PHP agent release notes

Add new version of Ubuntu (Noble Numbat) as a supported release. (PHP-1092)

Assess performance improvements. (PHP-1039, PHP-1089, PHP-1090)

Add compatibility support for Drupal 11. (PHP-1023)

Fix issue with the format of the reported effective config. (PHP-1094)

Generate and upload effective config. (PHP-997)

Add support for specifying the log rollover size for both the log file and the security log file. (PHP-1036)

Implement API v1.1 server settings endpoint support with polling on request. (PHP-1049)

Detect containerization and upload to TeamServer. (PHP-1068)

Fix the blocking mode as specified to TeamServer for Bot blocking and IP Blacklist. (PHP-1073)

Added support for reporting the cloud provider ID. (PHP-1027)

Implemented a PHP rule for the Content-Security-Policy header or meta tag. (PHP-1033)

Validated support for Drupal version 10. (PHP-849)

Fixed a segmentation fault that could potentially occur during agent shutdown when run with PHP version 8.1. (PHP-1058)

Added support for security log settings. (PHP-995)

The PHP agent now supports the use of CONTRAST__API__TOKEN instead of CONTRAST__API__URL, CONTRAST__API__API_KEY, CONTRAST__API__SERVICE_KEY, and CONTRAST__API__USER_NAME for communication with Contrast. (PHP-1016)

Added the X-Contrast-Reporting-Instance to Contrast TeamServer communication. (PHP-981)

Fixed an issue regarding K8 failure to release build 1.32.0. (PHP-1009)

The agent now honors the flag to disable the xcontenttype-header-missing rule when sent from Contrast. (PHP-962)

Addressed an issue where occasionally, the client would send an incomplete application message, resulting in a Contrast error. (PHP-1004)

Addressed an issue where Laravel would fail to run when loaded with the agent and PHP version 8.2. (PHP-1019)

Added framework names for discovered routes. (PHP-976)

Added compatibility support for Laravel version 11. (PHP-982)

Added the ability for Protect to detect SQL injection vulnerability CVE-2024-27956. (PHP-915)

Cleaned up source code comments. (PHP-1008)

Fixed the title on reported vulnerabilities as seen in Contrast. (PHP-919 and PHP-912)

Added sensitive data masking for reported request cookies. (PHP-913)

Added an Unsafe File Upload protect rule. (PHP-818)

Added CEF logging for Protect. (PHP-822)

Fixed an issue that caused a SQL Injection vulnerability cve-2024-27956 to be missed for Assess. (PHP-983)

Initial support for WordPress version 6 content management system.

Initial support for Protect when running the PHP agent with the following rules in place:

Fixed a potential memory leak. (PHP-954)

Fixed an issue where the default logging location might not be in sync across processes. (PHP-937)

The agent's log file will now be written as follows:

Addresses issue raised in Support Bulletin: Potential Sensitive Information Leak - PHP Agent 2nd May 2024.

If the contrast_security.yaml configuration file is in the application directory, the agent will disable itself when run in a production environment.

If the agent log file is configured to be created in the application directory, the agent will discontinue logging when run in a production environment.

Added initial sensitive data masking to trace reports.

Removed unnecessary warning from the contrast-php-util enable command. (PHP-904)

Fixed the issue around restoring of internal settings state that would result in an agent error.

Updated logging around saving and restoring internal settings state.

Internal updates to make the RPM package available for RedHat 9.

Added some debug logging around internal features.

The initial release of Protect for PHP includes:

Added Red Hat 9 for x64 only.

Initial support for PHP 8.3.

Added support for Symfony 6.4 and 7.0

Added support for doing route discovery on Symfony cached routes.

Added Bookworm as a Debian distribution package.

Added initial support for PHP 8.2.

Added logging of environment variables to the agent log.

Added additional logging about unwritable log directories.

Addresses two issues that caused a segmentation fault in the PHP extension when parsing certain framework files. (SUP-4910)

Addressed the issue of incorrectly named proxy configuration items. (PHP-828)

Added ability to specify a proxy to use for Contrast communication.

Added logging around setting the temporary path for the network communication layer.

Fixed an issue where setting the request logging feature (api.log_requests) to true while using STDOUT as the log output path would result in no logging of network requests.

Fixed issue with seg fault when running with PHP 8.0 and Laravel 9.

Fixed issue with passthrough module not loading on versions 8.0 and 8.1.

Updated internal packages to address a security flaw.

Removed an unused configuration setting.

Fixed an issue where certain PHP files would cause a segmentation fault in the agent. Improved overall agent robustness.

Updated internal library versions.

Added Jammy as a Debian distribution package.

Detection of Symfony framework and version.

Added instrumentation for Doctrine when using Symfony.

Updated the copyright date for the license file.

Ensured that group, metadata, and session_metadata values from the configuration file are properly parsed for automatic application onboarding.

Added support for Symfony framework.

Added SCA analysis for custom Drupal modules (not installed via Composer).

Fixed a potential crash in the agent when encountering PHP code that consists of a coalesce call and a closure.

Updated the data provided to Contrast to ensure that it contains a valid stack trace.

Eliminated some potential false positive reflected-xss reports from request headers.

Identify Drupal modules not installed via Composer.

Added support for PHP 8.0.

Use the web server root directory as the working directory when running with PHP-FPM on Red Hat Enterprise. (PHP-679)

Initial support for PHP 8.1.

Added initial Assess support for Drupal 8 and 9.

Added SCA support for Drupal 8 and 9 when installing modules using Composer packages.

Added support for LDAP injection rules.

Added support for NoSQL injection rules for MongoDB and Redis.

Fixes minor issue with route discovery logs.

Initial triggers for redos rule.

Provides packages for arm64/aarch64.

Includes fixes previously released in 1.3.1 and 1.3.2.

Better error handling for request shutdown hook. (PHP-576)

Initial support for nosql-injection rule: initial support is for the Datastax Cassandra CQL driver for PHP.

Support for capturing full stack traces and relevant common configuration options.

Fixed issue when using relative agent log path. (PHP-540)

Fixed issue with route discovery when running under php-fpm. (PHP-528)

Agent is now disabled by default with PHP command-line interface (CLI) in order to prevent accidental analysis of PHP scripts and commands.

Added diagnostic script contrast-php-util to agent package along with experimental commands for enabling/disabling agent to ease onboarding.

Added support for reflection-injection rule.

Contains fixes for configuration of Assess and API certificates that were included in previous individual bugfix releases.

Add certificate configuration option for Contrast API.

Agent now defers to Contrast web interface setting for enabling Assess if omitted from configuration. Previously the agent required Assess to be explicitly enabled locally as well.

Improvements to trace event rendering in the Contrast web interface.

Added coverage to unsafe-code-execution for extract function.

Fixed issue with configuration file discovery paths. (PHP-496)

Fixed issue with json_decode propagation. (PHP-482)

Assess and SCA feature support for PHP applications.

Support for the Laravel framework.