mobile support
==============
Zend Framework 1.11 marks the first release with explicit support for
mobile devices, via the new component Zend_Http_UserAgent. This
component was developed by Raphael Carles. Carles is CTO of Interakting,
the digital agency of Business & Decision Group of France. Interakting
employs 150 PHP professionals to build industrial PHP projects, and its
clients include Canal +/Vivendi, BNP Paribas, Samsung France, Ministry
of Education, Alapage (Orange), Orange Tunisia, and many others. As
such, they have extensive experience in supporting mobile devices, and
stepped forward to contribute to Zend Framework, which they leverage in
their projects.
Zend_Http_UserAgent performs two responsibilities:
- User-Agent detection
- Device capabilities detection, based on User-Agent
The component includes a "features" adapter mechanism that allows
developers to tie into different backends for the purpose of discovering
device capabilities. Currently, Zend Framework ships with adapters for
the WURFL (Wireless Universal Resource File) API, Tera-WURFL, and
DeviceAtlas, with more planned for the future.
Luca Passani, author and lead of the WURFL project, has provided an
exemption to Zend Framework to provide a non-GPL adapter accessing the
WURFL PHP API.
Additional hooks into the component are provided via a Zend_Application
resource plugin, and a Zend_View helper, allowing developers the ability
to return output customized for the detected device (e.g., alternate
layouts, alternate images, Flash versus HTML5 support, etc.).
Zend_Cloud: SimpleCloud API
===========================
During ZendCon 2009, Zend announced a prototype of the SimpleCloud API.
This API was to provide hooks into cloud-based document storage, queue
services, and file storage.
Zend Framework 1.11.0 markes the first official, stable release of
Zend_Cloud, Zend Framework's PHP version of the SimpleCloud API. Current
support includes:
- Document Services:
- Amazon SimpleDB
- Windows Azure's Table Storage
- Queue Services:
- Amazon Simple Queue Service (SQS)
- Windows Azure's Queue Service
- All adapters supported by Zend_Queue:
- Zend Platform JobQueue
- Memcacheq
- Relational Database
- ActiveMQ
- Storage Services:
- Amazon Simple Storage Service (S3)
- Windows Azure's Blog Storage
- Nirvanix
- Local filesystem
When using any of the SimpleCloud APIs, your code will be portable
across the various adapters provided, allowing you to pick and choose
your services, as well as try different services until you find one that
suits your application or business needs. Additionally, if you find you
need to code adapter-specific features, you can drop down to the
specific adapter in order to do so.
More adapters will be arriving in the coming months, giving you even
more options!
We thank Wil Sinclair and Stas Malyshev for their assistance in the
initial releases of Zend_Cloud.
Security
========
Several classes in Zend Framework were patched to eliminate the
potential for leaking timing information from the direct comparison of
sensitive data such as plaintext passwords or cryptographic signatures
to user input. These leaks arise from the normal process of comparing
any two strings in PHP. The nature of the leaks is that strings are
often compared byte by byte, with a negative result being returned early
as soon as any set of non-matching bytes is detected. The more bytes
that are equal (starting from the first byte) between both sides of the
comparison, the longer it takes for a final result to be returned. Based
on the time it takes to return a negative or positive result, it is
possible that an attacker could, over many samples of requests, craft a
string that compares positively to another secret string value known
only to a target server simply by guessing the string one byte at a time
and measuring each guess' execution time. This server secret could be a
plaintext password or the correct cryptographic signature of a request
the attacker wants to execute, such as is used in several open protocols
including OpenID and OAuth. This could obviously enable an attacker to
gain sufficient information to perform a secondary attack such as
masquerading as an authenticated user.
This form of attack is known as a Remote Timing Attack. Timing Attacks
have been problematic in the past but to date have been very difficult
to perform remotely over the internet due to the interference of network
jitter which limits their effectiveness in resolving very small timing
differences. While the internet still poses a challenge to performing
successful Timing Attacks against a remote server, the increasing use of
frameworks on local networks and in cloud computing, where network
jitter may be significantly reduced, raises the distinct possibility
that remote Timing Attacks will become feasible against ever smaller
timing information leaks, such as those leaked when comparing any two
strings. As a precaution, the applied changes implement a fixed time
comparison for several classes which would be attractive targets in any
potential remote Timing Attack. A fixed time comparison function does
not leak any timing information useful to an attacker thus proactively
preventing any future vulnerability to these forms of attack.
We thank Pàdraic Brady for his efforts in identifying and patching these
vulnerabilities.
Dojo Support
============
Zend Framework's default Dojo Toolkit version has been bumped to version
1.5.0, which includes the new dojox.mobile component, a simple framework
for client-side mobile applications.
SimpleDB Support
================
Zend Framework has provided support for Amazon's Simple Storage Service
(S3), Simple Queue Service (SQS), and Elastic Cloud Compute (EC2)
platforms for several releases. Zend Framework 1.11.0 adds support for
SimpleDB, Amazon's non-relational document storage database offering.
Support is available for all SimpleDB operations via
Zend_Service_Amazon_SimpleDb.
Zend Framework's SimpleDB adapter was originally written by Wil
Sinclair.
eBay Findings API Support
=========================
eBay has an extensive REST API, allowing developers to build
applications interacting with their extensive data. Zend Framework
1.11.0 includes Zend_Service_Ebay_Findings, which provides complete
support for the eBay Findings API. This API allows developers to query
eBay for details on active auctions, using categories or keywords.
Zend_Service_Ebay was contributed by Renan de Lima, Ramon Henrique
Ornelas, and Don Bosco Nguyen Van Hoi.
MariaDB Compatibility
=====================
Zend_Db's mysql and Pdo_Mysql adapters are fully MariaDB compatible, and
the documentation has been updated to reflect configuration options for
this fork of MySQL.
New Configuration Formats
=========================
Zend_Config has been a quite popular component in Zend Framework, and
has offerred adapters for PHP arrays, XML, and INI configuration files.
Zend Framework 1.11.0 now offers two additional configuration formats:
YAML and JSON.
Zend_Config_Yaml provides a very rudimentary YAML-parser that should
work with most configuration formats. However, it also allows you to
specify an alternate YAML parser if desired, allowing you to lever tools
such as PECL's ext/syck or Symfony's YAML component, sfYaml.
Zend_Config_Json leverages the Zend_Json component, and by extension
ext/json.
Both adapters have support for PHP constants, as well as provide the
ability to write configuration files based on configuration objects.
Stas Malyshev created both adapters for Zend Framework; Zend_Config_Json
also had assistance from Sudheer Satyanarayana.
URL Shortening
==============
Zend_Service_ShortUrl was added for this release. The component provides
a simple interface for use with most URL shortening services, defining
simply the methods "shorten" and "unshorten". Adapters for two services,
http://jdem.cz and
http://tinyurl.com, are provided with this release.
Zend_Service_ShortUrl was contributed by Martin Hujer.
Additional View Helpers
=======================
Several new view helpers are now exposed:
- Zend_View_Helper_UserAgent ties into the Zend_Http_UserAgent
component, detailed above. It gives you access to the UserAgent
instance, allowing you to query for the device and capabilities.
- Zend_View_Helper_TinySrc is an additional portion of Zend Framework's
mobile offering for version 1.11.0. The helper ties into the TinySrc
API, allowing you to a) provide device-specific image sizes and
formats for your site, and b) offload generation of those images to
this third-party service. The helper creates img tags pointing to the
service, and provides options for specifying adaptive sizing and
formats.
- Zend_View_Helper_Gravatar ties into the Gravatar API, allowing you to
provide avatar images for registered users that utilize the Gravatar
service. This helper was contributed by Marcin Morawski.
Les nouveautés de Zend Framework 1.11
Répondre avec citation
Partager