CppCMS 0.99.7 Released
Security Bugs:
- Fixed incorrect key parsing that reduced the entropy of AES and HMAC keys
- Fixed incorrect HMAC key definition when using separate keys for CBC and MAC
All users are encouraged to upgrade to the latest version. If that is not possible, do the following:
- Use session.client.key or session.client.key_file over separate session.client.cbc and session.client.hmac or session.client.cbc_key and session.client.hmac_file
  Note: if you use session.client.hmac or session.client.hmac_file only (MAC authentication without encryption) then the problem does not affect you.
- Increase secret key size by at least 1.5 - this is relevant for both encryption and hmac authentication.
New Features:
URL Mapping - the opposite of URL Dispatching - has been created. Now every URL can be easily abstracted from the physical URL.
It allows creating hierarchies of applications that refer to each other using named URLs.
Caching system:
- Added support of dependent triggers recording using cppcms::triggers_recorder class
- Added cache support at templates level
- Added "tee" filter for better caching support of HTML fragments
Template System
- Provided basic unit-testing
- Provided access to the application that renders the view, giving a basis for access to many features like sessions, cache and so on.
- Added <% url ... %>, <% cache ...%>, <% trigger ... %> tags
- Improved error reporting
- Added <%= variable | filters%> style of rendering to allow overriding reserved words and variables
Updated Message Board example to use url mapping
Boost.Locale features:
- Default locale is UTF-8 on windows
- Support of Gregorian calendar for non-ICU backends
- Support of checking if the time is in daylight savings time to the calendar
- Performance optimization in formatting and collation
Redesigned booster::socket class, split into set of smaller classes according to their roles
Optimization for embedded builds: added support for removing modules that may not be useful for embedded applications:
- Cache storage, prefork storage, distributed cache storage
- GZip compression
Support of graceful shutdown of fastcgi process by Apache on Windows using libfastcgi waiting style
Improved boost::thread api to support detach member function
Booster: support of timegm, making booster::ptime symmetric.
Bugs:
- Fixed bug #3177531 - invalid port/ip returned in CGI headers when using "list" of apis
- Cleanup of set() property, make sure it is set to false only in cases where it is really needed, and turn it on by default on most widgets Fixing F.R. #3177317
- Changed warning level to -Wall -Wextra, warnings cleanup
- Boost.Locale - workaround of ICU time zone detection bug
- Fixed incorrect rendering of input form when pointer involved
- Fixed issue with urandom device when running with limited user under Windows
- Fixes of MSVC-2005 issues
It is official, Boost.Locale on its way to formal review
Now it is official: Boost.Locale is scheduled for a formal review on April 7-16.
Boost.Locale is an important part of CppCMS, as it was developed for its needs. However, I had found that this library was so important and useful that I decided to "Boostify" it and make it ready for a formal review for Boost.
What does it provide:
- Message formatting based on gettext dictionaries
- Localized numbers, dates, currency formatting and parsing (and more)
- Collation
- Text manipulations like case handling and Unicode normalization
- Text Boundary analysis
- Support of non-Gregorian calendars like Hebrew calendar.
- And much more
Most of these features are based on the state-of-the-art Unicode library ICU, but it also allows handling many of them using only the standard operating system API, significantly reducing its size and its requirements for external components.
Most important is that it provides a platform-independent and uniform interface
for C++ localization and internationalization, tightly integrated with C++ iostreams
and the existing std::locale framework.
The most up-to-date version of the library and documentation will be released soon.
Security Issue Fix Release: 0.99.6 and 0.0.8
This release fixes a security issue present in CppCMS 1.x.x version <= 0.99.5 and CppCMS 0.0.x <= 0.0.7.
The Issue
Who is affected?
Users who use AES encrypted cookies for session data storage
What is the risk
An attacker may create session data that was not generated by the CppCMS application, so the attacker may change the content of the session to something else and potentially, for example, gain rights that they do not have.
What is not exposed
The privacy of the data stored in the session is not affected.
Recommendations
It is recommended to upgrade to the latest CppCMS version.
Workaround
If that is not possible and you are using AES encrypted cookies as session storage, do one of the following:
- Switch to "hmac" signed cookies if the data that is stored in cookies is not confidential.
- Switch to server side session storage.
Detailed Description
The Problem Description
The redundancy check of AES encrypted session cookies was too weak, allowing an attacker to create cookies that would look like valid cookies generated by CppCMS but would contain invalid content.
In more detail, the cookies were created as follows:

Where k is secret key, P is the encoded data and C the cookies stored at client side.
However this scheme is weak and does not really protect against creation of invalid content. There are known attacks against
, I assume attacks against the scheme above can be created as well.
The Fix Provided
The cookies data is now encrypted and signed as:

Where MAC is HMAC-SHA1 and k1, k2 are keys that are either provided or generated from the source key k as
Additional Configuration Options (CppCMS 1.x.x)
Added a way to provide explicit MAC and encryption algorithm:
- session.client.hmac - the HMAC algorithm: md5, sha1, sha192, sha256, sha384 and sha512
- session.client.hmac_key - the key for MAC
- session.client.cbc - the encryption algorithm aes, aes128, aes192, aes256
- session.client.cbc_key - the key for encryption algorithm
You may specify only hmac and hmac_key, and then the cookies would be only "signed"; if you specify cbc and cbc_key they would also be encrypted.
When you use the current method, specifying session.client.encryptor with "aes", HMAC-SHA1 would be used to ensure authentication, and the MAC and encryption keys would be generated from the provided session.client.key.
You may also store the key in a file and use:
- session.client.hmac_key_file
- session.client.cbc_key_file
- session.client.key_file
Instead of
- session.client.hmac_key
- session.client.cbc_key
- session.client.key
The file pointed to by this value is a text file that holds the hexadecimal representation of the key you need to use.
These keys are read before switching the user and forking, which allows the key files to be made non-readable during normal run-time.
CppCMS 0.0.8 AES Encryption
It uses AES128 for secrecy and HMAC-SHA1 for authentication; the keys for each of them are generated from the single key provided in the configuration file.
Additional Bug Fixes:
- Fixed incorrect url-encoding that also included buffer overflow in CppCMS 1.x.x
- Fixed base64_urlencode filter.
CppDB changes license.
I had decided to change the license of CppDB (the SQL Connectivity Library) to a permissive one.
Now CppDB is dual licensed under Boost Software License or MIT License.
I actually would like to release it under BSL only, but unfortunately the MySQL connector does not have a GPL exception for this license - so if you use GPL MySQL connector with CppDB you should follow the MIT license terms.
This was the step I had planned to do from the beginning as it would bring more potential users for this specific part of CppCMS project and as it would probably allow it being integrated to the Boost project in future.
Due to license change CppDB 0.0.3 was released that has exactly the same code as CppDB 0.0.2 but has BSL/MIT license instead of LGPLv3.
Of course the CppCMS itself remains licensed under LGPLv3 and this is not going to be changed.
CppDB 0.0.2 Released
New Features:
- Performance optimizations in connection opening when using pool.
- Added advanced MySQL options support, patch from Krzysztof (kyku)
Bugs:
- Fixed crash on process shutdown when connections pool is used. The crash was caused by incorrect order of unloading the driver and closing shared object.
- Added missing copy constructor.
- Fixed error reporting in PostgreSQL backend when statement preparation fails.

