Merged Source/Master

CHANGELOG.md

@@ -1,5 +1,105 @@
 # CHANGELOG
 
+## 2.1.4 (13 Mar 2013):
+
+- ZF2013-01: Query route (http://framework.zend.com/security/ZF2013-01)
+- ZF2013-02: RNG support (http://framework.zend.com/security/ZF2013-02)
+- ZF2013-03: DB platform quoting (http://framework.zend.com/security/ZF2013-03)
+- 2752: `Zend_Json_Server` to accept null parameters
+  (https://github.com/zendframework/zf2/issues/2752)
+- 3696: `Zend\Json\Server\Server` should allow parameters with NULL values
+  (https://github.com/zendframework/zf2/issues/3696)
+- 3767: Allow NULL parameter values in `Zend/Json/Server`
+  (https://github.com/zendframework/zf2/issues/3767)
+- 3827: Fix mismatches between the PHPDoc and the method signatures
+  (https://github.com/zendframework/zf2/issues/3827)
+- 3840: allow a null page in pages array, to compensate for ZF issue #3823
+  (https://github.com/zendframework/zf2/issues/3840)
+- 3842: Hotfix/zend test improve console usage
+  (https://github.com/zendframework/zf2/issues/3842)
+- 3849: Check if values are set in `Zend\Db\Sql\Insert.php` for prepared
+  statement
+  (https://github.com/zendframework/zf2/issues/3849)
+- 3867: `FileGenerator::setUses()` MUST can take arguments from
+  `FileGenerator::getUses()`
+  (https://github.com/zendframework/zf2/issues/3867)
+- 3868: `ClassGenerator::fromReflection` not generate class properties
+  (https://github.com/zendframework/zf2/issues/3868)
+- 3869: Remove BC break in `Identical` validator
+  (https://github.com/zendframework/zf2/issues/3869)
+- 3871: The method delete on the `RowGateway` now returns the affected rows
+  (https://github.com/zendframework/zf2/issues/3871)
+- 3873: Fixes an issue when binding a model to a form collection element
+  (https://github.com/zendframework/zf2/issues/3873)
+- 3885: Hotfix/add tests console adapter
+  (https://github.com/zendframework/zf2/issues/3885)
+- 3886: Add tests console prompt
+  (https://github.com/zendframework/zf2/issues/3886)
+- 3888: `DefinitionList` `hasMethod` fix
+  (https://github.com/zendframework/zf2/issues/3888)
+- 3907: Add tests console request response
+  (https://github.com/zendframework/zf2/issues/3907)
+- 3916: Fix PUT HTTP method usage with params
+  (https://github.com/zendframework/zf2/issues/3916)
+- 3917: Clean the Console abstract adapter
+  (https://github.com/zendframework/zf2/issues/3917)
+- 3921: [+BUGFIX] Fixed column names bug `Zend\Db\Sql\Select`
+  (https://github.com/zendframework/zf2/issues/3921)
+- 3925: Added view and validator dependency
+  (https://github.com/zendframework/zf2/issues/3925)
+- 3936: Improve the remove of `SendResponseListener`
+  (https://github.com/zendframework/zf2/issues/3936)
+- 3946: Adding config to `openssl_pkey_export()`
+  (https://github.com/zendframework/zf2/issues/3946)
+- 3947: fix exception %s passed variable of 'A service by the name or alias %s'  should be $name
+  (https://github.com/zendframework/zf2/issues/3947)
+- 3948: Bug/merging translator textdomains
+  (https://github.com/zendframework/zf2/issues/3948)
+- 3950: Fix zero value in argument
+  (https://github.com/zendframework/zf2/issues/3950)
+- 3957: [Hotfix] Fixed incorrect `PDO_Oci` platform recognition
+  (https://github.com/zendframework/zf2/issues/3957)
+- 3960: Update toString() to use late static binding for encoding methods
+  (https://github.com/zendframework/zf2/issues/3960)
+- 3964: Fix fluent interface
+  (https://github.com/zendframework/zf2/issues/3964)
+- 3966: Better polyfill support for `Stdlib` and `Session`
+  (https://github.com/zendframework/zf2/issues/3966)
+- 3968: fixed `Exception\InvalidArgumentException` messages in `Zend\Log`
+  (https://github.com/zendframework/zf2/issues/3968)
+- 3971: SessionArrayStorage doesn't preserve `_REQUEST_ACCESS_TIME`
+  (https://github.com/zendframework/zf2/issues/3971)
+- 3973: Documentation improvement `Zend\View\Stream`
+  (https://github.com/zendframework/zf2/issues/3973)
+- 3980: change `HOST_DNS_OR_IPV4_OR_IPV6` to `0x13` for `$validHostTypes`
+  (https://github.com/zendframework/zf2/issues/3980)
+- 3981: Improve exception messages
+  (https://github.com/zendframework/zf2/issues/3981)
+- 3982: Fix `\Zend\Soap\AutoDiscover` constructor
+  (https://github.com/zendframework/zf2/issues/3982)
+- 3984: Update `ArrayStack.php`
+  (https://github.com/zendframework/zf2/issues/3984)
+- 3987: Fix ChromePhp logger interface and debug level
+  (https://github.com/zendframework/zf2/issues/3987)
+- 3988: Fix & Unit test for `preparestatement` notices
+  (https://github.com/zendframework/zf2/issues/3988)
+- 3991: Hotfix/3858 - `findHelper` problem in Navigation Helper
+  (https://github.com/zendframework/zf2/issues/3991)
+- 3993: `SessionArrayStorage` Request Access Time and Storage Initialization
+  (https://github.com/zendframework/zf2/issues/3993)
+- 3997: Allow https on scheme without a hostname
+  (https://github.com/zendframework/zf2/issues/3997)
+- 4001: Fix `ViewFeedStrategyFactory` comment
+  (https://github.com/zendframework/zf2/issues/4001)
+- 4005: Hotfix/case sensitive console
+  (https://github.com/zendframework/zf2/issues/4005)
+- 4007: Pass `ClassGenerator` instance instead of boolean
+  (https://github.com/zendframework/zf2/issues/4007)
+- 4009: Minor if to else if improvement
+  (https://github.com/zendframework/zf2/issues/4009)
+- 4010: Hotfix/zend test with console route
+  (https://github.com/zendframework/zf2/issues/4010)
+
 ## 2.1.3 (21 Feb 2013):
 
 - 3714: Zend\Stdlib\ArrayObject::offsetExists() returning by reference
@@ -568,6 +668,11 @@ For those affected, the following courses of action are possible:
  * Initialize and register a Zend\Session\Storage\SessionStorage object
    explicitly with the session manager instance.
 
+## 2.0.8 (13 Mar 2013):
+
+- ZF2013-01: Query route (http://framework.zend.com/security/ZF2013-01)
+- ZF2013-02: RNG support (http://framework.zend.com/security/ZF2013-02)
+- ZF2013-03: DB platform quoting (http://framework.zend.com/security/ZF2013-03)
 
 ## 2.0.7 (29 Jan 2013):
 

README.md

@@ -5,33 +5,13 @@ Develop: [![Build Status](https://secure.travis-ci.org/zendframework/zf2.png?bra
 
 ## RELEASE INFORMATION
 
-*Zend Framework 2.1.4dev*
+*Zend Framework 2.1.5dev*
 
-This is the fourth maintenance release for the version 2.1 series.
+This is the fifth maintenance release for the version 2.1 series.
 
 DD MMM YYYY
 
-### UPDATES IN 2.1.4
-
-Better polyfill support in `Zend\Session` and `Zend\Stdlib`. Polyfills
-(version-specific class replacements) have caused some issues in the 2.1 series.
-In particular, users who were not using Composer were unaware/uncertain about
-what extra files needed to be included to load polyfills, and those users who
-were generating classmaps were running into issues since the same class was
-being generated twice.
-
-New polyfill support was created which does the following:
-
-- New, uniquely named classes were created for each polyfill base.
-- A stub class file was created for each class needing polyfill support. A
-  conditional is present in each that uses `class_alias` to alias the appropriate
-  polyfill base as an import. The stub class then extends the base.
-- The `compatibility/autoload.php` files in each component affected was altered
-  to trigger an `E_USER_DEPRECATED` error asking the user to remove the require
-  statement for the file.
-
-The functionality works with both Composer and ZF2's autoloading support, using
-either PSR-0 or classmaps. All typehinting is preserved.
+### UPDATES IN 2.1.5
 
 Please see [CHANGELOG.md](CHANGELOG.md).
 

composer.json

@@ -13,11 +13,14 @@
     },
     "require-dev": {
         "doctrine/common": ">=2.1",
+        "ircmaxell/random-lib": "dev-master",
+        "ircmaxell/security-lib": "dev-master",
         "phpunit/PHPUnit": "3.7.*"
     },
     "suggest": {
         "doctrine/common": "Doctrine\\Common >=2.1 for annotation features",
         "ext-intl": "ext/intl for i18n features",
+        "ircmaxell/random-lib": "Fallback random byte generator for Zend\\Math\\Rand if OpenSSL/Mcrypt extensions are unavailable",
         "pecl-weakref": "Implementation of weak references for Zend\\Stdlib\\CallbackHandler",
         "zendframework/zendpdf": "ZendPdf for creating PDF representations of barcodes",
         "zendframework/zendservice-recaptcha": "ZendService\\ReCaptcha for rendering ReCaptchas in Zend\\Captcha and/or Zend\\Form"

library/Zend/Db/Adapter/Adapter.php

@@ -321,23 +321,32 @@ protected function createPlatform($parameters)
             throw new Exception\InvalidArgumentException('A platform could not be determined from the provided configuration');
         }
 
+        // currently only supported by the IbmDb2 & Oracle concrete implementations
         $options = (isset($parameters['platform_options'])) ? $parameters['platform_options'] : array();
 
         switch ($platformName) {
             case 'Mysql':
-                return new Platform\Mysql($options);
+                // mysqli or pdo_mysql driver
+                $driver = ($this->driver instanceof Driver\Mysqli\Mysqli || $this->driver instanceof Driver\Pdo\Pdo) ? $this->driver : null;
+                return new Platform\Mysql($driver);
             case 'SqlServer':
-                return new Platform\SqlServer($options);
+                // PDO is only supported driver for quoting values in this platform
+                return new Platform\SqlServer(($this->driver instanceof Driver\Pdo\Pdo) ? $this->driver : null);
             case 'Oracle':
+                // oracle does not accept a driver as an option, no driver specific quoting available
                 return new Platform\Oracle($options);
             case 'Sqlite':
-                return new Platform\Sqlite($options);
+                // PDO is only supported driver for quoting values in this platform
+                return new Platform\Sqlite(($this->driver instanceof Driver\Pdo\Pdo) ? $this->driver : null);
             case 'Postgresql':
-                return new Platform\Postgresql($options);
+                // pgsql or pdo postgres driver
+                $driver = ($this->driver instanceof Driver\Pgsql\Pgsql || $this->driver instanceof Driver\Pdo\Pdo) ? $this->driver : null;
+                return new Platform\Postgresql($driver);
             case 'IbmDb2':
+                // ibm_db2 driver escaping does not need an action connection
                 return new Platform\IbmDb2($options);
             default:
-                return new Platform\Sql92($options);
+                return new Platform\Sql92();
         }
     }
 

library/Zend/Db/Adapter/Platform/IbmDb2.php

@@ -12,6 +12,8 @@
 class IbmDb2 implements PlatformInterface
 {
 
+    protected $quoteValueAllowed = false;
+
     /**
      * @var bool
      */
@@ -109,7 +111,30 @@ public function getQuoteValueSymbol()
      */
     public function quoteValue($value)
     {
-        return '\'' . str_replace('\'', '\\' . '\'', $value) . '\'';
+        if (function_exists('db2_escape_string')) {
+            return '\'' . db2_escape_string($value) . '\'';
+        }
+        trigger_error(
+            'Attempting to quote a value in ' . __CLASS__ . ' without extension/driver support '
+            . 'can introduce security vulnerabilities in a production environment.'
+        );
+        return '\'' . str_replace("'", "''", $value) . '\'';
+    }
+
+    /**
+     * Quote Trusted Value
+     *
+     * The ability to quote values without notices
+     *
+     * @param $value
+     * @return mixed
+     */
+    public function quoteTrustedValue($value)
+    {
+        if (function_exists('db2_escape_string')) {
+            return '\'' . db2_escape_string($value) . '\'';
+        }
+        return '\'' . str_replace("'", "''", $value) . '\'';
     }
 
     /**
@@ -120,11 +145,15 @@ public function quoteValue($value)
      */
     public function quoteValueList($valueList)
     {
-        $valueList = str_replace('\'', '\\' . '\'', $valueList);
-        if (is_array($valueList)) {
-            $valueList = implode('\', \'', $valueList);
+        if (!is_array($valueList)) {
+            return $this->quoteValue($valueList);
         }
-        return '\'' . $valueList . '\'';
+
+        $value = reset($valueList);
+        do {
+            $valueList[key($valueList)] = $this->quoteValue($value);
+        } while ($value = next($valueList));
+        return implode(', ', $valueList);
     }
 
     /**
@@ -176,4 +205,5 @@ public function quoteIdentifierInFragment($identifier, array $safeWords = array(
 
         return implode('', $parts);
     }
+
 }

library/Zend/Db/Adapter/Platform/Mysql.php

@@ -9,8 +9,48 @@
 
 namespace Zend\Db\Adapter\Platform;
 
+use Zend\Db\Adapter\Driver\Mysqli;
+use Zend\Db\Adapter\Driver\Pdo;
+use Zend\Db\Adapter\Exception;
+
 class Mysql implements PlatformInterface
 {
+    /** @var \mysqli|\PDO */
+    protected $resource = null;
+
+    public function __construct($driver = null)
+    {
+        if ($driver) {
+            $this->setDriver($driver);
+        }
+    }
+
+    /**
+     * @param \Zend\Db\Adapter\Driver\Mysqli\Mysqli|\Zend\Db\Adapter\Driver\Pdo\Pdo||\mysqli|\PDO $driver
+     * @throws \Zend\Db\Adapter\Exception\InvalidArgumentException
+     * @return $this
+     */
+    public function setDriver($driver)
+    {
+        // handle Zend_Db drivers
+        if ($driver instanceof Mysqli\Mysqli
+            || ($driver instanceof Pdo\Pdo && $driver->getDatabasePlatformName() == 'Mysql')
+        ) {
+            /** @var $driver \Zend\Db\Adapter\Driver\DriverInterface */
+            $this->resource = $driver->getConnection()->getResource();
+            return $this;
+        }
+
+        // handle
+        if ($driver instanceof \mysqli
+            || ($driver instanceof \PDO && $driver->getAttribute(\PDO::ATTR_DRIVER_NAME) == 'mysql')
+        ) {
+            $this->resource = $driver;
+            return $this;
+        }
+
+        throw new Exception\InvalidArgumentException('$driver must be a Mysqli or Mysql PDO Zend\Db\Adapter\Driver, Mysqli instance or MySQL PDO instance');
+    }
 
     /**
      * Get name
@@ -76,7 +116,36 @@ public function getQuoteValueSymbol()
      */
     public function quoteValue($value)
     {
-        return '\'' . str_replace('\'', '\\' . '\'', $value) . '\'';
+        if ($this->resource instanceof \mysqli) {
+            return '\'' . $this->resource->real_escape_string($value) . '\'';
+        }
+        if ($this->resource instanceof \PDO) {
+            return $this->resource->quote($value);
+        }
+        trigger_error(
+            'Attempting to quote a value in ' . __CLASS__ . ' without extension/driver support '
+                . 'can introduce security vulnerabilities in a production environment.'
+        );
+        return '\'' . addcslashes($value, "\x00\n\r\\'\"\x1a") . '\'';
+    }
+
+    /**
+     * Quote Trusted Value
+     *
+     * The ability to quote values without notices
+     *
+     * @param $value
+     * @return mixed
+     */
+    public function quoteTrustedValue($value)
+    {
+        if ($this->resource instanceof \mysqli) {
+            return '\'' . $this->resource->real_escape_string($value) . '\'';
+        }
+        if ($this->resource instanceof \PDO) {
+            return $this->resource->quote($value);
+        }
+        return '\'' . addcslashes($value, "\x00\n\r\\'\"\x1a") . '\'';
     }
 
     /**
@@ -87,11 +156,15 @@ public function quoteValue($value)
      */
     public function quoteValueList($valueList)
     {
-        $valueList = str_replace('\'', '\\' . '\'', $valueList);
-        if (is_array($valueList)) {
-            $valueList = implode('\', \'', $valueList);
+        if (!is_array($valueList)) {
+            return $this->quoteValue($valueList);
         }
-        return '\'' . $valueList . '\'';
+
+        $value = reset($valueList);
+        do {
+            $valueList[key($valueList)] = $this->quoteValue($value);
+        } while ($value = next($valueList));
+        return implode(', ', $valueList);
     }
 
     /**