Feb 05

Agavi 1.0.0 beta 8 released, fixes vulnerability

Agavi 1.0.0 beta 8 is now available for download at www.agavi.org

This release fixes a number of issues and introduces a bunch of new features and enhancements over beta 7.

Most importantly, this release fixes an attack vector affecting AgaviWebRouting::gen(null) in combination with some web browsers that, in violation of RFC 3986 and its predecessors, do not urlencode certain characters in the URL when making requests to a web server. Because such characters arrive at the server unencoded and are passed through unchanged when gen(null) builds a URL from the current request, an attacker can craft a potentially malicious URL that is reflected into the generated output, leading to a possible cross-site scripting vulnerability. Current and previous versions of Microsoft Internet Explorer are known to exhibit this behavior. We’d like to thank Daniel Kubitza for advising us of this issue.
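As an added illustration of the bug class described above (this is example code written for this page, not Agavi's code and not the fix from ticket #1019), the following PHP 7.4+ script shows a request URI that a non-conforming browser would send with the quote and angle-bracket characters un-encoded, a link generator that copies that URI into an href attribute unchanged, and a hardened version that re-encodes the path and query on the server before escaping the result for HTML. The request URI, the function names and the link text are constructed for the example.

```php
<?php
// Added illustration, not code from Agavi or from the advisory above.
// It shows the bug class: a browser that sends characters such as " < >
// un-encoded on the request line, and an application that copies the raw
// request URI back into HTML when generating a link to the current page.

// Constructed sample input: what a non-conforming browser might put on the
// request line for a crafted link. A conforming client would have sent
// /news/%22%3E%3Cscript%3Ealert(1)%3C/script%3E?page=2 instead.
$rawRequestUri = '/news/"><script>alert(1)</script>?page=2';

// Vulnerable pattern: the request URI is trusted because "the browser
// already encoded it", and lands verbatim inside an href attribute.
function naiveSelfLink(string $requestUri): string
{
    return '<a href="' . $requestUri . '">this page</a>';
}

// Hardened pattern: normalise the URI on the server instead of trusting the
// client. Each path segment is decoded once (so input that was already
// percent-encoded is not double-encoded) and re-encoded per RFC 3986, the
// query string is rebuilt from parsed parameters, and the caller escapes the
// result for the HTML context it is inserted into.
function canonicalRequestUri(string $requestUri): string
{
    [$path, $query] = array_pad(explode('?', $requestUri, 2), 2, '');

    $segments = array_map(
        static fn(string $segment): string => rawurlencode(rawurldecode($segment)),
        explode('/', $path)
    );
    $uri = implode('/', $segments);

    if ($query !== '') {
        parse_str($query, $params);
        $uri .= '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    }
    return $uri;
}

function safeSelfLink(string $requestUri): string
{
    $href = htmlspecialchars(canonicalRequestUri($requestUri), ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">this page</a>';
}

// Crude check a reviewer can run over the generated markup: a single
// well-formed anchor has exactly one start tag, one end tag and one quoted
// attribute, i.e. two '<', two '>' and two '"' in total. Any raw quote or
// angle bracket leaking out of the attribute value breaks that count.
function linkIsWellFormed(string $html): bool
{
    return substr_count($html, '<') === 2
        && substr_count($html, '>') === 2
        && substr_count($html, '"') === 2;
}

echo naiveSelfLink($rawRequestUri), PHP_EOL;  // raw quote closes the attribute early
echo safeSelfLink($rawRequestUri), PHP_EOL;   // same path, percent-encoded and escaped

printf("naive link well-formed: %s\n", linkIsWellFormed(naiveSelfLink($rawRequestUri)) ? 'yes' : 'no');
printf("safe link well-formed:  %s\n", linkIsWellFormed(safeSelfLink($rawRequestUri)) ? 'yes' : 'no');
```

The point of the decode-then-encode step is that the server must not assume the client did any encoding at all: whether the browser sent %22 or a literal quote, the generated link ends up with the same canonical form, and HTML escaping is still applied as a separate layer for the attribute context.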

Please see the associated ticket #1019 for details, temporary workarounds and standalone patches against previous releases.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-0417 to this issue. This is a candidate for inclusion in the CVE list, which standardizes names for security problems.

As it also fixes a couple of bugs related to handling of request data and validation, upgrading is highly recommended for all users.

A couple of enhancements and changes over 1.0.0 beta 7 are worth mentioning:

  • A brand new Routing implementation (backwards compatible)
  • The move to the new XML config system is officially finished; AgaviReturnArrayConfigHandler remains an old-style handler for the time being
  • Complete support for multiple SOAP services in the same application
  • Command line support (request/response/routing)
  • Support for anti-stampede callbacks in Execution Filter
  • AgaviController::dispatch() accepts an AgaviExecutionContainer as optional second argument
  • Sample App was refactored completely and got some enhancements
  • Support for arbitrary HTTP POST Content Types
  • Automatically decode HTTP PUT payload into request parameters for application/x-www-form-urlencoded Content-Type in AgaviWebRequest
  • Allow relative min and max values using strtotime syntax in AgaviDateTimeValidator
  • Throw named error if “required” condition is not satisfied in validators
  • Streamline date formatting and parsing behaviors when using timezones

Of course, all of the enhancements, changes and fixes from the latest 0.11.6 release are also in this release. We have recently updated our CHANGELOG structure to list changes merged from older version branches under the destination version, so you can quickly get a precise overview of what changes exactly are included in a release.

For a full list of changes and descriptions of important changes, please refer to the CHANGELOG and RELEASE_NOTES.

We will roll another beta this week with a very, very sexy new validation report query API. Once that is done, Agavi 1.0 will be feature complete, and we can start the release candidate cycle.