Subject: CVS commit: pkgsrc/www/p5-CGI-Session
From: Ulrich Habel
Date: 2008-07-18 11:43:35
Message id: 20080718094335.C036A175D0@cvs.netbsd.org
Log Message:
- updated to 4.35
ChangeLog:
4.34 - Sunday, July 13, 2008
* SECURITY: Patch CGI::Session::Driver::file to stop \ and / characters being used in
session ids and hence in file names. These characters, possibly combined with '..',
could have been used to access files outside the designated session file directory.
Reported by TAN Chew Keong of vuln.sg.
* FIX: Patch CGI::Session to propagate error upwards when _load_pluggables() fails.
See RT#37628 and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490198.
* INTERNAL: Ship a machine-readable version of this file under the name Changelog.ini.
The latter file is generated by ini.report.pl, which is shipped with Module::Metadata::Changes.
The reason Changelog.ini does not contain a separate section for each version in this file
is that some of the versions documented below have no datestamp, and ini.report.pl does not create
fake datestamps.
4.33 - Monday, July 7, 2008
* FIX: Patch CGI::Session::Driver::mysql to replace 'REPLACE INTO ...' with
'INSERT INTO ... ON DUPLICATE KEY UPDATE ...'. See RT#37069.
Thanks to Steve Kirkup for the patch. I (Ron) installed MySQL V 5.0.51a for testing.
Note: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-45.html and similar docs
list various MySQL errors fixed recently for the above new syntax. Also, the new version
is now much more like the Postgres code, which is another reason it has been adopted.
* FIX: t/mysql.t used to test setting the global variable $CGI::Session::MySQL::TABLE_NAME.
The test for this (in t/mysql.t) was introduced in V 4.00_09.
However, since V 4.29_1, changes to CGI::Session::Driver's new() method mean
this way of setting the session table's name no longer works, and so the variable
$CGI::Session::MySQL::TABLE_NAME is now not used. Hence it has been removed.
Code in CGI::Session::Driver::DBI used to set $class::TABLE_NAME for all database drivers.
This code has also been removed. Moral: Don't use global variables.
Call $session = CGI::Session -> new(..., ..., {TableName => 'new_name'}) or,
after creating the object, call $session -> table_name('new_name').
To retrieve the name, call $name = $session -> table_name().
4.32 - Tuesday, June 17, 2008
* FIX: Packaging of 4.31 release was botched.
4.31 - Tuesday, June 10, 2008
* FIX: Patch CGI::Session::Driver::DBI to check that the DBI handle still exists before trying
to ping it. This handles the case where the DBI object is destroyed before the session object.
See RT#35925.
* FIX: Patch CGI::Session::Driver::DBI's remove() which still hard-coded the column name 'id' instead
of using the new feature which allows the user to specify the name of the column. See RT#36235.
* FIX: Patch POD yet again to emphasize that an explicit call to destroy() should be followed by
an explicit call to flush(), in particular in the case where the program is not exiting and
hence auto-flushing is not activated. Sections patched are 'A Warning about Auto-flushing'
and the docs for delete(). See RT#34668.
4.30 - Friday, April 25, 2008
* FIX: Patch POD for CGI::Session in various places, to emphasize even more that auto-flushing is
unreliable, and that flush() should always be called explicitly before the program exits.
The changes are a new section just after SYNOPSIS and DESCRIPTION, and the PODs for flush(),
and delete(). See RT#17299 and RT#34668
* NEW: Add t/new_with_undef.t and t/load_with_undef.t to explicitly demonstrate the effects of
calling new() and load() with various types of undefined or fake parameters. See RT#34668
* FIX: Patch POD for new() and load() to clarify the result of calling these with undef, or with
an initialized CGI object with an undefined or fake CGISESSID. See RT#34668.
Specifically: You are strongly advised to run the old-fashioned
'make test TEST_FILES=t/new_with_undef.t TEST_VERBOSE=1' or the new-fangled
'prove -v t/new_with_undef.t', for both new*.t and load*.t, and examine the output
* FIX: Patch POD in various tiny ways to improve the grammar
4.29_2 - Thursday, March 27, 2008
* FIX: stop ExtUtils::MakeMaker trying to create Build.PL (Ron Savage)
* FIX: Disable trying to use utf8 in tests. (Ron Savage) Ref RT#21981, RT#28516
4.29_1 - Saturday, March 15, 2008
Special Thanks to Ron Savage who did the bulk of the work to put this release together.
* FIX: Patch CGI::Session to fix RT#29138 (Patch by Barry Friedman)
* NEW: Add a note to CGI::Session's POD referring to utf8 problems, and include references
to RT#21981 (Reported by erwan) and RT#28516 (Reported by jasoncrowther)
* FIX: Patch CGI::Session::Driver::DBI.pm to fix RT#24601 (Patch by latypoff)
* FIX: Patch CGI::Session::Driver::DBI.pm to fix RT#24355 (Reported by fenlisesi, patch by Ron Savage)
* NEW: Add t/bug24285.t to ensure session data files are created properly when the user specifies a
directory other than /tmp (Reported by William Pearson RT#24285, patch by Ron Savage)
* FIX: Patch t/ip_matches.t and t/bug21592.t to remove test files left in /tmp, to fix RT#29969
(Reported by ANDK, patch by Ron Savage)
* FIX: Patch POD for CGI::Session::Driver::file to clarify how to use the option to change the
file name pattern used to create session files (Report by appleaday RT#33635,
patch by Ron Savage)
* FIX: Patch CGI::Session::Driver::sqlite to add sub DESTROY to fix RT#32932
(Patch by Alexander Batyrshin, corrected by Ron Savage)
* FIX: Remove CGI::Session::Seralize::json and t/g4_dbfile_json.t until such time as this code
can be made to work reliably. Both JSON::Syck and JSON::XS have been tried, and in both
cases t/g4_dbfile_json.t dies horribly (but differently). Patch POD for CGI::Session to
remove references to JSON. RT#25325 (Reported by bkw, patch by Ron Savage)
* NEW: Patch CGI::Session's POD and load() to allow the session/cookie name default of CGISESSID
to be overridden. (Patch by Lee Carmichael RT#33437, reformatted by Ron Savage). Lee has
also patched t/name.t to test the new functionality
* NEW: Split CGI::Session::Serialize::yaml out into its own distro. Get it hot from CPAN!
* NEW: Add Build.PL for Module::Build users. This also requires adding PL_FILES => {}
to Makefile.PL to beat ExtUtils::MakeMaker over the head, otherwise it executes
'perl Build.PL Build'
* NEW: Support specification of both the id column name and the a_session column name in the
sessions table, by extending the options acceptable in CGI::Session->new(..,..,{here}).
Allow: {TableName => 'session', IdColName => 'my_id', DataColName => 'my_data'}.
Default: {TableName => 'sessions', IdColName => 'id', DataColName => 'a_session'}.
Allow any 1, 2 or 3 of these options. Missing keys default as specified.
(Patch by Chris RT#2224. Implemented differently by Ron Savage). Supported drivers:
o MySQL (native to CGI::Session)
o ODBC (separate distro, CGI::Session::Driver::odbc V 1.01)
o Oracle (separate distro, CGI::Session::Driver::oracle V 1.01)
o Postgres (native)
o SQLite (native)
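
The 4.34 SECURITY entry above, as an added Perl sketch (not part of the commit and not CGI::Session's own code): a file-backed session store mapping a session id to a file name, first without and then with the check that rejects \ and / in the id. The directory, the 'cgisess_%s' pattern and the function names are assumptions for illustration, and the sample ids are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical settings for this sketch; not taken from the module's source.
my $SESSION_DIR  = File::Spec->catdir(File::Spec->tmpdir, 'sessions');
my $FILE_PATTERN = 'cgisess_%s';

# Unchecked mapping: whatever id the client supplied becomes part of the
# path, which is the behaviour the ChangeLog entry says was patched.
sub session_file_unchecked {
    my ($sid) = @_;
    return File::Spec->catfile($SESSION_DIR, sprintf($FILE_PATTERN, $sid));
}

# Checked mapping: refuse empty ids and ids containing '\' or '/' before any
# file name is built, so the id can only ever name a file in $SESSION_DIR.
sub session_file_checked {
    my ($sid) = @_;
    return unless defined $sid && length $sid;
    return if $sid =~ m{[\\/]};
    return File::Spec->catfile($SESSION_DIR, sprintf($FILE_PATTERN, $sid));
}

# Constructed sample ids: one well-formed, two carrying path separators.
my @samples = (
    '0123456789abcdef0123456789abcdef',
    'x/../../other',
    'x\\..\\other',
);

for my $sid (@samples) {
    my $checked = session_file_checked($sid);
    print "id:        $sid\n";
    print "unchecked: ", session_file_unchecked($sid), "\n";
    print "checked:   ", (defined $checked ? $checked : 'rejected'), "\n\n";
}
```

The check runs on the raw id before sprintf and catfile, so a rejected id never reaches the file system layer; callers treat an undefined return as "no such session".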
Files: