|
Bugs |
Generally bugs mentioned in a version are also present in previous versions.
Version 2.2.0
- Due to limitations of older versions of PHP and/or MySQL the character set may not be set on the connection in such a way that the quoting functions of MySQL take the character set into account. This may be a problem with UTF-8 and may have security implications, possibly including SQL injection vurnerabilities.
- Though the framework has DAO classes that are successfully used as the database abstraction layer with MySQL and SqLite, the use with other databases may require some additional refactoring. Please inform us about eventual problems and solutions with the use of other databases.
- EditDetailsPage on unload confirm does not work in Chrome, Safari and Opera
- PntHttpRequest::validateGpcValue errorneuosly warns for voor integer 0 being too short. Patch: compare session_name by ===
- PntHttpRequest does not allow windows drive colon in PATH_TRANSLATED (usually does not occur because this server var is usually empty or not set)
- PntStringConverter::sanitizeHtml patterns contains UTF-8 modifiers, if characterset is LATIN errorneously returns empty string. (This method is used for editing properties with type html) Patch: remove u at the end of each pattern if not using UTF-8
Version 2.1.0
- Includes quoted parameters in SQL (should only use parameterized queries)
- Ignores invalid pnt request parameters or just throwns/triggers unspecific error
Version 2.1.rc1
- Applications are not protected against cross frame scripting. (This is only relevalnt for applications using authentication/authorization - the extension for this is not included in the open source version)
- Action database transaction does not catch rollback exception
- Indexpage does not filter and sort (not present in previous versions)
- Selection report not correct with search forms (not present in previous versions)
- FireFox 17.0.1 window.confirm does not work onunload
Version 2.0.0a
- The abstract user interface is probably vurnerable for cross site scripting (CSS)
- Incompatibility with PHP 5.4: The StringConverter does not specify the character set to htmlentities
Version 2.0.0
- PntGen::includeClass bug: missing slash after classes folder name. This bug is not present in previous versions.
- Gen ::includeClass and tryIncludeClass not safe with register_globals ON. This bug is not present in versions before 1.5.0.
- SaveAction can not find the edited object if id > 999. This bug is not present in previous versions.
Patch: in includes/skinDetailsFormStartPart.php replace $this->getConvert($this->getRequestedObject(), 'id') by $this->getReqParam('id', true)
Version 1.5.0a
- With php 4.4 and 5.1 phpPeanuts still triggers some notifications "Only variable references should be returned by reference": When a function that returns a PntError it is not first put into a variable.
- Reference Anomalies: Before the generic workaround was applied (introduced in 1.1 beta 1, released dd 16-11-2004), use of references by phpPeanuts occasionally made uninitialized php variables or associations arbitrarily hold values that seemed to come from another variable. This rarily happened and since the generic workaround it did not happen again until the changes where made to get rid of reference notifications. Read the "remarks for use with existing applications" in the release notes to avoid them. Do not use phpPeanuts for mission critical applications.
- produces E_STRICT notifications on php5 (see release notes under portability).
Version 1.5.0
- global $cfgCommonClassDirs in classes/pnt/generalfunctions.php is not safe with register_globals ON. This bug is not present in previous versions.
Version 1.4.0
- Column mappings do not work correctly with navigational search on classes with polymorphic persistency
- triggers E_DEPRICATED errors on PHP 5.3
- error handler can not correctly handle E_DEPRICATED and E_USER_DEPRICATED errors
Version 1.4.beta3
- Column mappings may not be consequently applied. If you need to set a columnName different to the propertyName on an PropertyDescriptor, test your applications database persistence functionality thouroughly.
Version 1.4.beta2
- Due to sanitization the FilterFormPart used by several types of SearcvhPages does not work properly for advanced search with < and <= ,
- Encoding id by PntSelectWidget causes advanced search in FilterFormPart to 'forget' selections,
- Usage of E_STRIC constant by PntAction::handleError causes notifications in PHP4,
- overflow=hidden style for BODY element causes report pages to be unscrollable.
Version 1.4.beta1
- PropertyPage delete results in error because pntActionTicket is missing (You can solve this yourself by copying the hidden form field from skinIndexPart to skinPropertyPart. Both skins are in the includes folder).
Version 1.3.0
- Vurnerable to cross site scripting. If authentication is added and a user that is already logged in is forged into sending a request with requestdata containing a script the script may be able to obtain cookies that are used to authenticate the user and send them to third parties.
- Though the framework has a class that is pointed to become the database abstraction layer, there is still quite some code that does not delegate to this layer, but will clearly have to delegate if phpPeanuts has to work on other databases. If you need database abstraction, consider the use of 1.4.beta1 or up
- PntSite::getFunkyRequestData does not urlEncode and adds no slashes
- PntFilterFormPart::getInitializedAdvancedFilters assigns cloned filter by reference
Version 1.3.beta3
- With php4.4 and 5.2.0 (documentation suggests the same will happen with 5.1) phpPeanuts still triggers notifications "Only variables should be assigned by reference". Because of polymorphisms and our coding rule to pass objects by reference but pass primitive values and arrays by value it is practically impossible to get rid of all of these.
Version 1.3.beta2
- Getting rid of reference notifications is only half way in this version. Returning arrays by value at one place and (assigning them) by reference at another sometimes causes Reference Anomalies.
- returning StringConverter by value at one place and (assigning it) by reference at another causes dereference problems that may crash php.
These two bugs are considered not to be present in earlier versions.
Version 1.3.beta1
- WARNING: include exploit in pnt/unit Inspect.php. We strongly advise not to use pnt/unit in production and not to expose pnt/unit to any other users then selected maintenance/development personell and to install the bugfix ASAP(). More information
- When an MtoNDialog is reopend after closing, the current values of the MtoNDialogWidget it was opened from are not reflected in the dialog. Patching this is not a big deal, look on the forum for a patch.
- not tested with php5.1 and php5.2. From the upgrade guide we conclude that With php5.2 and up the following problems may occur:
- E_RECOVERABLE_ERROR may be handled incorrectly by PntErrorHandler
- Error page cause javascript error because it does not do scouting
- Error page displays cause with double slashes
- Testing with php 4.4 shows phpPeanuts triggers many notifications. PhpPeanuts intensively uses variable references. Some form of reference usage triggers notifications in php 4.4 where it did not in 4.3 and 5.0. With respect to references it is like php has broken with the principle of automatic type conversion: whenever a value has to be converted to a reference automatically, notifications are triggered. As a result all conversions have to be made explicit in all phpPeanuts code. When phpPeanuts will be targeting php5 only, we plan to eliminate variable references wherever possible. Until then this issue will not be resolved entirely.
Version 1.1.beta 2
- examples: notifications from getLabel with new objects
- warnings when allow_call_time_pass_reference=Off
Version 1.1 beta 1
- returns class descriptor with lower case name, which causes pnt.db.PntDbClassDescriptor::_getDescribedClassInstanceForData to inifinitely loop recursively (polymorphism support)
- selectwidget does not show selection supplied by url (showed up with creating new object from propertypage)
- Column mappings may not be consequently applied. If you need to set a columnName different to the propertyName on an PropertyDescriptor, test your applications database persistence functionality thoroughly.
- Reference Anomalies: Before the generic workaround was applied, use of references by phpPeanuts occasionally made uninitialized php variables or associations arbitrarily hold values that seemed to come from another variable.
This rarily happened and since the generic workaround it did not happen again until the changes where made to get rid of reference notifications triggered by php5.2. Read How to avoid Reference Anomalies. Do not use phpPeanuts for mission critical applications.
- Several notifications found (and still present) in this beta, as well as minor bug documented here.
- pnt.web.PntSite::getGlobalFilters instantiates filter from evaluating php source from session. Evaluating php source from session apears to be seen as a security hazard
according to www.php.net, annoucement of php version 4.3.10.
Version 1.0a
- The framework still produces a lot of notifications. To allow the developer to test his own code for notifications, the notifications from the framework are suppressed in pnt/unit.
- Column mappings are not consequently applied
- Reference Anomalies: The extensive use of references by phpPeanuts occasionally makes php variables or associations arbitrarily hold values that seem to come from another variable. Workaround is in Release 1.0a. Patch for 1.0 beta available on the forum.
- example3 and above: Country create form makes SaveAction produce "class does not exist: " Warning. (Cause: classPntClassDescritor.php43)
- The framework stores in the session as php code. This appears to be seen as unsecure. This has been resolved in 1.1 beta 2
- did not refer to different application folder if the properties class dir is not the own domainDir.
|
|