[2.1.4] Merge in final changes

- Security fixes
- Version bump and changelog

CHANGELOG.md

@@ -1,5 +1,105 @@
 # CHANGELOG
 
+## 2.1.4 (13 Mar 2013):
+
+- ZF2013-01: Query route (http://framework.zend.com/security/ZF2013-01)
+- ZF2013-02: RNG support (http://framework.zend.com/security/ZF2013-02)
+- ZF2013-03: DB platform quoting (http://framework.zend.com/security/ZF2013-03)
+- 2752: `Zend_Json_Server` to accept null parameters
+  (https://github.com/zendframework/zf2/issues/2752)
+- 3696: `Zend\Json\Server\Server` should allow parameters with NULL values
+  (https://github.com/zendframework/zf2/issues/3696)
+- 3767: Allow NULL parameter values in `Zend/Json/Server`
+  (https://github.com/zendframework/zf2/issues/3767)
+- 3827: Fix mismatches between the PHPDoc and the method signatures
+  (https://github.com/zendframework/zf2/issues/3827)
+- 3840: allow a null page in pages array, to compensate for ZF issue #3823
+  (https://github.com/zendframework/zf2/issues/3840)
+- 3842: Hotfix/zend test improve console usage
+  (https://github.com/zendframework/zf2/issues/3842)
+- 3849: Check if values are set in `Zend\Db\Sql\Insert.php` for prepared
+  statement
+  (https://github.com/zendframework/zf2/issues/3849)
+- 3867: `FileGenerator::setUses()` MUST can take arguments from
+  `FileGenerator::getUses()`
+  (https://github.com/zendframework/zf2/issues/3867)
+- 3868: `ClassGenerator::fromReflection` not generate class properties
+  (https://github.com/zendframework/zf2/issues/3868)
+- 3869: Remove BC break in `Identical` validator
+  (https://github.com/zendframework/zf2/issues/3869)
+- 3871: The method delete on the `RowGateway` now returns the affected rows
+  (https://github.com/zendframework/zf2/issues/3871)
+- 3873: Fixes an issue when binding a model to a form collection element
+  (https://github.com/zendframework/zf2/issues/3873)
+- 3885: Hotfix/add tests console adapter
+  (https://github.com/zendframework/zf2/issues/3885)
+- 3886: Add tests console prompt
+  (https://github.com/zendframework/zf2/issues/3886)
+- 3888: `DefinitionList` `hasMethod` fix
+  (https://github.com/zendframework/zf2/issues/3888)
+- 3907: Add tests console request response
+  (https://github.com/zendframework/zf2/issues/3907)
+- 3916: Fix PUT HTTP method usage with params
+  (https://github.com/zendframework/zf2/issues/3916)
+- 3917: Clean the Console abstract adapter
+  (https://github.com/zendframework/zf2/issues/3917)
+- 3921: [+BUGFIX] Fixed column names bug `Zend\Db\Sql\Select`
+  (https://github.com/zendframework/zf2/issues/3921)
+- 3925: Added view and validator dependency
+  (https://github.com/zendframework/zf2/issues/3925)
+- 3936: Improve the remove of `SendResponseListener`
+  (https://github.com/zendframework/zf2/issues/3936)
+- 3946: Adding config to `openssl_pkey_export()`
+  (https://github.com/zendframework/zf2/issues/3946)
+- 3947: fix exception %s passed variable of 'A service by the name or alias %s'  should be $name
+  (https://github.com/zendframework/zf2/issues/3947)
+- 3948: Bug/merging translator textdomains
+  (https://github.com/zendframework/zf2/issues/3948)
+- 3950: Fix zero value in argument
+  (https://github.com/zendframework/zf2/issues/3950)
+- 3957: [Hotfix] Fixed incorrect `PDO_Oci` platform recognition
+  (https://github.com/zendframework/zf2/issues/3957)
+- 3960: Update toString() to use late static binding for encoding methods
+  (https://github.com/zendframework/zf2/issues/3960)
+- 3964: Fix fluent interface
+  (https://github.com/zendframework/zf2/issues/3964)
+- 3966: Better polyfill support for `Stdlib` and `Session`
+  (https://github.com/zendframework/zf2/issues/3966)
+- 3968: fixed `Exception\InvalidArgumentException` messages in `Zend\Log`
+  (https://github.com/zendframework/zf2/issues/3968)
+- 3971: SessionArrayStorage doesn't preserve `_REQUEST_ACCESS_TIME`
+  (https://github.com/zendframework/zf2/issues/3971)
+- 3973: Documentation improvement `Zend\View\Stream`
+  (https://github.com/zendframework/zf2/issues/3973)
+- 3980: change `HOST_DNS_OR_IPV4_OR_IPV6` to `0x13` for `$validHostTypes`
+  (https://github.com/zendframework/zf2/issues/3980)
+- 3981: Improve exception messages
+  (https://github.com/zendframework/zf2/issues/3981)
+- 3982: Fix `\Zend\Soap\AutoDiscover` constructor
+  (https://github.com/zendframework/zf2/issues/3982)
+- 3984: Update `ArrayStack.php`
+  (https://github.com/zendframework/zf2/issues/3984)
+- 3987: Fix ChromePhp logger interface and debug level
+  (https://github.com/zendframework/zf2/issues/3987)
+- 3988: Fix & Unit test for `preparestatement` notices
+  (https://github.com/zendframework/zf2/issues/3988)
+- 3991: Hotfix/3858 - `findHelper` problem in Navigation Helper
+  (https://github.com/zendframework/zf2/issues/3991)
+- 3993: `SessionArrayStorage` Request Access Time and Storage Initialization
+  (https://github.com/zendframework/zf2/issues/3993)
+- 3997: Allow https on scheme without a hostname
+  (https://github.com/zendframework/zf2/issues/3997)
+- 4001: Fix `ViewFeedStrategyFactory` comment
+  (https://github.com/zendframework/zf2/issues/4001)
+- 4005: Hotfix/case sensitive console
+  (https://github.com/zendframework/zf2/issues/4005)
+- 4007: Pass `ClassGenerator` instance instead of boolean
+  (https://github.com/zendframework/zf2/issues/4007)
+- 4009: Minor if to else if improvement
+  (https://github.com/zendframework/zf2/issues/4009)
+- 4010: Hotfix/zend test with console route
+  (https://github.com/zendframework/zf2/issues/4010)
+
 ## 2.1.3 (21 Feb 2013):
 
 - 3714: Zend\Stdlib\ArrayObject::offsetExists() returning by reference
@@ -568,6 +668,11 @@ For those affected, the following courses of action are possible:
  * Initialize and register a Zend\Session\Storage\SessionStorage object
    explicitly with the session manager instance.
 
+## 2.0.8 (13 Mar 2013):
+
+- ZF2013-01: Query route (http://framework.zend.com/security/ZF2013-01)
+- ZF2013-02: RNG support (http://framework.zend.com/security/ZF2013-02)
+- ZF2013-03: DB platform quoting (http://framework.zend.com/security/ZF2013-03)
 
 ## 2.0.7 (29 Jan 2013):
 

README.md

@@ -5,14 +5,81 @@ Develop: [![Build Status](https://secure.travis-ci.org/zendframework/zf2.png?bra
 
 ## RELEASE INFORMATION
 
-*Zend Framework 2.1.4dev*
+*Zend Framework 2.1.4*
 
 This is the fourth maintenance release for the version 2.1 series.
 
-DD MMM YYYY
+13 Mar 2013
 
 ### UPDATES IN 2.1.4
 
+#### Security fix: Query route
+
+The query route was deprecated, as a replacement exists within the HTTP router
+itself. You can pass a "query" option to the assemble method containing either
+the query string or an array of key-value pairs:
+
+```php
+$url = $router->assemble(array(
+    'name' => 'foo',
+), array(
+    'query' => array(
+        'page' => 3,
+        'sort' => 'DESC',
+    ), 
+    // or: 'query' => 'page=3&sort=DESC'
+));
+
+// via URL helper/plugin:
+$rendererOrController->url('foo', array(), array('query' => $request->getQuery()));
+```
+
+Additionally, the merging of query parameters into the route match was removed
+to avoid potential security issues. Please use the query container of the
+request object instead.
+
+For more information on the security vector, please see
+[ZF2013-01](http://framework.zend.com/security/ZF2013-01).
+
+#### Security fix: Better RNG support
+
+The `Zend\Math\Rand` component generates random bytes using the OpenSSL
+or Mcrypt extensions when available but will otherwise use PHP's
+`mt_rand()` function as a fallback. All outputs from `mt_rand()` are
+predictable for the same PHP process if an attacker can brute force
+the seed - which can be done if the attacker has access to a random number
+generated by `mt_rand` or the session ID (if generated without using additional
+entropy). 
+
+Zend Framework have revised the `Zend\Math\Rand` component to replace the
+current `mt_rand()` fallback for OpenSSL/Mcrypt with Anthony Ferrara's
+[RandomLib](https://github.com/ircmaxell/RandomLib), incorporating an additional
+entropy source based on [source code published by George
+Argyros](https://github.com/GeorgeArgyros/Secure-random-bytes-in-PHP). The new
+fallback collects entropy from numerous sources other than PHP's internal seed
+mechanism and extracts random bytes from the resulting mixed entropy pool.
+
+For more information on this security vector, please see
+[ZF2013-02](http://framework.zend.com/security/ZF2013-02).
+
+#### Security fix: DB platform quoting
+
+Altered `Zend\Db` to throw notices when insecure usage of the following methods
+is called: 
+
+- `Zend\Db\Adapter\Platform\*::quoteValue*()`
+- `Zend\Db\Sql\*::getSqlString*()`
+
+Fixed `Zend\Db` Platform objects to use driver level quoting when provided, and
+throw `E_USER_NOTICE` when not provided.  Added `quoteTrustedValue()` API for
+notice-free value quoting.  Fixed all userland quoting in Platform objects to
+handle a wider array of escapable characters.
+
+For more information on this security vector, please see
+[ZF2013-03](http://framework.zend.com/security/ZF2013-03).
+
+#### Better polyfill support
+
 Better polyfill support in `Zend\Session` and `Zend\Stdlib`. Polyfills
 (version-specific class replacements) have caused some issues in the 2.1 series.
 In particular, users who were not using Composer were unaware/uncertain about

composer.json

@@ -13,11 +13,14 @@
     },
     "require-dev": {
         "doctrine/common": ">=2.1",
+        "ircmaxell/random-lib": "dev-master",
+        "ircmaxell/security-lib": "dev-master",
         "phpunit/PHPUnit": "3.7.*"
     },
     "suggest": {
         "doctrine/common": "Doctrine\\Common >=2.1 for annotation features",
         "ext-intl": "ext/intl for i18n features",
+        "ircmaxell/random-lib": "Fallback random byte generator for Zend\\Math\\Rand if OpenSSL/Mcrypt extensions are unavailable",
         "pecl-weakref": "Implementation of weak references for Zend\\Stdlib\\CallbackHandler",
         "zendframework/zendpdf": "ZendPdf for creating PDF representations of barcodes",
         "zendframework/zendservice-recaptcha": "ZendService\\ReCaptcha for rendering ReCaptchas in Zend\\Captcha and/or Zend\\Form"

library/Zend/Db/Adapter/Adapter.php

@@ -321,23 +321,32 @@ protected function createPlatform($parameters)
             throw new Exception\InvalidArgumentException('A platform could not be determined from the provided configuration');
         }
 
+        // currently only supported by the IbmDb2 & Oracle concrete implementations
         $options = (isset($parameters['platform_options'])) ? $parameters['platform_options'] : array();
 
         switch ($platformName) {
             case 'Mysql':
-                return new Platform\Mysql($options);
+                // mysqli or pdo_mysql driver
+                $driver = ($this->driver instanceof Driver\Mysqli\Mysqli || $this->driver instanceof Driver\Pdo\Pdo) ? $this->driver : null;
+                return new Platform\Mysql($driver);
             case 'SqlServer':
-                return new Platform\SqlServer($options);
+                // PDO is only supported driver for quoting values in this platform
+                return new Platform\SqlServer(($this->driver instanceof Driver\Pdo\Pdo) ? $this->driver : null);
             case 'Oracle':
+                // oracle does not accept a driver as an option, no driver specific quoting available
                 return new Platform\Oracle($options);
             case 'Sqlite':
-                return new Platform\Sqlite($options);
+                // PDO is only supported driver for quoting values in this platform
+                return new Platform\Sqlite(($this->driver instanceof Driver\Pdo\Pdo) ? $this->driver : null);
             case 'Postgresql':
-                return new Platform\Postgresql($options);
+                // pgsql or pdo postgres driver
+                $driver = ($this->driver instanceof Driver\Pgsql\Pgsql || $this->driver instanceof Driver\Pdo\Pdo) ? $this->driver : null;
+                return new Platform\Postgresql($driver);
             case 'IbmDb2':
+                // ibm_db2 driver escaping does not need an action connection
                 return new Platform\IbmDb2($options);
             default:
-                return new Platform\Sql92($options);
+                return new Platform\Sql92();
         }
     }
 

library/Zend/Db/Adapter/Platform/IbmDb2.php

@@ -12,6 +12,8 @@
 class IbmDb2 implements PlatformInterface
 {
 
+    protected $quoteValueAllowed = false;
+
     /**
      * @var bool
      */
@@ -109,7 +111,30 @@ public function getQuoteValueSymbol()
      */
     public function quoteValue($value)
     {
-        return '\'' . str_replace('\'', '\\' . '\'', $value) . '\'';
+        if (function_exists('db2_escape_string')) {
+            return '\'' . db2_escape_string($value) . '\'';
+        }
+        trigger_error(
+            'Attempting to quote a value in ' . __CLASS__ . ' without extension/driver support '
+            . 'can introduce security vulnerabilities in a production environment.'
+        );
+        return '\'' . str_replace("'", "''", $value) . '\'';
+    }
+
+    /**
+     * Quote Trusted Value
+     *
+     * The ability to quote values without notices
+     *
+     * @param $value
+     * @return mixed
+     */
+    public function quoteTrustedValue($value)
+    {
+        if (function_exists('db2_escape_string')) {
+            return '\'' . db2_escape_string($value) . '\'';
+        }
+        return '\'' . str_replace("'", "''", $value) . '\'';
     }
 
     /**
@@ -120,11 +145,15 @@ public function quoteValue($value)
      */
     public function quoteValueList($valueList)
     {
-        $valueList = str_replace('\'', '\\' . '\'', $valueList);
-        if (is_array($valueList)) {
-            $valueList = implode('\', \'', $valueList);
+        if (!is_array($valueList)) {
+            return $this->quoteValue($valueList);
         }
-        return '\'' . $valueList . '\'';
+
+        $value = reset($valueList);
+        do {
+            $valueList[key($valueList)] = $this->quoteValue($value);
+        } while ($value = next($valueList));
+        return implode(', ', $valueList);
     }
 
     /**
@@ -176,4 +205,5 @@ public function quoteIdentifierInFragment($identifier, array $safeWords = array(
 
         return implode('', $parts);
     }
+
 }