The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.1! Packages and installation instructions are available at:

This is the first monthly maintenance release in the 2.2 series.

Changelog

This release features almost 70 changes, ranging from minor typographical issues to changes to allow easier utilisation of new features introduced in 2.2 (e.g., you can now actually select the new TranslatorAwareTreeRouteStack as a router via configuration). The full changelog for 2.2.1 is available:

Thank You!

I'd like to thank everyone who provided issue reports, typo fixes, maintenance improvements, bugfixes, and documentation improvements; your efforts make the framework increasingly better!

Roadmap

Maintenance releases happen monthly on the third Wednesday. Version 2.3.0 is tentatively scheduled for the end of August.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.0! Packages and installation instructions are available at:

This is the first stable release in the 2.2 series.

Usability and Consistency

The primary focus of the 2.2 release has been usability and consistency, primarily with regard to creation and configuration of services such as hydrators, input filters, logs, DB connections, cache objects, translators, and forms.

Most of these services now have what are known as "Abstract Factories" that are either registered by default, or can be added quickly to your application configuration. Abstract factories are used by the service manager when you have multiple services that follow the same instantiation pattern, but which have different names. The typical pattern the new abstract factories follow is to use key/configuration pairs under a common top-level configuration key to describe the instances desired:


<?php
'log' => array(
    'Application\Log' => array(
        'writers' => array(
            array(
                'name'     => 'stream',
                'priority' => 1000,
                'options'  => array(
                    'stream' => 'data/logs/app.log',
                ),
            ),
        ),
    ),
),

The above creates a logger named "Application\Log" which you can retrieve directly from the service manager. If you wanted to have additional loggers, you could do so by adding additional entries under the "log" heading, each named, and each providing configuration for a logger.

Besides the logger abstract factory illustrated above, the following components each have abstract factories now, too, using the configuration keys noted:

  • Zend\Cache: "caches" configuration section, allowing multiple named cache storage objects.
  • Zend\Db: "adapters" subkey of the "db" configuration section; this abstract factory allows you to finally have multiple named DB adapter instances, effectively allowing for read-only and write-only connections.
  • Zend\Form: "forms" configuration section (which makes use of several old and new plugin managers, as noted below).
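As an added example (not code from the original post), the following module configuration shows the "db" / "adapters" section used for the read/write split mentioned above, together with a consumer factory that asks for the read-only adapter by name. The service names, hosts, database account names and environment variable names are assumptions; the key layout follows Zend\Db\Adapter\AdapterAbstractServiceFactory.

```php
<?php
// Added example, not from the original post. Two named adapters built by the
// "db" / "adapters" abstract factory; the read path uses a database account
// that should be granted SELECT only. Service names, DSNs, account names and
// environment variable names are assumptions for illustration.
return array(
    'service_manager' => array(
        'abstract_factories' => array(
            // Register the factory if your application config does not already.
            'Zend\Db\Adapter\AdapterAbstractServiceFactory',
        ),
        'factories' => array(
            // Consumers ask for an adapter by name; the abstract factory builds
            // it from the matching "adapters" entry on first request.
            'Application\Model\ReportTable' => function ($serviceLocator) {
                $adapter = $serviceLocator->get('Db\ReadOnly');
                return new \Zend\Db\TableGateway\TableGateway('reports', $adapter);
            },
        ),
    ),
    'db' => array(
        'adapters' => array(
            'Db\ReadOnly' => array(
                'driver'   => 'Pdo',
                'dsn'      => 'mysql:dbname=app;host=db-replica.internal',
                'username' => 'app_reader',
                'password' => getenv('DB_READER_PASSWORD'),
            ),
            'Db\ReadWrite' => array(
                'driver'   => 'Pdo',
                'dsn'      => 'mysql:dbname=app;host=db-primary.internal',
                'username' => 'app_writer',
                'password' => getenv('DB_WRITER_PASSWORD'),
            ),
        ),
    ),
);
```

The split only pays off if the grants differ at the database level: give app_reader SELECT and nothing else, so a bug in a read-only code path cannot be turned into a write.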

A number of new plugin managers were also added. Plugin managers are specialized service manager instances used by objects that will be consuming many different related object instances, often based on runtime conditions. As examples, view helpers and controller plugins are mediated by plugin managers.

The new plugin manager instances include:

  • Zend\Stdlib\Hydrator\HydratorPluginManager, for retrieving hydrator instances. This allows re-use of individual hydrators, and coupled with the forms abstract factory, allows usage of custom hydrators across your form instances.
  • Zend\InputFilter\InputFilterPluginManager, for retrieving (configurable) input filter instances. This allows re-use of input filters, as well as ensures that all input instances are provided with custom validators and/or filters (from the existing validator and filter plugin managers). The forms abstract factory makes use of this, which allows us to finally tie together the various plugin managers to create fully configurable and custom forms.

Finally, a couple new service factories were created. Service factories usually have a 1:1 relationship between the named service and the instance provided, and are ideal for situations where you only need one instance of a given service type. In the case of the new factories for 2.2, these include translators and sessions.

Data Definition Language Abstraction

Zend Framework 2.2 also offers initial support in Zend\Db for dynamic DDL queries. DDL, for Data Definition Language, is a subset of SQL that comprises different commands for building RDBMS data structures like tables, columns, constraints, indexes, views, triggers and the like.

Initial support is limited to creating tables with SQL92 data types, with some specialization for MySQL. Here is an example of a CREATE TABLE statement:


<?php
    use Zend\Db\Sql\Sql;
    use Zend\Db\Sql\Ddl;

    // $adapter is an existing Zend\Db\Adapter\Adapter instance; the platform it
    // carries determines the dialect of the generated SQL.
    $t = new Ddl\CreateTable();
    $t->setTable('bar');
    // Column constructor arguments: name, length, nullable, default, options
    $t->addColumn(new Ddl\Column\Integer(
        'id',
        12,
        true,
        null,
        array('auto_increment' => true, 'comment' => 'Some comment')
    ));
    $t->addColumn(new Ddl\Column\Varchar('name', 255));
    $t->addColumn(new Ddl\Column\Char('foo', 20));
    $t->addConstraint(new Ddl\Constraint\PrimaryKey('id'));
    $t->addConstraint(new Ddl\Constraint\UniqueKey(
        array('name', 'foo'),
        'my_unique_key'
    ));

    $sql = new Sql($adapter);
    echo $sql->getSqlStringForSqlObject($t);

Once this table is created, it can then be altered:


<?php
    // Continues the previous example: $sql and the Ddl namespace import are
    // already in scope.
    $t = new Ddl\AlterTable('bar');
    $t->changeColumn('name', new Ddl\Column\Varchar('new_name', 50));
    $t->addColumn(new Ddl\Column\Varchar('another', 255));
    $t->addColumn(new Ddl\Column\Varchar('other_id', 255));
    $t->dropColumn('foo');
    $t->addConstraint(new Ddl\Constraint\ForeignKey(
        'my_fk', 'other_id', 'other_table', 'id', 'CASCADE', 'CASCADE'
    ));
    // Drop the unique key defined in the CREATE TABLE example above
    $t->dropConstraint('my_unique_key');
    echo $sql->getSqlStringForSqlObject($t);

Or even dropped:


<?php
    $dt = new Ddl\DropTable('bar');
    echo $sql->getSqlStringForSqlObject($dt);

What can this be used for?

That is where you come in. This particular feature was asked for numerous times during ZF1 development. We'd like to see what kind of ZF2 modules can be created with this base infrastructure. Migration assistant? ORM database creation tool? Advanced CMS? Let us know; we'll be adding more vendor specific support over the 2.2 to 2.3 timeline.

New Service Wrappers

Zend Framework has a long history of providing API wrappers; in fact, they were a prominent part of the initial pre-release! The tradition continues in ZF2, though each API wrapper now has its own repository.

Alongside the 2.2.0 release, we're also providing initial beta releases of two new service components: ZendService_Api and ZendService_OpenStack.

ZendService_Api

This is an HTTP microframework for consuming generic API calls in PHP. This framework can be used to create PHP libraries that consume specific HTTP APIs using either a simple configuration array or files. This project uses the Zend\Http\Client component of Zend Framework 2. Enrico has blogged about the component previously.

ZendService_OpenStack

We have begun development of a new library supporting the latest API version of OpenStack. The goal of this component is to simplify the use of OpenStack from PHP by providing a simple object-oriented interface to its API services. The component is built on ZendService_Api, which gives us a flexible way to track the HTTP specification as future API versions appear.

ZFTool Diagnostic Features

Artur Bodera (aka Thinkscape) contributed a new diagnostics feature to ZFTool. It lets you run customized diagnostic tests against a ZF2 project: checking the required PHP version, the presence of specific PHP extensions and ZF2 modules, specific PHP INI settings, and more; read the documentation to get an idea of the variety of tests available.

Moreover, with the collaboration of the LiipMonitor project, we decided to create common interfaces for performing diagnostic tests in PHP applications. An initial draft is available in the ZendDiagnostic repository.

The diagnostics feature is available in the latest version of ZFTool.

Hydrator Improvements

As noted earlier, Zend\Stdlib\Hydrator now has a plugin manager you can compose into your objects for managing hydrator instances. However, beyond that, we also now have an "Aggregate Hydrator", which allows you to provide specialized mapping of your object types to hydrators via an event-based system.

Why is this exciting? Many of our users utilize Doctrine as an Object Relational Mapping (ORM) system. Oftentimes, the entities that you work with will also form a hierarchical structure. The Aggregate Hydrator allows you to attach a single hydrator to the parent object, and ensure that all child and descendant objects are hydrated or extracted according to their type.

Reducing Dependencies

We have started work on a new story for the framework: reducing dependencies for individual components. We have received feedback from a number of developers and organizations indicating that even though each component can be installed individually, the number of dependencies most components mark as required leads to a situation where they feel they must choose whether or not they adopt the framework, versus adopting just the component. While of course we'd like them to adopt the framework, we'd rather they get a taste for it, if you will.

While this story is primarily slated for 2.3, we have made our first steps in 2.2, with the Zend\Feed and Zend\Validator components.

Zend\Validator removed its dependency on the i18n component. We achieved this by creating Separated Interfaces for the translator. Considering translation was only enabled if you explicitly injected a translator, this was a natural course of action. (It also introduced a minor backwards compatibility break; see below for more information.)

For Zend\Feed, many "required" dependencies were actually optional already, and we could mark them as such. There were two that were not, however, and which required similar treatment as Zend\Validator in creating separated interfaces: the service manager (used for extension management) and HTTP (for fetching remote feeds with the reader). Interfaces were developed for each of these, and Zend\Feed now has only two required dependencies. A nice side benefit is that you can now use third-party HTTP clients with Zend\Feed\Reader!

Migration Notes

While we have worked hard to keep code backwards compatible (BC), there are a few noteworthy changes that may affect your code.

  • Zend\Validator no longer directly consumes a Zend\I18n\Translator\Translator instance; instead, you must either implement Zend\Validator\Translator\TranslatorInterface or use Zend\Mvc\I18n\Translator. In most cases, this change should be transparent, as validator instances managed by the ValidatorPluginManager will already be using the correct instance.
  • In 2.1.5, a BC break was accidentally introduced into Zend\Navigation in order to enable a feature: MVC pages were altered to always use route match values, when available, when generating URIs. 2.2.0 adds a flag that enables this behavior on demand, and defaults to the original behavior, which does not pass route match values to the pages. If you relied on the 2.1.5 behavior, add the following option to each affected MVC page definition:

    
    <?php
    'use_route_match' => true,

Other Notable Improvements

  • Authentication: The DB adapter now supports non-RDBMS credential validation.
  • Cache: New storage backend: Redis.
  • Code: The ClassGenerator now has a removeMethod() method.
  • Console: Incremental improvements to layout and colorization of banners and usage messages; fixes for how literal and non-literal matches are returned.
  • Filter: New DateTimeFormatter filter.
  • Form: Many incremental improvements to selected elements; new FormAbstractServiceFactory for defining form services; minor improvements to make the form component work with the DI service factory.
  • InputFilter: new CollectionInputFilter for working with form Collections; new InputFilterPluginManager providing integration and services for the ServiceManager.
  • I18n: We removed ext/intl as a hard requirement, and made it only a suggested requirement; the Translator has an optional dependency on the EventManager, providing the ability to tie into "missing message" and "missing translations" events; new country-specific PhoneNumber validator.
  • ModuleManager: Now allows passing actual Module instances (not just names).
  • Navigation: Incremental improvements, particularly to URL generation.
  • MVC: You can now configure the initial set of MVC event listeners in the configuration file; the MVC stack now detects generic HTTP responses when detecting event short circuiting; the default ExceptionStrategy now allows returning JSON; opt-in translatable segment routing; many incremental improvements to the AbstractRestfulController to make it more configurable and extensible; the Forward plugin was refactored to no longer require a ServiceLocatorAware controller, and instead receive the ControllerManager via its factory.
  • Paginator: Support for TableGateway objects.
  • ServiceManager: Incremental improvements; performance optimizations; delegate factories, which provide a way to write factories for objects that replace a service with a decorator; "lazy" factories, allowing the ability to delay factory creation invocation until the moment of first use.
  • Stdlib: Addition of a HydratorAwareInterface; creation of a HydratorPluginManager.
  • SOAP: Major refactor of WSDL generation to make it more maintainable.
  • Validator: New Brazilian IBAN format for IBAN validator; validators now only return unique error messages; improved Maestro detection in CreditCard validator.
  • Version: use the ZF website API for finding the latest version, instead of GitHub.
  • View: Many incremental improvements, primarily to helpers; deprecation of the Placeholder Registry and removal of it from the implemented placeholder system; new explicit factory classes for helpers that have collaborators (making them easier to override/replace).

Changelog

More than 150 patches were applied for 2.2.0.

Other Announcements

Over a month ago, we migrated Zend Framework 1 to GitHub. At that time, we also migrated active issues created since 1.12.0 to the GitHub issue tracker, and marked our self-hosted issue tracker read-only. We have decided to turn off that issue tracker, but still retain the original issues at their original locations for purposes of history and transparency. You can find information on the change on our issues landing page.

Thank You!

Please join me in thanking everyone who provided new features and code improvements for the 2.2.0 release! We had a huge leap forward in usability of many components, and a number of key new features that make developing applications simpler. We'll be continuing on these themes for the next release as well.

Roadmap

Maintenance releases are scheduled for the third Wednesday of each month; expect 2.2.1 on 19 June 2013. Minor releases are scheduled roughly every quarter; look for 2.3 sometime around mid-August or early September. Proposals and ideas for stories will be presented on the zf-contributors mailing list; subscribe by sending an email to zf-contributors-subscribe [at] lists.zend.com if you are interested in assisting with its development.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.0rc3! Packages and installation instructions are available at:

This is a release candidate. It is not the final release, and while stability is generally considered good, there may still be issues to resolve between now and the stable release. Use in production with caution.

DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

Changes in this version

Please see our post for 2.2.0rc1 and our post for 2.2.0rc2 for a list of changes. In addition to those changes, the following have been made:

  • A late addition of Zend\Stdlib\Hydrator\Aggregate was made. This functionality allows the ability to map hydrators to objects via events, and generally streamlines the process of having a single hydrator for a hierarchy of objects. Read more in the AggregateHydrator documentation.

  • Improvements were made to Zend\Di to make it work better with the various "Aware" interfaces that have proliferated throughout the framework, eliminating issues where the component would attempt to instantiate an interface.

Changelog

Almost 200 patches were applied for 2.2.0. We will not release a full changelog until we create the stable release. In the meantime, you can view a full set of patches applied for 2.2.0 in the 2.2.0 milestone on GitHub:

Thank You!

Please join me in thanking everyone who provided new features and code improvements for this upcoming 2.2.0 release!

Roadmap

This is the third release candidate. At this time, we anticipate a stable release sometime mid-week next week.

Over the next few days, we will be expanding on documentation, and fixing any critical issues brought to our attention; we do not anticipate many, if any, critical issues at this time, however.

Again, DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.0rc2! Packages and installation instructions are available at:

This is a release candidate. It is not the final release, and while stability is generally considered good, there may still be issues to resolve between now and the stable release. Use in production with caution.

DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

Changes in this version

Please see our post for 2.2.0rc1 for a list of changes. In addition to those changes, the following have been made:

  • A late change was made to eliminate and/or make optional several dependencies in Zend\Feed and Zend\Validator. While these are generally backwards compatible, we need to note that you can no longer directly use Zend\I18n\Translator\Translator with validators; instead, you must use Zend\Mvc\I18n\Translator. In most cases, this will not present an issue, as the translator object is generally injected via the ValidatorPluginManager, which has already been updated to inject the correct translator object.

    If you were manually injecting your validators with a translator object, please note that you must now use Zend\Mvc\I18n\Translator.

    The changes have some immediate benefits: you can now use Zend\Feed with third-party HTTP clients!

Changelog

Almost 200 patches were applied for 2.2.0. We will not release a full changelog until we create the stable release. In the meantime, you can view a full set of patches applied for 2.2.0 in the 2.2.0 milestone on GitHub:

Thank You!

Please join me in thanking everyone who provided new features and code improvements for this upcoming 2.2.0 release!

Roadmap

We plan to release additional RCs every 3-5 days until we feel the 2.2.0 release is generally stable; we anticipate a stable release sometime next week.

During the RC period, we will be expanding on documentation, and fixing any critical issues brought to our attention.

Again, DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.0rc1! Packages and installation instructions are available at:

This is a release candidate. It is not the final release, and while stability is generally considered good, there may still be issues to resolve between now and the stable release. Use in production with caution.

DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

Changes in this version

  • Addition of many more plugin managers and abstract service factories. In order to simplify usage of the ServiceManager as an Inversion of Control container, as well as to provide more flexibility in and consistency in how various framework components are consumed, a number of plugin managers and service factories were created and enabled.

    Among the various plugin managers created are Translator loader manager, a Hydrator plugin manager (allowing named hydrator instances), and an InputFilter manager.

    New factories include a Translator service factory, and factories for both the Session configuration and SessionManager.

    New abstract factories include one for the DB component (allowing you to manage multiple named adapters), Loggers (for having multiple Logger instances), Cache storage (for managing multiple cache backends), and Forms (which makes use of the existing FormElementsPluginManager, as well as the new Hydrator and InputFilter plugin managers).

  • Data Definition Language (DDL) support in Zend\Db. DDL provides the ability to create, alter, and drop tables in a relational database system. Zend\Db now offers abstraction around DDL, and specifically MySQL and ANSI SQL-92; we will gradually add this capability for the other database vendors we support.

  • Authentication: The DB adapter now supports non-RDBMS credential validation.
  • Cache: New storage backend: Redis.
  • Code: The ClassGenerator now has a removeMethod() method.
  • Console: Incremental improvements to layout and colorization of banners and usage messages; fixes for how literal and non-literal matches are returned.
  • DB: New DDL support (noted earlier); many incremental improvements.
  • Filter: New DateTimeFormatter filter.
  • Form: Many incremental improvements to selected elements; new FormAbstractServiceFactory for defining form services; minor improvements to make the form component work with the DI service factory.
  • InputFilter: new CollectionInputFilter for working with form Collections; new InputFilterPluginManager providing integration and services for the ServiceManager.
  • I18n: We removed ext/intl as a hard requirement, and made it only a suggested requirement; the Translator has an optional dependency on the EventManager, providing the ability to tie into "missing message" and "missing translations" events; new country-specific PhoneNumber validator.
  • ModuleManager: Now allows passing actual Module instances (not just names).
  • Navigation: Incremental improvements, particularly to URL generation.
  • MVC: You can now configure the initial set of MVC event listeners in the configuration file; the MVC stack now detects generic HTTP responses when detecting event short circuiting; the default ExceptionStrategy now allows returning JSON; opt-in translatable segment routing; many incremental improvements to the AbstractRestfulController to make it more configurable and extensible; the Forward plugin was refactored to no longer require a ServiceLocatorAware controller, and instead receive the ControllerManager via its factory.
  • Paginator: Support for TableGateway objects.
  • ServiceManager: Incremental improvements; performance optimizations; delegate factories, which provide a way to write factories for objects that replace a service with a decorator; "lazy" factories, allowing the ability to delay factory creation invocation until the moment of first use.
  • Stdlib: Addition of a HydratorAwareInterface; creation of a HydratorPluginManager.
  • SOAP: Major refactor of WSDL generation to make it more maintainable.
  • Validator: New Brazilian IBAN format for IBAN validator; validators now only return unique error messages; improved Maestro detection in CreditCard validator.
  • Version: use the ZF website API for finding the latest version, instead of GitHub.
  • View: Many incremental improvements, primarily to helpers; deprecation of the Placeholder Registry and removal of it from the implemented placeholder system; new explicit factory classes for helpers that have collaborators (making them easier to override/replace).

Changelog

Almost 200 patches were applied for 2.2.0. We will not release a full changelog until we create the stable release. In the meantime, you can view a full set of patches applied for 2.2.0 in the 2.2.0 milestone on GitHub:

Other Announcements

Around a month ago, we migrated Zend Framework 1 to GitHub. At that time, we also migrated active issues created since 1.12.0 to the GitHub issue tracker, and marked our self-hosted issue tracker read-only. We have decided to turn off that issue tracker, but still retain the original issues at their original locations for purposes of history and transparency. You can find information on the change on our issues landing page.

Thank You!

Please join me in thanking everyone who provided new features and code improvements for this upcoming 2.2.0 release!

Roadmap

We plan to release additional RCs every 3-5 days until we feel the 2.2.0 release is generally stable; we anticipate a stable release in the next 2-3 weeks.

During the RC period, we will be expanding on documentation, and fixing any critical issues brought to our attention.

Again, DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.1.5! Packages and installation instructions are available at:

This is a monthly maintenance release.

Notable changes

2.1.5 is a monthly maintenance release, and the bulk of the issues resolved centered on code maintainability: typos in docblocks were corrected, internal variables were renamed more semantically, and so on. However, a few changes are notable:

Manual improvements

Last month, we held our first documentation hunt, resulting in a lot of documentation improvements.

Additionally, we began an effort to provide Zend Framework 1 -> Zend Framework 2 migration information. A preview is available on readthedocs.org.

Changelog

Almost 100 patches were applied to the ZF2 codebase, and dozens to the documentation. The full changelog for 2.1.5 is available:

Thank You!

I'd like to thank everyone who provided issue reports, typo fixes, maintenance improvements, bugfixes, and documentation improvements; your efforts make the framework increasingly better!

Roadmap

Maintenance releases happen monthly on the third Wednesday. Version 2.2.0 will release in the first half of May, with the first release candidate dropping during the week of 29 April - 3 May 2013.

ZF2013-03: Potential SQL injection due to execution of platform-specific SQL containing interpolations

The Zend\Db component in Zend Framework 2 provides platform abstraction, which is used in particular for SQL abstraction. Two methods defined in the platform interface, quoteValue() and quoteValueList(), allow users to manually quote values for creating SQL statements; these are in turn consumed by aspects of the SQL abstraction platform, including Zend\Db\Sql\Sql::getSqlStringForSqlObject(), and the getSqlString() method provided in a number of classes in the Zend\Db\Sql namespace.

While these methods are primarily intended for debugging and logging purposes, developers can use them to produce SQL that is then passed to the driver to execute. Due to a flaw in how the quoteValue() and quoteValueList() methods were written, this can lead to potential SQL injection.

The flaw is in the Zend\Db\Adapter\Platform* classes, specifically their quoteValue() and quoteValueList() methods. These methods escaped only a subset of the characters that must be escaped when a value is quoted for interpolation into a SQL string, and they quoted without involving the database extension, which, when available, takes the connection's character set into account when quoting.

Action Taken

We have made the following changes to the Platform objects:

  • Platform objects now accept the Driver as an optional parameter. This allows quoteValue() to use the driver-level quoting/escaping mechanism, and therefore the connection's character set, to produce an "as safe as possible" value.
  • If no driver-level quoting/escaping function is available, the Platform object triggers an E_USER_NOTICE.
  • A new method, Zend\Db\Adapter\Platform\PlatformInterface::quoteTrustedValue(), was introduced for use cases that need to quote a value already known to be safe without that notice being triggered.
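The following is an added illustration, not Zend Framework source. quoteValueNaive() models the class of flaw described above (only the single quote is escaped); quoteValueFixed() follows the shape of the fix just listed: use the driver's own escaping when a connection is available, otherwise trigger an E_USER_NOTICE and escape the full set of characters MySQL treats specially. The attacker payload, the table and the use of PDO with an in-memory SQLite database are constructed for the example.

```php
<?php
// Added illustration, not Zend Framework source. quoteValueNaive() models the
// class of flaw the advisory describes (only the single quote is escaped);
// quoteValueFixed() follows the shape of the described fix: driver escaping
// when a connection exists, otherwise an E_USER_NOTICE plus a fuller escape.

function quoteValueNaive($value)
{
    return "'" . str_replace("'", "\\'", $value) . "'";
}

function quoteValueFixed($value, $driverResource = null)
{
    if ($driverResource instanceof mysqli) {
        return "'" . $driverResource->real_escape_string($value) . "'";
    }
    if ($driverResource instanceof PDO) {
        return $driverResource->quote($value);
    }
    trigger_error(
        'Quoting a value without driver support can introduce SQL injection; use prepared statements.',
        E_USER_NOTICE
    );
    // Characters MySQL treats specially inside a string literal
    return "'" . addcslashes($value, "\x00\n\r\\'\"\x1a") . "'";
}

// Constructed attacker input: a backslash followed by a quote. The naive quoter
// turns \' into \\' and MySQL reads '\\' as a complete string literal, so the
// rest of the payload is parsed as SQL.
$payload = "\\' OR 1=1 -- ";

echo 'naive: SELECT * FROM users WHERE name = ', quoteValueNaive($payload), PHP_EOL;
echo 'fixed: SELECT * FROM users WHERE name = ', quoteValueFixed($payload), PHP_EOL;

// The advisory's real recommendation: do not execute interpolated SQL at all.
// With a bound parameter the same payload is only data. PDO with an in-memory
// SQLite database (assumed available) keeps this runnable; in Zend\Db the
// equivalent is $sql->prepareStatementForSqlObject($select)->execute().
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice')");
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute(array(':name' => $payload));
printf("parameterised query matched %d row(s)\n", count($stmt->fetchAll(PDO::FETCH_ASSOC)));
```

The naive line ends in '\\' OR 1=1 -- ', where the leading '\\' is a finished string literal and the OR clause is live SQL; the fixed variant doubles the backslash as well as escaping the quote, so the whole payload stays inside the literal. The notice printed between the two lines is the signal the fix introduced, and the parameterised query matches no rows because the payload is compared as a plain string.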

Recommendations

You are affected only if your code directly calls one of the following APIs and executes the result with your database adapter:

  • Zend\Db\Adapter\Platform*::quoteValue()
  • Zend\Db\Adapter\Platform*::quoteValueList()
  • Zend\Db\Sql\Sql->getSqlStringForSqlObject()
  • Zend\Db\Sql\Select->getSqlString()
  • Zend\Db\Sql\Insert->getSqlString()
  • Zend\Db\Sql\Update->getSqlString()
  • Zend\Db\Sql\Delete->getSqlString()

ZF2's Zend\Db and other components that utilize Zend\Db never directly rely on interpolation of values into SQL strings. This means that unless you find any of the above calls in your code, or any code that effectively calls quoteValue(), this issue does not affect you.

If you do, however, we recommend immediately upgrading to either version 2.0.8 or 2.1.4.

This advice appears in many places, but it bears repeating: never rely on interpolating values into SQL strings; always use prepared statements, parameterization, or extension-specific value binding.
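As an added check (not Zend Framework code), the script below walks a code base and reports every call site for the methods listed above, so each can be reviewed for whether its output is executed rather than logged. The script name, the exclusion of vendor/ (the framework's own internals call these methods legitimately), and the output format are assumptions.

```php
<?php
// Added check, not Zend Framework code: locate call sites of the Zend\Db
// methods named in ZF2013-03 so each can be reviewed.
// Usage: php find-interpolated-sql.php path/to/module   (defaults to '.')

function findInterpolatedSqlCalls($root)
{
    // Method names from the advisory; the leading "->" restricts to method calls.
    $pattern = '/->(quoteValue|quoteValueList|getSqlStringForSqlObject|getSqlString)\s*\(/';
    $hits = array();

    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        $path = $file->getPathname();
        // Skip non-PHP files and the vendor tree (assumed layout), where the
        // framework itself uses these methods as part of its SQL abstraction.
        if ($file->getExtension() !== 'php'
            || strpos($path, DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR) !== false
        ) {
            continue;
        }
        foreach (file($path) as $index => $line) {
            if (preg_match($pattern, $line, $m)) {
                $hits[] = array(
                    'file'   => $path,
                    'line'   => $index + 1,
                    'method' => $m[1],
                    'code'   => trim($line),
                );
            }
        }
    }
    return $hits;
}

$root = isset($argv[1]) ? $argv[1] : '.';
$hits = findInterpolatedSqlCalls($root);
foreach ($hits as $hit) {
    printf("%s:%d  %s()  %s\n", $hit['file'], $hit['line'], $hit['method'], $hit['code']);
}
printf("%d call site(s) to review\n", count($hits));
// Non-zero exit so a CI job fails until every site is removed or confirmed to
// be debugging/logging output that is never passed to the adapter.
exit(count($hits) > 0 ? 1 : 0);
```

A hit is not automatically a vulnerability: getSqlString() used purely for logging is what the API was intended for. The question to answer at each site is whether the resulting string ever reaches the driver for execution; if it does, replace it with prepareStatementForSqlObject() or the object's own execute path.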

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Axel Helmert for alerting us to the issue
  • Ralph Schindler for implementing a solution

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)

ZF2013-02: Potential Information Disclosure and Insufficient Entropy vulnerabilities in Zend\Math\Rand and Zend\Validator\Csrf Components

In Zend Framework 2, the Zend\Math\Rand component generates random bytes using the OpenSSL or Mcrypt extensions when available, but otherwise falls back to PHP's mt_rand() function. All outputs from mt_rand() are predictable for the same PHP process if an attacker can brute force the seed used by the Mersenne Twister algorithm in a Seed Recovery Attack. This attack can be carried out with minimal effort if the attacker has access to either a random number from mt_rand() or a Session ID generated without additional entropy. This makes mt_rand() unsuitable for generating non-trivial random bytes, since it has insufficient entropy to protect against brute force attacks on the seed.

The Zend\Validate\Csrf component generates CSRF tokens by SHA1 hashing a salt, a random number (possibly generated using mt_rand()), and a form name. Where the salt is known, an attacker can brute force the SHA1 hash with minimal effort to discover the random number when mt_rand() is used as the fallback for the OpenSSL and Mcrypt extensions. This constitutes an Information Disclosure: the recovered random number may itself be brute forced to recover the seed value and predict the output of other mt_rand() calls for the same PHP process. This may lead to vulnerabilities in areas of an application where mt_rand() calls exist beyond the scope of Zend Framework.
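The token construction described above, as an added illustration that is not Zend Framework's own code: the token is still SHA1(salt, random value, form name), but the random value comes only from a cryptographic source and generation fails closed rather than falling back to mt_rand(). Function names, the salt and the form name are constructed for this example; it assumes PHP 5.6 or later (random_bytes() is used where PHP 7 or later is available).

```php
<?php
// Added example, not Zend Framework code: CSRF tokens built from the same three
// inputs the advisory describes, with no mt_rand() fallback.

// Returns hex-encoded random bytes from a CSPRNG, or throws. Never degrades to mt_rand().
function secureRandomHex(int $bytes = 32): string
{
    if (function_exists('random_bytes')) {              // PHP >= 7.0
        return bin2hex(random_bytes($bytes));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $out = openssl_random_pseudo_bytes($bytes, $strong);
        if ($out !== false && $strong) {                // only accept a "strong" result
            return bin2hex($out);
        }
    }
    throw new RuntimeException(
        'No cryptographically secure random source available; refusing to fall back to mt_rand()'
    );
}

// Token = sha1(salt . random . form name). The random value must be kept server side
// (e.g. in the session) so that the token can be verified later.
function makeCsrfToken(string $salt, string $formName): array
{
    $random = secureRandomHex();
    return array(
        'token'  => sha1($salt . $random . $formName),
        'random' => $random,
    );
}

// Recompute the expected token and compare in constant time.
function verifyCsrfToken(string $salt, string $formName, string $storedRandom, string $submitted): bool
{
    $expected = sha1($salt . $storedRandom . $formName);
    return hash_equals($expected, $submitted);
}

// Constructed usage: 'per-app-secret-salt' and 'login' stand in for real application values.
$issued = makeCsrfToken('per-app-secret-salt', 'login');
var_dump(verifyCsrfToken('per-app-secret-salt', 'login', $issued['random'], $issued['token']));  // bool(true)
var_dump(verifyCsrfToken('per-app-secret-salt', 'login', $issued['random'], 'tampered-token'));  // bool(false)
```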

Action Taken

Zend Framework has revised the Zend\Math\Rand component to replace the mt_rand() fallback (used when neither OpenSSL nor Mcrypt is available) with Anthony Ferrara's RandomLib, incorporating an additional entropy source based on source code published by George Argyros. The new fallback collects entropy from numerous sources other than PHP's internal seed mechanism and extracts random bytes from the resulting mixed entropy pool.

Recommendations

If you are using either Zend\Math\Rand or Zend\Validate\Csrf, do not have either the OpenSSL or Mcrypt extensions installed in PHP, and are on a non-Unix-like system, we recommend upgrading immediately to version 2.0.8 or 2.1.4.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Pádraic Brady for identifying and reporting the issue, as well as providing a patch to resolve the issue
  • Enrico Zimuel for collaborating on and reviewing the solution

ZF2013-01: Route Parameter Injection Via Query String in Zend\Mvc

In Zend Framework 2, Zend\Mvc\Router\Http\Query is used primarily to allow appending query strings to URLs when they are assembled. However, because it captures every query parameter into the RouteMatch, and because RouteMatch parameters are merged with those of any parent routes, the query route can override routing parameters the parent has already captured, bypassing the constraints defined on the parent.

As an example, consider the following route definition:

array(
    'user' => array(
        'type' => 'segment',
        'options' => array(
            'route' => '/user/:key',
            'defaults' => array(
                'controller' => 'UserController',
                'action'     => 'show-action',
            ),
            'constraints' => array(
                'key' => '[a-z0-9]+',
            ),
        ),
        'child_routes' => array(
            'query' => array('type' => 'query'),
        ),
    ),
)

If the request URI was /user/foo/?controller=SecretController&key=invalid_value, the RouteMatch returned after routing would contain the following:

array(
    'controller' => 'SecretController',
    'action'     => 'show-action',
    'key'        => 'invalid_value',
)

This would lead to execution of a different controller than intended, with a value for the key parameter that bypassed the constraints outlined in the parent route.
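The merge behaviour described above, as an added illustration that is not Zend Framework's own code: a stripped-down model of the parent segment route, the pre-fix and post-fix behaviour of the child query route, and the parent/child parameter merge that lets the child override the parent. The matcher functions and the request values are constructed for this example; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not Zend Framework code: why copying query parameters into the
// RouteMatch lets a request override 'controller' and bypass the parent's 'key' constraint.

// Parent: behaves like the 'segment' route '/user/:key' with constraint [a-z0-9]+.
function matchUserSegment(string $path): ?array
{
    if (!preg_match('#^/user/(?P<key>[a-z0-9]+)/?$#', $path, $m)) {
        return null; // constraint not satisfied: the parent does not match at all
    }
    return array(
        'controller' => 'UserController',
        'action'     => 'show-action',
        'key'        => $m['key'],
    );
}

// Vulnerable child (before 2.0.8 / 2.1.4): every query parameter becomes a route parameter.
function matchQueryVulnerable(array $query): array
{
    return $query;
}

// Fixed child (2.0.8 / 2.1.4): the route still matches but contributes no parameters.
function matchQueryFixed(array $query): array
{
    return array();
}

// Tree-style merge: child parameters are merged over the parent's, so the child wins on conflicts.
function route(string $path, array $query, callable $childMatcher): ?array
{
    $parent = matchUserSegment($path);
    if ($parent === null) {
        return null;
    }
    return array_merge($parent, $childMatcher($query));
}

// Constructed request: /user/foo/?controller=SecretController&key=invalid_value
$query = array('controller' => 'SecretController', 'key' => 'invalid_value');

print_r(route('/user/foo/', $query, 'matchQueryVulnerable'));
// controller => SecretController, action => show-action, key => invalid_value  (constraint bypassed)

print_r(route('/user/foo/', $query, 'matchQueryFixed'));
// controller => UserController, action => show-action, key => foo              (parent's values kept)
```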

Action Taken

Zend Framework 2.1 introduced changes to the router implementation that now allows passing both query string values and fragment values during URI assembly, effectively obsoleting the original use case of the Query route. As an example, you can now do the following:

$url = $router->assemble(array(), array(
    'name'  => 'foo',            // the route name is passed in the options array
    'query' => array(
        'page' => 3,
        'sort' => 'DESC',
    ),
    // or: 'query' => 'page=3&sort=DESC'
));

// via URL helper/plugin:
$rendererOrController->url('foo', array(), array('query' => $request->getQuery()));

As such, for versions 2.0.8 and 2.1.4, we have marked Zend\Mvc\Router\Http\Query as deprecated. Additionally, we have modified the code in its match() method so that it no longer passes the query parameters to the RouteMatch, eliminating the possibility of route parameter injection entirely.

Recommendations

If you are using the Query route in Zend Framework 2, we recommend upgrading to Zend Framework 2.0.8 or 2.1.4 immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • codemagician for alerting us to the issue
  • Ben Scholzen for providing the solution

ZF2012-05: Potential XML eXternal Entity injection vectors in Zend Framework 1 Zend_Feed component

Zend_Feed_Rss and Zend_Feed_Atom were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections.

A similar issue was fixed for 1.11.13 and 1.12.0, in the Zend_Feed::import() factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable.

Action Taken

A patch was applied that removes the XXE vector by calling libxml_disable_entity_loader() before attempting to parse the feed via DOMDocument::loadXML().
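The fix described above, as an added illustration that is not Zend_Feed's own code: a feed-loading function that rejects any document declaring a DOCTYPE (a feed never needs one), disables libxml's external entity loader for the duration of the parse, and restores the previous setting afterwards. The function name and the two sample feeds are constructed for this example; it assumes PHP 5.5 or later.

```php
<?php
// Added example, not Zend_Feed code: parsing feed XML with DOMDocument without
// letting a DOCTYPE in the feed pull in external entities.

function loadFeedXmlSafely(string $xml): DOMDocument
{
    // Layer 1: any DOCTYPE (and therefore any ENTITY declaration) is rejected outright.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new RuntimeException('Feed contains a DOCTYPE declaration; refusing to parse');
    }

    // Layer 2: disable the external entity loader while parsing. On PHP 8.0+ the loader
    // is already disabled by default and the function is deprecated, so skip it there.
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    $useErrors = libxml_use_internal_errors(true);   // collect parse errors instead of emitting warnings
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET additionally forbids any network access during parsing.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('Feed is not well-formed XML');
        }
        return $dom;
    } finally {
        libxml_use_internal_errors($useErrors);      // always restore the process-wide settings
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}

// Constructed inputs: a plain RSS document, and one carrying a DOCTYPE with an external entity
// pointing at a placeholder path.
$benign = '<?xml version="1.0"?><rss version="2.0"><channel><title>t</title></channel></rss>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE rss [<!ENTITY x SYSTEM "file:///placeholder/local-file">]>'
             . '<rss version="2.0"><channel><title>&x;</title></channel></rss>';

echo loadFeedXmlSafely($benign)->getElementsByTagName('title')->item(0)->textContent, "\n"; // t
try {
    loadFeedXmlSafely($withDoctype);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n"; // rejected before the parser ever sees the entity
}
```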

Recommendations

If you are using any of the components listed, and, in particular, were directly instantiating them, we recommend upgrading to either version 1.11.15 or 1.12.1 or greater.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Yury Dyachenko at Positive Research Center
