| 1 |
Revision history for Perl extension CBOR::XS |
| 2 |
|
| 3 |
TODO: pack_keys? |
| 4 |
TODO: document encode_cbor_sharing? |
| 5 |
TODO: weaken cyclic structures? |
| 6 |
TODO: large negative integers |
| 7 |
|
| 8 |
1.7 Tue Jun 27 04:02:23 CEST 2017 |
| 9 |
- SECURITY FIX: fix two bugs found by american fuzzy lop, |
| 10 |
upgrade is advised if you accept data from untrusted |
| 11 |
sources. |
| 12 |
- an out-of bound sharedref or stringref index could cause an |
| 13 |
out of bounds access - might be exploitable. |
| 14 |
- a decoding error during indefinite array or hash decoding |
| 15 |
could cause an endless loop. |
| 16 |
|
| 17 |
1.6 Wed Dec 7 15:13:23 CET 2016 |
| 18 |
- greatly expand the SECURITY IMPLICATIONS and similar sections. |
| 19 |
- new constructor new_safe, to create a secure CBOR::XS object. |
| 20 |
- new option forbid_objects, to disallow serialisation. |
| 21 |
- new CBOR::XS::safe_filter functionality. |
| 22 |
- fix a crash when decoding a cyclic data structure using |
| 23 |
stringref/pack_strings when allow_cycles is disabled. |
| 24 |
- fix a crash when decoding hash keys with length >= 2**31. |
| 25 |
- avoid unreasonably long decoding times for certain |
| 26 |
types of (corrupt) cbor texts. |
| 27 |
- support arrays and hashes with >= 2**31 members. |
| 28 |
- avoid overflow on pointer arithmetic when checking whether enough |
| 29 |
data is available. |
| 30 |
- fix a memory leak that occured when decoding failed while decoding |
| 31 |
a tagged value. |
| 32 |
- do not leak the partially constructed result when stringifying |
| 33 |
a hash key throws an exception. |
| 34 |
- various code size and efficiency optimizations (reduced code |
| 35 |
from 42 to 40kB on my system, despite the new features). |
| 36 |
|
| 37 |
1.5 Wed Apr 27 11:38:39 CEST 2016 |
| 38 |
- Math::BigFloat madness workaround, see |
| 39 |
http://blog.schmorp.de/2016-04-23-mathbigfloat-maintainer-fail.html |
| 40 |
(bugreport by zdm@softvisio.net). |
| 41 |
- add text_keys and text_strings options to force CBOR text encoding |
| 42 |
for perl hash keys or all strings, as a result of discussions |
| 43 |
with Fredrik Ljunggren. |
| 44 |
- implement support for arbitrary-exponent numbers (see |
| 45 |
http://peteroupc.github.io/CBOR/bigfrac.html, tags 264 and 265) |
| 46 |
for both en- and decoding. |
| 47 |
- implement support for rational numbers (see |
| 48 |
http://peteroupc.github.io/CBOR/rational.html, tag 30) for both |
| 49 |
en- and decoding. |
| 50 |
- the above effectively implements all registered CBOR extensions |
| 51 |
in a sensible manner. |
| 52 |
- remove some weird dead code that was duplicated (%FILTER). |
| 53 |
- add t/58_hv.t, which tests hashes and the new text_* flags. |
| 54 |
hashes apparently were not encoded at all in any of the existing |
| 55 |
tests. |
| 56 |
- document Math::BigFloat base-2 performance/crash issues. |
| 57 |
- use stability canary. |
| 58 |
|
| 59 |
1.41 Thu 25 Feb 15:22:03 CET 2016 |
| 60 |
- avoid perl panics on nested FREEZE/THAW calls (testcase by |
| 61 |
Victor Efimov). |
| 62 |
|
| 63 |
1.4 Mon Feb 8 05:10:15 CET 2016 |
| 64 |
- buffer overflow fix: a fast path during decoding did not check |
| 65 |
remaining length when decoding hash keys, found by fuzzing. |
| 66 |
This can potentially leak information in the error message |
| 67 |
or crash the process. |
| 68 |
- use C style { 0 } struct initializer. |
| 69 |
- upgrade libecb. |
| 70 |
|
| 71 |
1.3 Mon Apr 27 22:21:04 CEST 2015 |
| 72 |
- the incremental parser didn't properly parse tagged values |
| 73 |
(testcase by Mons Anderson). |
| 74 |
- slightly speed up encoding of plain (nonmagical) arrays. |
| 75 |
- try to clarify further that effectively all 32 bit architectures |
| 76 |
have 64 bit integer support. |
| 77 |
- upgrade libecb. |
| 78 |
|
| 79 |
1.26 Sat Oct 25 08:35:44 CEST 2014 |
| 80 |
- update the t/57_incr.t subtest that would rely on 64 bit ints. |
| 81 |
- disable t/50_rfc.t test that fails because of broken data::dumper. |
| 82 |
|
| 83 |
1.25 Sun Jan 5 15:19:14 CET 2014 |
| 84 |
- map key decoding was pretty much botched due to the recent cleanups. |
| 85 |
- work around Time::Piece->epoch returning a string value, avoid encoding |
| 86 |
this as a tag 1 string. |
| 87 |
- enable more testcases in t/50_rfc.t, now that they work :) |
| 88 |
|
| 89 |
1.2 Tue Dec 10 22:06:42 CET 2013 |
| 90 |
- implement an incremental decoder. |
| 91 |
|
| 92 |
1.12 Tue Dec 3 11:23:22 CET 2013 |
| 93 |
- work around broken Time::Piece (in old versions of the module, %z doesn't |
| 94 |
work as documented, gives different results on different platforms(!)). |
| 95 |
|
| 96 |
1.11 Sun Dec 1 18:00:00 CET 2013 |
| 97 |
- new setting: validate_utf8, for when you can't trust your cbor data. |
| 98 |
- do not leak memory on decoding errors, when allow_cycles is enabled. |
| 99 |
- add default filters for tags 0 and 1, using Time::Piece. |
| 100 |
- more tests added. |
| 101 |
|
| 102 |
1.1 Sat Nov 30 19:14:27 CET 2013 |
| 103 |
- INCOMPATIBLE CHANGE: new decoder setting: allow_cyclic, needed to decode |
| 104 |
cyclic data structures (to avoid memleaks in unsuspecting code). |
| 105 |
- no longer "share" references that aren't, i.e. true/false/null/error/tagged. |
| 106 |
- fix stringref w.r.t. indefinite-length strings. |
| 107 |
- verify indefinite-length string chunk types. |
| 108 |
- do not allow extremely large arrays - assume an array element |
| 109 |
requires at least one CBOR byte, to avoid memory exhaustion attacks. |
| 110 |
- major code overhaul. |
| 111 |
|
| 112 |
1.0 Thu Nov 28 16:43:31 CET 2013 |
| 113 |
- use the now official tag values for extensions. remove the |
| 114 |
experimental notice. it's the real thing now, with real bugs. |
| 115 |
- renamed allow_stringref to pack_strings. |
| 116 |
- port to perl <= 5.16. |
| 117 |
- slightly improve the documentation. |
| 118 |
|
| 119 |
0.09 Fri Nov 22 16:54:18 CET 2013 |
| 120 |
- bignum/bigfloat/decimal support. |
| 121 |
- uri support. |
| 122 |
- tag filter functions support for decoding. |
| 123 |
- do not support reference-to-1/0/undef anymore, you need to use |
| 124 |
the Types::Serialiser objects now. |
| 125 |
- experimental sharable extension support (http://cbor.schmorp.de/value-sharing). |
| 126 |
- experimental stringref extension support (http://cbor.schmorp.de/stringref). |
| 127 |
- implement indirection tag (http://cbor.schmorp.de/indirection). |
| 128 |
|
| 129 |
0.08 Wed Oct 30 11:10:43 CET 2013 |
| 130 |
- defused another too fragile test. |
| 131 |
|
| 132 |
0.07 Tue Oct 29 23:04:07 CET 2013 |
| 133 |
- don't crash in decode when silly values are passed in. |
| 134 |
- considerably speed up map decoding when map keys |
| 135 |
are utf-8 or byte strings. |
| 136 |
- raising an exception in THAW should now work without |
| 137 |
leaking. |
| 138 |
|
| 139 |
0.06 Tue Oct 29 16:56:07 CET 2013 |
| 140 |
- do not leak when deserialiasing via THAW. |
| 141 |
- implement and document CBOR::XS creation/access/mutate |
| 142 |
methods. |
| 143 |
|
| 144 |
0.05 Mon Oct 28 22:27:47 CET 2013 |
| 145 |
- do not leak hash keys on decoding. |
| 146 |
|
| 147 |
0.04 Sun Oct 27 23:47:47 CET 2013 |
| 148 |
- implement TO_CBOR/FREEZE/THAW serialisation protocols. |
| 149 |
- requested perl-object and generic-object tags from iana. |
| 150 |
- switched to Types::Serialiser for true, false and error. |
| 151 |
- disabled some fragile tests (thanks, andk). |
| 152 |
|
| 153 |
0.03 Sun Oct 27 00:28:41 CEST 2013 |
| 154 |
- improve 32 bit platform compatibility. |
| 155 |
- take more advantage of ecb.h. |
| 156 |
- preliminary and bare-bones tagged support. |
| 157 |
- improved docs. |
| 158 |
|
| 159 |
0.02 Sat Oct 26 13:08:05 CEST 2013 |
| 160 |
- no aborts left. |
| 161 |
- add $CBOR::XS::MAGIC. |
| 162 |
- preliminary tagged decoding to arrayref. |
| 163 |
- indefinite encoding fixed. |
| 164 |
- half float decoding implemented. |
| 165 |
- t/50_rfc.t adds test vectors from the rfc, which |
| 166 |
are checked as applicable. |
| 167 |
|
| 168 |
0.01 Fri Oct 25 21:39:56 CEST 2013 |
| 169 |
- original version; cloned from JSON-XS |
| 170 |
|
