Releases: lift/framework
Lift 2.6.3: Security Release
Lift 2.6 was found to be using an outdated version of Apache Commons
FileUpload, which had an unpatched DoS vulnerability.
Lift 2.6.3 bumps the dependency to the latest version, 1.3.1, which fixes
this vulnerability. Additionally, if you're using sbt, you can directly depend
on commons-fileupload
1.3.1 to evict the Lift dependency. The versions
are compatible with respect to Lift's usage.
Lift 2.5.4: Security Release
Lift 2.5 was found to be using an outdated version of Apache Commons
FileUpload, which had an unpatched DoS vulnerability.
Lift 2.5.4 bumps the dependency to the latest version, 1.3.1, which fixes
this vulnerability. Additionally, if you're using sbt, you can directly depend
on commons-fileupload
1.3.1 to evict the Lift dependency without upgrading
Lift. The versions are compatible with respect to Lift's usage.
Lift Framework 3.0-M6
This release features a good bit of cleanup from the previous one. It's been a busy
few months for the committers so the work is mostly in targeted improvements and
bug fixes:
Improvements
- (#1706) Thanks to @chriswebster, an up to 90% performance increase in JSON
serialization forlift-json
! - (#1693)
ParamFailure
now behaves more correctly with~>
. That operator, when
used on aFailure
, returns aParamFailure
with the passed parameter, while
preserving the rest of the originalFailure
's information. Before, invoking~>
with
a parameter on aParamFailure
would replace the existing parameter with the new
one, thus losing the previous parameter altogether. Now, we produce a copy of the
ParamFailure
with the new parameter, but we chain the previousParamFailure
to it so that it the original parameter is still accessible. - (#1698) Lift 3 sessions allow an actor proxy for client code to be created via
serverActorForClient
. This release includes some new setup configuration
when creating those actors, like providing setup and teardown functions as well
as ways to convert from application messages into client JS content. - (#1701) There is now a
LiftRules.attributeForRemovedEventAttributes
. When
Lift strips event-related attributes (e.g.onclick
,onsubmit
, etc), if this rule is
set to aString
, it will tag the element whose event attributes were removed
with the attributes that were removed. For example, setting it toSome("data-lift-removed-attributes")
might result in adata-lift-removed-attributes="onclick onmouseover"
attribute
in your HTML if that element had its click and mouseover event handlers moved
into page-specific JS. This allows you to make styling decisions based on these
attributes, if you want to. See the rule documentation for more. - (#1705) Until now,
jsonCall
would fail silently on both client and server if the
submitted data from the client wasn't valid JSON. Now, it will log (at anERROR
log level) on the server if invalid JSON is sent. Whether this log info will be printed
or not is configurable using usual logger configuration. - (#1709) You can now register to find out when a function owner no longer has
available functions bound in a session. Function owners typically (though not always)
correspond to server-side functions bound or a page rendering (e.g., form fields).
These usually expire ~2 minutes after the user is no longer on the page, but until
now there was no way to find out that a given page was no longer “in scope”. In
certain cases, that could be interesting to clean up page-related temporary assets
or resource allocations. We now provideLiftSession.onFunctionOwnersRemoved
,
which can be set during application startup so that any new sessions can register
those listeners. @andreak posted an excellent example of how they are using this
on the mailing list.
Bug Fixes
- (#1694) When generating post-page JavaScript (mostly used by Wiring), there
were some cases where null pointer exceptions could be thrown. These should
be gone. - (#1692) When binding
onclick
to an element that had anhref
, the new code
that extracts event handlers into page-specific JS was failing to bind the click
handler. This is now fixed, as is a related bug where elements that didn't need
handlers still had a random id assigned to them. - (#1677) When sending messages to comet actors before they are created (via
LiftSession.sendCometActorMessage
), they would arrive in reverse order.
This is now fixed, and the first message sent usingsendCometActorMessage
arrives first. - (#1703) When we moved away from
bind
, the CSS bindings inProtoUser
that checked password changes were incorrect, in that they never saw the
user having submitted two versions of the same password. This is now fixed,
and the change password stuff provided byProtoUser
is now correct.
Lift 2.5.3: Security Release
Lift 2.5.1 was found to be vulnerable to XML External Entity attacks,
which can leak private files through your application when parsing certain
types of XML. In the process of communicating the vulnerability to Typesafe,
they referred us to a more-restricted version of XML parsing used to prevent
additional vulnerabilities like the billion laughs vulnerability and its sibling
quadratic blowup vulnerability.
Lift 2.5.2 fixed the XXE attacks, but Lift 2.5.3 was released to shore up the
additional vulnerabilities we were made aware of. This is done by disabling
inline DTDs altogether. We also enable secure processing, which adds restrictions
to supporting parsers to prevent denial-of-service style attacks on XML parsing.
Anyone who switched to use net.liftweb.util.Helpers.secureXML
will automatically
get these additional protections.
To do this, Lift 2.5.3 depends on Apache Xerces version 2.11. Some concerns
have been brought up about this additional dependency and how it may interact
with other XML parsing that may occur in the application; please provide feedback
on the mailing list if you run into any issues related to this new dependency.
Lift 3.0-M5-1: Security Snapshot Release
Lift 3.0-SNAPSHOT was found to be vulnerable to XML External Entity attacks,
which can leak private files through your application when parsing certain
types of XML. In the process of communicating the vulnerability to Typesafe,
they referred us to a more-restricted version of XML parsing used to prevent
additional vulnerabilities like the billion laughs vulnerability and its sibling
quadratic blowup vulnerability.
Lift 3.0-M5 fixed the XXE attacks, but Lift 3.0-M5-1 was released to shore up the
additional vulnerabilities we were made aware of. This is done by disabling
inline DTDs altogether. We also enable secure processing, which adds restrictions
to supporting parsers to prevent denial-of-service style attacks on XML parsing.
Anyone who switched to use net.liftweb.util.Helpers.secureXML
will automatically
get these additional protections.
To do this, Lift 3.0-M5-1 depends on Apache Xerces version 2.11. Some concerns
have been brought up about this additional dependency and how it may interact
with other XML parsing that may occur in the application; please provide feedback
on the mailing list if you run into any issues related to this new dependency.
Lift 3.0-M4-1: Security Milestone Release
Lift 3.0-M3 was found to be vulnerable to XML External Entity attacks,
which can leak private files through your application when parsing certain
types of XML. In the process of communicating the vulnerability to Typesafe,
they referred us to a more-restricted version of XML parsing used to prevent
additional vulnerabilities like the billion laughs vulnerability and its sibling
quadratic blowup vulnerability.
Lift 3.0-M4 fixed the XXE attacks, but Lift 3.0-M4-1 was released to shore up the
additional vulnerabilities we were made aware of. This is done by disabling
inline DTDs altogether. We also enable secure processing, which adds restrictions
to supporting parsers to prevent denial-of-service style attacks on XML parsing.
Anyone who switched to use net.liftweb.util.Helpers.secureXML
will automatically
get these additional protections.
To do this, Lift 3.0-M4-1 depends on Apache Xerces version 2.11. Some concerns
have been brought up about this additional dependency and how it may interact
with other XML parsing that may occur in the application; please provide feedback
on the mailing list if you run into any issues related to this new dependency.
Lift 2.6.2: Security Release
Lift 2.6 was found to be vulnerable to XML External Entity attacks,
which can leak private files through your application when parsing certain
types of XML. In the process of communicating the vulnerability to Typesafe,
they referred us to a more-restricted version of XML parsing used to prevent
additional vulnerabilities like the billion laughs vulnerability and its sibling
quadratic blowup vulnerability.
Lift 2.6.1 fixed the XXE attacks, but Lift 2.6.2 was released to shore up the
additional vulnerabilities we were made aware of. This is done by disabling
inline DTDs altogether. We also enable secure processing, which adds restrictions
to supporting parsers to prevent denial-of-service style attacks on XML parsing.
Anyone who switched to use net.liftweb.util.Helpers.secureXML
will automatically
get these additional protections.
To do this, Lift 2.6.2 depends on Apache Xerces version 2.11. Some concerns
have been brought up about this additional dependency and how it may interact
with other XML parsing that may occur in the application; please provide feedback
on the mailing list if you run into any issues related to this new dependency.
Lift 3.0-M5: Security Snapshot Release
Lift 3.0-SNAPSHOT was found to be vulnerable to XML External Entity attacks,
which can leak private files through your application when parsing certain
types of XML.
Lift 3.0-M5 introduces net.liftweb.util.Helpers.secureXML
, an analogous object to
Scala's scala.xml.XML
that is secured against XXE attacks by disabling external
entities in doctypes. If you are parsing untrusted user-provided XML using
scala.xml.XML
, it is recommended that you switch to secureXML
instead.
Lift 3.0-M5 was rapidly superseded by Lift 3.0-M5-1, which secures the secureXML
object against a few additional XML-based attacks.
Lift 3.0-M4: Security Milestone Release
Lift 3.0-M3 was found to be vulnerable to XML External Entity attacks,
which can leak private files through your application when parsing certain
types of XML.
Lift 3.0-M4 introduces net.liftweb.util.Helpers.secureXML
, an analogous object to
Scala's scala.xml.XML
that is secured against XXE attacks by disabling external
entities in doctypes. If you are parsing untrusted user-provided XML using
scala.xml.XML
, it is recommended that you switch to secureXML
instead.
Lift 3.0-M4 was rapidly superseded by Lift 3.0-M4-1, which secures the secureXML
object against a few additional XML-based attacks.
Lift 2.6.1: Security Release
Lift 2.6 was found to be vulnerable to XML External Entity attacks,
which can leak private files through your application when parsing certain
types of XML.
Lift 2.6.1 introduces net.liftweb.util.Helpers.secureXML
, an analogous object to
Scala's scala.xml.XML
that is secured against XXE attacks by disabling external
entities in doctypes. If you are parsing untrusted user-provided XML using
scala.xml.XML
, it is recommended that you switch to secureXML
instead.
Lift 2.6.1 was rapidly superseded by Lift 2.6.2, which secures the secureXML
object against a few additional XML-based attacks.