ZF Blog

Zend Framework 2.1.4, 2.0.8, and 1.12.3 Released!

The Zend Framework community is pleased to announce the immediate availability of three new releases: 2.1.4, 2.0.8, and 1.12.3! Packages and installation instructions are available at:

The ZF2 releases include three security updates, and all ZF versions also include updates to the Twitter component to follow the Twitter v1.1 API, which is not backwards compatible with previous versions.

Security Fixes

2.1.4 and 2.0.8 contain three security fixes.

Query Route

We were alerted to the fact that the Query route could override parameters matched in parent routes, effectively bypassing constraints defined. In particular, this could result in overriding the controller or action matched by a given route.

The query route was deprecated, as a replacement exists within the HTTP router itself. You can pass a "query" option to the assemble method containing either the query string or an array of key-value pairs:

'name' => 'foo',
), array(
'query' => array(
'page' => 3,
'sort' => 'DESC',
// or: 'query' => 'page=3&sort=DESC'

// via URL helper/plugin:
$rendererOrController->url('foo', array(), array('query' => $request->getQuery()));

Additionally, the merging of query parameters into the route match was removed entirely. Please use the query container of the request object instead.

For more information on the security vector, please see ZF2013-01.

Random Number Generation

The Zend\Math\Rand component generates random bytes using the OpenSSL or Mcrypt extensions when available but will otherwise use PHP's mt_rand() function as a fallback. All outputs from mt_rand() are predictable for the same PHP process if an attacker can brute force the seed - which can be done if the attacker has access to a random number generated by `mt_rand` or the session ID (if generated without using additional entropy).

Zend Framework have revised the Zend\Math\Rand component to replace the current mt_rand() fallback for OpenSSL/Mcrypt with Anthony Ferrara's RandomLib, incorporating an additional entropy source based on source code published by George Argyros. The new fallback collects entropy from numerous sources other than PHP's internal seed mechanism and extracts random bytes from the resulting mixed entropy pool.

For more information on this security vector, please see ZF2013-02.

Database Platform Quoting

Altered Zend\Db to throw notices when insecure usage of the following methods is called:

  • Zend\Db\Adapter\Platform\*::quoteValue*()
  • Zend\Db\Sql\*::getSqlString*()

Fixed Zend\Db Platform objects to use driver level quoting when provided, and throw E_USER_NOTICE when not provided. Added quoteTrustedValue() API for notice-free value quoting. Fixed all userland quoting in Platform objects to handle a wider array of escapable characters.

For more information on this security vector, please see ZF2013-03.

Twitter API Updates

Twitter has begun sunsetting its v1.0 API, and has introduced rolling blackouts in order to prompt developers to move to the v1.1 API. Unfortunately, v1.1 is not backwards compatible with v1.0, so a number of backwards-breaking changes need to be made.

Version 2.1.0 of ZendService_Twitter and version 1.12.3 of Zend Framework have been released with support for v1.1 of the Twitter API. A number of service endpoints were removed, and others moved to new namespaces. As such, if you use the component, you are urged to upgrade, and we encourage you to read the documentation to see what methods are now available, and how to use OAuth access tokens with the service.

Polyfill Support Fixes

Polyfills (version-specific class replacements) have caused some issues in the 2.1 series for users of Zend\Stdlib and Zend\Session. In particular, users who were not using Composer were unaware/uncertain about what extra files needed to be included to load polyfills, and those users who were generating classmaps were running into issues since the same class was being generated twice.

New polyfill support was created which does the following:

  • New, uniquely named classes were created for each polyfill base.
  • A stub class file was created for each class needing polyfill support. A conditional is present in each that uses class_alias to alias the appropriate polyfill base as an import. The stub class then extends the base.
  • The compatibility/autoload.php file in each component affected was altered to trigger an E_USER_DEPRECATED error asking the user to remove the require statement for the file.

The functionality works with both Composer and ZF2's autoloading support, using either PSR-0 or classmaps. All typehinting is preserved.


Below are links to the changelogs for each version.

Thank You!

I'd like to thank our main contributors to this release. In particular, Pádraic Brady and Enrico Zimuel for researching and implementing the Random Number Generator vulnerability and fixes; Ben Scholzen for implementing fixes for the Query route; Ralph Schindler, for his fixes for the database platform quoting vulnerabilities; and Mike Willbanks, for continuing to work on solutions for session storage and timing issues.


Maintenance releases happen monthly on the third Wednesday; expect version 2.1.5 to drop 17 April 2013. We're also gearing up for version 2.2.0, which we are targetting at the end of April 2013/early May.

Return to entries

blog comments powered by Disqus