annotate CHANGELOG @ 1512:dcc8abbc6dfd

Change cookie signature comparison to resist timing attacks (based on code suggested by Robin Green and Austin Seipp)
author Adam Chlipala <adam@chlipala.net>
date Tue, 19 Jul 2011 09:18:50 -0400 (2011-07-19)
parents dbb461e55eda
children 52fbd8534ef3
rev line source
adam@1509 1 ========
adam@1509 2 Next
adam@1509 3 ========
adam@1509 4
adam@1509 5 - Start of official tutorial
adam@1509 6 - Compiler support for generating nice tutorial HTML from literate source files
adam@1509 7 - New protocol 'static' for generating static pages
adam@1509 8 - Bug fixes
adam@1509 9
adam@1492 10 ========
adam@1492 11 20110715
adam@1492 12 ========
adam@1492 13
adam@1492 14 - Treat local variables the same as module-level variables, for the purpose of
adam@1492 15 implicit argument insertion
adam@1492 16 - New 'noXsrfProtection' directive for .urp files
adam@1492 17 - Non-debug builds omit source location information in error messages shown to
adam@1492 18 the user (but keep that information in log entries)
adam@1492 19 - Basis.getHeader and Basis.setHeader
adam@1492 20 - Basis.show_css_class
adam@1492 21 - Basis.currentUrlHasQueryString
adam@1492 22 - Make Basis.rand cryptographically secure
adam@1492 23 - Client-side versions of Basis.now and Basis.show_time
adam@1492 24 - Bug fixes
adam@1492 25 - Improvements to auto-configuration and build process (now builds with LLVM's
adam@1492 26 Clang!)
adam@1492 27 - Clarifications in the manual
adam@1492 28
adam@1458 29 ========
adam@1460 30 20110517
adam@1458 31 ========
adam@1458 32
adam@1458 33 - Cygwin compatibility
adam@1458 34 - Compatibility with Gentoo packaging process, including a .ebuild file
adam@1458 35 - Change typing of SQL subqueries, to indicate that they may always return NULL
adam@1458 36 (for no rows)
adam@1458 37 - Syntactic sugar for GROUP BY with variable numbers of columns
adam@1458 38 (using 'tab.{{c}}', where 'c :: {Type}')
adam@1458 39 - 'ALL' for SQL relational operators
adam@1458 40 - Add nullable types to the class for valid operands for SQL arithmetic
adam@1458 41 - 'alt' attribute for <img>
adam@1458 42 - <sup> and <sub> HTML tags
adam@1458 43 - Allow 'debug' and 'naughtyDebug' in client-side code, implemented with 'alert'
adam@1458 44 - Bug fixes and optimization improvements
adam@1458 45
adam@1400 46 ========
adam@1414 47 20110123
adam@1400 48 ========
adam@1400 49
adam@1400 50 - Changes to encoding of SQL aggregate functions: nullable types may be
adam@1400 51 aggregated, and non-COUNT aggregates return nullable results.
adam@1400 52 - SQL subqueries may apply aggregate functions to columns bound in enclosing
adam@1400 53 queries.
adam@1400 54 - Switch from libmhash to OpenSSL.
adam@1400 55 - 'cdataChar', for injecting arbitrary character codes into XML
adam@1400 56 - 'crypt', for access to the standard UNIX password encryption routine
adam@1400 57 - 'readUtc', for parsing time strings in the UTC time zone
adam@1400 58 - Built-in 'time' type now stores microseconds (which for now are only used in
adam@1400 59 connection with Postgres timestamps).
adam@1400 60 - Client-side URL blessing and redirection
adam@1400 61 - 'currentUrlHasPost' function
adam@1400 62 - Transactional 'free' functions now passed an argument indicating whether the
adam@1400 63 runtime system expects to retry the transaction.
adam@1400 64 - Change tasks to allow task kind-specific inputs
adam@1400 65 - Add 'clientLeaves' and 'periodic' task kinds
adam@1400 66 - Support for externally-callable pages, via the 'postBody' and 'queryString'
adam@1400 67 types and the 'effectfulUrl' function
adam@1400 68 - 'minHeap' and 'alwaysInline' .urp options
adam@1400 69 - '-prefix' command-line option
adam@1400 70 - Comments in .urp files (lines starting with '#')
adam@1400 71 - Miscellaneous additions to the standard library
adam@1400 72 - Bug fixes and improvements to type inference and optimization
adam@1400 73
adam@1287 74 ========
adam@1315 75 20101102
adam@1287 76 ========
adam@1287 77
adam@1287 78 - Polymorphic variants (see Basis.variant)
adam@1297 79 - New 'onError' directive for .urp files
adam@1287 80 - (* *) and <!-- --> comments in XML
adam@1297 81 - Basis.classes, Basis.confirm, and Basis.tryDml
adam@1309 82 - New notations ::_ and :::_, for constructor parameters of unknown kind
adam@1297 83 - Invocations like 'urweb foo' will compile foo.ur as a single-file project,
adam@1297 84 even if no foo.urp exists
adam@1309 85 - '-limit' command-line flag and 'limit' .urp directive
adam@1297 86 - Bug fixes and optimization improvements
adam@1287 87
adamc@1259 88 ========
adamc@1273 89 20100603
adamc@1259 90 ========
adamc@1259 91
adamc@1259 92 - Changed URL escaping convention, to avoid confusing proxies.
adamc@1259 93 The new convention is like the normal one, but with '.' instead of '%'.
adamc@1261 94 - Changed JavaScript compilation of recursive functions to use thunks.
adamc@1261 95 This change avoids most costs of functions not referenced on particular
adamc@1261 96 pages, reducing loading time dramatically.
adamc@1273 97 - Support HTTP caching of application-specific JavaScript code
adamc@1273 98 - Bug fixes
adamc@1259 99
adamc@1255 100 ========
adamc@1255 101 20100506
adamc@1255 102 ========
adamc@1255 103
adamc@1255 104 - New experimental checker for information flow and access control policies
adamc@1255 105 (See demo at http://www.impredicative.com/ur/scdv/)
adamc@1255 106
adamc@1197 107 ========
adamc@1197 108 20100401
adamc@1197 109 ========
adamc@1197 110
adamc@1197 111 - Subquery expressions and FROM items
adamc@1197 112 - Low-level support for SELECT with no FROM clause
adamc@1197 113 - Fixes for DBMS-portability of relational operators
adamc@1197 114
adamc@1183 115 ========
adamc@1190 116 20100325
adamc@1183 117 ========
adamc@1183 118
adamc@1188 119 - -verbose flag
adamc@1188 120 - COUNT(col) SQL aggregate function
adamc@1188 121 - 'benignEffectful' and 'safeGet' .urp commands
adamc@1188 122 - Remove Basis.getRequestHeader, since it can be used to circumvent cookie
adamc@1188 123 security
adamc@1190 124 - Rename Top.foldR*X to map*X
adamc@1188 125 - Bug fixes and optimization improvements
adamc@1183 126
adamc@1166 127 ========
adamc@1166 128 20100213
adamc@1166 129 ========
adamc@1166 130
adamc@1166 131 - Improvements to 'configure'; should now fail if any uncommon but required
adamc@1166 132 package is missing
adamc@1166 133 - Other fixes to configuration, build system, and C code portability
adamc@1166 134 - sigfile .urp directive & -sigfile command-line option
adamc@1166 135 - .urp files with no directives no longer need to begin with blank lines.
adamc@1166 136 - Other bug fixes
adamc@1166 137
adamc@1137 138 ========
adamc@1137 139 20100130
adamc@1137 140 ========
adamc@1137 141
adamc@1137 142 - Conversion to an Automake-based build system, for greater portability in
adamc@1137 143 building shared libraries
adamc@1137 144 - -path and -root command-line flags
adamc@1137 145 - Exported page handling functions (i.e., those page-generating functions
adamc@1137 146 appearing in the main module's signature) may now take any number of
adamc@1137 147 arguments, including 0.
adamc@1137 148
adamc@1123 149 ========
adamc@1123 150 20100112
adamc@1123 151 ========
adamc@1123 152
adamc@1123 153 - Basis.serialized type family, for storing more types in the database
adamc@1123 154 - Basis.textBlob, for building blobs from strings
adamc@1123 155 - Basis.debug function, for server-side debug printing
adamc@1123 156 - Bug fixes & optimization improvements
adamc@1123 157
adamc@1065 158 ========
adamc@1103 159 20091230
adamc@1065 160 ========
adamc@1065 161
adamc@1093 162 - Automatic insertion of implicit arguments in more positions
adamc@1065 163 - Reifying expressions as URLs and redirecting to them explicitly
adamc@1070 164 - More syntactic sugar for SQL
adamc@1070 165 - Typing of SQL queries no longer exposes which tables were used in joins but
adamc@1070 166 had none of their fields projected
adamc@1075 167 - Tasks
adamc@1095 168 - Dynamic linking of the runtime system
adamc@1077 169 - Optimization improvements
adamc@1103 170 - Bug fixes
adamc@1065 171
adamc@1050 172 ========
adamc@1056 173 20091203
adamc@1050 174 ========
adamc@1050 175
adamc@1050 176 - Extended cookie interface (breaks backward compatibility for 'setCookie')
adamc@1050 177 - Bug fixes
adamc@1056 178 - Extended UTF-8 characters in HTML
adamc@1050 179
adamc@1043 180 ========
adamc@1043 181 20091124
adamc@1043 182 ========
adamc@1043 183
adamc@1043 184 - Improved Internet Explorer compatibility
adamc@1043 185
adamc@1020 186 ========
adamc@1033 187 20091108
adamc@1020 188 ========
adamc@1020 189
adamc@1020 190 - Bug fixes
adamc@1020 191 - Optimization improvements
adamc@1021 192 - Removed a restriction that prevented some RPCs and calls to sleep or recv
adamc@1021 193 from compiling
adamc@1020 194
adamc@999 195 ========
adamc@999 196 20091012
adamc@999 197 ========
adamc@999 198
adamc@999 199 - Small bug fixes affecting MySQL and SQLite
adamc@999 200
adamc@988 201 ========
adamc@997 202 20091009
adamc@988 203 ========
adamc@988 204
adamc@988 205 - Bug fixes
adamc@988 206 - Improvement to choice of line number to cite in record unification error
adamc@988 207 messages
adamc@994 208 - SELECT DISTINCT
adamc@996 209 - New extra demos: orm1 and versioned1
adamc@988 210
adamc@985 211 ========
adamc@985 212 20090926
adamc@985 213 ========
adamc@985 214
adamc@985 215 - Reimplemented client-side code generation to use an interpreter, rather than
adamc@985 216 compilation to JavaScript; this avoids common browser flaws: lack of
adamc@985 217 optimization of tail calls and occasional bugs in closure handling.
adamc@985 218 - Bug fixes
adamc@985 219
adamc@968 220 ========
adamc@968 221 20090919
adamc@968 222 ========
adamc@968 223
adamc@968 224 - Bug fixes
adamc@968 225 - Optimization improvements
adamc@968 226 - Expanded grid demo in demo/more: optional columns, sorting, filtering,
adamc@968 227 paging, selecting rows, aggregate row
adamc@968 228
adamc@929 229 ========
adamc@929 230 20090912
adamc@929 231 ========
adamc@929 232
adamc@929 233 - Bug fixes
adamc@929 234 - Optimization improvements
adamc@929 235 - New set of extra demos in demo/more
adamc@929 236
adamc@914 237 ========
adamc@914 238 20090825
adamc@914 239 ========
adamc@914 240
adamc@914 241 - Many bug fixes
adamc@914 242 - Remote procedure calls must be marked with the new 'rpc' function.
adamc@914 243 - Some tweaks to enable usage on OSX (suggested by Paul Snively)
adamc@914 244
adamc@897 245 ========
adamc@897 246 20090718
adamc@897 247 ========
adamc@897 248
adamc@897 249 - New application protocols: CGI and FastCGI
adamc@897 250 - New database backends: MySQL and SQLite
adamc@897 251 - More JavaScript events added to tags in standard library
adamc@897 252 - New manual section on using the foreign function interface (FFI)
adamc@897 253
adamc@852 254 ========
adamc@852 255 20090623
adamc@852 256 ========
adamc@852 257
adamc@852 258 - Many bug fixes
adamc@852 259 - Mutually-recursive datatypes
adamc@852 260 - SML-style pattern-matching syntax for "fun", "fn", and local "val"
adamc@852 261 - Backwards-incompatible change to syntax of formal constructor parameters to
adamc@852 262 value-level functions, to support the previous change
adamc@852 263 - Path map support inspired by SML/NJ CM and MLton ML Basis
adamc@852 264 - Start of some new standard library modules
adamc@852 265 - Some improvements to JavaScript runtime, including better error handling
adamc@852 266
adamc@716 267 ========
adamc@790 268 20090505
adamc@716 269 ========
adamc@716 270
adamc@716 271 - Reimplement constructor class resolution to be more general and Prolog-like
adamc@716 272 - SQL table constraints
adamc@770 273 - URLs
adamc@736 274 - Client-side error handling callbacks
adamc@736 275 - CSS
adamc@736 276 - Signing cookie values cryptographically to thwart cross site request forgery
adamc@744 277 - Blobs and HTTP file upload
adamc@752 278 - SQL outer joins
adamc@755 279 - SQL views
adamc@756 280 - Subforms
adamc@768 281 - C and JavaScript FFI
adamc@768 282 - Path rewriting
adamc@716 283
adamc@702 284 ========
adamc@702 285 20090405
adamc@702 286 ========
adamc@702 287
adamc@702 288 - Asynchronous message-passing and the associated server-side client
adamc@702 289 bookkeeping
adamc@702 290 - Reimplement parts of the client-side runtime system to avoid space leaks
adamc@702 291 - spawn and sleep
adamc@702 292 - Expand the constructor class instance rule format
adamc@702 293
adamc@663 294 ========
adamc@663 295 20090312
adamc@663 296 ========
adamc@663 297
adamc@663 298 - Replace type-level "fold" with "map"
adamc@663 299 - Replace expression-level "fold" with folders, defined in Top and
adamc@663 300 supported by some special compiler inference
adamc@663 301 - Replace guarded constructors with guarded types, introduced only by
adamc@663 302 guarded expression abstraction, and with a new explicit application form
adamc@663 303 - Kind polymorphism
adamc@663 304 - Generalize type classes to constructor classes
adamc@663 305 - Initial compilation of client-side code to JavaScript
adamc@663 306 - Initial support for mixed client- and server-side programming (i.e., "AJAX")
adamc@665 307 - src/coq: Coq formalization of a core Ur-like calculus
adamc@663 308
adamc@506 309 ========
adamc@561 310 20081209
adamc@506 311 ========
adamc@506 312
adamc@506 313 - Optimization: Fusing page writes with calls to recursive functions
adamc@523 314 - Optimization of bottleneck compiler phases
adamc@561 315 - Reference manual
adamc@561 316 - SQL arithmetic operators
adamc@506 317
adamc@504 318 ========
adamc@504 319 20081120
adamc@504 320 ========
adamc@504 321
adamc@504 322 - Fix bug that sometimes led to omission of initial "<html>" in pages
adamc@504 323 - Take advantage of nested functions in some demos
adamc@504 324 - "profile" option that may appear in .urp files, to enable gprof profiling
adamc@663 325 - "-guided-demo" option that works like "-demo" but uses less screen space for
adamc@663 326 prose
adamc@504 327
adamc@467 328 ========
adamc@497 329 20081118
adamc@467 330 ========
adamc@467 331
adamc@467 332 - Nested function definitions
adamc@467 333 - Primitive "time" type
adamc@467 334 - Nullable SQL columns (via "option")
adamc@467 335 - Cookies
adamc@663 336 - Compiler: Specialization of functions to known arguments (especially of
adamc@663 337 function type)
adamc@467 338
adamc@435 339 ========
adamc@435 340 20081028
adamc@435 341 ========
adamc@435 342
adamc@435 343 - Add GCCARGS configure option
adamc@435 344
adamc@433 345 ========
adamc@433 346 20081027
adamc@433 347 ========
adamc@433 348
adamc@433 349 - On missing inputs, print an error message, but don't exit the web server.
adamc@434 350 - Remove need for "() <-" notation.
adamc@433 351
adamc@433 352 ========
adamc@433 353 20081026
adamc@433 354 ========
adamc@433 355
adamc@433 356 - Change 'sed' call to work on OSX.
adamc@433 357 - Avoid including or linking libpq files on apps that don't use SQL.