
PHP agent release notes

Release date: October 9, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

New and improved:

  • Added support for reporting the cloud provider ID. (PHP-1027)

  • Implemented a PHP rule for the Content-Security-Policy header or meta tag. (PHP-1033)

  • Validated support for Drupal version 10. (PHP-849)

Bug fixes:

  • Fixed a segmentation fault that could potentially occur during agent shutdown when run with PHP version 8.1. (PHP-1058)

Release date: September 17, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

New and improved:

  • Added support for security log settings. (PHP-995)

  • The PHP agent now supports the use of CONTRAST__API__TOKEN instead of CONTRAST__API__URL, CONTRAST__API__API_KEY, CONTRAST__API__SERVICE_KEY, and CONTRAST__API__USER_NAME for communication with Contrast. (PHP-1016)

    Note

    Contrast TeamServer is not yet adding the token to the downloadable agent configuration file.

  • Added the X-Contrast-Reporting-Instance to Contrast TeamServer communication. (PHP-981)

Release date: August 21, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

Bug fixes:

  • Fixed an issue regarding K8 failure to release build 1.32.0. (PHP-1009)

  • The agent now honors the flag to disable the xcontenttype-header-missing rule when sent from Contrast. (PHP-962)

  • Addressed an issue where occasionally, the client would send an incomplete application message, resulting in a Contrast error. (PHP-1004)

  • Addressed an issue where Laravel would fail to run when loaded with the agent and PHP version 8.2. (PHP-1019)

Release date: July 19, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

New and improved:

  • Added framework names for discovered routes. (PHP-976)

  • Added compatibility support for Laravel version 11. (PHP-982)

  • Added the ability for Protect to detect SQL injection vulnerability CVE-2024-27956. (PHP-915)

Bug fixes:

  • Cleaned up source code comments. (PHP-1008)

  • Fixed the title on reported vulnerabilities as seen in Contrast. (PHP-919 and PHP-912)

Release date: June 27, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

New and improved:

  • Added sensitive data masking for reported request cookies. (PHP-913)

  • Added an Unsafe File Upload protect rule. (PHP-818)

  • Added CEF logging for Protect. (PHP-822)

Bug fixes:

  • Fixed an issue that caused the SQL injection vulnerability CVE-2024-27956 to be missed for Assess. (PHP-983)

Release date: June 11, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

New and improved:

  • Initial support for WordPress version 6 content management system.

  • Initial support for Protect when running the PHP agent with the following rules in place:

    • Bot blocking

    • Command Injection

    • IP Blocking

    • Path Traversal

    • Reflected XSS

    • SQL Injection

Bug fixes:

  • Fixed a potential memory leak. (PHP-954)

  • Fixed an issue where the default logging location might not be in sync across processes. (PHP-937)

Release date: May 10, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

New and improved:

  • The agent's log file will now be written as follows:

    • If the directory is specified in the YAML file or the environment variable then the log will be written to that location.

    • If the location is not specified:

      • The agent will attempt to log to $HOME/.contrast/contrast_agent.log

      • If that directory is not accessible, the fallback directory is /tmp/.contrast/

      • Lastly, if /tmp does not exist or there are insufficient privileges then the log stream is written to stdout

  • If using a contrast_security.yaml file for configuration settings, the file location should be specified using the CONTRAST_CONFIG_PATH environment variable. If not explicitly specified, the agent will look in the following locations:

      1. /etc/contrast/php

      2. /etc/contrast/

      3. /etc/

Release date: May 6, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

Bug fixes:

  • Addresses issue raised in Support Bulletin: Potential Sensitive Information Leak - PHP Agent 2nd May 2024.

  • If the contrast_security.yaml configuration file is in the application directory, the agent will disable itself when run in a production environment.

  • If the agent log file is configured to be created in the application directory, the agent will discontinue logging when run in a production environment.
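
The lookup order from the May 10, 2024 release and the application-directory conditions from the May 6, 2024 release, as an added shell example for auditing a host before deployment (not Contrast's code). `ROOT`, the function names, the treatment of CONTRAST_CONFIG_PATH as a file path and the writability test used for "accessible" are assumptions.

```sh
#!/bin/sh
# Added example. ROOT is a hypothetical prefix for sandboxed runs; leave it
# unset on a real host.

# Config file the agent would load: CONTRAST_CONFIG_PATH (assumed here to name
# the file itself), then the three documented directories in order.
resolve_config() (
  if [ -n "${CONTRAST_CONFIG_PATH:-}" ]; then
    printf '%s\n' "$CONTRAST_CONFIG_PATH"; exit 0
  fi
  for dir in /etc/contrast/php /etc/contrast /etc; do
    f="${ROOT:-}$dir/contrast_security.yaml"
    if [ -f "$f" ]; then printf '%s\n' "$f"; exit 0; fi
  done
  exit 1
)

# Assumed reading of "accessible": the directory exists and is writable, or
# its parent is writable so the directory could be created.
usable_dir() {
  if [ -d "$1" ]; then [ -w "$1" ]; else [ -d "${1%/*}" ] && [ -w "${1%/*}" ]; fi
}

# Log destination: an explicit directory ($1, from YAML or the environment)
# wins, then $HOME/.contrast, then /tmp/.contrast, and finally stdout.
resolve_log_dir() (
  if [ -n "${1:-}" ]; then printf '%s\n' "$1"; exit 0; fi
  for d in "${HOME:-}/.contrast" "${ROOT:-}/tmp/.contrast"; do
    if usable_dir "$d"; then printf '%s\n' "$d"; exit 0; fi
  done
  printf 'stdout\n'
)

# True when file $1 lies under application directory $2, the placement that
# per the May 6, 2024 notes disables the agent (config) or stops logging (log)
# in production. Both sides are resolved through symlinks before comparing.
in_app_dir() (
  d=$(CDPATH= cd "$(dirname "$1")" 2>/dev/null && pwd -P) || exit 1
  a=$(CDPATH= cd "$2" 2>/dev/null && pwd -P) || exit 1
  case "$d/" in "$a"/*) exit 0 ;; *) exit 1 ;; esac
)
```

A pre-deployment check can call `in_app_dir "$(resolve_config)" /path/to/webroot` and fail the build when it returns 0; the web root path is whatever the deployment uses.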

Release date: April 25, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

New and improved:

  • Added initial sensitive data masking to trace reports.

Bug fixes:

  • Removed unnecessary warning from the contrast-php-util enable command. (PHP-904)

Release date: April 5, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

Bug fixes:

  • Fixed the issue around restoring of internal settings state that would result in an agent error.

  • Updated logging around saving and restoring internal settings state.

Release date: March 19, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

New and improved:

  • Internal updates to make the RPM package available for RedHat 9.

  • Added some debug logging around internal features.

Release date: March 5, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

New and improved:

  • The initial release of Protect for PHP includes:

    • Running the agent in Protect mode using a configuration setting or the setting specified in the Contrast web interface.

    • Available Protect Rules:  

      • Cross-site scripting (XSS)

      • Command Injection 

      • Path Traversal

      • SQL Injection

      Additional rules will be added in later releases. Other features such as exclusion support, PII masking, IP controls and bot-blocking will be provided in later releases.

  • Added Red Hat 9 for x64 only.

Release date: February 20, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3

New and improved:

  • Initial support for PHP 8.3.

Release date: January 22, 2024

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2

New and improved:

  • Added support for Symfony 6.4 and 7.0

Archive

Release date: December 4, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2

New and improved:

  • Added support for doing route discovery on Symfony cached routes.

Release date: November 7, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2

New and improved:

  • Added Bookworm as a Debian distribution package.

Release date: October 25, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2

New and improved:

  • Added initial support for PHP 8.2.

Release date: October 23, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

New and improved:

  • Added logging of environment variables to the agent log.

  • Added additional logging about unwritable log directories.

Release date: August 15, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

Bug fixes:

  • Addresses two issues that caused a segmentation fault in the PHP extension when parsing certain framework files. (SUP-4910)

Release date: August 14, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

Bug fixes:

  • Addressed the issue of incorrectly named proxy configuration items. (PHP-828)

Release date: August 10, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

New and improved:

  • Added ability to specify a proxy to use for Contrast communication.

Release date: July 13, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

New and improved:

  • Added logging around setting the temporary path for the network communication layer.

Release date: June 29, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

Bug fixes:

  • Fixed an issue where setting the request logging feature (api.log_requests) to true while using STDOUT as the log output path would result in no logging of network requests.

Release date: May 31, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

Bug fixes:

  • Fixed issue with seg fault when running with PHP 8.0 and Laravel 9.

  • Fixed issue with passthrough module not loading on versions 8.0 and 8.1.

Release date: May 17, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

New and improved:

  • Updated internal packages to address a security flaw.

  • Removed an unused configuration setting.

Bug fixes:

  • Fixed an issue where certain PHP files would cause a segmentation fault in the agent. Improved overall agent robustness.

Release date: April 28, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

New and improved:

  • Updated internal library versions.

Release date: April 17, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

New and improved:

  • Added Jammy as a Debian distribution package.

Release date: March 30, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

New and improved:

  • Detection of Symfony framework and version.

  • Added instrumentation for Doctrine when using Symfony.

Bug fixes:

  • Updated the copyright date for the license file.

  • Ensured that group, metadata, and session_metadata values from the configuration file are properly parsed for automatic application onboarding.

Release date: February 17, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

New and improved:

  • Added support for Symfony framework.

Release date: January 26, 2023

Language versions currently supported: PHP 7.4, 8.0, 8.1

New and improved:

  • Added SCA analysis for custom Drupal modules (not installed via Composer).

Bug fixes:

  • Fixed a potential crash in the agent when encountering PHP code that consists of a coalesce call and a closure.

  • Updated the data provided to Contrast to ensure that it contains a valid stack trace.

  • Eliminated some potential false positive reflected-xss reports from request headers.

Release date: November 14, 2022

Language versions currently supported: PHP 7.4, 8.0, 8.1

New and improved:

  • Identify Drupal modules not installed via Composer.

  • Added support for PHP 8.0.

Bug fixes:

  • Use the web server root directory as the working directory when running with PHP-FPM on Red Hat Enterprise. (PHP-679)

Release date: September 20, 2022

Language versions currently supported: PHP 7.4, 8.1

New and improved:

  • Initial support for PHP 8.1.

Release date: August 30, 2022

Language versions currently supported: PHP 7.4

New and improved:

  • Added initial Assess support for Drupal 8 and 9.

  • Added SCA support for Drupal 8 and 9 when installing modules using Composer packages.

Release date: June 28, 2022

Language versions currently supported: PHP 7.4

New and improved:

  • Added support for LDAP injection rules.

  • Added support for NoSQL injection rules for MongoDB and Redis.

Release date: June 13, 2022

Language versions currently supported: PHP 7.4

Bug fixes:

  • Fixes minor issue with route discovery logs.

Release date: June 06, 2022

Language versions currently supported: PHP 7.4

New and improved:

  • Initial triggers for redos rule.

  • Provides packages for arm64/aarch64.

Bug fixes:

  • Includes fixes previously released in 1.3.1 and 1.3.2.

Release date: May 26, 2022

Language versions currently supported: PHP 7.4

Release date: May 25, 2022

Language versions currently supported: PHP 7.4

Bug fixes:

  • Better error handling for request shutdown hook. (PHP-576)

Release date: May 24, 2022

Language versions currently supported: PHP 7.4

New and improved:

  • Initial support for nosql-injection rule: initial support is for the Datastax Cassandra CQL driver for PHP.

  • Support for capturing full stack traces and relevant common configuration options.

Bug fixes:

  • Fixed issue when using relative agent log path. (PHP-540)

  • Fixed issue with route discovery when running under php-fpm. (PHP-528)

Release date: May 11, 2022

Language versions currently supported: PHP 7.4

New and improved:

  • Agent is now disabled by default with PHP command-line interface (CLI) in order to prevent accidental analysis of PHP scripts and commands.

  • Added diagnostic script contrast-php-util to agent package along with experimental commands for enabling/disabling agent to ease onboarding.

  • Added support for reflection-injection rule.

Bug fixes:

  • Contains fixes for configuration of Assess and API certificates that were included in previous individual bugfix releases.

Release date: April 26, 2022

Language versions currently supported: PHP 7.4

New and improved:

  • Add certificate configuration option for Contrast API.

Release date: April 25, 2022

Language versions currently supported: PHP 7.4

Bug fixes:

  • Agent now defers to Contrast web interface setting for enabling Assess if omitted from configuration. Previously the agent required Assess to be explicitly enabled locally as well.

Release date: April 21, 2022

Language versions currently supported: PHP 7.4

New and improved:

  • Improvements to trace event rendering in the Contrast web interface.

  • Added coverage to unsafe-code-execution for extract function.

Bug fixes:

  • Fixed issue with configuration file discovery paths. (PHP-496)

  • Fixed issue with json_decode propagation. (PHP-482)

Release date: April 4, 2022

Language versions currently supported: PHP 7.4

New and improved:

  • Assess and SCA feature support for PHP applications.

  • Support for the Laravel framework.