
FuelPHP Forums

Problem upgrading from v1.1 to v1.2
  • I've been using v1.1 for a while now and thought I'd experiment with v1.2. The change log states: "Security class now requires you to define the security.output_filter application config setting. An exception is thrown if it isn't present." I'm a bit confused by this. I checked my app/config/config.php file and there's an array for 'security' with 'output_filter' => array('Security::htmlentities'), however I get a parsing error: Fuel\Core\FuelException [ Error ]: There is no security.output_filter defined in your application config file. Also, if I go to the new V1.2 documentation and look under Core > Security Class, I see no 'output_filter' listed in the configuration parameters. What am I missing?
  • I've got this:
    'security' => array(
     'output_filter'  => array('Security::htmlentities'),
    ),
    
    in my config file, and that works fine. Where exactly is this exception generated ( file and line # )? As for the docs, that is clearly an omission that needs to be fixed. I've added it to the todo list for 1.2.1.
  • My 'security' array is the same as for V1.1. I haven't added any of the new parameters yet.
     /**
      * Security settings
      */
     'security' => array(
      'csrf_autoload'   => false,
      'csrf_token_key'  => 'fuel_csrf_token',
      'csrf_expiration'  => 0,
      'uri_filter'   => array('htmlentities'),
    
      /**
       * This input filter can be any normal PHP function as well as 'xss_clean'
       *
       * WARNING: Using xss_clean will cause a performance hit.  How much is
       * dependant on how much input data there is.
       */
      'input_filter'   => array(),
    
      /**
       * This output filter can be any normal PHP function as well as 'xss_clean'
       *
       * WARNING: Using xss_clean will cause a performance hit.  How much is
       * dependant on how much input data there is.
       */
      'output_filter'  => array('Security:htmlentities'),
    
      /**
       * Whether to automatically filter view data
       */
      'auto_filter_output'  => true,
    
      /**
       * With output encoding switched on all objects passed will be converted to strings or
       * throw exceptions unless they are instances of the classes in this array.
       */
      'whitelisted_classes' => array(
       'Fuel\\Core\\Response',
       'Fuel\\Core\\View',
       'Fuel\\Core\\ViewModel',
       'Closure',
      )
     ),
    
    The error is at: COREPATH/classes/security.php @ line 59
    // throw an exception if no the output filter setting is missing from the app config
    57        if (\Config::get('security.output_filter', null) === null)
    58        {
    59            throw new \FuelException('There is no security.output_filter defined in your application config file');
    60        }
    61    }
    

  • Hmm, something else is going on. I traced the _init() function in core/classes/security.php, and it doesn't appear to be correctly reading the app/config/config.php file. For example, I have security.csrf_autoload set to false, yet the _init() function is returning true which is the default. Is there perhaps a significant change in v1.2 that I'm missing?
  • 'output_filter' => array('Security:htmlentities'), Security::htmlentities. Two colons needed.
  • Mitchell wrote on Sunday 17th of June 2012:
    Is there perhaps a significant change in v1.2 that I'm missing?
    No, nothing in config.php has been changed between 1.1 and 1.2. The only thing related is that output_filter is now required. But you've got it in there (albeit with a typo like Kenijs pointed out). Can you \Debug::dump(\Config::$items) in the Security class _init() method, so we know for sure there's nothing wrong with your loaded config? You don't have a config.php in your config/<environment> folder that would overwrite stuff in your global config file?
  • Oops, thanks for pointing out the missing colon. I originally had both colons, but at one point I tried array('htmlentities') and forgot the extra colon when I went back. Anyway, the missing colon didn't make any difference. When I debug \Config::$items in the Security Class _init(), I don't see the security parameters in there. I only see arrays for 'session' and 'db'. So it looks like the config.php file is not being read. I don't have another config.php file in my config/<environment> folder. BTW, I assume you mean something like config/development?
  • Yes, that was what I meant. How old was your previous installation? I mean app and public? The main config file (app/config/config.php) is processed by Fuel's init. Which config it must process is specified by the call to init, which is in your app/bootstrap.php, on the last line. This is the default app bootstrap:
    <?php
    
    // Load in the Autoloader
    require COREPATH.'classes'.DIRECTORY_SEPARATOR.'autoloader.php';
    class_alias('Fuel\\Core\\Autoloader', 'Autoloader');
    
    // Bootstrap the framework DO NOT edit this
    require COREPATH.'bootstrap.php';
    
    
    Autoloader::add_classes(array(
     // Add classes you want to override here
     // Example: 'View' => APPPATH.'classes/view.php',
    ));
    
    // Register the autoloader
    Autoloader::register();
    
    /**
     * Your environment.  Can be set to any of the following:
     *
     * Fuel::DEVELOPMENT
     * Fuel::TEST
     * Fuel::STAGE
     * Fuel::PRODUCTION
     */
    Fuel::$env = (isset($_SERVER['FUEL_ENV']) ? $_SERVER['FUEL_ENV'] : Fuel::DEVELOPMENT);
    
    // Initialize the framework with the config file.
    Fuel::init('config.php');
    
  • I'm upgrading from the V1.1 release. I just checked the Fuel::$env variable, and it's set to Fuel::Test ('test'). But are you saying that there's a different config file for each environment? In V1.1, I only have one config.php file in app/config.config.php.
  • No, I didn't say that (although that is perfectly possible). If it's in app/config, it is global for all environments. This line in app/bootstrap.php starts the framework and indicates the config to load:
    // Initialize the framework with the config file.
    Fuel::init('config.php');
    
    If this is present then I can't conclude other than that the config file is loaded (you could check that in the Fuel::init method), but something in your code is resetting/overwriting the config.
  • Ok, I figured it out. The config.php file was not being loaded due to personal stupidity. There was a missing closing parenthesis for one of the arrays in the config.php file which was preventing the file from being loaded. Strangely, it didn't throw a PHP error or add an entry to the log file. Thanks very much for your help. It got me looking in the right places.
  • I also had this error when upgrading to 1.2. What I thought would be nice is if the default config.php was in core/config, and app/config/config.php just had your own changes. Just like how the other config files are.
  • There is no default config in core to force you to define your own config. People tend to be lazy and not change any defaults that are set. For the same reason there is no default crypt config. This change is documented in the changelog, as one of the items you should check before upgrading to 1.2.
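
The two failures in this thread (a config file that does not parse, and an `output_filter` entry written with a single colon) can be caught by a check run before deployment. This is an added example, not part of the thread or of FuelPHP; `load_config_file()`, `check_security_config()` and the sample configs are constructed for illustration and assume PHP 7 or later.

```php
<?php
// Added example, not FuelPHP code. Function names and rules are assumptions for illustration.

// Load a config file; a parse error becomes a reported problem instead of a silent failure.
function load_config_file(string $path, array &$problems): array
{
    try {
        $config = include $path;
    } catch (\ParseError $e) {
        $problems[] = sprintf('config does not parse: %s (line %d)', $e->getMessage(), $e->getLine());
        return array();
    }
    if (!is_array($config)) {
        $problems[] = 'config file did not return an array';
        return array();
    }
    return $config;
}

// Check that security.output_filter is defined and every entry is a plausible filter name.
function check_security_config(array $config): array
{
    $filters = $config['security']['output_filter'] ?? null;
    if (!is_array($filters)) {
        return array('security.output_filter is not defined as an array');
    }
    $problems = array();
    foreach ($filters as $f) {
        // Accept "function" or "Class::method"; a single colon is the typo from the thread.
        if (!is_string($f) || !preg_match('/^\\\\?\w+(\\\\\w+)*(::\w+)?$/', $f)) {
            $problems[] = sprintf("output_filter entry '%s' is not a function or Class::method name", is_string($f) ? $f : gettype($f));
        }
    }
    return $problems;
}

// Constructed sample configs, written to temp files so the script runs offline.
$samples = array(
    'typo'   => "<?php return array('security' => array('output_filter' => array('Security:htmlentities')));",
    'broken' => "<?php return array('security' => array('output_filter' => array('Security::htmlentities'));",
    'ok'     => "<?php return array('security' => array('output_filter' => array('Security::htmlentities')));",
);
foreach ($samples as $name => $source) {
    $path = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($path, $source);
    $problems = array();
    $config = load_config_file($path, $problems);
    $problems = $problems ?: check_security_config($config);
    echo $name, ': ', $problems ? implode('; ', $problems) : 'ok', PHP_EOL;
    unlink($path);
}
```

The `broken` sample has the missing closing parenthesis described in the thread, and the `typo` sample has the single-colon filter name.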
