| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375 |
- <?xml version="1.0" encoding="UTF-8"?>
- <!-- EN-Revision: 24249 -->
- <!-- Reviewed: no -->
- <sect1 id="migration.19">
- <title>Zend Framework 1.9</title>
- <para>
- Lors de la migration d'une version précédente à Zend Framework 1.9.0 vers une version 1.9,
- vous devriez prendre note de ce qui suit.
- </para>
- <sect2 id="migration.19.zend.file.transfer">
- <title>Zend_File_Transfer</title>
- <sect3 id="migration.110.zend.file.transfer.mimetype">
- <title>MimeType validation</title>
- <para>
- For security reasons we had to turn off the default fallback mechanism of the
- <classname>MimeType</classname>, <classname>ExcludeMimeType</classname>,
- <classname>IsCompressed</classname> and <classname>IsImage</classname> validators.
- This means, that if the <emphasis>fileInfo</emphasis> or
- <emphasis>magicMime</emphasis> extensions can not be found, the validation will
- always fail.
- </para>
- <para>
- If you are in need of validation by using the <acronym>HTTP</acronym> fields which
- are provided by the user then you can turn on this feature by using the
- <methodname>enableHeaderCheck()</methodname> method.
- </para>
- <note>
- <title>Security hint</title>
- <para>
- You should note that relying on the <acronym>HTTP</acronym> fields, which are
- provided by your user, is a security risk. They can easily be changed and could
- allow your user to provide a malcious file.
- </para>
- </note>
- <example id="migration.110.zend.file.transfer.example">
- <title>Allow the usage of the HTTP fields</title>
- <programlisting language="php"><![CDATA[
- // at initiation
- $valid = new Zend_File_Transfer_Adapter_Http(array('headerCheck' => true);
- // or afterwards
- $valid->enableHeaderCheck();
- ]]></programlisting>
- </example>
- </sect3>
- </sect2>
- <sect2 id="migration.19.zend.filter">
- <title>Zend_Filter</title>
- <para>
- Avant la version 1.9, <classname>Zend_Filter</classname> permettait l'utilisation
- de la méthode statique <methodname>get()</methodname>. Avec la version 1.9 cette
- méthode a été renommée en <methodname>filterStatic()</methodname> afin d'être plus
- descriptive. L'ancienne méthode <methodname>get()</methodname> est marquée comme
- dépréciée.
- </para>
- </sect2>
- <sect2 id="migration.19.zend.http.client">
- <title>Zend_Http_Client</title>
- <sect3 id="migration.19.zend.http.client.fileuploadsarray">
- <title>Changement dans le stockage interne des fichiers d'upload</title>
- <para>
- Dans la version 1.9 de Zend Framework, il y a eu un changement dans la manière dont
- <classname>Zend_Http_Client</classname> stocke en interne les informations concernant les
- fichiers ayant été uploadés, affectés grâce à <methodname>Zend_Http_Client::setFileUpload()</methodname>
- </para>
- <para>
- Ce changement a été mis en place de manière à permettre l'envoi de plusieurs fichiers
- avec le même nom dans le formulaire, en tant que tableau de fichiers. Plus d'informations à
- ce sujet peuvent être trouvées dans ce
- <ulink url="http://framework.zend.com/issues/browse/ZF-5744">rapport de bug</ulink>.
- </para>
- <example id="migration.19.zend.http.client.fileuploadsarray.example">
- <title>Stockage interne des informations sur les fichiers uploadés</title>
- <programlisting language="php"><![CDATA[
- // Uploade 2 fichiers avec le même nom d'élément de formulaire, en tant que tableau
- $client = new Zend_Http_Client();
- $client->setFileUpload('file1.txt', 'userfile[]', 'some raw data', 'text/plain');
- $client->setFileUpload('file2.txt', 'userfile[]', 'some other data', 'application/octet-stream');
- // Dans Zend Framework <=1.8, la valeur de l'attribut protégé $client->files est:
- // $client->files = array(
- // 'userfile[]' => array('file2.txt', 'application/octet-stream', 'some other data')
- // );
- // Dans Zend Framework >=1.9, la valeur de $client->files est:
- // $client->files = array(
- // array(
- // 'formname' => 'userfile[]',
- // 'filename' => 'file1.txt,
- // 'ctype' => 'text/plain',
- // 'data' => 'some raw data'
- // ),
- // array(
- // 'formname' => 'userfile[]',
- // 'filename' => 'file2.txt',
- // 'formname' => 'application/octet-stream',
- // 'formname' => 'some other data'
- // )
- // );
- ]]></programlisting>
- </example>
- <para>
- Comme vous le voyez, ce changement permet l'utilisation du même élément de formulaire avec plusieurs
- fichiers. Cependant ceci introduit un changement subtile dans l'API interne, il est donc signalé ici.
- </para>
- </sect3>
- <sect3 id="migration.19.zend.http.client.getparamsrecursize">
- <title>Deprecation of Zend_Http_Client::_getParametersRecursive()</title>
- <para>
- Starting from version 1.9, the protected method <methodname>_getParametersRecursive()</methodname>
- is no longer used by <classname>Zend_Http_Client</classname> and is deprecated.
- Using it will cause an E_NOTICE message to be emitted by <acronym>PHP</acronym>.
- </para>
- <para>
- If you subclass <classname>Zend_Http_Client</classname> and call this method, you
- should look into using the <methodname>Zend_Http_Client::_flattenParametersArray()</methodname>
- static method instead.
- </para>
- <para>
- Again, since this <classname>_getParametersRecursive</classname> is a protected method,
- this change will only affect users who subclass <classname>Zend_Http_Client</classname>.
- </para>
- </sect3>
- </sect2>
- <sect2 id="migration.19.zend.locale">
- <title>Zend_Locale</title>
- <sect3 id="migration.19.zend.locale.deprecated">
- <title>Méthodes dépréciées</title>
- <para>
- Quelques méthodes de traductions spéciales ont été dépréciées car elles dupliquaient
- un comportement existant. Notez cependant que les anciens appels vont toujours
- fonctionner, mais une notice utilisateur, qui décrira le nouvel appel, sera émise.
- Ces méthodes seront effacées en 2.0. Ci-dessous la liste des anciens et nouveaux
- appels :
- </para>
- <table id="migration.19.zend.locale.deprecated.table-1">
- <title>Liste des types de mesures</title>
- <tgroup cols="2">
- <thead>
- <row>
- <entry>Ancien appel</entry>
- <entry>Nouvel appel</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>getLanguageTranslationList($locale)</entry>
- <entry>getTranslationList('language', $locale)</entry>
- </row>
- <row>
- <entry>getScriptTranslationList($locale)</entry>
- <entry>getTranslationList('script', $locale)</entry>
- </row>
- <row>
- <entry>getCountryTranslationList($locale)</entry>
- <entry>getTranslationList('territory', $locale, 2)</entry>
- </row>
- <row>
- <entry>getTerritoryTranslationList($locale)</entry>
- <entry>getTranslationList('territory', $locale, 1)</entry>
- </row>
- <row>
- <entry>getLanguageTranslation($value, $locale)</entry>
- <entry>getTranslation($value, 'language', $locale)</entry>
- </row>
- <row>
- <entry>getScriptTranslation($value, $locale)</entry>
- <entry>getTranslation($value, 'script', $locale)</entry>
- </row>
- <row>
- <entry>getCountryTranslation($value, $locale)</entry>
- <entry>getTranslation($value, 'country', $locale)</entry>
- </row>
- <row>
- <entry>getTerritoryTranslation($value, $locale)</entry>
- <entry>getTranslation($value, 'territory', $locale)</entry>
- </row>
- </tbody>
- </tgroup>
- </table>
- </sect3>
- </sect2>
- <sect2 id="migration.19.zend.view.helper.navigation">
- <title>Zend_View_Helper_Navigation</title>
- <para>
- Prior to the 1.9 release, the menu helper
- (<classname>Zend_View_Helper_Navigation_Menu</classname>) did not
- render sub menus correctly. When the <code>onlyActiveBranch</code>
- was <constant>TRUE</constant> and the option <code>renderParents</code>
- <constant>FALSE</constant>, nothing would be rendered if the deepest active
- page was at a depth lower than the <code>minDepth</code> option.
- </para>
- <para>
- In simpler words; if <code>minDepth</code> was set to <code>1</code>
- and the active page was at one of the first level pages, nothing
- would be rendered, as the following example shows.
- </para>
- <para>
- Consider the following container setup:
- </para>
- <programlisting language="php"><![CDATA[
- $container = new Zend_Navigation(array(
- array(
- 'label' => 'Home',
- 'uri' => '#'
- ),
- array(
- 'label' => 'Products',
- 'uri' => '#',
- 'active' => true,
- 'pages' => array(
- array(
- 'label' => 'Server',
- 'uri' => '#'
- ),
- array(
- 'label' => 'Studio',
- 'uri' => '#'
- )
- )
- ),
- array(
- 'label' => 'Solutions',
- 'uri' => '#'
- )
- ));
- ]]></programlisting>
- <para>
- The following code is used in a view script:
- </para>
- <programlisting language="php"><![CDATA[
- echo $this->navigation()->menu()->renderMenu($container, array(
- 'minDepth' => 1,
- 'onlyActiveBranch' => true,
- 'renderParents' => false
- ));
- ]]></programlisting>
- <para>
- Before release 1.9, the code snippet above would output nothing.
- </para>
- <para>
- Since release 1.9, the <methodname>_renderDeepestMenu()</methodname> method in
- <classname>Zend_View_Helper_Navigation_Menu</classname> will accept
- active pages at one level below <code>minDepth</code>, as long as
- the page has children.
- </para>
- <para>
- The same code snippet will now output the following:
- </para>
- <programlisting language="html"><![CDATA[
- <ul class="navigation">
- <li>
- <a href="#">Server</a>
- </li>
- <li>
- <a href="#">Studio</a>
- </li>
- </ul>
- ]]></programlisting>
- </sect2>
- <sect2 id="migration.19.security">
- <title>Security fixes as with 1.9.7</title>
- <para>
- Additionally, users of the 1.9 series may be affected by other changes starting in
- version 1.9.7. These are all security fixes that also have potential backwards
- compatibility implications.
- </para>
- <sect3 id="migration.19.security.zend.dojo.editor">
- <title>Zend_Dojo_View_Helper_Editor</title>
- <para>
- A slight change was made in the 1.9 series to modify the default usage of the Editor
- dijit to use <acronym>div</acronym> tags instead of a <acronym>textarea</acronym>
- tag; the latter usage has <ulink
- url="http://api.dojotoolkit.org/jsdoc/HEAD/dijit._editor.RichText">security
- implications</ulink>, and usage of <acronym>div</acronym> tags is recommended by the
- Dojo project.
- </para>
- <para>
- In order to still allow graceful degradation, a new <varname>degrade</varname>
- option was added to the view helper; this would allow developers to optionally use a
- <acronym>textarea</acronym> instead. However, this opens applications developed with
- that usage to <acronym>XSS</acronym> vectors. In 1.9.7, we have removed this option.
- Graceful degradation is still supported, however, via a <acronym>noscript</acronym>
- tag that embeds a <acronym>textarea</acronym>. This solution addressess all security
- concerns.
- </para>
- <para>
- The takeaway is that if you were using the <varname>degrade</varname> flag, it will
- simply be ignored at this time.
- </para>
- </sect3>
- <sect3 id="migration.19.security.zend.filter.html-entities">
- <title>Zend_Filter_HtmlEntities</title>
- <para>
- In order to default to a more secure character encoding,
- <classname>Zend_Filter_HtmlEntities</classname> now defaults to
- <acronym>UTF-8</acronym> instead of <acronym>ISO-8859-1</acronym>.
- </para>
- <para>
- Additionally, because the actual mechanism is dealing with character encodings and
- not character sets, two new methods have been added,
- <methodname>setEncoding()</methodname> and <methodname>getEncoding()</methodname>.
- The previous methods <methodname>setCharSet()</methodname> and
- <methodname>setCharSet()</methodname> are now deprecated and proxy to the new
- methods. Finally, instead of using the protected members directly within the
- <methodname>filter()</methodname> method, these members are retrieved by their
- explicit accessors. If you were extending the filter in the past, please check your
- code and unit tests to ensure everything still continues to work.
- </para>
- </sect3>
- <sect3 id="migration.19.security.zend.filter.strip-tags">
- <title>Zend_Filter_StripTags</title>
- <para>
- <classname>Zend_Filter_StripTags</classname> contains a flag,
- <varname>commentsAllowed</varname>, that, in previous versions, allowed you to
- optionally whitelist HTML comments in HTML text filtered by the class. However, this
- opens code enabling the flag to <acronym>XSS</acronym> attacks, particularly in
- Internet Explorer (which allows specifying conditional functionality via HTML
- comments). Starting in version 1.9.7 (and backported to versions 1.8.5 and 1.7.9),
- the <varname>commentsAllowed</varname> flag no longer has any meaning, and all HTML
- comments, including those containing other HTML tags or nested commments, will be
- stripped from the final output of the filter.
- </para>
- </sect3>
- </sect2>
- </sect1>
|
