Changelog v1.7.2

Harro Verton edited this page Jul 11, 2014 · 28 revisions

This keeps track of important changes to the 1.x branch.

When you decide to upgrade to a new version, pay attention to the changes documented in this changelog and to the documented upgrade procedures.

Important fixes, changes, notes. Read them carefully.


As of 1.7.2, the Viewmodel class is deprecated, and replaced by the Presenter class. Functionality has remained largely the same, and a Viewmodel alias is present to maintain backward compatibility.

It has proven difficult to explain what a Viewmodel is and does, and why you should use it. Also, having both a classes/view and a views folder was very confusing for a lot of people. It is also a step closer to Fuel v2, where this class is also called Presenter.

Backward compatibility notes


As a result of the security issue mentioned below, the auto-format of the response in the Request_Curl class is now disabled by default, as it is possible for a malicious site to construct a response of a specific response type that can lead to code execution. This means that if you use Request_Curl, you have to either enable this manually in your code (ONLY if you absolutely trust the site you connect to!), or add code to validate the response before you process it.
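One way to validate a response before processing it, as an added example that is not FuelPHP code: the hypothetical helper decode_json_response() takes the Content-Type header and raw body you received and refuses any type that is not on an allowlist. The sample responses are constructed.

```php
<?php
// Added example: hypothetical helper, not part of FuelPHP.
// The remote site chooses the Content-Type header, so it must never select the parser.
function decode_json_response($contentType, $body, array $allowed = array('application/json'))
{
    // Strip parameters such as "; charset=utf-8" and normalise case.
    $parts = explode(';', (string) $contentType, 2);
    $type  = strtolower(trim($parts[0]));

    // Refuse every type the caller did not explicitly expect.
    if (!in_array($type, $allowed, true)) {
        throw new UnexpectedValueException('Refusing response type: ' . $type);
    }

    // json_decode() only builds arrays and scalars; it never instantiates
    // classes or evaluates code. The depth limit bounds nesting.
    $data = json_decode($body, true, 32);
    if ($data === null && json_last_error() !== JSON_ERROR_NONE) {
        throw new UnexpectedValueException('Malformed JSON: ' . json_last_error_msg());
    }
    if (!is_array($data)) {
        throw new UnexpectedValueException('Expected a JSON object or array');
    }
    return $data;
}

// Constructed sample responses: array(Content-Type header, body).
$samples = array(
    array('application/json; charset=utf-8', '{"status":"ok","items":[1,2,3]}'),
    array('application/xml', '<status>ok</status>'),   // type not on the allowlist
    array('application/json', '{"status": '),          // truncated body
);

foreach ($samples as $sample) {
    list($header, $body) = $sample;
    try {
        $data = decode_json_response($header, $body);
        echo $header, ' => accepted, keys: ', implode(',', array_keys($data)), PHP_EOL;
    } catch (UnexpectedValueException $e) {
        echo $header, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```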


The required validation rule no longer treats an input value of false as a value, so passing this value will now trigger a validation error.


The PDO driver now returns the error code of the underlying database driver back as the error code in the Database_Exception, instead of the PDO error code. This allows you to act on specific platform errors.

It also means you lose access to the original generic PDO error code. You can work around this by retrieving the current PDO database connection (through the connection() method on the database object) and calling PDO's errorCode() method to retrieve the original generic PDO error code.

Removed code (because it was deprecated in v1.7.1 or earlier)


Security related


There was one security advisory issued for 1.7.1, which also impacts all previous versions from 1.1 onwards (see The issue is mitigated in 1.7.2, and it is strongly advised that you upgrade as soon as possible, or alternatively follow the advice in the advisory.


A potential vulnerability was discovered in the way column name quoting was done. This has been fixed. As a result, manually coded SQL functions, which you could get away with earlier, now require you to use DB::expr() to encapsulate the function.

// old code, no longer works
$result = DB::select("LOWER(\"field\")")->from($table)->execute();

// has to be replaced by
$result = DB::select(DB::expr("LOWER(\"field\")"))->from($table)->execute();

Error messages are now escaped, to prevent a possible XSS through the generated error. Note that it is best practice not to display error messages in a production environment, so the possible risk for XSS is deemed to be very low.

System changes

  • A possible XSS vulnerability in the Profiler output has been fixed.
  • The import() function can now also import third-party classes in APPPATH/vendor.
  • When using multiple DB connections, the profiler now shows the connection used for the query.
  • The Profiler now html encodes the output to avoid incorrect handling of the ampersand.
  • The internal Markdown class has been removed, and replaced by the Composer library.
  • Some methods were still defined as private. This has been changed to protected to allow extension.
  • Fully namespaced controllers are now supported. Now you can use class names like Controller\Foo\Bar, Controller_Foo_Bar, or Controller\Foo_Bar.
  • The Database layer now has support for nested transactions, either through native SQL support, or via SAVEPOINTS.
  • The Agent class has been switched back to the original URL's.
  • Saving a Lang or Config file will now flush the APC and/or Opcode cache.
  • Double quotes inside an HTML tag attribute value are now escaped.
  • Debug logging has been added to the Session classes to aid in debugging session loss.
  • GZIP compression is now automatically disabled if the client indicates it doesn't support it.
  • Unit tests have been adapted where needed to support PHPUnit 4.
  • The html_tag helper function now generates compliant HTML.
  • Several pieces of file handling code have been modified to handle Windows file paths better.
  • The Autoloader now throws an exception if the class file can be found, but it doesn't contain the class expected.
  • The Autoloader now supports loading Traits.
  • The shutdown handler now logs any error if it fails to shutdown properly.
  • The included PHPSecLib version has been upgraded to the July 1st version of the php5 branch.
  • Unit testing now has support for AspectMock.
  • An entry to the phpunit xml has been added to run tests in modules.

Specific classes

  • Agent: Now correctly uses the defined browser agent instead of the system one.
  • Arr: New keyval_to_assoc() method converts key-value pairs into an associative array.
  • Arr: When passing an object as key to get(), it is now cast to string.
  • Asset: Has a new config option "always_resolve", which will do local asset resolving even for absolute URL's.
  • Cache: A check is added to avoid possible deadlocks with using files for caching.
  • Cache: Now has a driver for Xcache (
  • Cli: Backtrace output has been rewritten to make it more readable on the commandline.
  • Cli: Now has the option to disable output colouring.
  • Cli: New methods stdout and stderr allow you to redirect them to file.
  • Config: When saving a config file, the configured permission mask is now applied.
  • Controller_Hybrid: Now correctly handles returned array responses.
  • Controller_Rest: When no data is returned, "204 NO CONTENT" status is set.
  • Controller_Rest: Better support for Digest authentication.
  • Controller_Rest: The option to specify the return format in the URL now actually works.
  • Database: The PDO driver will now add the charset to the DSN if not specified.
  • Database: The MySQL drivers no longer use the "AUTOCOMMIT" value, which interferes with table locking.
  • Database: Insert now has the options to define multiple value sets, to insert multiple rows at once.
  • Database: Quoted strings can now be passed to methods without requiring DB::expr().
  • DBUtil: Default values are now correctly quoted, instead of escaped.
  • DBUtil: Make sure the COMMENT keyword appears before AFTER and BEFORE.
  • DBUtil: Now allows you to set a specific DB connection to operate on.
  • Fieldset: field() without parameter will now correctly return all defined fieldset fields.
  • Fieldset: Now has a delete() method to remove an existing field from the fieldset.
  • Fieldset_Field: set_fieldset() now allows you to move a Field to a different fieldset.
  • File: download() now has the option to delete the file after download is completed.
  • File: New file_exists() method that will honour the defined Area.
  • File: Fixed possible infinite recursion in delete_dir().
  • File: Download now supports the option to select "inline" or "attachment" disposition.
  • Form: If no action is specified to open(), the current URI will be used.
  • Format: CSV conversion methods now have separate config for import and export of CSV data.
  • Format: Improved CSV parsing, to support non-standard formats created by Microsoft applications.
  • Format: CSV files without headers can now be imported.
  • Format: to_csv() now allows you to define custom headers.
  • Format: Incorrect handling of empty XML tags has been fixed.
  • FTP: Fixed directory recursion in delete_dir().
  • Inflector: The separator of friendly_title() is now configurable.
  • Input: Added better support for NGINX.
  • Lang: If multiple languages are defined, the lang files are now loaded in the correct order.
  • Log: New log_filename config key allows you to override the generated log file name.
  • Model_Crud: Can now correctly handle properties with a null value.
  • Mongo_Db: like() method now correctly uses its wildcard parameters.
  • Mongo_Db: New method list_collections().
  • Pagination: Logic has been completely rewritten to fix all bugs.
  • Pagination: You can now define an offset to shift the active page in the navigation block left or right.
  • Session: set_flash() now correctly resets the state when setting an existing expired flash value.
  • Session: Deleting a session cookie now takes the configured path and domain into account.
  • Session: Now has emulation of $_SESSION, to support external code using this to access session data.
  • Str: The truncate method now correctly handles multibyte strings.
  • Uri: An empty URI string is valid input for Uri::create().
  • Uri: Uri suffixing has been rewritten to accept new long TLD names.
  • Validation: valid_string now allows you to test for "slash" and "backslash".
  • Validation: New valid_collection rule allows you to check against a predefined list of values.
  • Validation: The required rule no longer treats false as a value.
  • Viewmodel: Now has the option to unset a variable set on it.


  • Auth: The included ORM User model now supports both Ormauth and Simpleauth.
  • Auth: Ormgroup's member() method now correctly checks for group membership.
  • Auth: Calculating effective user permissions in Ormauth has been fixed.
  • Auth: Opauth: if no nickname is returned by the provider, try to find a match on email address.
  • Auth: Ormauth now supports database selection and DB's replication features.
  • Email: Recipient names are now quoted to support commas in the name.
  • Email: New Mailgun driver to support sending email through Mailgun's email service.
  • Email: SMTP driver now only authenticates once per connection, to facilitate bulk email.
  • Email: Added the option to strip or leave HTML comments in the HTML message body.
  • Email: New Mandrill driver to support sending email through Mandrill's email service.
  • Email: SMTP driver now supports STARTTLS for secure email. Used for example by Google mail.
  • Email: Now has a config option to automatically correct relative protocol URI's in HTML bodies.
  • Oil: oil server now has inline help.
  • Oil: Authentication in generated Admin controllers has been fixed.
  • Oil: Added the --module argument to add module support to the code generation commands.
  • Oil: Scaffolding templates are updated for Bootstrap 3.
  • Oil: oil test now supports the PHPunit argument --testsuite.
  • Oil: oil test now supports the PHPunit argument --debug.
  • Oil: oil generate model now can generate ORM temporal or nestedset models.
  • Oil: the --with-viewmodel switch has been renamed to --with-presenter.
  • Oil: when refine calls an unknown command, it now lists the ones defined in the Task.
  • Oil: Generated view code now works properly cross platform and cross OS.
  • Orm: to_array now also exports EAV value pairs.
  • Orm: The before_save observer is now called before the object is checked for changes.
  • Orm: New enable_event and disable_event methods for enabling/disabling observer events.
  • Orm: Fixed Soft_Delete::purge, now it actually deletes the purged records.
  • Orm: You can now pass custom data when forging an ORM object.
  • Orm: Observer_Slug now has a configurable separator.
  • Orm: Observer_Slug now allows you to generate duplicate slugs, or to assign slugs manually.
  • Orm: Fixed validation of new objects, now all fields are correctly validated.
  • Orm: There is now support for DB::expr() in ORM select().
  • Orm: There is now support for select('*').
  • Orm: You can now add custom sanitation code to a model (used when a model object is passed to a View).
  • Parser: Twig driver now supports Input::post, Session::get and Auth::check.
  • Parser: Smarty driver now has the same Fuel interface plugins as Twig.
  • Parser: Now supports the "Lex" parser (