3.4.24 (18 May 2017)
* Elements without a namespace (such as div) are no longer unified with
elements with the empty namespace (such as |div). This unification didn't
match the results returned by is-superselector(), and was not guaranteed to
be valid.
=== raindrops 0.18.0 / 2017-03-23 02:44 UTC
The most notable feature of this release is the addition of
FreeBSD and OpenBSD TCP_INFO support. This includes the
Raindrops::TCP hash for portably mapping TCP state names to
platform-dependent numeric values:
https://bogomips.org/raindrops/Raindrops.html#TCP
Thanks to Jeremy Evans and Simon Eskildsen on the
unicorn-public@bogomips.org mailing list for inspiring
these changes to raindrops.
There are also a few internal cleanups and documentation
improvements, including some fixes to the largely-forgotten
Raindrops::Aggregate::PMQ class:
https://bogomips.org/raindrops/Raindrops/Aggregate/PMQ.html
20 changes since 0.17.0:
test_inet_diag_socket: fix Fixnum deprecation warning
TODO: add item for IPv6 breakage
ext: fix documentation for C ext-defined classes
TCP_Info: custom documentation for #get!
TypedData C-API conversion
test_watcher: disable test correctly when aggregate is missing
tcp_info: support this struct under FreeBSD
define Raindrops::TCP hash for TCP states
linux_inet_diag: reduce stack usage and simplify
avoid reading errno repeatedly
aggregate/pmq: avoid false sharing of lock buffers
aggregate/pmq: remove io-extra requirement
aggregate/pmq: avoid File#stat allocation
Merge remote-tracking branch 'origin/freebsd'
Merge remote-tracking branch 'origin/aggregate-pmq'
doc: remove private email support address
doc: update location of TCP_INFO-related stuff
build: avoid olddoc for building the RubyGem
doc: document Raindrops::TCP hash
aggregate/pmq: update version numbers for Ruby and Linux
* Switch from standard-edition to managed-edition since the official distfile
is managed-edition for now.
* The bugfix release fixes an incompatibility with Symfony 3.3.
0.14.1.1 (2017-05-16)
* Fix unexpected Tilt behavior
0.14.1 (2017-05-16)
* FIX syntax error in ActiveRecord tasks (@sue445)
* NEW use hamlit if available in Gemfile
0.14.0.2 (2017-05-08)
* FIX #2132 use Sinatra2 IndifferentHash if available
## 2.0.0 / 2017-04-10
* Use Mustermann for patterns #1086 by Konstantin Haase
* Server now provides `-q` flag for quiet mode, which disables start/stop messages #1153 by Vasiliy.
* Session middleware can now be specified with `:session_store` setting #1161 by Jordan Owens.
* `APP_ENV` is now preferred and recommended over `RACK_ENV` for setting environment #984 by Damien Mathieu.
* Add Reel support #793 by Patricio Mac Adden.
* Make route params available during error handling #895 by Jeremy Evans.
* Unify `not_found` and `error` 404 behavior #896 by Jeremy Evans.
* Enable Ruby 2.3 `frozen_string_literal` feature #1076 by Vladimir Kochnev.
* Add Sinatra::ShowExceptions::TEMPLATE and patched Rack::ShowExceptions to prefer Sinatra template by Zachary Scott.
* Sinatra::Runner is used internally for integration tests #840 by Nick Sutterer.
* Fix case-sensitivity issue in `uri` method #889 by rennex.
* Use `Rack::Utils.status_code` to allow `status` helper to use symbol as well as numeric codes #968 by Tobias H. Michaelsen.
* Improved error handling for invalid params through Rack #1070 by Jordan Owens.
* Ensure template is cached only once #1021 by Patrik Rak.
* Rack middleware is initialized at server runtime rather than after receiving first request #1205 by Itamar Turner-Trauring.
* Improve Session Secret documentation to encourage better security practices #1218 by Glenn Rempe
* Exposed global and per-route options for Mustermann route parsing #1233 by Mike Pastore
* Use same `session_secret` for classic and modular apps in development #1245 by Marcus Stollsteimer
* Make authenticity token length a fixed value of 32 #1181 by Jordan Owens
* Modernize Rack::Protection::ContentSecurityPolicy with CSP Level 2 and 3 Directives #1202 by Glenn Rempe
* Adds preload option to Rack::Protection::StrictTransport #1209 by Ed Robinson
* Improve BadRequest logic. Raise and handle exceptions if status is 400 #1212 by Mike Pastore
* Make Rack::Test a development dependency #1232 by Mike Pastore
* Capture exception messages of raised NotFound and BadRequest #1210 by Mike Pastore
* Add explicit set method to contrib/cookies to override cookie settings #1240 by Andrew Allen
* Avoid executing filters even if prefix matches with other namespace #1253 by namusyaka
* Make `#has_key?` also indifferent in access, can accept String or Symbol #1262 by John Hope
* Add `allow_if` option to bypass json csrf protection #1265 by Jordan Owens
* rack-protection: Bundle StrictTransport, CookieTossing, and CSP #1267 by Mike Pastore
* Add `:strict_paths` option for managing trailing slashes #1273 by namusyaka
* Add full IndifferentHash implementation to params #1279 by Mike Pastore
Welcome to Mustermann. Mustermann is your personal string matching expert.
As an expert in the field of strings and patterns, Mustermann keeps its
runtime dependencies to a minimum and is fully covered with specs and
documentation.
Given a string pattern, Mustermann will turn it into an object that behaves
like a regular expression and has comparable performance characteristics.
No changes of its own, but here are the related changes from Sinatra's changes.
* Modernize Rack::Protection::ContentSecurityPolicy with CSP Level 2 and 3
Directives #1202 by Glenn Rempe
* Adds preload option to Rack::Protection::StrictTransport #1209 by Ed Robinson
* rack-protection: Bundle StrictTransport, CookieTossing, and CSP #1267 by
Mike Pastore
pkgsrc change: depends on ruby-rack16 instead of ruby-rack.
# Version 2.14.0
Release date: 2017-05-01
### Added
* "threadsafe" mode that allows per-session configuration
* `:type` filter added to the `:fillable_field` selector
* Proxy methods when using RSpec for `all`/`within` that call either the
Capybara::DSL or RSpec matchers depending on arguments passed
* Support for the new errors in selenium-webdriver 3.4
### Fixed
* Element#inspect doesn't raise an error on obsolete elements
* Setting a contenteditable element with Selenium and Chrome 59
* Workaround a hang while setting the window size when using geckodriver 0.16
and Firefox 53
* Clicking on url with a blank href goes to the current url when using the
RackTest driver
1.6.8
* prevent exception caused by a race condition on multi-threaded server
like Puma.
* Handle NULL byte in multipart file name.
1.6.7
* Ensure env values are ASCII 8BIT encoded.
1.6.8
* Fix mistake in encoding change.
Django 1.11.2 adds a minor feature and fixes several bugs in 1.11.1. Also, the latest string translations from Transifex are incorporated.
Minor feature:
* The new LiveServerTestCase.port attribute reallows the use case of binding to a specific port following the bind to port zero change in Django 1.11.
Bugfixes:
* Added detection for GDAL 2.1 and 2.0, and removed detection for unsupported versions 1.7 and 1.8.
* Changed contrib.gis to raise ImproperlyConfigured rather than GDALException if gdal isn’t installed, to allow third-party apps to catch that exception.
* Fixed django.utils.http.is_safe_url() crash on invalid IPv6 URLs.
* Fixed regression causing pickling of model fields to crash.
* Fixed django.contrib.auth.authenticate() when multiple authentication backends don’t accept a positional request argument.
* Fixed introspection of index field ordering on PostgreSQL.
* Fixed a regression where Model._state.adding wasn’t set correctly on multi-table inheritance parent models after saving a child model.
* Allowed DjangoJSONEncoder to serialize django.utils.deprecation.CallableBool.
* Relaxed the validation added in Django 1.11 of the fields in the defaults argument of QuerySet.get_or_create() and update_or_create() to reallow settable model properties.
* Fixed MultipleObjectMixin.paginate_queryset() crash on Python 2 if the InvalidPage message contains non-ASCII.
* Prevented Subquery from adding an unnecessary CAST which resulted in invalid SQL.
* Corrected detection of GDAL 2.1 on Windows.
* Made date-based generic views return a 404 rather than crash when given an out of range date.
* Fixed a regression where file_move_safe() crashed when moving files to a CIFS mount.
* Moved the ImageField file extension validation added in Django 1.11 from the model field to the form field to reallow the use case of storing images without an extension.
--------------
- Fix regression: Pull request ``892`` prevented Werkzeug from correctly
logging the IP of a remote client behind a reverse proxy, even when using
`ProxyFix`.
- Fix a bug in `safe_join` on Windows.
Insufficient redirect validation in the HTTP class. Reported by Ronni
Skansing.
Improper handling of post meta data values in the XML-RPC API. Reported by
Sam Thomas.
Lack of capability checks for post meta data in the XML-RPC API. Reported
by Ben Bidner of the WordPress Security Team.
A Cross Site Request Forgery (CSRF) vulnerability was discovered in the
filesystem credentials dialog. Reported by Yorick Koster.
A cross-site scripting (XSS) vulnerability was discovered when attempting
to upload very large files. Reported by Ronni Skansing.
A cross-site scripting (XSS) vulnerability was discovered related to the
Customizer. Reported by Weston Ruter of the WordPress Security Team.
2.97 Thu May 18 2017
- Change internal module name HTML::Template::DEFAULT to
HTML::Template::DEF to avoid conflict with
HTML::Template::Default. [Sam Tregar]
2.96 Thu May 18 2017
- Fixed typos in documentation [David Steinbrunner, Steve Kemp]
- Added CGI.pm as a dependency, needed now that it's no longer in core.
[Martin McGrath, Steve Bertrand]
pkgsrc change:
* Now support php71 using security/php-pecl-mcrypt package.
5.7.5.7 April 28th, 2016
New Features
* Nice column view for thumbnail image browsing (Thanks MrKarlDilkington)
* Added Max Width as an option to the Image Slider block (thanks cryophallion)
* Added configuration option concrete.misc.require_version_comments (defaulted
off) to enable the requiring of version comments (thanks mlocati)
There are too many other improvements and bug fixes to list here; please refer to the release notes: https://documentation.concrete5.org/developers/background/version-history/5757-release-notes.
5.7.5.8 May 23, 2016
* German, Japanese and Russian languages are now included
* Image Slider Bug Fixes
* Using blank alt tags in Image Slider, Image and Content blocks if no alt is
provided, rather than the HtmlObject default "#" ones.
5.7.5.9 July 25, 2016
New Features
* Rescan files through the file manager now scans 5 at a time, works through
the queue.
* Added option to ignore page permissions to the Page List block
* Dutch language is now included (Thank you Ramonleenders)
There are too many other improvements and bug fixes to list here; please refer to the release notes: https://documentation.concrete5.org/developers/background/version-history/5759-release-notes.
5.7.5.10 December 1, 2016
* Minor bug fixes
* Fixed insecure use of non-random str_shuffle when creating user tokens
* Improvements to update process for version 8.
5.7.5.11 December 7, 2016
Bug Fixes
* Works again properly on PHP 5.3.
* Fixed bug that made upgrading impossible on PHP < 5.5.9.
* Fixed page not found error when clicking on a topic list to filter the page
list in the blog.
* Controller bug fixes and security updates.
5.7.5.12
Bug Fixes
* Fixed bug with Environment Information not working on PHP below 5.4.
5.7.5.13 December 16, 2016
Bug Fixes
* Once again, Environment Information is now available in the Dashboard.
libnghttp2
Previously, if libnghttp2 received an invalid header field, the field was simply ignored and treated as if it had never been received. This release changes this behaviour: libnghttp2 now treats an incoming invalid header field as an error and resets the stream with PROTOCOL_ERROR.
nghttp2_on_invalid_frame_callback is now called if validation of altsvc header field fails.
nghttpx
nghttpx now verifies the OCSP response received from the program specified by --fetch-ocsp-response-file. The validation can be turned off with the --no-verify-ocsp option. This validation makes sure that the OCSP response is targeted at the expected certificate. This is important because we pass the file path to the external program (see --fetch-ocsp-response-file), and if the file is replaced because of renewal and nghttpx has not reloaded its configuration, the certificate nghttpx has loaded and the one included in the file differ. Verifying the OCSP response detects this and avoids sending the wrong OCSP response.