[ViewVC] Contents of: cvs/CBOR-XS/Changes

Revision history for Perl extension CBOR::XS

TODO: pack_keys?
TODO: document encode_cbor_sharing?
TODO: weaken cyclic structures?
TODO: large negative integers
TODO: type cast tests.
TODO: possibly implement https://peteroupc.github.io/CBOR/extended.html, but NaNs are nonportable. rely on libecb?
TODO: https://github.com/svaarala/cbor-specs/blob/master/cbor-nonutf8-string-tags.rst, but maybe that is overkill?
TODO: as_bool, also in Types::Serialiser?

1.81 Mon Nov 30 19:29:33 CET 2020
        - cast funbctions were broken due to last-minute renaming. thats
          what you egt for not havign a tessuite.
        - Math::BigInt and Math::BigFloat are pretty broken (again),
          so disable some tests. (try printing the bigfloat
          799999999999999999998E99999999999999999998).

1.8  Sun Nov 29 22:35:13 CET 2020
        - experimental support for some type casts, as well as embedding
          raw cbor data.

1.71 Thu Nov 15 20:52:13 CET 2018
        - work around what smells like a perl bug w.r.t. exceptions
          thrown in callbacks.
        - update libecb.

1.7  Tue Jun 27 04:02:23 CEST 2017
        - SECURITY FIX: fix two bugs found by american fuzzy lop,
          upgrade is advised if you accept data from untrusted
          sources.
        - an out-of bound sharedref or stringref index could cause an
          out of bounds access - might be exploitable.
        - a decoding error during indefinite array or hash decoding
          could cause an endless loop.

1.6  Wed Dec  7 15:13:23 CET 2016
        - greatly expand the SECURITY IMPLICATIONS and similar sections.
        - new constructor new_safe, to create a secure CBOR::XS object.
        - new option forbid_objects, to disallow serialisation.
        - new CBOR::XS::safe_filter functionality.
        - fix a crash when decoding a cyclic data structure using
          stringref/pack_strings when allow_cycles is disabled.
        - fix a crash when decoding hash keys with length >= 2**31.
        - avoid unreasonably long decoding times for certain
          types of (corrupt) cbor texts.
        - support arrays and hashes with >= 2**31 members.
        - avoid overflow on pointer arithmetic when checking whether enough
          data is available.
        - fix a memory leak that occured when decoding failed while decoding
          a tagged value.
        - do not leak the partially constructed result when stringifying
          a hash key throws an exception.
        - various code size and efficiency optimizations (reduced code
          from 42 to 40kB on my system, despite the new features).

1.5  Wed Apr 27 11:38:39 CEST 2016
        - Math::BigFloat madness workaround, see
          http://blog.schmorp.de/2016-04-23-mathbigfloat-maintainer-fail.html
          (bugreport by zdm@softvisio.net).
        - add text_keys and text_strings options to force CBOR text encoding
          for perl hash keys or all strings, as a result of discussions
          with Fredrik Ljunggren.
        - implement support for arbitrary-exponent numbers (see
          http://peteroupc.github.io/CBOR/bigfrac.html, tags 264 and 265)
          for both en- and decoding.
        - implement support for rational numbers (see
          http://peteroupc.github.io/CBOR/rational.html, tag 30) for both
          en- and decoding.
        - the above effectively implements all registered CBOR extensions
          in a sensible manner.
        - remove some weird dead code that was duplicated (%FILTER).
        - add t/58_hv.t, which tests hashes and the new text_* flags.
          hashes apparently were not encoded at all in any of the existing
          tests.
        - document Math::BigFloat base-2 performance/crash issues.
        - use stability canary.

1.41 Thu 25 Feb 15:22:03 CET 2016
        - avoid perl panics on nested FREEZE/THAW calls (testcase by
          Victor Efimov).

1.4  Mon Feb  8 05:10:15 CET 2016
        - buffer overflow fix: a fast path during decoding did not check
          remaining length when decoding hash keys, found by fuzzing.
          This can potentially leak information in the error message
          or crash the process.
        - use C style { 0 } struct initializer.
        - upgrade libecb.

1.3  Mon Apr 27 22:21:04 CEST 2015
        - the incremental parser didn't properly parse tagged values
          (testcase by Mons Anderson).
        - slightly speed up encoding of plain (nonmagical) arrays.
        - try to clarify further that effectively all 32 bit architectures
          have 64 bit integer support.
        - upgrade libecb.

1.26 Sat Oct 25 08:35:44 CEST 2014
        - update the t/57_incr.t subtest that would rely on 64 bit ints.
        - disable t/50_rfc.t test that fails because of broken data::dumper.

1.25 Sun Jan  5 15:19:14 CET 2014
        - map key decoding was pretty much botched due to the recent cleanups.
        - work around Time::Piece->epoch returning a string value, avoid encoding
          this as a tag 1 string.
        - enable more testcases in t/50_rfc.t, now that they work :)

1.2  Tue Dec 10 22:06:42 CET 2013
        - implement an incremental decoder.

1.12 Tue Dec  3 11:23:22 CET 2013
        - work around broken Time::Piece (in old versions of the module, %z doesn't
          work as documented, gives different results on different platforms(!)).

1.11 Sun Dec  1 18:00:00 CET 2013
        - new setting: validate_utf8, for when you can't trust your cbor data.
        - do not leak memory on decoding errors, when allow_cycles is enabled.
        - add default filters for tags 0 and 1, using Time::Piece.
        - more tests added.

1.1  Sat Nov 30 19:14:27 CET 2013
        - INCOMPATIBLE CHANGE: new decoder setting: allow_cyclic, needed to decode
          cyclic data structures (to avoid memleaks in unsuspecting code).
        - no longer "share" references that aren't, i.e. true/false/null/error/tagged.
        - fix stringref w.r.t. indefinite-length strings.
        - verify indefinite-length string chunk types.
        - do not allow extremely large arrays - assume an array element
          requires at least one CBOR byte, to avoid memory exhaustion attacks.
        - major code overhaul.

1.0  Thu Nov 28 16:43:31 CET 2013
        - use the now official tag values for extensions. remove the
          experimental notice. it's the real thing now, with real bugs.
        - renamed allow_stringref to pack_strings.
        - port to perl <= 5.16.
        - slightly improve the documentation.

0.09  Fri Nov 22 16:54:18 CET 2013
        - bignum/bigfloat/decimal support.
        - uri support.
        - tag filter functions support for decoding.
        - do not support reference-to-1/0/undef anymore, you need to use
          the Types::Serialiser objects now.
        - experimental sharable extension support (http://cbor.schmorp.de/value-sharing).
        - experimental stringref extension support (http://cbor.schmorp.de/stringref).
        - implement indirection tag (http://cbor.schmorp.de/indirection).

0.08  Wed Oct 30 11:10:43 CET 2013
        - defused another too fragile test.

0.07  Tue Oct 29 23:04:07 CET 2013
        - don't crash in decode when silly values are passed in.
        - considerably speed up map decoding when map keys
          are utf-8 or byte strings.
        - raising an exception in THAW should now work without
          leaking.

0.06  Tue Oct 29 16:56:07 CET 2013
        - do not leak when deserialiasing via THAW.
        - implement and document CBOR::XS creation/access/mutate
          methods.

0.05  Mon Oct 28 22:27:47 CET 2013
        - do not leak hash keys on decoding.

0.04  Sun Oct 27 23:47:47 CET 2013
        - implement TO_CBOR/FREEZE/THAW serialisation protocols.
        - requested perl-object and generic-object tags from iana.
        - switched to Types::Serialiser for true, false and error.
        - disabled some fragile tests (thanks, andk).

0.03  Sun Oct 27 00:28:41 CEST 2013
        - improve 32 bit platform compatibility.
        - take more advantage of ecb.h.
        - preliminary and bare-bones tagged support.
        - improved docs.

0.02  Sat Oct 26 13:08:05 CEST 2013
        - no aborts left.
        - add $CBOR::XS::MAGIC.
        - preliminary tagged decoding to arrayref.
        - indefinite encoding fixed.
        - half float decoding implemented.
        - t/50_rfc.t adds test vectors from the rfc, which
          are checked as applicable.

0.01  Fri Oct 25 21:39:56 CEST 2013
        - original version; cloned from JSON-XS

Revision:	1.83
Committed:	Mon Nov 30 20:38:25 2020 UTC (3 years, 5 months ago) by root
Branch:	MAIN
Changes since 1.82:	+1 -0 lines
Log Message:	* empty log message *
#	Content
1	Revision history for Perl extension CBOR::XS
2
3	TODO: pack_keys?
4	TODO: document encode_cbor_sharing?
5	TODO: weaken cyclic structures?
6	TODO: large negative integers
7	TODO: type cast tests.
8	TODO: possibly implement https://peteroupc.github.io/CBOR/extended.html, but NaNs are nonportable. rely on libecb?
9	TODO: https://github.com/svaarala/cbor-specs/blob/master/cbor-nonutf8-string-tags.rst, but maybe that is overkill?
10	TODO: as_bool, also in Types::Serialiser?
11
12	1.81 Mon Nov 30 19:29:33 CET 2020
13	- cast funbctions were broken due to last-minute renaming. thats
14	what you egt for not havign a tessuite.
15	- Math::BigInt and Math::BigFloat are pretty broken (again),
16	so disable some tests. (try printing the bigfloat
17	799999999999999999998E99999999999999999998).
18
19	1.8 Sun Nov 29 22:35:13 CET 2020
20	- experimental support for some type casts, as well as embedding
21	raw cbor data.
22
23	1.71 Thu Nov 15 20:52:13 CET 2018
24	- work around what smells like a perl bug w.r.t. exceptions
25	thrown in callbacks.
26	- update libecb.
27
28	1.7 Tue Jun 27 04:02:23 CEST 2017
29	- SECURITY FIX: fix two bugs found by american fuzzy lop,
30	upgrade is advised if you accept data from untrusted
31	sources.
32	- an out-of bound sharedref or stringref index could cause an
33	out of bounds access - might be exploitable.
34	- a decoding error during indefinite array or hash decoding
35	could cause an endless loop.
36
37	1.6 Wed Dec 7 15:13:23 CET 2016
38	- greatly expand the SECURITY IMPLICATIONS and similar sections.
39	- new constructor new_safe, to create a secure CBOR::XS object.
40	- new option forbid_objects, to disallow serialisation.
41	- new CBOR::XS::safe_filter functionality.
42	- fix a crash when decoding a cyclic data structure using
43	stringref/pack_strings when allow_cycles is disabled.
44	- fix a crash when decoding hash keys with length >= 2**31.
45	- avoid unreasonably long decoding times for certain
46	types of (corrupt) cbor texts.
47	- support arrays and hashes with >= 2**31 members.
48	- avoid overflow on pointer arithmetic when checking whether enough
49	data is available.
50	- fix a memory leak that occured when decoding failed while decoding
51	a tagged value.
52	- do not leak the partially constructed result when stringifying
53	a hash key throws an exception.
54	- various code size and efficiency optimizations (reduced code
55	from 42 to 40kB on my system, despite the new features).
56
57	1.5 Wed Apr 27 11:38:39 CEST 2016
58	- Math::BigFloat madness workaround, see
59	http://blog.schmorp.de/2016-04-23-mathbigfloat-maintainer-fail.html
60	(bugreport by zdm@softvisio.net).
61	- add text_keys and text_strings options to force CBOR text encoding
62	for perl hash keys or all strings, as a result of discussions
63	with Fredrik Ljunggren.
64	- implement support for arbitrary-exponent numbers (see
65	http://peteroupc.github.io/CBOR/bigfrac.html, tags 264 and 265)
66	for both en- and decoding.
67	- implement support for rational numbers (see
68	http://peteroupc.github.io/CBOR/rational.html, tag 30) for both
69	en- and decoding.
70	- the above effectively implements all registered CBOR extensions
71	in a sensible manner.
72	- remove some weird dead code that was duplicated (%FILTER).
73	- add t/58_hv.t, which tests hashes and the new text_* flags.
74	hashes apparently were not encoded at all in any of the existing
75	tests.
76	- document Math::BigFloat base-2 performance/crash issues.
77	- use stability canary.
78
79	1.41 Thu 25 Feb 15:22:03 CET 2016
80	- avoid perl panics on nested FREEZE/THAW calls (testcase by
81	Victor Efimov).
82
83	1.4 Mon Feb 8 05:10:15 CET 2016
84	- buffer overflow fix: a fast path during decoding did not check
85	remaining length when decoding hash keys, found by fuzzing.
86	This can potentially leak information in the error message
87	or crash the process.
88	- use C style { 0 } struct initializer.
89	- upgrade libecb.
90
91	1.3 Mon Apr 27 22:21:04 CEST 2015
92	- the incremental parser didn't properly parse tagged values
93	(testcase by Mons Anderson).
94	- slightly speed up encoding of plain (nonmagical) arrays.
95	- try to clarify further that effectively all 32 bit architectures
96	have 64 bit integer support.
97	- upgrade libecb.
98
99	1.26 Sat Oct 25 08:35:44 CEST 2014
100	- update the t/57_incr.t subtest that would rely on 64 bit ints.
101	- disable t/50_rfc.t test that fails because of broken data::dumper.
102
103	1.25 Sun Jan 5 15:19:14 CET 2014
104	- map key decoding was pretty much botched due to the recent cleanups.
105	- work around Time::Piece->epoch returning a string value, avoid encoding
106	this as a tag 1 string.
107	- enable more testcases in t/50_rfc.t, now that they work :)
108
109	1.2 Tue Dec 10 22:06:42 CET 2013
110	- implement an incremental decoder.
111
112	1.12 Tue Dec 3 11:23:22 CET 2013
113	- work around broken Time::Piece (in old versions of the module, %z doesn't
114	work as documented, gives different results on different platforms(!)).
115
116	1.11 Sun Dec 1 18:00:00 CET 2013
117	- new setting: validate_utf8, for when you can't trust your cbor data.
118	- do not leak memory on decoding errors, when allow_cycles is enabled.
119	- add default filters for tags 0 and 1, using Time::Piece.
120	- more tests added.
121
122	1.1 Sat Nov 30 19:14:27 CET 2013
123	- INCOMPATIBLE CHANGE: new decoder setting: allow_cyclic, needed to decode
124	cyclic data structures (to avoid memleaks in unsuspecting code).
125	- no longer "share" references that aren't, i.e. true/false/null/error/tagged.
126	- fix stringref w.r.t. indefinite-length strings.
127	- verify indefinite-length string chunk types.
128	- do not allow extremely large arrays - assume an array element
129	requires at least one CBOR byte, to avoid memory exhaustion attacks.
130	- major code overhaul.
131
132	1.0 Thu Nov 28 16:43:31 CET 2013
133	- use the now official tag values for extensions. remove the
134	experimental notice. it's the real thing now, with real bugs.
135	- renamed allow_stringref to pack_strings.
136	- port to perl <= 5.16.
137	- slightly improve the documentation.
138
139	0.09 Fri Nov 22 16:54:18 CET 2013
140	- bignum/bigfloat/decimal support.
141	- uri support.
142	- tag filter functions support for decoding.
143	- do not support reference-to-1/0/undef anymore, you need to use
144	the Types::Serialiser objects now.
145	- experimental sharable extension support (http://cbor.schmorp.de/value-sharing).
146	- experimental stringref extension support (http://cbor.schmorp.de/stringref).
147	- implement indirection tag (http://cbor.schmorp.de/indirection).
148
149	0.08 Wed Oct 30 11:10:43 CET 2013
150	- defused another too fragile test.
151
152	0.07 Tue Oct 29 23:04:07 CET 2013
153	- don't crash in decode when silly values are passed in.
154	- considerably speed up map decoding when map keys
155	are utf-8 or byte strings.
156	- raising an exception in THAW should now work without
157	leaking.
158
159	0.06 Tue Oct 29 16:56:07 CET 2013
160	- do not leak when deserialiasing via THAW.
161	- implement and document CBOR::XS creation/access/mutate
162	methods.
163
164	0.05 Mon Oct 28 22:27:47 CET 2013
165	- do not leak hash keys on decoding.
166
167	0.04 Sun Oct 27 23:47:47 CET 2013
168	- implement TO_CBOR/FREEZE/THAW serialisation protocols.
169	- requested perl-object and generic-object tags from iana.
170	- switched to Types::Serialiser for true, false and error.
171	- disabled some fragile tests (thanks, andk).
172
173	0.03 Sun Oct 27 00:28:41 CEST 2013
174	- improve 32 bit platform compatibility.
175	- take more advantage of ecb.h.
176	- preliminary and bare-bones tagged support.
177	- improved docs.
178
179	0.02 Sat Oct 26 13:08:05 CEST 2013
180	- no aborts left.
181	- add $CBOR::XS::MAGIC.
182	- preliminary tagged decoding to arrayref.
183	- indefinite encoding fixed.
184	- half float decoding implemented.
185	- t/50_rfc.t adds test vectors from the rfc, which
186	are checked as applicable.
187
188	0.01 Fri Oct 25 21:39:56 CEST 2013
189	- original version; cloned from JSON-XS
190