Veikko Mäkinen

Sunday, 2009-01-11

» Agavi 1.0.0 beta 7 released!

Agavi 1.0.0 Beta 7

Out of the many changes, there are two (or actually three) I want to emphasise because they may break backwards compatibility for someone.

Default View Security Fixes

Two separate changes have been made to the action’s default view handling to ensure strict security.

To make sure a developer doesn’t use unvalidated input data by mistake, global unvalidated request data is locked during action and view execution. However, before 1.0.0 beta 7 it was possible to access the global request data in Action::getDefaultViewName(). This has now been fixed, and anyone using the global request data there will be punished severely with an exception. Mind you, it has always been recommended that no application logic be put into getDefaultViewName(). It should just return the default view name for the action.

It was also recently discovered that the strict validation mode (the default mode in Agavi 1.0) wasn’t working as it is supposed to when an action didn’t provide an execute method for the current request and the default view was used. In this case the request data was given to the view unfiltered, which is against the strict validation mode principles.
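A simplified model of the gap described above, as an added example: it is not Agavi code, and every name in it except getDefaultViewName() (`strictFilter`, `ShowArticleAction`, `dispatch`, `validators`, `$filterDefaultView`) is hypothetical. It shows how filtering applied only on the execute path lets unvalidated parameters reach the default view, next to the behaviour with filtering applied on the fallback path as well.

```php
<?php
// Model of strict validation; names are hypothetical, not Agavi's API.
// Strict mode: only parameters that passed a validator are kept.
function strictFilter(array $input, array $validators): array
{
    $clean = [];
    foreach ($validators as $name => $isValid) {
        if (array_key_exists($name, $input) && $isValid($input[$name])) {
            $clean[$name] = $input[$name];
        }
    }
    return $clean;
}

class ShowArticleAction
{
    // Only "write" requests have an execute method; "read" has none.
    public function executeWrite(array $rd): string { return 'Success'; }
    public function getDefaultViewName(): string { return 'Input'; }
    public function validators(): array
    {
        return ['id' => fn($v) => is_string($v) && ctype_digit($v)];
    }
}

// $filterDefaultView = false models the behaviour before the fix.
function dispatch(object $action, string $method, array $input, bool $filterDefaultView): array
{
    $validators = $action->validators();
    $execute = 'execute' . ucfirst($method);
    if (method_exists($action, $execute)) {
        $rd = strictFilter($input, $validators);
        return [$action->$execute($rd), $rd];
    }
    // No execute method for this request: fall back to the default view.
    $rd = $filterDefaultView ? strictFilter($input, $validators) : $input;
    return [$action->getDefaultViewName(), $rd];
}

// Constructed sample request: one valid parameter, one never validated.
$input = ['id' => '42', 'title' => '<b>unvalidated</b>'];
$action = new ShowArticleAction();
[, $before] = dispatch($action, 'read', $input, false);
[, $after]  = dispatch($action, 'read', $input, true);
echo 'Default view, fallback unfiltered: ', implode(', ', array_keys($before)), "\n";
echo 'Default view, fallback filtered:   ', implode(', ', array_keys($after)), "\n";
```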

PHP 5.2.8 Requirement (conditional)

Due to issues with magic quotes in earlier PHP versions, and the fact that making Agavi bulletproof in all situations is becoming a maintenance nightmare, it was decided to require PHP 5.2.8 if magic_quotes_gpc is ON. I’ll repeat: Agavi requires PHP 5.2.8 ONLY if magic_quotes_gpc is enabled on your server. If it’s not, you can still use Agavi with PHP 5.2.0 or later (5.1.3 with Agavi 0.11).

Agavi Blog

1.0.0 Beta 7 Release Notes
