forked from simpleid/simpleid
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGELOG.txt
323 lines (245 loc) · 9.4 KB
/
CHANGELOG.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
SimpleID 1.0.3 - 2020-09-21
---------------------------
- Security enhancements:
* #23 Configuration can now be in a separate conf directory
- Bug fixes:
* #35 Fix undefined index error in discovery.inc.php
SimpleID 1.0.2 - 2016-12-27
---------------------------
- Bug fixes:
* #158 Incorrect handling of fsock-based HTTP requests
SimpleID 1.0.1 - 2016-03-26
---------------------------
- Bug fixes:
* #154 Duplicate random_bytes() function as it is now also a native
function in PHP7
* #155 Infinite loop in cache.inc if a particular cache type has not been
created
SimpleID 1.0
------------
- Security enhancements:
* #149 Add PBKDF2 to available password hashing algorithms to improve
hashing security
* #150 Changed hash string comparison function to mitigate against
timing attacks
SimpleID 0.9.1
--------------
- Bug fixes:
* #147 Incorrect update_access_check warning when upgrading
* #148 Identity files with certlogin can now be symlinked from the
identities directory
SimpleID 0.9
------------
- Security enhancements:
* #9 Changed file extensions from .inc to .php
* #69 #71 Require HTTPS for login pages
* #100 Restricted path and added http_only flag for session cookies
* #101 Implemented HTTP strict transport security header
* #130 Added support for TOTP one-time passwords
- Improvements to identity files:
* #21 Allow non-MD5 hash algorithms and salted passwords
* #137 Identity files can now be symlinked from the identities
directory
- Improvements to user interface:
* #93 #106 Localization support
* #103 Enhanced simpleweb error pages
* #138 Refactored style sheets for better mobile device support
- New extension:
* #85 certauth extension for authentication using client SSL
certificates
- Improvements to SimpleID internals:
* #58 #72 Dropped support for PHP 4 and fixed up PHP syntax
warnings
* #110 Refactored authentication system to allow for custom authentication
extensions
* #131 Refactored cache system to improve performance
* #132 Refactored "remember me" cookies
SimpleID 0.8.5
--------------
- Bug fixes:
* #129 Fixed bug introduced in 0.8.4 regarding Warning if
suhosin.get.max_value_length configuration setting is too low
* #134 PHP syntax warnings under PHP 5.3
SimpleID 0.8.4
--------------
- Bug fixes:
* #123 Updated user interface to reflect change in SimpleID web site URL
* #125 Fixed line ending (CRLF vs LF) bug introduced when migrating from
SVN to Git
* #122 Fixed PEAR package not loading PEAR_Config
* #133 Fixed bug in bignum.inc where bignum_new() was returning $false
instead of false
- Improvements to SimpleID internals:
* #129 Warning if suhosin.get.max_value_length configuration setting
is too low
SimpleID 0.8.3
--------------
- Bug fixes:
* #119 Remove XRDS-Simple Type element from template.xtpl for Blogger
interoperability
SimpleID 0.8.2
--------------
- Bug fixes:
* #104 Detect missing PHP extensions
* #105 Incorrect CSS property in simpleid.css
* #108 Incorrect footer links
* #109 Incorrect processing of HTTP requests and responses when used with
SAPI CGI
* #112 Incorrect reference to html/consent.js in page.inc
- Improvements to user interface:
* #111 Replaced packaged version of jQuery with CDN version
SimpleID 0.8.1
--------------
- Bug fixes:
* #77 Incorrect detection of register_globals PHP configuration variable
* #86 PHP syntax warnings in filesystem.store.inc
* #88 Updated URL to Simple Registration Extension specification in
example.identity.dist
* #91 Missing parameters in simpleid_checkid_error()
* #92 Corrected path handling in simpleweb
* #98 Missing global variable in simpleid_openid_consent()
- Improvements to user interface:
* #94 Switch redirects from form-based to HTTP header-based
- Improvements to the PAPE extension
* #95 Added private personal identifiers
SimpleID 0.8
------------
- Improved OpenID specification compliance:
* Added read-only support for attribute exchange extension
* Addes support for provider authentication policy extension
- Improvements to user interfaces:
* #14 Added support for clean URLs
* #18 Improved comformance to HTML specifications in user interface
* #19 For OpenID immediate requests, assertion will not fail simply because
return_to has not been verified
* #23 Optional support for browsers to save SimpleID passwords
- Improvements to SimpleID internals:
* Refactored function names
* Refactored function layout in discovery.inc and openid.inc
* Opened up identity store code to allow support for non filesystem based
identity files
* Improved source code documentation
SimpleID 0.7.6
--------------
- Fixed directory traversal vulnerability SA-2011-1
(http://simpleid.sourceforge.net/advisories/sa-2011-1)
SimpleID 0.7.5
--------------
- Bug fixes:
* #61 PHP safe mode causing curl configuration issues
* #64 Issue with URL parsing under Simpleweb framework
SimpleID 0.7.4
--------------
- Fixed incorrect implementation of fix for PHP's handling of HTTP parameters.
SimpleID 0.7.3
--------------
- Bug fixes:
* #47 PHP syntax warnings in discovery.inc.
* #48 PHP syntax warnings in user.inc.
* #50 Fix for PHP's handling of HTTP parameters.
SimpleID 0.7.2
--------------
- Bug fixes:
* #40 PHP syntax warnings in simpleweb.inc.
* #42 PHP syntax warnings in index.php.
SimpleID 0.7.1
--------------
- Bug fixes:
* Incorrect specification for expiry time for auto login.
* Fixed verification of credentials under legacy authentication.
* Fixed incorrect signing of Simple Registration Extension response.
* Fixed Javascript for digest authentication.
* Used Javascript instead of forms for page redirection for better HTTPS
user experience.
SimpleID 0.7
------------
- Improved OpenID specification compliance:
* Added additional return_to verification using discovery.
* Fixed support for SHA256.
* Fixed indirect message URL encoding.
* Fixed filtering of extension-specific parameters.
* Fixed XRDS document for SimpleID.
- Preliminary implementation of the OpenID User Interface extension.
- Added support for GMP for improved performance for arbitary precision
arithmetic operations.
- Improved user interface:
* Separated Dashboard, My Profile and My Sites pages.
* Added "log in as different user" functionality.
* CSS improvements.
* Added framekiller code.
* Support for nicer URLs via mod_rewrite.
- Enhanced detection of SSL/TLS for user login page.
- Implemented flexible persistent storage system to store user data.
- Improved extension framework: major refactoring of hooks available to be
utilised by extensions.
- Improved URL routing framework: included simpleweb.inc.
- Added upgrade script.
- Enhanced logging of status and errors.
- Enhanced code documentation.
SimpleID 0.6.5
--------------
- Bug fixes:
* Fixed XSS vulnerability in user login page.
* Fixed XRDS-Location HTTP header.
SimpleID 0.6.4
--------------
- Fixed user interface bug on trusted sites page (disable Submit button when
there are no trusted sites).
SimpleID 0.6.3
--------------
- Fixed session_type verification response when using OpenID 1.1 associations.
SimpleID 0.6.2
--------------
- Fixed session_type verification issue when using OpenID 1.1 associations.
SimpleID 0.6.1
--------------
- Fixed return_to verification issue when using OpenID 1.1 (legacy handling of
nonce parameter).
SimpleID 0.6
------------
- Bug fixes:
* Fixed syntax errors in openid.inc.
* Fixed incorrect error authentication response.
- Implemented digest authentication for user login (security enhancements).
- Implemented persistent login
- Enhanced form security:
* Added form token verification.
* Enhanced encoding of HTML special characters.
- Improved compliance against OpenID specifications:
* Added return_to verification.
- Changed extension of extensions from .inc to .extension.inc.
- Enhanced code documentation.
SimpleID 0.5.1
--------------
- Bug fixes:
* Removed remnants of maths question (removed in SimpleID 0.5) from user.inc
- Included Simple Registration Extension by default
SimpleID 0.5
------------
- Bug fixes:
* Removed XSS vulnerabilities
* Fixed incorrect processing of Simple Registration Extension parameters
* Fixed URL for identifier selection.
- The identifier variable is now optional in identity files. SimpleID automatically
assigns an identifier to all identities where this is not specified.
- Log in security improvements:
* Removed requirement to complete a maths question to log in.
* Added nonce check into login page to detect repeat attacks.
- Improved compliance against OpenID specifications:
* Enhanced support for OpenID 2.0.
* Enhanced checking of request parameters.
* Added support for discovery of SimpleID services via XRDS.
- Support for SHA256 where this is compiled into PHP.
- Added default profile page and XRDS document for each user.
SimpleID 0.2.1
--------------
- Bug fixes:
* Removed incorrect and legacy handling of nonce parameter in OpenID 1.1
authentication responses
SimpleID 0.2
------------
- Bug fixes:
* Fixed template compile error in Simple Registration Extension.
SimpleID 0.1
------------
- Initial release