PHP agent release notes
Release date: October 9, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Added support for reporting the cloud provider ID. (PHP-1027)
Implemented a PHP rule for the Content-Security-Policy header or meta tag. (PHP-1033)
Validated support for Drupal version 10. (PHP-849)
Bug fixes:
Fixed a segmentation fault that could potentially occur during agent shutdown when run with PHP version 8.1. (PHP-1058)
Release date: September 17, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Added support for security log settings. (PHP-995)
The PHP agent now supports the use of CONTRAST__API__TOKEN instead of CONTRAST__API__URL, CONTRAST__API__API_KEY, CONTRAST__API__SERVICE_KEY, and CONTRAST__API__USER_NAME for communication with Contrast. (PHP-1016)
Note: Contrast TeamServer is not yet adding the token to the downloadable agent configuration file.
Added the X-Contrast-Reporting-Instance to Contrast TeamServer communication. (PHP-981)
Release date: August 21, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
Bug fixes:
Fixed an issue regarding K8 failure to release build 1.32.0. (PHP-1009)
The agent now honors the flag to disable the xcontenttype-header-missing rule when sent from Contrast. (PHP-962)
Addressed an issue where occasionally, the client would send an incomplete application message, resulting in a Contrast error. (PHP-1004)
Addressed an issue where Laravel would fail to run when loaded with the agent and PHP version 8.2. (PHP-1019)
Release date: July 19, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Added framework names for discovered routes. (PHP-976)
Added compatibility support for Laravel version 11. (PHP-982)
Added the ability for Protect to detect SQL injection vulnerability CVE-2024-27956. (PHP-915)
Bug fixes:
Cleaned up source code comments. (PHP-1008)
Fixed the title on reported vulnerabilities as seen in Contrast. (PHP-919 and PHP-912)
Release date: June 27, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Added sensitive data masking for reported request cookies. (PHP-913)
Added an Unsafe File Upload protect rule. (PHP-818)
Added CEF logging for Protect. (PHP-822)
Bug fixes:
Fixed an issue that caused the SQL injection vulnerability CVE-2024-27956 to be missed for Assess. (PHP-983)
Release date: June 11, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Initial support for WordPress version 6 content management system.
Initial support for Protect when running the PHP agent with the following rules in place:
Bot blocking
Command Injection
IP Blocking
Path Traversal
Reflected XSS
SQL Injection
Bug fixes:
Fixed a potential memory leak. (PHP-954)
Fixed an issue where the default logging location might not be in sync across processes. (PHP-937)
Release date: May 10, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
The agent's log file will now be written as follows:
If the directory is specified in the YAML file or the environment variable then the log will be written to that location.
If the location is not specified:
The agent will attempt to log to $HOME/.contrast/contrast_agent.log
If that directory is not accessible, the fallback directory is /tmp/.contrast/
Lastly, if /tmp does not exist or there are insufficient privileges, the log stream is written to stdout.
If using a contrast_security.yaml file for configuration settings, the file location should be specified using the CONTRAST_CONFIG_PATH environment variable. If not explicitly specified, the agent will look in the following locations:
/etc/contrast/php
/etc/contrast/
/etc/
Release date: May 6, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
Bug fixes:
Addresses issue raised in Support Bulletin: Potential Sensitive Information Leak - PHP Agent 2nd May 2024.
If the contrast_security.yaml configuration file is in the application directory, the agent will disable itself when run in a production environment.
If the agent log file is configured to be created in the application directory, the agent will discontinue logging when run in a production environment.
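As an added example (not Contrast's code), the shell script below models the log and configuration lookup order from the May 10, 2024 notes and flags the two placements the May 6, 2024 fix reacts to. Assumptions: CONTRAST_CONFIG_PATH holds the full path to the file, "accessible" means writable or creatable, /var/www/html is a constructed application directory, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: models the lookup order in these release notes; it never calls the agent.
# All function names are hypothetical.

# Assumption: "accessible" = directory is writable, or can be created in a writable parent.
can_use_dir() {
    if [ -d "$1" ]; then [ -w "$1" ]; return; fi
    parent=$(dirname "$1")
    [ -d "$parent" ] && [ -w "$parent" ]
}

# $1 = log directory from YAML/environment (may be empty), $2 = home dir, $3 = temp root.
resolve_log_target() {
    if [ -n "$1" ]; then printf '%s\n' "$1"
    elif can_use_dir "$2/.contrast"; then printf '%s\n' "$2/.contrast"
    elif can_use_dir "$3/.contrast"; then printf '%s\n' "$3/.contrast"
    else echo stdout
    fi
}

# $1 = CONTRAST_CONFIG_PATH value (assumed to be a file path), $2 = root prefix ("" on a real host).
resolve_config() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; return 0; fi
    for d in /etc/contrast/php /etc/contrast /etc; do
        f=$2$d/contrast_security.yaml
        if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Plain prefix test; symlinks are not resolved.
is_inside() {
    p=${1%/} root=${2%/}
    case "$p/" in "$root"/*) return 0 ;; esac
    return 1
}

# $1 = application directory, $2 = config file (may be empty), $3 = log target.
audit_placement() {
    rc=0
    if [ -n "$2" ] && is_inside "$2" "$1"; then echo "config inside application directory: $2"; rc=1; fi
    if [ "$3" != stdout ] && is_inside "$3" "$1"; then echo "log inside application directory: $3"; rc=1; fi
    return $rc
}

# Run against this host; /var/www/html is a constructed application directory.
log=$(resolve_log_target "" "$HOME" /tmp)
cfg=$(resolve_config "${CONTRAST_CONFIG_PATH:-}" "") || cfg=
audit_placement /var/www/html "$cfg" "$log" || echo "move the flagged paths out of the application directory"
```

Run it as the user the PHP worker runs as, since the log fallback depends on that account's home directory and write permissions.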
Release date: April 25, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Added initial sensitive data masking to trace reports.
Bug fixes:
Removed unnecessary warning from the contrast-php-util enable command. (PHP-904)
Release date: April 5, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
Bug fixes:
Fixed the issue around restoring of internal settings state that would result in an agent error.
Updated logging around saving and restoring internal settings state.
Release date: March 19, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Internal updates to make the RPM package available for RedHat 9.
Added some debug logging around internal features.
Release date: March 5, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
The initial release of Protect for PHP includes:
Running the agent in Protect mode using a configuration setting or the setting specified in the Contrast web interface.
Available Protect Rules:
Cross-site scripting (XSS)
Command Injection
Path Traversal
SQL Injection
Additional rules will be added in later releases. Other features such as exclusion support, PII masking, IP controls and bot-blocking will be provided in later releases.
Added Red Hat 9 for x64 only.
Release date: February 20, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2, 8.3
New and improved:
Initial support for PHP 8.3.
Release date: January 22, 2024
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2
New and improved:
Added support for Symfony 6.4 and 7.0
Archive
Release date: December 4, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2
New and improved:
Added support for doing route discovery on Symfony cached routes.
Release date: November 7, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2
New and improved:
Added Bookworm as a Debian distribution package.
Release date: October 25, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1, 8.2
New and improved:
Added initial support for PHP 8.2.
Release date: October 23, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Added logging of environment variables to the agent log.
Added additional logging about unwritable log directories.
Release date: August 15, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
Bug fixes:
Addresses two issues that caused a segmentation fault in the PHP extension when parsing certain framework files. (SUP-4910)
Release date: August 14, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
Bug fixes:
Addressed the issue of incorrectly named proxy configuration items. (PHP-828)
Release date: August 10, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Added ability to specify a proxy to use for Contrast communication.
Release date: July 13, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Added logging around setting the temporary path for the network communication layer.
Release date: June 29, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
Bug fixes:
Fixed an issue where setting the request logging feature (api.log_requests) to true while using STDOUT as the log output path would result in no logging of network requests.
Release date: May 31, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
Bug fixes:
Fixed issue with seg fault when running with PHP 8.0 and Laravel 9.
Fixed issue with passthrough module not loading on versions 8.0 and 8.1.
Release date: May 17, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Updated internal packages to address a security flaw.
Removed an unused configuration setting.
Bug fixes:
Fixed an issue where certain PHP files would cause a segmentation fault in the agent. Improved overall agent robustness.
Release date: April 28, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Updated internal library versions.
Release date: April 17, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Added Jammy as a Debian distribution package.
Release date: March 30, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Detection of Symfony framework and version.
Added instrumentation for Doctrine when using Symfony.
Bug fixes:
Updated the copyright date for the license file.
Ensured that group, metadata, and session_metadata values from the configuration file are properly parsed for automatic application onboarding.
Release date: February 17, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Added support for Symfony framework.
Release date: January 26, 2023
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Added SCA analysis for custom Drupal modules (not installed via Composer).
Bug fixes:
Fixed a potential crash in the agent when encountering PHP code that consists of a coalesce call and a closure.
Updated the data provided to Contrast to ensure that it contains a valid stack trace.
Eliminated some potential false positive reflected-xss reports from request headers.
Release date: November 14, 2022
Language versions currently supported: PHP 7.4, 8.0, 8.1
New and improved:
Identify Drupal modules not installed via Composer.
Added support for PHP 8.0.
Bug fixes:
Use the web server root directory as the working directory when running with PHP-FPM on Red Hat Enterprise. (PHP-679)
Release date: September 20, 2022
Language versions currently supported: PHP 7.4, 8.1
New and improved:
Initial support for PHP 8.1.
Release date: August 30, 2022
Language versions currently supported: PHP 7.4
New and improved:
Added initial Assess support for Drupal 8 and 9.
Added SCA support for Drupal 8 and 9 when installing modules using Composer packages.
Release date: June 28, 2022
Language versions currently supported: PHP 7.4
New and improved:
Added support for LDAP injection rules.
Added support for NoSQL injection rules for MongoDB and Redis.
Release date: June 13, 2022
Language versions currently supported: PHP 7.4
Bug fixes:
Fixes minor issue with route discovery logs.
Release date: June 06, 2022
Language versions currently supported: PHP 7.4
New and improved:
Initial triggers for redos rule.
Provides packages for arm64/aarch64.
Bug fixes:
Includes fixes previously released in 1.3.1 and 1.3.2.
Release date: May 26, 2022
Language versions currently supported: PHP 7.4
Release date: May 25, 2022
Language versions currently supported: PHP 7.4
Bug fixes:
Better error handling for request shutdown hook. (PHP-576)
Release date: May 24, 2022
Language versions currently supported: PHP 7.4
New and improved:
Initial support for nosql-injection rule: initial support is for the Datastax Cassandra CQL driver for PHP.
Support for capturing full stack traces and relevant common configuration options.
Bug fixes:
Fixed issue when using relative agent log path. (PHP-540)
Fixed issue with route discovery when running under php-fpm. (PHP-528)
Release date: May 11, 2022
Language versions currently supported: PHP 7.4
New and improved:
Agent is now disabled by default with PHP command-line interface (CLI) in order to prevent accidental analysis of PHP scripts and commands.
Added diagnostic script contrast-php-util to agent package along with experimental commands for enabling/disabling agent to ease onboarding.
Added support for reflection-injection rule.
Bug fixes:
Contains fixes for configuration of Assess and API certificates that were included in previous individual bugfix releases.
Release date: April 26, 2022
Language versions currently supported: PHP 7.4
New and improved:
Add certificate configuration option for Contrast API.
Release date: April 25, 2022
Language versions currently supported: PHP 7.4
Bug fixes:
Agent now defers to Contrast web interface setting for enabling Assess if omitted from configuration. Previously the agent required Assess to be explicitly enabled locally as well.
Release date: April 21, 2022
Language versions currently supported: PHP 7.4
New and improved:
Improvements to trace event rendering in the Contrast web interface.
Added coverage to unsafe-code-execution for extract function.
Bug fixes:
Fixed issue with configuration file discovery paths. (PHP-496)
Fixed issue with json_decode propagation. (PHP-482)
Release date: April 4, 2022
Language versions currently supported: PHP 7.4
New and improved:
Assess and SCA feature support for PHP applications.
Support for the Laravel framework.