| 1 | Revision history for Perl extension CBOR::XS |
1 | Revision history for Perl extension CBOR::XS |
| 2 | |
2 | |
| 3 | TODO: pack_keys? |
3 | TODO: pack_keys? |
| 4 | TODO: document encode_cbor_sharing? |
4 | TODO: document encode_cbor_sharing? |
| 5 | TODO: weaken cyclic structures? |
5 | TODO: weaken cyclic structures? |
| 6 | TODO: allowed_classes or so? |
|
|
| 7 | TODO: large negative integers |
6 | TODO: large negative integers |
| 8 | TODO: russian guy test case exception |
7 | |
| 9 | TODO: allow_objects |
8 | 1.7 Tue Jun 27 04:02:23 CEST 2017 |
| 10 | 1.6 |
9 | - SECURITY FIX: fix two bugs found by american fuzzy lop, |
| 11 | - point out security implications of having unsafe THAW |
10 | upgrade is advised if you accept data from untrusted |
| 12 | function/methods in your process. |
11 | sources. |
|
|
12 | - an out-of bound sharedref or stringref index could cause an |
|
|
13 | out of bounds access - might be exploitable. |
|
|
14 | - a decoding error during indefinite array or hash decoding |
|
|
15 | could cause an endless loop. |
|
|
16 | |
|
|
17 | 1.6 Wed Dec 7 15:13:23 CET 2016 |
|
|
18 | - greatly expand the SECURITY IMPLICATIONS and similar sections. |
|
|
19 | - new constructor new_safe, to create a secure CBOR::XS object. |
|
|
20 | - new option forbid_objects, to disallow serialisation. |
|
|
21 | - new CBOR::XS::safe_filter functionality. |
| 13 | - fix a crash when decoding a cyclic data structure using |
22 | - fix a crash when decoding a cyclic data structure using |
| 14 | stringref/pack_strings when allow_cycles is disabled. |
23 | stringref/pack_strings when allow_cycles is disabled. |
| 15 | - fix a crash when decoding hash keys with length >= 2**31. |
24 | - fix a crash when decoding hash keys with length >= 2**31. |
| 16 | - avoid unreasonably long decoding times for certain |
25 | - avoid unreasonably long decoding times for certain |
| 17 | types of data corruption. |
26 | types of (corrupt) cbor texts. |
| 18 | - support arrays and hashes with >= 2**31 members. |
27 | - support arrays and hashes with >= 2**31 members. |
| 19 | - avoid overflow on pointer arithmetic when checking whether enough |
28 | - avoid overflow on pointer arithmetic when checking whether enough |
| 20 | data is available. |
29 | data is available. |
| 21 | - fix a memory leak that occured when decoding failed while decoding |
30 | - fix a memory leak that occured when decoding failed while decoding |
| 22 | a tagged value. |
31 | a tagged value. |
| 23 | - do not leak the partially constructed result when stringifying |
32 | - do not leak the partially constructed result when stringifying |
| 24 | a hash key throws an exception. |
33 | a hash key throws an exception. |
| 25 | - various code size and efficiency optimizations. |
34 | - various code size and efficiency optimizations (reduced code |
|
|
35 | from 42 to 40kB on my system, despite the new features). |
| 26 | |
36 | |
| 27 | 1.5 Wed Apr 27 11:38:39 CEST 2016 |
37 | 1.5 Wed Apr 27 11:38:39 CEST 2016 |
| 28 | - Math::BigFloat madness workaround, see |
38 | - Math::BigFloat madness workaround, see |
| 29 | http://blog.schmorp.de/2016-04-23-mathbigfloat-maintainer-fail.html |
39 | http://blog.schmorp.de/2016-04-23-mathbigfloat-maintainer-fail.html |
| 30 | (bugreport by zdm@softvisio.net). |
40 | (bugreport by zdm@softvisio.net). |
