Feb 05

Agavi 0.11.6 released, fixes vulnerability

Agavi 0.11.6 is now available for download at www.agavi.org

This maintenance release fixes a number of issues and provides several minor enhancements and additions.

Most importantly, this release fixes an attack vector affecting AgaviWebRouting::gen(null) in combination with some web browsers that (in violation of RFC 3986 and earlier versions) do not urlencode certain characters in the URL when making requests to a web server, allowing attackers to craft potentially malicious URLs that lead to a possible cross-site scripting vulnerability. Current and previous versions of Microsoft Internet Explorer are known to exhibit this behavior. We’d like to thank Daniel Kubitza for advising us of this issue.

Please see the associated ticket #1019 for details, temporary workarounds and standalone patches against previous releases.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-0417 to this issue. This is a candidate for inclusion in the CVE list, which standardizes names for security problems.

As it also fixes a couple of bugs related to handling of request data and validation, upgrading is highly recommended for all users.

A couple of changes over 0.11.5 are worth mentioning:

  • AgaviArraylengthValidator was added.
  • PHP 5.2.8 or later is now required in combination with magic_quotes_gpc. This is due to security reasons unrelated to the issue in the PHP 5.2.7 release. Ticket #953 explains things in detail.
  • Slot responses are now merged into the parent even if the response content is empty.
  • Several best practices have been added and improved in the sample app and the code templates, and warnings are now thrown for outdated libxml versions, all intended to make it easier for new users to dive into Agavi.
  • The timezone database was updated to version 2009a.
  • Access to global request data is now locked during AgaviAction::getDefaultViewName() execution.
  • Handling of array keys has been unified across AgaviWebRequestDataHolder sources.
  • Unvalidated request data is not available anymore in the View if the Action didn’t serve the current request method.
  • New projects now generate separate exception templates for production environments, and the built-in exception templates now simply re-throw the exception instead of displaying any information if the display_errors php.ini setting is disabled.
  • 'secure' flags can optionally be set automatically on session and response cookies, and the session save path can be defined for AgaviSessionStorage through factories.xml. These measures are useful for mitigating potential attack vectors on applications.

For a full list of changes and descriptions of important changes, please refer to the CHANGELOG and RELEASE_NOTES.