The Zend Framework community is pleased to announce the immediate availability of Zend Framework 1.12.19! Packages and installation instructions are available at:

Changelog

This release includes a single security patch, reported as ZF2016-02, for SQL injection vulnerabilities in the Zend_Db_Select::order() and Zend_Db_Select::group() methods. If you use these, we recommend updating immediately.

To see the complete set of issues resolved for 1.12.2, please visit the changelog:

Thank You!

Many thanks to all contributors to this release!

Source

ZF2016-02: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select

The implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1 is vulnerable to the following SQL injection:

$db = Zend_Db::factory(/* options here */);
$select = new Zend_Db_Select($db);
$select->from('p');
$select->order("MD5(\"(\");DELETE FROM p2; #)"); // same with group()

The above $select will render the following SQL statement:

SELECT `p`.* FROM `p` ORDER BY MD5("");DELETE FROM p2; #) ASC

instead of the correct one:

SELECT `p`.* FROM `p` ORDER BY "MD5("""");DELETE FROM p2; #)" ASC

This security fix can be considered as an improvement of the previous ZF2014-04.

Action Taken

We fixed the reported SQL injection using two regular expressions for the order() and the group() methods in Zend_Db_Select, created as the class constants REGEX_COLUMN_EXPR_ORDER and REGEX_COLUMN_EXPR_GROUP, respectively. These are defined as:

/^([\w]+\s*\(([^\(\)]|(?1))*\))$/

This regexp is different from the previous REGEX_COLUMN_EXPR, which used the character pattern [\w]*; we now require at least one word character ([\w]+) before the opening parenthesis.
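As an added example (not ZF1's own code), the following Python reimplements the accept/reject decision of the recursive PCRE pattern above, with min_word=1 standing for the new REGEX_COLUMN_EXPR_ORDER/REGEX_COLUMN_EXPR_GROUP and min_word=0 for the earlier REGEX_COLUMN_EXPR, and runs the proof-of-concept order() argument through both. The identifier quoting (double quotes with embedded quotes doubled) and the trailing ASC are assumptions taken from the two rendered statements in the advisory.

```python
import string

# Word characters as PCRE's \w sees them without the /u modifier (ASCII only).
_WORD = set(string.ascii_letters + string.digits + "_")


def _match_expr(s, i, min_word):
    r"""Match the PCRE group ([\w]{min_word,}\s*\(([^()]|(?1))*\)) at s[i:].

    Returns the index just past the closing ')' or -1 on failure. The
    recursive (?1) alternative is the only way the pattern can accept a '('
    inside the body, so every nested '(' must itself be introduced by a run
    of at least min_word word characters (the ZF2016-02 change: 0 -> 1).
    """
    j = i
    while j < len(s) and s[j] in _WORD:
        j += 1
    if j - i < min_word:
        return -1
    while j < len(s) and s[j].isspace():
        j += 1
    if j >= len(s) or s[j] != "(":
        return -1
    j += 1
    while j < len(s):
        c = s[j]
        if c == ")":
            return j + 1
        if c == "(" or c in _WORD:
            end = _match_expr(s, j, min_word)  # try the (?1) alternative here
            if end != -1:
                j = end
                continue
            if c == "(":
                return -1  # a '(' the recursion cannot explain: no match
        j += 1  # plain [^()] character
    return -1


def is_column_expr(value, min_word=1):
    """True if value matches REGEX_COLUMN_EXPR_ORDER/_GROUP (min_word=1) or
    the older, weaker REGEX_COLUMN_EXPR that used [\\w]* (min_word=0)."""
    return _match_expr(value, 0, min_word) == len(value)


def quote_identifier(value):
    """Quote a column name the way the advisory's 'correct' statement shows
    (assumption: double quotes, embedded double quotes doubled)."""
    return '"' + value.replace('"', '""') + '"'


def render_order_by(value, fixed=True):
    """Render the ORDER BY fragment for a single order() argument.

    fixed=True applies the Zend Framework 1.12.19 check; fixed=False applies
    the pre-patch pattern. A matching value passes through verbatim, as a
    Zend_Db_Expr would; anything else is quoted as an identifier.
    """
    if is_column_expr(value, 1 if fixed else 0):
        expr = value
    else:
        expr = quote_identifier(value)
    return "ORDER BY %s ASC" % expr


if __name__ == "__main__":
    # Constructed input: the order() argument from the advisory's example.
    payload = 'MD5("(");DELETE FROM p2; #)'
    print("pre-patch :", render_order_by(payload, fixed=False))
    print("1.12.19   :", render_order_by(payload))
    print("legitimate:", render_order_by("LOWER(CONCAT(first, last))"))
```

Run stand-alone, it prints the raw (injected) fragment for the pre-patch pattern and the quoted, harmless identifier for the patched one, while a genuine nested function call is still accepted as an expression.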

The patch is available starting in Zend Framework 1.12.19.

Other Information

This SQL injection attack does not affect Zend Framework 2 and 3 versions because the implementations of Zend\Db\Sql\Select::order() and Zend\Db\Sql\Select::group() do not manage parenthetical expressions.

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Peter O'Callaghan, who discovered and reported the issue;
  • Enrico Zimuel, who provided the patch.

Source

After 17 months of effort, hundreds of releases, tens of thousands of commits by hundreds of contributors, and millions of installs, we're pleased to announce the immediate availability of Zend Framework 3.

What is Zend Framework 3?

For Zend Framework 2 MVC users, the differences are subtle:

  • Increased performance; we've measured up to 4X faster applications under PHP 5, and even better performance under PHP 7!
  • PHP 7 support.
  • A focus on de-coupling packages, to allow re-use in a greater number of contexts. In some cases, this has meant the creation of new packages that either split concerns, or provide integration between multiple components.
  • A focus on documentation. Documentation is now included within each component repository, allowing us to block contributions for lack of documentation, as well as automate deployment of documentation. See our new documentation site for the results.

Migration from version 2 to version 3 was at the top of our minds, and we have provided a number of forwards compatibility features over the course of ZF3 development, and written migration guides to help you navigate the changes.

If you are already familiar with our MVC, or want to get started with it, we have created a new version of the skeleton application that ships with minimal dependencies, and provides a number of convenience features including the ability to select optional packages at installation, as well as auto-register components and modules when adding them to your application. Read more about the skeleton in the documentation.

For newcomers to the framework, we have been working on our package architecture, and attempting to make each package installable with a minimal amount of dependencies, to allow usage in any project, from Zend Framework MVC applications to other popular frameworks such as Laravel and Symfony. All components are now developed independently, with their own release schedules, allowing us to ship bugfixes and new features more frequently. This change has allowed us to tag several hundred releases in the past year!

The Zend Framework 3 initiatives also included a number of new features, primarily around PSR-7 (HTTP Message interfaces) support. These include:

Yes, you read that correctly: Zend Framework now ships with a microframework as a parallel offering to its MVC full-stack framework! For users new to Zend Framework who are looking for a place to dive in, we recommend Expressive, as we feel PSR-7 middleware represents the future of PHP application development.

The release today is a new beginning for the framework, returning to its original mission: a strong component library, with opt-in MVC features.

Join our community today; we're available on the #zftalk Freenode IRC channel, and via our component repositories (for discussing issues and development).

— The Zend Framework Team —

Look for follow-up posts on this blog soon, detailing some of the new features!

Source

With the release of Zend Framework 3, it's time to halt development on Zend Framework 1. As such, we hereby announce that Zend Framework 1 reaches its End of Life (EOL) three months from today, on 28 September 2016.

Between now and then, we will only provide security fixes, if any security reports are made in that time frame. Past that point, we will offer custom bug and security fixes for Zend Framework 1 on-demand only to Enterprise users of Zend Server.

Additionally, as of today, access to our legacy subversion server is disabled. If you were using svn:externals to incorporate Zend Framework into your application, please download the relevant package as listed in our Zend Framework packages archives instead, or update your application to use Composer.

If you need assistance migrating your Zend Framework 1 application to Zend Framework 2/3 or Expressive, Zend offers architecture migration services.

If you are in need of Zend Framework 2/3 training, Zend offers both a Zend Framework 2 Fundamentals course and a Zend Framework 2 Advanced Concepts course.

Source

This is an installment in an ongoing series of posts on ZF3 development status. Since the last status update:

  • ~130 pull requests merged, and ~100 issues closed.
  • Over 30 component releases.
  • Completion of the component documentation migration.
  • Tagging of zend-mvc 3.0.
  • Completion of the new skeleton application and related installers.

Documentation

Since the last update, we managed to complete the migration of documentation to components, as well as publish documentation for all components!

You can view a list of all documented components via GitHub Pages:

Each component's documentation contains a link in the top navigation that opens the component list, allowing you to navigate to other components.

Please help us thank Frank Brückner for the enormous amount of assistance he provided driving this milestone to completion!

zend-mvc 3.0 stability

After copious testing with the skeleton application (more on that below), and prepping components such as zend-test to work with it, we decided that zend-mvc was ready to tag with a 3.0 stable version!

For those not following previous updates, the main goals of the zend-mvc v3 effort were:

  • De-couple from other components. Many components were listed as development requirements and suggestions due to the fact that zend-mvc contained zend-servicemanager integrations for them. We have moved those integrations into the components themselves.
  • Reduce dependencies to exactly what's needed for a basic zend-mvc application:
    • EventManager
    • HTTP
    • ModuleManager
    • Router
    • ServiceManager
    • Standard Library
    • View
  • Split optional integrations into their own packages. These included:
    • Console integration (now provided via zend-mvc-console)
    • i18n integration (now provided via zend-mvc-i18n)
    • Several plugins had requirements on additional libraries, including:
      • PRG (uses zend-session)
      • FilePRG (uses zend-form and zend-session)
      • FlashMessenger (uses zend-session)
      • Identity (uses zend-authentication)

During the process, we were able to remove around 75% of the code, making the component much smaller, more maintainable, and more focused.

Once zend-mvc was tagged 3.0, we quickly followed up with a zend-test 3.0 release, and stable releases of zend-mvc-console, zend-mvc-i18n, and the various zend-mvc-plugin packages.

Skeleton application

We'd begun refactoring the skeleton application previously, and were able to complete the work in the past couple weeks. The new skeleton:

  • Migrates to PSR-4 directory layout for the shipped Application module.
  • Relies on Composer for all autoloading, including the Application module.
  • Removes all translations. These were of dubious use, and were quite difficult to maintain.
  • Depends only on zend-mvc, zend-component-installer (which automates injecting components and modules into application configuration during installation), and zend-skeleton-installer (more on this below).
  • We removed almost 8000 lines of code, adding only 800!

zend-skeleton-installer is a new Composer plugin that, during installation:

  • Prompts the user to decide whether they want a minimal install or want to add optional packages.
  • Prompts for a number of common optional packages, including caching, logging, console integration, i18n, etc.
  • Removes itself from the project once installation is complete!

Matthew plans to blog on the code behind zend-skeleton-installer in the near future.

You can test out the new skeleton using the following:

$ composer create-project "zendframework/skeleton-application:dev-develop" zend-project

The above will use the new develop branch, and create a project in the directory zend-project.

Finally, we added both an updated Vagrantfile and Docker support to the skeleton, allowing you to start developing in a consistent, de-coupled environment immediately.

For Vagrant, after you've installed, execute:

$ vagrant up

For Docker, you will need to use docker-compose; once you have that available, execute:

$ docker-compose up -d --build

With each, we bind your host port 8080 to the container's port 80, allowing you to visit it at http://localhost:8080/

We're excited about the new skeleton, and look forward to getting your feedback on it!

Final milestones

We have a few last milestones before we're ready to announce the completion of the Zend Framework 3 initiatives.

First, because PHP 5.5 support ends at the end of June, we will be releasing a new minor version of all components setting the minimum supported PHP version to 5.6. (Many already have such versions in place.)

Second, now that the skeleton application is ready, we will be migrating our tutorials to a new repository, converting them to Markdown and MkDocs, and updating them to follow the new skeleton and component changes.

Finally, we will be deciding what the zendframework/zendframework package will look like for a version 3 tag. In large part, it becomes unnecessary, as we can ship even the skeleton with a minimal set of components; however, for those who want "everything at once", keeping it around as a metapackage may have value. We'll be announcing the plans for it soon.

Until next time

If you want to help:

  • Test the new skeleton (see the directions above) and provide feedback.
  • Search for help wanted or EasyFix issues (most of the latter are documentation).

Many thanks to all the contributors who have provided feedback, patches, reviews, or releases since the last update!

Source

As announced last week, today, we have renamed the "zf2" repository on GitHub to "zendframework".

Per the GitHub documentation on renames, existing links will be automatically redirected, and will persist as long as we do not create a new repository with the name "zf2". Redirects occur for:

  • issues
  • wikis
  • stars
  • followers
  • git operations

Update your remotes

While git operations pushing and pulling from the original repository URLs will continue to work, GitHub recommends you update your git remotes to point to the new location. You can do this with the following in the CLI:

$ git remote set-url origin https://github.com/zendframework/zendframework.git

Note the following:

  • Replace origin with the name of the remote you use locally; upstream is also commonly used. Run git remote -v to see what you're actually using.
  • Valid remote URLs now include:

Composer

Because Packagist points to GitHub, it will seamlessly redirect. Additionally, the sha1s of all commits remain identical. As such, the change should have no impact on end-users with existing installs.

We have updated Packagist to point to the new URL as well, so that as users update, their composer.lock files will start pointing to the new URL.

Source

In contrast to Zend Framework 2, which was a complete rewrite and break with the architecture of Zend Framework 1, the Zend Framework 3 initiative is more of an evolutionary change. We are laser-focused on keeping as much backwards compatibility as possible, and providing reasonable migration steps for our users. Instead of moving development to a new repository, we have split code into multiple component repositories, and made the main Zend Framework repository a "meta" repository, containing dependency information only.

Another way of putting it: changes to the main repository are happening incrementally, and version 3 will just be a new major version update within the existing repository.

However, such evolutionary change poses a slight logistical problem: the repository is currently named "zf2".

As such, we've decided to rename the repository to remove the version identifier. It will become simply "zendframework".

This naming is already reflected in our Composer package, which is named "zendframework/zendframework". Additionally, GitHub will provide long-lived redirects for all links to the repository, including those to issues, comments, pull requests, etc.; those redirects also work at the git level for each of HTTPS, SSH, and git protocol access. Because no sha1s change, this means that Composer installs will not suffer any issues, either.

We've also verified with GitHub that references of the form zendframework/zf2#... within commits, comments, etc. will continue to work, and redirect to the new location.

With all our concerns satisfied, we'll be making the change on 3 May 2016, and will post to the blog with details on how to update your git remotes to point to the renamed repository at that time.

Source