CodeIgniter 2.2.5 Released

#1
CodeIgniter 2.2.5 has been released today, and is a security release for the 2.x branch.


Fixed a number of XSS attack vectors in Security Library method xss_clean (thanks to Frans Rosén from Detectify).

Since most have moved on to the development version of 3.0 from the GitHub repo, these fixes only affect sites powered by the legacy version. We felt that sites that were still running 2.x and potentially impacted by the vulnerability warranted an update so the release available for that version line is secure.

You can download v2.2.5 now, and we encourage you to read the full changelog.
James Parry
Project Lead
Reply
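The announcement above gives defenders one concrete number to act on: any 2.x site below 2.2.5 is still running the unfixed xss_clean. The script below is an added inventory check, not code from the thread or from the CodeIgniter project; it assumes that each install keeps its version string in system/core/CodeIgniter.php as define('CI_VERSION', '...'), which is where 2.x and 3.x define it, and it uses a constructed sample install only in its test.

```shell
#!/bin/sh
# Added example (not from the thread): walk a document root, find every
# CodeIgniter install, and flag 2.x installs older than 2.2.5, the release
# that shipped the xss_clean fixes announced above.
FIXED_VERSION="2.2.5"   # version named in the announcement

# ci_version FILE -> print the CI_VERSION string defined in a CodeIgniter.php
# (assumption: the constant is defined as define('CI_VERSION', 'x.y.z');)
ci_version() {
    sed -n "s/.*define('CI_VERSION', *'\([^']*\)').*/\1/p" "$1" | head -n 1
}

# version_lt A B -> exit 0 when dotted version A is numerically below B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1   # equal versions are not "less than"
    }'
}

# needs_update VERSION -> exit 0 only for a 2.x release below the fixed version;
# 3.x installs carry the fixes already and are reported as ok
needs_update() {
    case "$1" in
        2.*) version_lt "$1" "$FIXED_VERSION" ;;
        *)   return 1 ;;
    esac
}

# scan ROOT -> one tab-separated line per install: version, verdict, path
scan() {
    find "$1" -path '*/system/core/CodeIgniter.php' -type f 2>/dev/null |
    while read -r f; do
        v=$(ci_version "$f")
        if needs_update "$v"; then
            status="UPDATE (xss_clean fixes missing)"
        else
            status="ok"
        fi
        printf '%s\t%s\t%s\n' "$v" "$status" "$f"
    done
}

# Usage: scan /var/www
```

Run it against the parent directory of your web roots; the verdict column tells you which installs still need the 2.2.5 update, while the version column lets you spot 3.x development checkouts that the announcement says are unaffected.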

#2
thank you so much for doing this. i'm sure i speak for many codeigniter users that we really appreciate these timely updates.

but a quick reality check - most have Not moved on. there are easily thousands of codeigniter 2 applications running now and they are not going to be upgraded to ci 3 anytime soon. the more important the application is to the business or organization - the longer it takes to upgrade to a new version that has breaking changes. that's just the reality for people with budgets and limited time.

it does not mean that you have to continue supporting ci 2 forever, that's not what i'm saying at all. just try and look at it this way -- codeigniter 2 is rock solid. that's why it's so popular. because we can concentrate on coding and not migrating to a new version of a framework every six months. but that also means you have to expect it will take longer for the majority of users to migrate.
Reply

#3
(10-08-2015, 02:01 PM)cartalot Wrote: thank you so much for doing this. i'm sure i speak for many codeigniter users that we really appreciate these timely updates.

but a quick reality check - most have Not moved on. there are easily thousands of codeigniter 2 applications running now and they are not going to be upgraded to ci 3 anytime soon. the more important the application is to the business or organization - the longer it takes to upgrade to a new version that has breaking changes. that's just the reality for people with budgets and limited time.

it does not mean that you have to continue supporting ci 2 forever, that's not what i'm saying at all. just try and look at it this way -- codeigniter 2 is rock solid. that's why it's so popular. because we can concentrate on coding and not migrating to a new version of a framework every six months. but that also means you have to expect it will take longer for the majority of users to migrate.

The fact that I am telling you this should speak volumes: CodeIgniter 2 is a piece of crap. And that's easily provable - just look at the 3.0.0 changelog, all of those 6 pages of bugfix items are for stuff that is broken in 2.x.

Yes, I know upgrades can be hard to get through, but that's not the case here because CI3 is CI2 "on steroids" and there are hardly any technical obstacles, just lack of motivation. As long as you're looking for excuses not to upgrade, you'll find them simply because that's the point you're trying to prove.
Reply

#4
thanks for the insights, and maybe i should have made it clearer that i'm using CI 3, but hopefully your pep talk will motivate people on the fence.

yes there are developers working on their own projects and in complete control. but the reality for developers working for a business or non-profit -- the developer has to first convince management to upgrade. and upgrading will involve other applications, platforms, etc. that are also critical for the business process.

the step of what it takes to convince management to upgrade is often overlooked. for those of you lucky enough not to be in these trenches you might assume it takes one quick meeting where everyone agrees to an obvious conclusion that upgrading is good -- and the developer is immediately given ample time to refactor all the code with no distractions.

the actual reality is it will involve many meetings, budgets, projections, schedules -- while at the same time dealing with all the other business concerns -- BEFORE the upgrade is even on the schedule. and then the upgrade will get rescheduled. and rescheduled. meanwhile the managers you are working with were never clear why the upgrade was so important -- so every meeting you have to explain all over again why it should be on the schedule at all. developers are asking for a clear list of the differences/benefits of codeigniter 2 vs 3 -- not for themselves but because they need something that management can understand and will be compelling enough to convince them to budget for it.

for many developers they will end up working on the upgrade partly on their own time just to get it done. so yes getting ci 2 system updates while all this is going on is a huge deal for those developers. they aren't going to post and say thanks on this bulletin board but i know they are very appreciative.
Reply

#5
I would add to the mix the fact that we don't have the resources to support 3 versions of the framework simultaneously.

Nothing more will be added to CI2, but I expect that the forums will still provide ongoing support. There are likely to be vulnerabilities reported for CI2 that can only be addressed by using more recent versions of PHP and/or database drivers, which is out of our control.

CI3 will probably have some upgrades, as there are lots of contributions for it. It should be around for a while :)

CI4 is lurking on the horizon, and that feels like the right place to concentrate our efforts, strategically.

Just in case you were wondering, we have no planned EOL date for CI3, nor any plans for CI5!!
Reply

#6
Honestly, in reporting the need to upgrade from CI2 to CI3 to my supervisor, I focused on the end-of-life and lack of continued security updates as the primary reason for the upgrade. In most environments, security is enough of a priority to break through some of the mess of scheduling issues, but not usually all of them.

When presenting a plan for the upgrade, my first step was actually to add a "compatibility layer" to Bonfire to:
- make it easier to switch between CI2 and CI3 on the same site
- backport some CI3 functionality to CI2
- allow files to use either version's naming conventions (so I had time to change the names of all of the required files)

If there was anything else, I've forgotten at this point, as it has been several months.

Once I had completed that compatibility layer and started testing everything in CI3, I ended up having to add some compatibility functions to port CI2 functionality to CI3 for a couple of things I just wouldn't be able to update in a timely manner.

After that, I basically had a CI3-ready site which was running on CI2, waiting for management approval to switch. I had to do a little pushing (and there was one of those last-minute "Why are we doing this upgrade?" moments), but by putting a system in place which allowed us to implement most of the necessary changes without switching the CI version, and making the switch itself relatively simple, I eliminated most of the resistance in the process. Removal of the CI2 compatibility layer is actually a longer project which is still in-process, though after a couple of months I've managed to remove the biggest, highest-impact pieces.

Of course, it wasn't all smooth sailing, as a couple of things slipped past the tests (big surprise with the size of the site), but, so far, it seems to have worked out.
Reply

#7
@cartalot

I have the comfort of making upgrades at my decision, I don't face the organizational issues you described, anyway I think they are valid. But the address is wrong, it is not for the CI team to engage them. This is why:

1. What happens when there is a critical fix (let us say something about security) that should be applied immediately, and nobody can predict them? Does your management and your clients realize that such things should be done sometimes? If formalities are so strong, do you have procedures for escalating important issues?

2. A quote from here: https://en.wikipedia.org/wiki/DevOps "Funding is typically provided in a waterfall manner, with specific hard dates (months, quarters, fiscal year) and gates, not suitable for a Continuous Delivery model. Funding too should be continuous." Yes, this is hard to be negotiated and achieved, but this is the direction your organization should think about, instead of complaining.
Reply

#8
ok really simple -- there are projects still using CI 2 -- so they appreciate the security upgrades even if they don't post and say thank you.
There are many developers using CI 2 because it's very stable and is compatible with older versions of PHP.
I personally am using CI 3. Codeigniter is free and the CI team is under no obligation to keep supporting CI 2.
Reply
