<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>PHPDeveloper.org</title>
    <link>http://www.phpdeveloper.org</link>
    <description>Up-to-the Minute PHP News, views and community</description>
    <language>en-us</language>
    <pubDate>Fri, 04 Jul 2008 15:25:33 -0500</pubDate>
    <ttl>30</ttl>
    <item>
      <title><![CDATA[CodeIgniter Blog: CodeIgniter 1.6.3 Maintenance and Security Release]]></title>
      <guid>http://www.phpdeveloper.org/news/10498</guid>
      <link>http://www.phpdeveloper.org/news/10498</link>
      <description><![CDATA[<p>
The CodeIgniter framework has made a <a href="http://codeigniter.com/news/codeigniter_163_maintenance_and_security_release/">new release</a> today, 1.6.3, containing updates to fix a few bugs and address some security concerns.
</p>
<blockquote>
We are happy to release CodeIgniter version 1.6.3 today.  Version 1.6.3 is primarily a maintenance release, with a variety of bug fixes and some refinement to existing features (with a few new ones tossed in for good measure).  Details of course can be found in the <a href="http://codeigniter.com/user_guide/changelog.html">Change Log</a>. 
</blockquote>
<p>
The release also fixes a potential cross-site scripting issue that, while it hasn't been reported as used yet, could still have some bad consequences if found and abused. You can grab this latest version from the <a href="http://codeigniter.com/downloads/">CodeIgniter downloads page</a>.
</p>]]></description>
      <pubDate>Fri, 27 Jun 2008 09:34:52 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[Matthew Turland's Blog: Watch Your Include Path]]></title>
      <guid>http://www.phpdeveloper.org/news/9867</guid>
      <link>http://www.phpdeveloper.org/news/9867</link>
      <description><![CDATA[<p>
<i>Matthew Turland</i> is looking to "save you some grief" by <a href="http://ishouldbecoding.com/2008/03/26/watch-your-include-path">pointing out</a> an issue he recently had trouble with and eventually found out was <a href="http://bugs.php.net/bug.php?id=43677">a bug in PHP</a>.
</p>
<blockquote>
It's pretty rare that I encounter a bug in the software I run that hampers my ability to work or my server environment's ability to function normally. However, I encountered one last week that has taken me and several Rackspace support technicians nearly a week to figure out, namely <a href="http://bugs.php.net/bug.php?id=43677">PHP bug #43677</a>.
</blockquote>
<p>
The issue was that PHP seemed to be "forgetting" the include_path in the current script (not Apache). The bug has been found in PHP 5.2.5 (and possibly in all of the 5.2.x releases as well). The problem has been fixed in the latest CVS version and <a href="http://bugs.php.net/bug.php?id=43677">a patch</a> has been created for those who want to correct the problem right away.
</p>]]></description>
      <pubDate>Thu, 27 Mar 2008 10:24:38 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[Demian Turner's Blog: Seagull 0.6.4 Release (fixes Security Issue from 0.6.3)]]></title>
      <guid>http://www.phpdeveloper.org/news/9496</guid>
      <link>http://www.phpdeveloper.org/news/9496</link>
      <description><![CDATA[<p>
<i>Demian Turner</i> has <a href="http://www.phpkitchen.com/index.php?/archives/801-New-Release-of-the-Seagull-framework-0.6.3.html">posted about</a> the latest version of the Seagull framework (0.6.3) and an update to correct a remote file disclosure issue (up to version 0.6.4).
</p>
<blockquote>
Well it took a bit of time but after quite a few months a <a href="http://seagullproject.org/download/">new release of Seagull is finally out</a>, 0.6.3 (0.6.4). Things have been keeping pretty busy with the startup I'm working on, but it's been a great opportunity to refine some features of the framework and optimize the performance. 
The early indications are good, after less than 10 weeks of going live Kindo users are creating up to 20k profiles/day and the server load is staying comfortably below 0.5.
</blockquote>
<p>
<a href="http://www.phpkitchen.com/index.php?/archives/802-Seagull-0.6.3-Remote-File-Disclosure-Vulnerability-Please-Upgrade.html">The update</a> is a <a href="http://seagullproject.org/download/">different download</a> that helps correct an issue with the framework allowing user-supplied values from the GET string. Be sure to update your version to close this security issue.
</p>]]></description>
      <pubDate>Fri, 25 Jan 2008 10:32:00 -0600</pubDate>
    </item>
    <item>
      <title><![CDATA[Dave Dash's Blog: Fixing Broken PATH_INFO]]></title>
      <guid>http://www.phpdeveloper.org/news/9486</guid>
      <link>http://www.phpdeveloper.org/news/9486</link>
      <description><![CDATA[<p>
<i>Dave Dash</i> has <a href="http://spindrop.us/2008/01/23/fixing-broken-path_info/">posted about a method</a> he developed, using a custom prepend file, to correctly obtain the PATH_INFO information for his server.
</p>
<blockquote>
<a href="http://symfony-project.com/">symfony</a> and other applications rely on the server's PATH_INFO being set properly. Unfortunately, I use a nonstandard server that doesn't natively support CGI [...] but I can't figure out how to do a urldecode in my configuration.
</blockquote>
<p>
To get around the issue, he <a href="http://spindrop.us/2008/01/23/fixing-broken-path_info/">created</a> a file he prepended to each request (via auto_prepend_file) that took the value and urldecoded it to put it in another $_SERVER value.
</p>]]></description>
      <pubDate>Thu, 24 Jan 2008 10:21:00 -0600</pubDate>
    </item>
  </channel>
</rss>
