Padraic Brady wrote an excellent post about his security review of Zend Framework, which resulted in the security releases of Zend Framework 1.9.7, 1.8.5 and 1.7.9.
As the announcement also indicates, following December’s excitement I spent much of the Christmas and New Year period conducting a security review of the framework. While an ongoing process, the initial review focused on specific areas most likely to deal directly or indirectly with user input and the output of user sourced data. The results of that initial review were reported over the holidays to the Zend team, who patiently put up with my long winded emails and managed not to strangle me…so far. I’m keeping myself holed up in the mountains for now.
He shares his security review experience to tell us about the most common types of issues, the affected components and the new official Security Policy of Zend Framework.
Extend support to the whole of the Atom 1.0 specification
Moving towards the Zend Framework 1.10 release, more and more new features and components are shaping up and being presented by developers and bloggers. Padraic Brady recently wrote about his contribution to the Zend_Feed component.
The new kid on the block, to be added in Zend Framework 1.10, is Zend_Feed_Writer. A bit like the older Zend_Feed_Builder classes, its purpose is to generate Atom 1.0 and RSS 2.0 feeds. The difference is that, like its sibling Zend_Feed_Reader, it is standards aware and operates entirely using PHP’s DOM.
Besides developing Zend_Feed_Writer, Padraic contributed several interesting enhancements to Zend_Feed_Reader:
- support to the whole of the Atom 1.0 specification
- greater API coverage overall
- Array style access
- Standardise API return types using ArrayObjects
November’s Bug Hunt Days are over. More than 100 bugs were fixed. That many bugs would not have been fixed without the excellent guide to participating in Bug Hunt Days written by Padraic Brady.
Many Zend Framework users fail to realise that the Zend team is comprised of about three individuals. Three people cannot address 1600 issues this side of the 22nd Century and it’s totally unfair to complain about the issue count in this light. They need assistance. They need people to fill in for former component lead developers, inactive developers, and developers who are mysteriously missing in action. But mainly they need more eyes and keyboards to clear issues.
The goal of Bug Hunt Day is to help the Zend Framework team fix as many issues as possible during the event. It is a great opportunity for those who want to help develop the framework but cannot do so on a regular basis. Because such people usually don’t know where to start, whom to ask, how to use the provided tools or simply how to commit code, Padraic’s guide should be the first thing to read before participating in a Bug Hunt. Check it out and see that participating in Bug Hunt Days is not that hard.
Pádraic Brady announced on the Developer Tutorials site that he has completed Zend_Oauth’s Consumer implementation for the OAuth Core 1.0 Revision A specification. He also presents an example implementation of a Twitter client using the new component.
The OAuth protocol enables websites or applications (Consumers) to access Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely-implementable and generic methodology for API authentication.
Zend_Oauth might be released in Zend Framework 1.10 (due December?) and is already in the incubator. See how it works before the official release.
Asynchronous processing should be a well-known concept for all developers. Although the idea is widely known, you will not find many task implementations in PHP. Padraic Brady wants to change that.
Before we run off and implement some examples, we first need a task! Once it’s identified, we then need to separate it from the application so it can be processed as an independent unit of work. To add to this, we should also make sure it’s reusable, essentially returning to our Object Oriented basics.
Padraic has already published two parts of his tutorial, Asynchronous Benefits, Task Identification and Implementation Methods and Making Zend Framework Applications CLI Accessible, and is working on the third part. He not only presents and explains his approach but also gives solid theoretical grounding in the topic.