  193.  * http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=12877
    194. 

  194.  * http://framework.zend.com/changelog/
    195. 

  195. 

  196. MIGRATION NOTES
    197. 

  197. ===============
    198. 

  198. 

  199. A detailed list of migration notes may be found at:
    200. 

  200. 

  201. http://framework.zend.com/manual/en/migration.html
    202. 

  202. 

  203. SYSTEM REQUIREMENTS
    204. 

  204. ===================
    205. 

  205. 

  206. Zend Framework requires PHP 5.2.11 or later. Please see our reference
    207. 

  207. guide for more detailed system requirements:
    208. 

  208. 

  209. http://framework.zend.com/manual/en/requirements.html
    210. 

  210. 

  211. INSTALLATION
    212. 

  212. ============
    213. 

  213. 

  214. Please see [INSTALL.txt](INSTALL.txt).
    215. 

  215. 

  216. REPOSITORY HISTORY
    217. 

  217. ==================
    218. 

  218. 

  219. This repository was created based on the release-1.12 branch of a Subversion
    220. 

  220. repository, http://framework.zend.com/svn/framework/standard/. It contains a
    221. 

  221. subset of the project history, dating from between the 1.5.0 and 1.6.0 releases,
    222. 

  222. and only contains the tags for the 1.12 series. If you would like an older
    223. 

  223. version, you may access the subversion repository linked above, or download an
    224. 

  224. older version from http://framework.zend.com/downloads/archives.
    225. 

  225. 

  226. QUESTIONS AND FEEDBACK
    227. 

  227. ======================
    228. 

  228. 

  229. Online documentation can be found at http://framework.zend.com/manual.
    230. 

  230. Questions that are not addressed in the manual should be directed to the
    231. 

  231. appropriate mailing list:
    232. 

  232. 

  233. http://framework.zend.com/wiki/display/ZFDEV/Mailing+Lists
    234. 

  234. 

  235. If you find code in this release behaving in an unexpected manner or
    236. 

  236. contrary to its documented behavior, please create an issue in the Zend
    237. 

  237. Framework issue tracker at:
    238. 

  238. 

  239. http://framework.zend.com/issues
    240. 

  240. 

  241. If you would like to be notified of new releases, you can subscribe to
    242. 

  242. the fw-announce mailing list by sending a blank message to:
    243. 

  243. 

  244. fw-announce-subscribe@lists.zend.com.
    245. 

  245. 

  246. LICENSE
    247. 

  247. =======
    248. 

  248. 

  249. The files in this archive are released under the Zend Framework license.
    250. 

  250. You can find a copy of this license in [LICENSE.txt](LICENSE.txt).
    251. 

  251. 

  252. ACKNOWLEDGEMENTS
    253. 

  253. ================
    254. 

  254. 

  255. The Zend Framework team would like to thank all the contributors to the Zend
    256. 

  256. Framework project, our corporate sponsor, and you, the Zend Framework user.
    257. 

  257. Please visit us sometime soon at http://framework.zend.com.
    258.