PHP microagent release notes

Sqreen PHP extension

[1.24.2] 2021-02-24

  • Reviewed severity of all log statements to better highlight potential issues with Sqreen or the user application.
  • Improved wording of relevant log statements.

[1.24.1] 2021-02-10

  • Fixed instrumentation of user methods inherited from internal classes.

[1.24.0] 2021-02-03

  • Added Server-Side Request Forgery protection support.
  • Added vendor_location configuration option.
  • Security and reliability improvements.

[1.23.0] 2020-12-04

  • PHP 8 Support for Debian and Red Hat based systems.
  • Added LFI filter callback.
  • Improved composer support.

[1.22.1] 2020-10-07

  • Fixed HTTP tracing potentially causing malformed headers.
  • Security and reliability improvements.

[1.22.0] 2020-09-17

  • Added support for asynchronous tracing events.
  • Introduced native callback for user tracking SDK.

[1.21.0] 2020-07-29

  • Introduced tracing for HTTP services.
  • New blocking page design.
  • Added default daemon parameter to listen on localhost when launched by the extension.

[1.20.1] 2020-06-19

  • Bug fixes on sqeen-installer.

[1.20.0] 2020-06-11

  • Added support for Ubuntu Eoan and Focal.
  • Support for stripping environment variables.
  • Bug fixes and improvements.

[1.19.1] 2020-05-13

  • Bug fixes and improvements.
  • Added support for environment tokens.

[1.19.0] 2020-02-12

  • Support PHP 7.4
  • Fix shutdown crash on PHP 5.6/ZTS.
  • Fix sqreen-installer escaping certain characters.
  • Miscellaneous fixes and improvements.

[1.18.0] 2019-09-04

  • Introduce support for the In-app WAF

[1.17.1] 2019-08-13

  • Fix potentially uninitialized memory in track events

[1.17.0] 2019-07-10

  • sqreen-installer detects and alerts if supplied token is empty or obviously invalid.
  • Make agent compatible with a combination of Doctrine ORM and jms/di-extra-bundle.
  • Fix an issue on install with application name that embeds punctuation characters.
  • sqreen-installer detects PHP 7.3 on Apache on Debian and derivatives
  • miscellaneous fixes to instrumentation of user functions (in all supported PHP versions)

[1.16.1] 2019-05-01

  • Correct a warning caused when the agent look for installed.json outside of open_basedir's specification

[1.16.0] 2019-04-18

  • Improve the performance of the request shutdown
  • Improve the performance of attacks recording
  • Better limit the time taken by CRS
  • Better measure the performance impact of Sqreen

[1.15.0] 2019-03-22

  • Support for organization token
  • Improve SQL coverage on PostgreSQL
  • Improve compatibility with the upcomming Debian Buster, and with Ubuntu 18.04 and 18.10

[1.14.0] 2019-01-22

  • Support redirect_user action

[1.13.1] 2019-01-14

  • Fix sqreen-installer not recognizing php 7.3 installations
  • Better support for performance budget

[1.13.0] 2019-01-07

  • Support Sqreen performance budget

[1.12.0] 2018-12-20

  • Support performance metrics
  • Hooks for connections to mysql/pgsql and callbacks for generating metrics (in order to support database discovery)

[1.11.0] 2018-12-03

  • Support PHP 7.3
  • Performance improvement for redirect_ip and block_ip actions

[1.10.0] 2018-10-24

  • Fix segfault on restart for release builds on PHP 7/ZTS
  • Do not log fatal error when blocking
  • xss: read content-type in response, ignore non-html

[1.9.5] 2018-08-03

  • Remove XSS false positive for reflected JavaScript variable

[1.9.4] 2018-08-01

  • Support RunCloud in the installation script

[1.9.3] 2018-07-26

  • Improve XSS detection

[1.9.2] 2018-06-19

  • Improve block user security response behavior

[1.9.1] 2018-06-18

  • Improve compatibility with NewRelic

[1.9.0] 2018-06-12

  • Add support for block user security response.
  • Update security responses format.

[1.8.2] 2018-06-07

  • Improve PHP XSS security plugin detection

[1.8.1] 2018-05-24

  • Improve PHP binary detection in the sqreen-installer script

[1.8.0] 2018-05-17

  • Improve communication with the daemon
  • Add support for security responses
  • Improve launch_daemon behavior

[1.7.0] 2018-04-25

  • Add new SDK sqreen\track
  • Add a new hookpoint on the XML entity loader
  • Improve compatibility with Apache 2
  • Improve detection of Composer packages

[1.6.0] 2018-03-22

  • Improve Alpine packaging
  • Improve performance while blocking attacks on PHP FPM
  • Move OWASP WAF rule in the extension to improve performances
  • Launch the daemon from the extension

[1.5.6] 2018-03-16

  • Improve handling of network issue

[1.5.5] 2018-03-07

  • Better handling of blocked requests during php-fpm request_startup
  • Add connection timeout with the daemon

[1.5.4] 2018-02-28

  • Correctly handle headers without colon

[1.5.3] 2018-02-21

  • Better detection of PHP in sqreen-installer
  • Fix passlist with XSS detection

[1.5.2] 2018-02-17

  • Fix PDO deinstrumentation on httpd-itk
  • Fix warning on old glibc (<2.17)
  • Fix install script on env without $PATH
  • Add set_ini option in sqreen-installer

[1.5.1] 2018-02-13

  • Support for debian wheezy
  • Add missing build for PHP 5.4

[1.5.0] 2018-01-31

  • Add support for PHP 5.3 And PHP 5.4
  • Add support for libmysqlclient
  • Fix error page display

[1.4.0] 2018-01-12

  • Support for SDK identify

[1.3.0] 2017-12-19

  • Support for PHP 7.2

[1.2.2] 2017-12-14

  • Fix an issue with userland function instrumentation
  • Display an error when no PHP installation found

[1.2.1] 2017-11-28

  • Better handling of CPanel installation
  • Fix RPM update

[1.2] 2017-11-21

  • Improve XSS protection
  • Improve installation on CPanel

[1.1.2] 2017-10-26

  • Fix include/eval hook bug in PHP 5.5
  • Correctly set sqreen-installer symlink on update

[1.1.1] 2017-10-26

  • Improve XSS detection

[1.1.0] 2017-10-20

  • Add support for Alpine package
  • Improve SQL detection when using Doctrine

[1.0.2] 2017-10-12

  • Improve XSS detection

[1.0.1] 2017-10-06

  • Logging improvement

[1.0] 2017-10-06

  • Fix log file permissions
  • Better handling of network issues
  • Fix spurious error messages

[0.12.2] 2017-10-05

  • Correctly close log file after apache2 reload

[0.12.1] 2017-10-03

  • Fix apache graceful restart
  • Log in only one file

[0.12] 2017-09-27

  • Add support for composer packages
  • Add support for the protection mode
  • Support for eval injection protection
  • Improve performance of backtrace fetching
  • Fix an issue with the PostreSQL hook
  • Fix wrong metrics being sent

[0.11] 2017-09-18

  • Support passlist
  • Global performance improvement
  • Send parsed params to the daemon
  • Performance improvement on PHP processes creation
  • Support for PostgreSQL

[0.10.1] 2017-09-06

  • Fix Debian setup issues
  • Support backtraces
  • Better connection failure handling
  • Fix extension version dislpay
  • Do not require mysqnld anymore

[0.10] 2017-09-04

  • Faster XSS protection
  • Shell injection protection
  • Denylist support
  • Extension is not enabled on CLI
  • Support for sqreen.disable option
  • Remove package dependencies

[0.9] 2017-08-24

  • Authentication SDK support
  • Improve memory management
  • Allow to use hostnames in daemon address

[0.8] 2017-08-21

  • Add support for PHP 5.5 and 5.6
  • Add support for ZTS
  • Fix memory leaks
  • Improve log management

[0.7.3] 2017-08-11

  • Fix MySQL instrumentation for PDO

[0.7.2] 2017-08-08

  • Improve TCP communication with the daemon

[0.7.1] 2017-08-06

  • Read configuration after module initialization

[0.7] 2017-08-03

  • Improve logs
  • Improve memory management
  • Improve reliability on agent / daemon communication
  • Add the ability to dynamically update the security rules

[0.6.6] 2017-07-27

  • Make build compatible with CentOS6
  • Fix closing socket on module exit

[0.6.5] 2017-07-18

  • Fix issue on request initialization endpoint

[0.6.4] 2017-07-17

  • Fix issue on path transmitted to the daemon

[0.5]

  • Fix HTTP headers read in FPM

[0.4] 2017-06-13

  • Public release of the PHP agent

Sqreen daemon for PHP

[1.21.0] 2020-10-28

  • Fixed bug which caused ip_header to be ignored from configuration file.
  • Improved backend URL validation.
  • Added support for collect_body on SDK track events.
  • Improved the In-App WAF.
  • Further bug fixes and improvements.

[1.20.0] 2020-09-17

  • Added support for asynchronous tracing events.
  • Introduced tracing for MySQL, PostgreSQL, SQLite3, Redis, MongoDB and AMQP.
  • Improved the In-App WAF.

[1.19.0] 2020-07-29

  • Fixed configuration file and environment loading.
  • Detect backend connectivity and default to sqreen.com whenever available.
  • Introduced tracing for HTTP services.
  • Minor fixes and improvements.

[1.18.0] 2020-07-02

  • Log file permissions to be more restrictive.
  • Restrict backend URLs to known domains.
  • Updated PyMiniRacer to version 0.3.0, related to CVE-2020-25489.
  • Multiple other bug fixes and improvements.

[1.17.1] 2020-06-11

  • Improved the In-App WAF.
  • Added support for signal API.
  • Improved initialization process.
  • General performance improvements and bug fixes.

[1.16.0] 2020-04-10

  • Improved PII scrubbing.
  • Better JS garbage collection.
  • Introduce the STRIP_HTTP_REFERER configuration option.
  • Improvements to the In-App WAF.
  • Fix the rule signature verification, related to CVE-2020-25490.
  • General performance improvements and bug fixes.

[1.15.1] 2019-12-26

  • Avoid sending an unexpected field in user monitoring

[1.15.0] 2019-12-18

  • Multiple In-App WAF reliability and performance improvements.
  • Fix an inconsistency in Security Responses enforcement.
  • Improved network loop performance.

[1.14.1] 2019-10-04

  • Improve support for the In-App WAF

[1.14.0] 2019-09-24

  • Introduce support for the In-App WAF
  • Expire old extension sessions when they have not been used for more than 10 minutes
  • Multiple performance improvements

[1.13.1] 2019-08-12

  • Fix an issue that could cause the agent to go in an infinite loop
  • Support the improved format for attack rendering

[1.13.0] 2019-04-18

  • Improve the performance of the request shutdown
  • Improve the performance of attack recording
  • Improve the management of an unstable link between the daemon and the extension
  • Add support for Ubuntu 19.04

[1.12.0] 2019-03-22

  • Support of organization token
  • Configurable PII scrubbing. Learn more about this: configuration
  • Improve the behaviour of the agent when our API experience difficulties
  • Improve compatibility with the upcomming Debian Buster, and with Ubuntu 18.04 and 18.10
  • Improve the handling of malformed IP addresses

[1.10.0] 2019-01-22

  • Support redirect_user action

[1.9.2] 2019-01-17

  • Support metrics on rules without daemon-side callbacks (db detection rules)

[1.9.1] 2019-01-14

  • Better support for performance budget

[1.9.0] 2019-01-07

  • Support Sqreen clock time overhead cap

[1.8.1] 2018-12-23

  • Improve stability when blocking multiple IPs

[1.8.0] 2018-12-20

  • Fix memory leaks
  • Reduce number of v8 isolates instantiated (less memory usage)
  • Improve performance of ip blocking
  • Support performance metrics sent by the PHP extension

[1.7.0] 2018-11-20

  • Improve CPU usage

[1.6.5] 2018-08-08

  • Improve startup performance

[1.6.4] 2018-08-03

  • Improve stability

[1.6.3] 2018-07-10

  • Strip sensitive data before sending them to the BackEnd

[1.6.2] 2018-07-03

  • Improve performance on high throughput application
  • Fix the IP denylist for request without IP

[1.6.1] 2018-06-11

  • Update security plugin signature validation algorithm.
  • Update vendored dependencies.

[1.6.0] 2018-05-17

  • Improve communication with the BackEnd
  • Correctly forward security responses to the extension

[1.5.0] 2018-04-25

  • Handle track SDK
  • Minor performance improvement when executing security rules

[1.4.4] 2018-04-11

  • Add IP_HEADER option to configure on which header the IP is fetch

[1.4.3] 2018-04-09

  • Improve user-agent matching detection
  • Improve log messages
  • Make the binary compatible with prelink

[1.4.2] 2018-03-15

  • Check Sqreen BackEnd connection before accepting new connections
  • Read config file from /etc/default/sqreen-agent if the file exists

[1.4.1] 2018-03-12

  • Improve memory usage
  • Properly scale down unused processes

[1.4.0] 2018-03-05

  • Improve memory usage
  • Improve handling of disabled application
  • Fixed file descriptor leak

[1.3.1] 2018-02-16

  • Don't trigger logging code when logging is not enabled
  • Don't record broken pipe error

[1.3.0] 2018-01-12

  • Support for sdk identify

[1.2.3] 2018-01-11

  • Properly handle SIGTERM with multiple processes

[1.2.2] 2018-01-10

  • Start new process when handling lot of connections

[1.2.1] 2018-01-08

  • Improve performance when handling many connections

[1.2.1] 2018-01-08

  • Improve performance when handling many connection

[1.2.0] 2017-11-23

  • Update the user-agent used
  • Fix crash that can occurs on invalid payload
  • Smaller communication payloads

[1.1.2] 2017-10-27

  • Add more accurate log on error
  • Display extension version on log

[1.1.1] 2017-10-26

  • Remove exec requirement on /tmp

[1.1.0] 2017-10-25

  • Handle backtrace fetching during rule execution

[1.0.4] 2017-10-20

  • Relogin on PHP extension update

[1.0.3] 2017-10-18

  • Improve performance on long parameters

[1.0.2] 2017-10-16

  • Better handling of big payload
  • Fix encoding issues in JS callbacks
  • Improve IP address detection

[1.0.1] 2017-10-13

  • Correctly handle disconnected client
  • Better handling of IP address

[1.0.0] 2017-10-06

  • Better handling of network issues

[0.9.3] 2017-10-05

  • Correctly handle HTTP request without IP

[0.9.2] 2017-09-28

  • Better detection of vulnerability discovery

[0.9.1] 2017-09-21

  • Better connection failure handling

[0.9.0] 2017-09-18

  • Support record of PHP traceback
  • Global performance improvement

[0.8.2] 2017-09-08

  • Fix rules reload behaviour

[0.8.1] 2017-09-01

  • Correctly fetch the headers

[0.8.0] 2017-09-01

  • Correctly record IP address
  • Add passlist support
  • Better handling of HTTP request
  • Memory improvement
  • Correctly handle systemd service

[0.7.9] 2017-08-25

  • Better handling of non unicode data
  • Better handling of error

[0.7.8] 2017-08-18

  • Prevent leak of file descriptor

[0.7.7] 2017-08-17

  • Be more resilient on socket creation

[0.7.6] 2017-08-16

  • Fix memory leak

[0.7.5] 2017-08-11

  • Correctly handle cargs

[0.7.4] 2017-08-10

  • Better handling of package removing
  • Better handling of invalid msg_pack command

[0.7.3] 2017-08-08

  • Improve TCP communication with the extension

[0.7.2] 2017-08-03

  • Remove unexpected logging messages

[0.7.1] 2017-08-03

  • Better logging when using a proxy

[0.7.0] 2017-08-03

  • Improve logging messages
  • Improve communication between the agent and the extension