1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
|
Changes in version 1.3.1
Bug Fixes:
* Readd PEAR support to the package [#30] (Joachim Fritschi)
* fix a __autoload conflicts in the autoloader [#36] (Joachim Fritschi)
* fix PEAR code style errors [25] (Joachim Fritschi)
* properly unset variables during checkAuthenticate[#35] (Joachim Fritschi)
Changes in version 1.3.0
Improvements:
* enable single sign-out when session has already started [#29] (Benvii)
Changes in version 1.3.0RC1
Bug Fixes:
* the saml logout url should be parsed urlencoded [#24] (dlineate)
* fix a proxy mode bug introduced in a previous comitt [#16] (Adam Franco)
* Fix include_path order so that the phpCAS path takes precedence [#13] (Adam Franco)
* fix invalid characters in the php session naming [#17] (Joachim Fritschi)
* fix an initialisation problem introduced in the PGT storage [18] (Daniel Frett)
* make sure the PGTStorage object is initialized if a user is utilizing the createTable method [#4] (Daniel Frett)
* Fix error message in phpCAS::setCacheTimesForAuthRecheck() [PHPCAS-132/#1] (Bradley Froehle)
* Always return attributes in utf8 [PHPCAS-102]
* Fix warning during debugging if debug is set to false [PHPCAS-123] (Sean Watkins)
New Features:
* Add a script to create the PGT db table in proxy mode [#11] (Joachim Fritschi)
* Switch to the Apache License [#5] (Adam Franco, Joachim Fritschi)
* Move to github and add all necessary file to package [#12] (Adam Franco)
* New build process for github [#12] (Adam Franco)
* Update unit tests to work with the lastest phpunit version [PHPCAS-128] (Adam Franco)
* Refacatoring of the protocol decision making to allow validation of proxied usage [PHPCAS-69] (Joachim Fritschi, Adam Franco)
* Rebroadcast of logout and pgtiou to support clustered phpcas [PHPCAS-100] (Matthew Selwood, Adam Franco)
Improvements:
* Improved cookie handling [] (Adam Franco
* Indent, format and user name guidelines of PEAR [#14] (Joachim Fritschi)
* Add a class autoloading feature [PHPCAS-125/#8] (Joachim Fritschi)
* Remove global variables [PHPCAS-126] (Adam Franco)
* Implementation of an exception framework to allow gracefull termination [PHPCAS-109] (Joachim Fritschi)
Security Fixes:
* CVE-2012-1104 validate proxied usage of a service [PHPCAS-69] (Joachim Fritschi, Adam Franco)
* CVE-2012-1105 change the default PGT save path to the session storage path and set proper permissions [#22] (Joachim Fritschi)
Changes in version 1.2.2
Bug Fixes:
* Improve compatibility with php < 5.3 for E_USER_DEPRECATED [PHPCAS-116] (Hugh Eaves)
Changes in version 1.2.2RC1
Bug Fixes:
* CASClient::getURL() cannot be private [PHPCAS-103] (Joachim Fritschi)
* CASClient::getServerServiceValidateURL() doesn't respect existing query strings [PHPCAS-104] (Bradley Froehle, Joachim Fritschi)
* CASClient::retrievePT() must be a public function [PHPCAS-107] (Joachim Fritschi)
* Expose setNoClearTicketsFromUrl() to the client [PHPCAS-108] (Joachim Fritschi)
* Remove the PGT filestorage in xml format that is not implemented [PHPCAS-112] (Joachim Fritschi)
* Fix compatibility of the PGT db storage interface with postgres [PHPCAS-113] (Joachim Fritschi)
Improvement
* Support for proxied POST requests. [PHPCAS-90] (Adam Franco)
* Add missing example for the new pgt-db storage [PHPCAS-101] (Joachim Fritschi)
* CASClient::getServerLoginURL(): Don't cache gateway/renew parameters [PHPCAS-105] (Bradley Froehle)
* fix parsing of cookies with special symbols in their values [PHPCAS-106] (Joachim Fritschi)
* Removal of the debug_backtrace hack for php4 [PHPCAS-110] (Joachim Fritschi)
* Clean up the naming structure of the classes [PHPCAS-111] (Joachim Fritschi)
* Better debug log output format [PHPCAS-114] (Joachim Fritschi)
* Many more examples and one central config. Improved code documentation [PHPCAS-86] (Joachim Fritschi, Adam Franco)
Changes in version 1.2.1
* None
Changes in version 1.2.1RC1
Improvements
* add support for storing PGTs in a database [PHPCAS-94] (Daniel Frett)
Bug Fixes
* phpCAS::setDebug(FALSE) should stop logging [PHPCAS-95] (Joachim Fritschi)
* fix checkAuthenticate return value documentation [PHPCAS-92] (Joachim Fritschi)
* fix PGTStorage contructor name [PHPCAS-93] (Daniel Frett)
* fix the PHPCAS_SERVICE_NOT_AVAILABLE constant [PHPCAS-91] (Daniel Frett)
* fix redirection with multiple proxies in HTTP_X_FORWARDED_HOST [PHPCAS-98] (Joachim Fritschi)
* fix some undefinde variable warnings in debug mode [PHPCAS-96] (Joachim Fritschi)
Changes in version 1.2.0
* None
Changes in version 1.2.0RC2
Improvements
* add callback hooks during authentication and single sign-out [PHPCAS-76] (Adam Franco)
Changes in version 1.2.0RC1
Improvements
* add hasAttribute($key) and getAttribute($key) [PHPCAS-43] (Adam Franco)
* add unit tests for cas 2.0 attribute support [PHPCAS-88] (Adam Franco)
* expose the proxy chain through the phpcas interface [PHPCAS-89] (Adam Franco)
* add deprecation messages to the logout functions with an url parameter [PHPCAS-85] (Joachim Fritschi)
Bug Fixes
* fix public/private modifier for some functions [PHPCAS-87] (Joachim Fritschi)
Changes in version 1.2.0-beta1
Bug Fixes
* fix redirection behind a proxy. [PHPCAS-78] (Alex Barker)
* remove the bogus setCasServerCert() function and clean up the curl ssl settings [PHPCAS-84] (Joachim Fritschi)
Improvements
* mark the logout functions with an url parameter a deprecated [PHPCAS-85] (Joachim Fritschi)
* add public/private modifier for all vars and functions [PHPCAS-77] (Joachim Fritschi)
* add a testing framwork that implement on and offline testing capabilities [PHPCAS-66] (Adam Franco)
* add RFC compliant cookie storage for the proxy() mode. [PHPCAS-54] (Adam Franco)
* removal of the domxml compatibility lib [PHPCAS-72] (Matthew Brooks, Joachim Fritschi)
* add support for attributes for the cas_2.0 protocol [PHPCAS-43] (Joachim Fritschi, Adam Franco)
* removal of unused code and comments [PHPCAS-63] (Joachim Fritschi)
* fix static function warnings for php 5.x [PHPCAS-46] (Joachim Fritschi)
Changes in version 1.1.3
Bug Fixes
* removal of the non functional pgt-db backend [PHPCAS-65] (Joachim Fritschi)
Changes in version 1.1.3RC1
Security Issue
* CVE-2010-3690 phpCAS: XSS during a proxy callback [PHPCAS-80] (Joachim Fritschi)
* CVE-2010-3691 phpCAS: prevent symlink attacks during a proxy callback [PHPCAS-80] (Joachim Fritschi)
* CVE-2010-3692 phpCAS: directory traversal during a proxy callback [PHPCAS-80] (Joachim Fritschi)
Bug Fixes
* fix missing $this in domxml-php4-to-php5 [PHPCAS-73] (Iñaki Arenaza)
* fix broken redirection with safari [PHPCAS-79] (Alex Barker)
* fix missing exit() call during ticket validation [PHPCAS-76] (Igor Blanco,Joachim Fritschi)
* fix a notice because REQUEST_URL is not defined on IIS [PHPCAS-81] (Iñaki Arenaza)
* fix a typo in pgt-db.php [PHPCAS-75] (Julien Cochennec)
Improvements
* upgrade domxml-php4-to-php5 to the newest version [PHPCAS-74] (Joachim Fritschi)
Changes in version 1.1.2
* None
Changes in version 1.1.2RC2
Bug Fixes
* Prevent domxml-php4-to-php5 to be inclueded twice [PHPCAS-48] (Brad Krane)
Changes in version 1.1.2RC1
Security Issue
* Fix a session hijacking hole CVE-2010-2795 [PHPCAS-61] (Joachim Fritschi)
* callbackurl in proxy mode should be urlencoded CVE-2010-2796 [PHPCAS-67] (Joachim Fritschi)
Improvement
* Debuglog contains phpCAS version information [PHPCAS-62] (Joachim Fritschi)
Bug Fixes
* Fix warnings for SAML responses without attributes [PHPCAS-59] (Joachim Fritschi)
* Fix duplicate SAML debug output [PHPCAS-64] (Joachim Fritschi)
* Providing a new ST/PT/SA during an authenticated session will be ignored
and a warning will be issued to the debug log. [PHPCAS-61] (Joachim Fritschi)
* fix 2 undefinded variable notices in serviceWeb() [PHPCAS-68] (Joachim Fritschi)
Changes in version 1.1.1
Improvement
* On Single Sign Out destroy any existing application session before deleting the phpcas session [PHPCAS-58] (Joachim Fritschi)
Changes in version 1.1.1RC2
Bug fixes
* Fix bug in handling urls containing parameters without values [PHPCAS-57] (Joe Lencioni)
* New XSS patch for PHPCAS-52 that was undone in r48507 [PHPCAS-57] (Joachim Fritschi)
Changes in version 1.1.1RC1
Bug fixes
* Fix bug in restoring an existing session [PHPCAS-55] (Joachim Fritschi)
Changes in version 1.1.0
Improvement
* Replace deprecated split() with explode(). [PHPCAS-42] (Joe Lencioni)
Changes in version 1.1.0RC8
Bug fixes
* Add additional comments regarding the use of serviceValidate and proxyValdiate [PHPCAS-44] (Joachim Fritschi)
* Revert all changes made to the ticket parsing in r47347 r48210 [PHPCAS-44] (Joachim Fritschi)
* Fix warning when destroying uninitialized session [PHPCAS-53] (Yann Richard,Joachim Fritschi)
Changes in version 1.1.0RC7
Security fixes
* Fix XSS Vulnerability. Sanatize parameters before using the url submitted by a client [PHPCAS-52] (Joachim Fritschi)
Changes in version 1.1.0RC6
Bug fixes
* restore any possible old session before renaming the session [PHPCAS-50] (Joachim Fritschi)
Changes in version 1.1.0RC5
Bug fixes
* fixed don't destroy existing sessions unless needed, more debug output [PHPCAS-50] (Joachim Fritschi)
Changes in version 1.1.0RC4
Bug fixes
* fixed use PHP4 functions to parse saml11 attributes [PHPCAS-51] (Joachim Fritschi)
Changes in version 1.1.0RC3
Bug fixes
* added a check for missing params [PHPCAS-42] (Joachim Fritschi)
Changes in version 1.1.0RC2
New features
* added custom validation Urls [PHPCAS-45] (Joachim Fritschi).
Bug fixes
* fixed PGT DB storage parameter list [PHPCAS-47] (Paul Merchant, Jr.)
* fixed parsing of STs [PHPCAS-44] (Joachim Fritschi)
* fixed session initialisation [PHPCAS-50] (Joachim Fritschi)
* fixed urls with than one query parameter [PHPCAS-42] (Caio Chassot)
Changes in version 1.1.0RC1
New features
* added SAML support [PHPCAS-40] (Brian Long and Matthias Crauwels).
Bug fixes
* fixed invalid validation URLs [PHPCAS-39] (Alex Danieli).
* removed old PHP4 references [PHPCAS-41] (Yann Richard).
* fixed curl options [PHPCAS-38] (Andy Cowling).
Improvement
* added accept IP addresses for allowed clients [PHPCAS-37] (Arunas Stockus)
Changes in version 1.0.2RC1
Bug fixes
* fix redirections masking error messages [PHPCAS-36] (Olivier Berger)
* fixed validatePGT() failing on phpCAS::traceBegin() with newer domxml-php4-to-php5.php [PHPCAS-35] (Olivier Berger)
* Fixed missing exit() at end of callback() method [PHPCAS-34] (Olivier Berger)
* Update included domxml-php4-php5.php to most recent version now under LGPL [PHPCAS-30] (Olivier Berger)
* fixed empty $target_service in CAS_Client:serviceMail [PHPCAS-22] (Julien Marchal).
Changes in version 1.0.1
Bug fixes
* fixed PEAR base install directory [PHPCAS-28] (Brett Bieber).
* fixed illegal characters in session id [PHPCAS-29] (Michael Ströder, Brett Bieber).
* fixed refresh with ticket causes authentication failure [related to PHPCAS-27] (Brett Bieber).
* fixed conflict with custom session handlers [PHPCAS-26] (Martin Gonzalez).
Changes in version 1.0.0
New features
* phpCAS is now PEAR-installable (Brett Bieber).
* added method handleLogoutRequests() to handle logout requests incoming from the CAS server (Julien Marchal and Pascal Aubry, requested by Craig Andrews).
* added methods setHttpProxy(), setNetworkInterface() and setExtraCurlOptions() (Stéphane Gully).
Enhancements
* removed undesirable notice (Glennie Vignarajah).
* removed PEAR DB dependency when storing PGTs to the filesytem (Stéphane Gully).
Changes in version 0.6.0
New features
* added methods setCasServerCert() and setCasServerCaCert() to authenticate the CAS server, and method setNoCasServerValidation() to skip the SSL checks (Pascal Aubry, requested by Andrew Petro).
* Added spanish and catalan translations (Ivan Garcia).
Bug fix
* fixed PGT storage path on Windows (Olivier Thebault).
Changes in version 0.5.1
New features
* restored method isAuthenticated() (Julien Marchal).
Changes in version 0.5.0
New features
* added japanese translation (Noriyuki Fukuoka).
* added german translation (Henrik Genssen).
* phpCAS now works for CAS v3 proxy tickets (Matt Zukowski).
* phpCAS now also works with lighttpd (Marvin Addison)
Bug fixes
* fixed method setHTMLFooter() (Noriyuki Fukuoka).
* fixed method setHTMLHeader() (Xavier Castanho).
* fixed method isHttps() (Henrik Genssen).
* fixed method PGTStorageDB() (Ray Lambe).
* encode all the parameters, not only '&' characters (Matthew Debus).
* fixed ST proxy tickets (Julien Marchal).
Changes in version 0.4.23
Enhancement
* removed notice messages (David Lowry).
Changes in version 0.4.22
Bug fix
* added default value for parameter gateway in methods setServerLoginUrl() and redirectToCas() (Velpi).
New Feature
* added method isSessionAuthenticated() (Brendan Arnold).
Other change
* removed the call to error_reporting() to allow the configuration of error reporting at server level (Pascal Aubry, requested by Sylvain Derosiaux).
Changes in version 0.4.21
Bug fix
* some URLs were ill-formed in some rare circumstances (Jérôme Andrieux).
New Feature
* added methods setServerLoginURL() and setServerLogoutURL() (Wyman Chan).
Changes in version 0.4.20
New feature
* phpCAS::checkAuthentication() implements the gateway feature of CAS (Pascal Aubry, requested by Romuald Lorthioir).
Other change
* phpCAS::authenticateIfNeeded() was renamed phpCAS::forceAuthentication() (Pascal Aubry).
Changes in version 0.4.19
New features
* the service URL for the CAs server can be fixed with method phpCAS::setFixedServiceURL (Julien Marchal).
* the callback URL used to receive PGTs can be fixed with method phpCAS::setFixedCallbackURL() (Julien Marchal).
* added a CAS_Client wrapper to class phpCAS for method retrievePGT() (Julien Marchal).
Changes in version 0.4.18
Bug fixes
* debugging information was missing (Alexandre Boisseau).
* used an undefined variable in pgt-file.php (Alexandre Boisseau).
Changes in version 0.4.17
Enhancement
* made phpCAS PHP5 compliant (Vangelis Haniotakis).
Changes in version 0.4.16
Enhancement
* added the possibility not to start the session management (Vangelis Haniotakis).
Changes in version 0.4.15
Enhancement
* added a hack to make phpCAS work with IIS (Vangelis Haniotakis).
Changes in version 0.4.14
Enhancement
* a URL can be given to the CAS server on logout (Sébastien Gougeon and Yann Richard).
Changes in version 0.4.13
Bug fix
* Removed infinite loop in debug mode (Robert Legros).
Changes in version 0.4.12
Enhancement
* phpCAS now works even if the web server does not set SERVER_NAME, by relying on HTTP_HOST (Terence Chiu).
Changes in version 0.4.11
Bug fix
* A typo prevented ticket validation to work correctly (Robert Legros).
Changes in version 0.4.10
Enhancement
* phpCAS was previously working with PHP >= 4.3.0. A debug_backtrace() wrapper was added and get_elements_by_tagname() calls were modified to make phpCAS work with phpCAS >= 4.2.2 (Robert Legros).
Changes in version 0.4.9
New features
* Added greek translation (Haniotakis Vangelis).
Changes in version 0.4.8
Enhancements
* PEAR's DB.php inclusion is done only if a DB class was not already included. This eases the integration into some stand-alone tools that already include DB.php, like Tikiwiki (Pascal Aubry, requested by Terence Chiu).
Changes in version 0.4.7
Enhancements
* PHP session is now destroyed when using the phpCAS::logout() method (Pascal Aubry, requested by Ruben Recaba).
* Call getenv() whenever possible instead of directly dealing with environment variables (with $_ENV['xxx']), as $_ENV is not available par default on some Windows systems (Pascal Aubry).
* Set error reporting level to E_ALL ~ E_NOTICE (Pascal Aubry).
* Added the release number in the name of the main directory of the zip distribution file (Pascal Aubry, requested by Vincent Mathieu).
* Explicitly set certificate control to get round with different curl default configurations (Wyman Chan).
Changes in version 0.4.6
Security bug fix
* Credentials given to HTTP realms were given in the service URLs to the CAS server (Julien Marchal).
Enhancements
* phpCAS now works behind an Apache reverse proxy (Julien Marchal).
Changes in version 0.4.5
Enhancements
* Developer releasing is now made by ant (Pascal Aubry).
Bug fixes
* CAS/PGTStorage files have been renamed to fit to Windows case insensitivity (Pascal Aubry);
* %TMP% and %TEMP% environment variables are now taken into account to set the location of the log file (Pascal Aubry).
Changes in version 0.4.4
Enhancement
* ticket retrieval and validation is now made with curl (Pascal Aubry).
Changes in version 0.4.3
Bug fix
* phpCAS was not exiting right after redirecting in callback mode (Julien Marchal)
Changes in version 0.4.2
New features
* Authentication checking is not necessarily redirecting to the CAS server (introduced phpCAS::isAuthenticated()) (Pascal Aubry)
* phpCAS can now be used to access IMAP/POP3/NNTP services (cf phpCAS::serviceMail()) (Pascal Aubry)
Enhancements
* debugging informations has been improved and is now send to a separate file (/tmp/phpCAS.log by default, can be changed by phpCAS::setDebug()) (Pascal Aubry)
Changes
* phpCAS::authenticate() is replaced by phpCAS::authenticateIfNeeded() (semantics unchanged) (Pascal Aubry)
* phpCAS::service() is replaced by phpCAS::serviceWeb() (semantics unchanged) (Pascal Aubry)
* phpCAS::setDebug() accepts FALSE (to stop debugging) or the name of a file (to log informations) (Pascal Aubry)
Changes in version 0.4.1
New features
* Sessionning between CAS proxies and services (Pascal Aubry)
Changes in version 0.4
New features
* CAS proxies can be chained (Pascal Aubry)
* improved error printing and debugging (introduced phpCAS::error()) (Pascal Aubry)
Enhancements
* proxy parameter removed from phpCAS::client() and introduced phpCAS::proxy() (Pascal Aubry)
* moved history from CAS/doc.php to history.php (create_version script updated accordingly) (Pascal Aubry)
* improved type-checking and controls for phpCAS methods (Pascal Aubry)
Changes in version 0.3.2
New features
* CAS proxies now work with HTTP (HTTPS only used for callbacks) (Pascal Aubry)
Changes in version 0.3.1
Bug fixes
* syntax error in CAS/Client.php (Julien Marchal)
Changes in version 0.3
New features
* CAS proxies are now supported (but no PGT retrieving for proxied client) (Pascal Aubry)
* introduced phpCAS container (Pascal Aubry)
Bug fixes
* CAS_LANG_DEFAULT is now taken into account (Pascal Aubry)
TODO
* support for PGT storage to databases (Pascal Aubry)
* PGT retrieving for proxied clients (Pascal Aubry)
Version 0.2
Features (Pascal Aubry)
* `Basic' (1.0) CAS mechanism supported (CAS proxies not implemented)
* Support for CAS versions 1.0 and 2.0 URL's
* Debug mode
* Customization of all output pages
* Internationalization (english and french, looking for translators...)
|
