This is our third maintenance release of Apigility, and the first containing security fixes; read on for more information.
We were notified by Stefano Torresi of a potential security vector in ZF\Apigility\DbConnectedResource. While the create() method of that class pulls data from the composed input filter, if present, the update() methods were not, making it possible for an attacker to send unwanted data to the API service. We have updated the class to pull from the composed input filter, if present, for each of the
If you use DB-Connected REST resources in Apigility, we strongly recommend updating immediately. You can do so by running composer update inside your application.
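To make the fix concrete, here is an added illustration (not Apigility's own code) of the two update() shapes described above. The FieldAllowList class is an assumed stand-in for the composed Zend\InputFilter\InputFilter, whose getValues() likewise returns only the inputs that were configured on it; UserResource and the request body are constructed for the example.

```php
<?php
// Stand-in for the composed input filter: only configured fields survive getValues().
final class FieldAllowList
{
    private $names;
    private $data = [];
    public function __construct(array $names) { $this->names = $names; }
    public function setData(array $data) { $this->data = $data; }
    public function getValues()
    {
        // Anything the request sends beyond the declared fields is dropped here.
        return array_intersect_key($this->data, array_flip($this->names));
    }
}

final class UserResource
{
    private $inputFilter;
    public function __construct(FieldAllowList $inputFilter = null)
    {
        $this->inputFilter = $inputFilter;
    }

    /** The pre-fix pattern: the raw request body becomes the row written to the table. */
    public function updateUnfiltered($id, $data)
    {
        return ['id' => $id] + (array) $data;
    }

    /** The fixed pattern: pull row data from the composed input filter when one is present. */
    public function updateFiltered($id, $data)
    {
        $data = (array) $data;
        if ($this->inputFilter !== null) {
            $this->inputFilter->setData($data);
            $data = $this->inputFilter->getValues();
        }
        return ['id' => $id] + $data;
    }
}

// Constructed request body: 'role' is not a field the resource declares.
$request  = ['email' => 'alice@example.test', 'role' => 'admin'];
$resource = new UserResource(new FieldAllowList(['email', 'name']));

var_dump($resource->updateUnfiltered(7, $request)); // 'role' reaches the UPDATE
var_dump($resource->updateFiltered(7, $request));   // only 'id' and 'email' remain
```

The same allow-list behaviour applies to create() and update() alike, which is why the fix routes every write path through the composed input filter rather than only the first one.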
We were notified that the logic for finding a Composer executable in zf-deploy would fail in some situations. A fix was contributed that better resolves the path to the executable, particularly in situations where a composer.phar must first be downloaded.
Additionally, in reviewing this fix, Enrico Zimuel noted that we needed test coverage for most of the ZFDeploy functionality; we now have a comprehensive set of tests, all passing!
Kaloyan Raev noted that the HTML documentation does not render properly under Internet Explorer, due to the order in which media type selectors are matched. A swap in the order fixes the situation, and continues to work as expected under other browsers.
Many thanks to Stefano Torresi for working with us on the DB-Connected security issue, to Kaloyan Raev for his assistance with zf-deploy and the documentation, and to Enrico Zimuel, for the huge amount of testing he added to zf-deploy!