Posted
9 months
ago
Hello folks,
Agavi 1.0.1 RC1 is now available for download at www.agavi.org
This maintenance release fixes a number of issues over Agavi 1.0.0 and brings a couple of minor enhancements.
The following are worth
... [More]
mentioning:
Most notable, a race condition in configuration file compilation was fixed that could lead to corrupt compiled files on disk.
Exporting values from validators with argument bases is now possible, and it’s possible to control the exact use of keys in the process.
The bundled Timezone database was updated to version 2009d.
Last but not least, it’s now possible to set session_cache_expire(), session_cache_limiter() and session_module_name() through configuration.
Support for document/literal wrapped style SOAP services has been improved.
Two regressions related to AgaviRoutingCallback::onGenerate() have been fixed.
Handling of slashes and dots in Action, View and Model names has been unified - slashes are now always used internally.
Several other minor fixes and enhancements.
As usual, please check the CHANGELOG for a complete list of changes.
Stay strong,
David [Less]
Posted
9 months
ago
Agavi 0.11.7 is now available for download at www.agavi.org
This maintenance release fixes a number of issues over Agavi 0.11.6.
The following are worth mentioning:
Most notable, a race condition in configuration file
... [More]
compilation was fixed that could lead to corrupt compiled files on disk.
Exporting values from validators with argument bases is now possible, and it’s possible to control the exact use of keys in the process.
The bundled Timezone database was updated to version 2009d.
Last but not least, it’s now possible to set session_cache_expire(), session_cache_limiter() and session_module_name() through configuration.
Several other minor fixes.
As usual, please check the CHANGELOG for a complete list of changes.
Greetings,
David [Less]
Posted
10 months
ago
We’re delighted to announce the release of Agavi version 1.0, available for download at www.agavi.org.
The list of notable features is too long to include in entirety here, so I’ll just list the most important ones:
New XML
... [More]
configuration infrastructure, now much more capable than before, with native XML support in config handlers, support for XSL transformations, XML Schema, RELAX NG and Schematron validations, separate envelope and content namespaces for configuration files. All fully backwards compatible.
Rewritten Routing, now supports arbitrary numbers of callbacks per route, allows “ rss” and “-rss” style gen() calls, supports objects and any other non-scalar value as gen() parameters. It also allows much more consistent and fine-grained control over encoding of values and supports modifications to the execution container from callbacks, and a response can now be returned from a callback to skip any execution.
New project configuration system with massive cleanups, support for custom build targets, much improved best practices, can be completely automated through command line arguments, supports Agavi’s deployment approach, allows for more fine-grained control of the build process.
Completely new convenience API for accessing validation results.
Experimental(!) unit testing system for projects.
Execution containers now have their own request method.
Support for command line applications.
Caching has support for callbacks to control group values and overall caching status dynamically, and sports hooks for stampede protection mechanisms.
A rewritten Sample Application with much more best practices and cleaner code.
Several improvements for SOAP and REST web services.
Please refer to the CHANGELOG and RELEASE_NOTES files for more detailed information; UPGRADING has a list of changes that might affect you if you’re upgrading from 0.11.x.
I’d like to thank everyone who supported us over all these years, and, of course, our thanks also go to anyone who has contributed to the project. Your support and your inspirations were essential in making the framework what it is today.
We already have great plans for future releases; I’ll keep you posted. A revamped tutorial manual (to be renamed “Guide” soon) will also be published soon.
Take care and make sure to celebrate this release with a bottle of beer, a glass of wine, or at least some cake :) [Less]
Posted
10 months
ago
Agavi 1.0.0 RC2 is now available for download at www.agavi.org.
This release fixes one regression in the routing, comes with several improvements to the best practices implemented in projects generated by the project configuration system
... [More]
, and now allows passing of a validation report object to Form Population Filter. Also, a last-minute change in RC1 that made “pattern” attributes optional in routing.xml has been reverted.
As you can see, the number of changes is quite minimal, wich means we’re now extremely close to a final 1.0 release, which you should expect to be released this week. [Less]
Posted
10 months
ago
I’m pleased to announce the immediate availability of Agavi 1.0.0 Release Candidate 1. Download it now at www.agavi.org!
We fixed a couple of regressions in beta8/beta9, but nothing dramatic, so updating should, as always, be
... [More]
smooth.
Speaking of which, I’d like to encourage everyone to give this release a try - we’ve been working hard over the last weeks and months to eliminate backwards compatibility problems, and we ourselves have updated several big and complex projects running 0.11 to run on 1.0 without problems. Please test this release thoroughly so we can release a final 1.0 soon!
With Agavi 1.0 now feature complete, the focus over the next couple of days will shift towards documentation and the website, so stay tuned for updates in those areas - we’ll keep you posted, of course!
Stay strong, Agavi nation, and thank you for being so very supportive and so very awesome! [Less]
Posted
10 months
ago
Agavi 1.0.0 beta 9 is now available for download at www.agavi.org.
This release includes a relatively modest number of changes over 1.0.0 beta 8:
Testing infrastructure (experimental!) was declared “finished” (it will be changed
... [More]
and improved until at least 1.1)
Routing callbacks can now return an AgaviResponse from onMatched() and onNotMatched()
Cache group callbacks need to throw an exception of type AgaviUncacheableException now to prevent caching
Routing callbacks now have onNotMatched() called by the framework, even if the same callback’s onMatched() method returns false
Several regressions were fixed in the new Routing.
As always, the CHANGELOG has a complete list of all changes.
There is, however, one new feature that I’d like to devote special attention to:
A new API for accessing information about the result of a validation run is now available through AgaviValidationManager::getReport().
It is vastly more convenient and capable of the previous APIs which have been deprecated.
The primary instrument for accessing validation result information are query objects, which you can retrieve using AgaviValidationReport::createQuery().
They have methods for defining query filter rules (byArgument, byValidator, byMinSeverity, byErrorName), which form a fluent interface.
Methods like has(), count() or getErrorMessages() are available to retrieve information from the resulting collection.
This new interface allows you to query any kind of result from the validation system in just one (albeit long) line of code, and we’re pretty excited about it, because, frankly, the old APIs were a bit of a mess and not very intuitive to use.
Be sure to check out ticket #1022 to see some examples on how to use the new interface.
We’ll release an RC1 very soon now, so stay tuned, friends! [Less]
Posted
11 months
ago
Agavi 1.0.0 beta 8 is now available for download at www.agavi.org
This release fixes a number of issues and introduces a bunch of new features and enhancements over beta 7.
Most importantly, this release fixes an attack vector
... [More]
affecting AgaviWebRouting::gen(null) in combination with some web browsers that (in violation of RFC 3986 and earlier versions) do not urlencode certain characters in the URL when making requests to a web server, allowing attackers to craft potentially malicious URLs that lead to a possible cross-site scripting vulnerability. Current and previous versions of Microsoft Internet Explorer are known to exhibit this behavior. We’d like to thank Daniel Kubitza for advising us of this issue.
Please see the associated ticket #1019 for details, temporary workarounds and standalone patches against previous releases.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-0417 to this issue. This is a candidate for inclusion in the CVE list, which standardizes names for security problems.
As it also fixes a couple of bugs related to handling of request data and validation, upgrading is highly recommended for all users.
A couple of enhancements and changes over 1.0.0 beta 7 are worth mentioning:
A brand new Routing implementation (backwards compatible)
The move to the new XML config system is officially finished; AgaviReturnArrayConfigHandler remains an old-style handler for the time being
Complete support for multiple SOAP services in the same application
Command line support (request/response/routing)
Support for anti-stampede callbacks in Execution Filter
AgaviController::dispatch() accepts an AgaviExecutionContainer as optional second argument
Sample App was refactored completely and got some enhancements
Support for arbitrary HTTP POST Content Types
Automatically decode HTTP PUT payload into request parameters for application/x-www-form-urlencoded Content-Type in AgaviWebRequest
Allow relative min and max values using strtotime syntax in AgaviDateTimeValidator
Throw named error if “required” condition is not satisfied in validators
Streamline date formatting and parsing behaviors when using timezones
Of course, all of the enhancements, changes and fixes from the latest 0.11.6 release are also in this release. We have recently updated our CHANGELOG structure to list changes merged from older version branches under the destination version, so you can quickly get a precise overview of what changes exactly are included in a release.
For a full list of changes and descriptions of important changes, please refer to the CHANGELOG and RELEASE_NOTES.
We will roll another beta this week with a very, very sexy new validation report query API. Once that is done, Agavi 1.0 will be feature complete, and we can start the release candidate cycle. [Less]
Posted
11 months
ago
Agavi 0.11.6 is now available for download at www.agavi.org
This maintenance release fixes a number of issues and provides several minor enhancements and additions.
Most importantly, this release fixes an attack vector affecting
... [More]
AgaviWebRouting::gen(null) in combination with some web browsers that (in violation of RFC 3986 and earlier versions) do not urlencode certain characters in the URL when making requests to a web server, allowing attackers to craft potentially malicious URLs that lead to a possible cross-site scripting vulnerability. Current and previous versions of Microsoft Internet Explorer are known to exhibit this behavior. We’d like to thank Daniel Kubitza for advising us of this issue.
Please see the associated ticket #1019 for details, temporary workarounds and standalone patches against previous releases.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-0417 to this issue. This is a candidate for inclusion in the CVE list, which standardizes names for security problems.
As it also fixes a couple of bugs related to handling of request data and validation, upgrading is highly recommended for all users.
A couple of changes over 0.11.5 are worth mentioning:
AgaviArraylengthValidator was added.
PHP 5.2.8 or later is now required in combination with magic_quotes_gpc. This is due to security reasons unrelated to the issue in the PHP 5.2.7 release. Ticket #953 explains things in detail.
Slot responses are now merged into the parent even if the response content is empty.
Several best practices have been added and improved in the sample app and the code templates, and warnings are now thrown for outdated libxml versions, all intended to make it easier for new users to dive into Agavi.
The timezone database was updated to version 2009a.
Access to global request data is now locked during AgaviAction::getDefaultViewName() execution.
Handling of array keys has been unified across AgaviWebRequestDataHolder sources.
Unvalidated request data is not available anymore in the View if the Action didn’t serve the current request method.
New projects now generate separate exception templates for production environments, and the built-in exception templates now simply re-throw the exception instead of displaying any information if the display_errors php.ini setting is disabled.
‘secure’ flags can optionally be set automatically on session and response cookies, and the session save path can be defined for AgaviSessionStorage through factories.xml. These measures are useful for mitigating potential attack vectors on applications.
For a full list of changes and descriptions of important changes, please refer to the CHANGELOG and RELEASE_NOTES. [Less]
Posted
11 months
ago
Agavi 0.11.6 RC 2 is now available at agavi.org.
It contains a handful of bug fixes, most notably related to validation, and also features a couple of convenient ways to improve session and cookie security through validation.
The
... [More]
olson timezone database was updated to version 2009a.
As always, CHANGELOG and RELEASE_NOTES have the full story.
Unless hell freezes over, we’ll release a final version shortly.
A 1.0.0 beta 8 (with a refactored Routing!) is also coming in a bit. [Less]
Posted
11 months
ago
Agavi 1.0.0 beta 7 is now available for download at http://www.agavi.org/
It consists of all the changes ported from 0.11.6, of course, and also brings a small number of new features and more changes under the hood (e.g. config cache
... [More]
handling) as well as more new unit tests and testing system features.
Please help us test this release so we can roll another beta in 1-2 weeks. [Less]
