posted by Grégoire Hubert 1 day ago
symfony 1.0.16 is out and fixes an important security vulnerability. This is the shortest changelog one may find between two releases: a one-line file.
- r8922: fixed yml validator file can be overridden by a remote attacker (#1617)
The issue is described in ticket #1617.
An attacker could bypass the validation process and pass unvalidated data to your actions. Your applications are only vulnerable if you use the :action placeholder in your routing rules. This is the case if you rely on the default symfony routing rule (/:module/:action/*).
If you use symfony 1.1, your applications are only vulnerable if you use the 1.0 compat layer.
Everybody is encouraged to upgrade as soon as possible.
For 1.0: you can apply the patch directly from http://trac.symfony-project.com/changeset/8922 or upgrade to 1.0.16, either with the PEAR package (pear upgrade symfony/symfony-1.0.16) or with the Debian package.
For 1.1: you can apply the patch available at http://trac.symfony-project.com/changeset/8925. The patch will be part of the next 1.1 release candidate.
posted by Javier Eguiluz 5 days ago
Outstanding week for symfony with three new versions released: 1.0.14, 1.0.15 and 1.1.0 RC1. After its first release candidate, symfony 1.1 gets tons of fixes and enhancements. As usual, plugins continue breaking records with more than 22 updated plugins and 6 new plugins released during this week.
Development highlights
- r8777: [1.1] fixed sfPropelDatabase unit tests
- r8782: [1.1] fixed incorrect file upload path
- Milestone 1.0.14 completed
- r8804: [1.1] changed column name format for sfValidatorPropelChoice from PHP name to column name to be coherent with the way everything else works (you must rebuild your forms with propel:build-forms)
- r8805: [1.1] added primary key column name when generating validator for foreign keys (so now this information is built at compilation instead of at runtime)
- r8806: [1.1] split sfPatternRouting::parse into two methods to allow side-effect free retrieval of the route that might match a URL. Useful for link rewriting that might want to check if a link will match an internal route, without actually "switching" there.
- r8807: [1.1] added a sfValidatorPropelUnique validator and added automatic support in propel:build-forms
- r8809: [1.1] added an error message in project:freeze if the given symfony data dir does not exist
- r8811: [1.1] fixed loc.php
- r8813: [1.1] added a check for license when install a plugin with the plugin:install task
- r8814: [1.1] modified the way admin generator deletes selected objects to ensure that post-deletion behaviors can be executed
- r8815: [1.1] added support for Propel's inheritance model to symfony 1.1 propel 1.2 plugin
- r8819, r8820: [1.0, 1.1] corrected ID generation for TinyMCE rich editor when no id was given
- r8821: [1.1] merged XHTML fixes from 1.0
- r8823, r8824: [1.0, 1.1] fixed FCK editor not being populated by fillin filter
- r8825, r8826: [1.0, 1.1] fixed I18N helper dependency
- r8827, r8828: [1.0, 1.1] remote_function will return a complete JavaScript statement including the trailing semicolon
- r8832: [1.1] fixed include_remove option not used in ObjectAdminHelper
- r8836, r8837: [1.0, 1.1] fixed some issues with the button_to helper: the query string is now appended correctly, the short notation of attributes is parsed correctly, plus some internal refactoring and unit tests
- Milestone 1.1.0 RC1 completed
- r8861: [1.0] fixed problem with PHP 5.2.6 and ini variables access value
- r8862: [1.1] moved i18n factory creation before routing to allow i18n usage in the routing process
- r8869: [1.1] fixed yaml regression
- Milestone 1.0.15 completed
- r8883: [1.1] added an exception when binding a multipart form without a files argument
- r8893: [1.1] modified plugin:install error message if no version is available for installation
- r8894: [1.1] fixed application.log log messages in CLI
- r8896: [1.1] fixed behavior registration bug in propel tasks
- r8906: [1.1] fixed HTML attributes for select tags
- r8907: [1.1] fixed HTML attributes for Date, Time, and DateTime widgets
- Updated dwhittle branch
- ...and many other changes
Development digest: 140 changesets, 31 defects created, 49 defects closed, 6 enhancements created, 19 enhancements closed, 3 documentation defects created, 6 documentation defects closed and 11 documentation edits.
Wiki
- New Job Postings:
- Symfony Developer @ Immune Technologies - freelance / full-time job based in Copenhagen, Denmark - Contact: ja [at] immune [dot] dk
- New developers for hire:
- Punch Code, LLC.: is an enterprise web 2.0 development firm in Dallas, TX (USA). We've been using symfony since early 2007. By building our applications on the symfony framework we have been able to more effectively deliver robust solutions in a shorter timeframe.
Plugins
- New plugins
- sfIconPlugin: icon set and helpers used to display icons in templates
- sfPhotoGalleryPlugin: allows you to associate one or more photos (with thumbnails created automatically) with any persistent object in your model
- sfFirePHPPlugin: enables you to print to your Firebug console using a simple PHP function call
- sfDynamicsFormBuilderPlugin: builds forms dynamically with an OOP interface; not associated with sfFormBuilderPlugin and works differently
- sfHighlightPlugin: collection of tools to highlight text and media formats, such as XML. It is highly extensible to support any format or highlighting scheme
- ZajoPlugin: offers helpers that integrate the jQuery JavaScript framework in an unobtrusive way
- Updated plugins
- sfDoctrinePlugin: fix to packages, some fixes for symfony 1.1, Doctrine related fixes, updated links to latest Doctrine documentation
- sfExtjsThemePlugin: initial implementation of event-throwing, added new event handlers (deleting and closing), implemented event-listeners, reimplementing list in maintainable-style, reimplementation of grid-panel in pjs files, enhancements for new list/grid in config-style, implemented toolbar buttons, improved implementation of extended objects
- sfDoctrineSimpleCMSPlugin: Updates for symfony 1.1 and updated 1.1 plugins
- sfGuardDoctrinePlugin: fixing more porting from propel, fixing the duplicate use of 'admin' as a fixtures key
- dbFusionChartPlugin: released 0.0.4 version
- nahoPropelOptimizerPlugin: fixed package.xml
- sfAdvancedAdminGeneratorPlugin: fixed bug on sorting columns
- ckWebServicePlugin: updated wsdl generation task to be compatible with symfony 1.1, renamed the ckWebServiceGenerateWsdlTask class file so it is autoloaded, added a utility class for string checks, switched to the ckString utility class where applicable, fixed compatibility issues of ckWebServiceController with the altered sfController implementation in symfony 1.1, changed the configuration model for modules/actions, added code to prevent malicious calls, through manipulated SOAP requests, to actions which are not part of the web service API
- sfBreadNavPlugin: released 1.1.0 version, updated documentation
- sfFormExtraPlugin: released 1.0.1 version, fixed package.xml
- sfGuardPlugin: fixed form tag typo
- sfOpenSocialPlugin: released 1.0.0 version
- sfWebBrowserPlugin: changed header normalization to process all existing headers with the right upper/lower case
- sfFeed2Plugin: fixed isPermaLink typo, changed printed rss feed version to 2.0, encapsulated content in cdata sections, fixed category retrieval
- sfMediaLibraryPlugin: added Finnish, Hungarian and Persian translations
- sfExtjs2Plugin: added Toolbar objects
- sfDoctrineNestedSetManagerPlugin: updated doctrine class calls to new standard
- sfPropelImpersonatorPlugin: updated svn URL in readme, added doSelectRS impersonation to ->addSelectcolumns() if the user did not, and to use Propel's behaviors
- sfPropelActAsTaggableBehaviorPlugin: released 0.6 version (added "nb_common_tags" option, added the possibility to retrieve the triple tags of an object, added "separator" option in the tag_list() helper, improved preloadTags() performance)
- sfN1IterationPlugin: released 0.1.3 version, added N1IterationToolkit.class.php with a method to easily save related objects
- sfSearchPlugin: added prove-all script to test suite
- sfLucenePlugin: small code formatting change
posted by Grégoire Hubert 7 days ago
After the release of PHP 5.2.6, here is symfony 1.0.15. This revision fixes a regression with PHP 5.2.6, and we recommend you upgrade if you plan to upgrade your PHP. Symfony 1.1 is not impacted by this problem.
- r8861: fixed problem with PHP 5.2.6 and ini variables access value (closes #3466 - related to http://bugs.php.net/bug.php?id=44936)
- r8836: fixed some issues with button_to helper (closes #3184)
- r8831: fixed include_remove option not used in ObjectAdminHelper (closes #2079)
- r8827: remote_function will return a complete JavaScript statement including the trailing semicolon. (closes #3135)
- r8825: fixed I18N helper dependency (closes #1794)
- r8823: fixed FCK editor not being populated by fillin filter. (closes #732)
- r8819: corrected ID generation for TinyMCE rich editor when no id was given. (closes #3474)
I did not release the 1.0.14 Debian package as I knew we would have to release a new version these days. The 1.0.15 package will come shortly.
posted by Dustin Whittle 8 days ago
Yahoo! used symfony to redevelop another project. This time symfony was used as part of the foundation for Yahoo! Answers. Yahoo! Answers is the largest collection of human knowledge on the Web with more than 135 million users and 515 million answers worldwide. Yahoo! Answers is the 2nd ranked education & reference site on the web and is available in 26 markets and 12 languages.
Why did Yahoo! choose symfony for another large web application project?
Philosophy
- Full-stack framework for building complex web applications
- Adopt best ideas from anywhere, using existing code if available (Mojavi, Prado, Rails, Django)
Design
- Clean separation between Model, View, and Controller
- Controller using modules and actions
- Views using templates in straight PHP with helpers
- Easy to reuse view modules to compose a page (Layouts, Components, Partials, Slots)
Configurability / Flexibility
- Features we do not want are easily disabled
- Use of factories for easy customization
Documentation / Support Community
- The Definitive Guide to symfony (free online)
- Excellent tutorials and example applications - Askeet
- Active community with wiki, mailing lists, forums, irc channel
Once again symfony fits the requirements of an enterprise web application. Dustin Whittle of Yahoo! presented a case study on redeveloping Y! Answers. The focus was how to work with open source tools to create a complete framework (PHP, JS, CSS) for the enterprise. He used his experience redeveloping Yahoo! Answers with symfony and Yahoo! User Interface libraries as a case study. Download the presentation from slideshare.
posted by Nicolas Perriault 9 days ago
As promised, we end today the beta release cycle of symfony 1.1 with the publication of the first release candidate (RC1). No new feature will be added from now on, so you're encouraged to test it thoroughly and report any problem to help us fix the remaining bugs before we publish the stable version.
What has been done between the beta4 and this brand new RC1?
- The sfValidatorPropelChoice validator doesn't use the PHP name format anymore to reference table columns, but directly the column name, to be coherent with the way everything else works. Also, the sfValidatorPropelUnique validator has been added and is now used by the propel:build-forms task.
- Also regarding the forms framework, the possibility has been added to pass HTML attributes for each field when rendering a form or a widget schema, to ease forms templating and output customization.
- The plugin:install task now checks the license of the plugin. If the plugin is not licensed under a LGPL, MIT, BSD, Apache, or PHP license, the task won't install it except if you pass a --force-license option.
- Support has been added to the schema YAML format for Propel 1.2 inheritance.
- Paths were incorrect when uploading a file. This has been fixed.
- Tests have been updated to ensure they work under both case-sensitive and case-insensitive filesystems.
- Fabian Lange has contributed a lot of work to ensure the fillin filter works as expected in all cases.
- The autoloading performance problem which was occurring in the dev environment in certain very rare circumstances has been fixed.
To upgrade an existing project based on another 1.1 beta, you have to run the following commands:
$ php symfony propel:build-model
$ php symfony propel:build-forms
$ php symfony cache:clear
To upgrade a project using symfony 1.0, you're invited to carefully read the UPGRADE file.
So what's the next step? You can expect a RC2 and a stable release in the following weeks.