In the previous 1.5 status update I wrote that we’d work on input/output sanitisation and validation until we got it right, as the security and stability implications of not getting it right would be too large. We have worked on it since then and now it’s done. What has happened since the last post:
- Input/output pathways have been simplified
- Input/output sanitisation and validation is done
- Much code and program flow has been cleaned up and simplified
- The database abstraction layer moved from MDB2 to PDO. PDO is well maintained and part of the standard PHP package; moving to PDO removed a server-side dependency for FileSender
- We now use mostly prepared statements for database interaction, which we understand to be best current security practice
- PDO has been tested with MySQL and PostgreSQL
- All pages are now W3C compliant
We had a developers' conference call today where we discussed the path towards 1.5. There’s a small thing to do with the exact handling of pause/resume that we will work on this week to make sure it behaves well enough. As there is a chance for changes in that functionality to impact program flow, we’re a bit careful there. Next week we’ll check whether we’re happy and, if we are, plan the 1.5 beta release date. A code security audit will be executed after the 1.5 beta is available.
The major changes moving towards 1.5 compared with 1.1 will then be:
- support for multiple languages in the web UI
- database abstraction with PDO
- 1.5 will be the foundation on which we can develop new features like multi-file-upload, client-side encryption etc.