PHP microagent release notes

Sqreen PHP extension

[1.24.2] 2021-02-24
- Reviewed severity of all log statements to better highlight potential issues with Sqreen or the user application.
- Improved wording of relevant log statements.

[1.24.1] 2021-02-10
- Fixed instrumentation of user methods inherited from internal classes.

[1.24.0] 2021-02-03
- Added Server-Side Request Forgery protection support.
- Added vendor_location configuration option.
- Security and reliability improvements.

[1.23.0] 2020-12-04
- PHP 8 Support for Debian and Red Hat based systems.
- Added LFI filter callback.
- Improved composer support.

[1.22.1] 2020-10-07
- Fixed HTTP tracing potentially causing malformed headers.
- Security and reliability improvements.

[1.22.0] 2020-09-17
- Added support for asynchronous tracing events.
- Introduced native callback for user tracking SDK.

[1.21.0] 2020-07-29
- Introduced tracing for HTTP services.
- New blocking page design.
- Added default daemon parameter to listen on localhost when launched by the extension.

[1.20.1] 2020-06-19
- Bug fixes on sqreen-installer.

[1.20.0] 2020-06-11
- Added support for Ubuntu Eoan and Focal.
- Support for stripping environment variables.
- Bug fixes and improvements.

[1.19.1] 2020-05-13
- Bug fixes and improvements.
- Added support for environment tokens.

[1.19.0] 2020-02-12
- Support PHP 7.4
- Fix shutdown crash on PHP 5.6/ZTS.
- Fix sqreen-installer escaping certain characters.
- Miscellaneous fixes and improvements.

[1.18.0] 2019-09-04
- Introduce support for the In-app WAF

[1.17.1] 2019-08-13
- Fix potentially uninitialized memory in track events

[1.17.0] 2019-07-10
- sqreen-installer detects and alerts if supplied token is empty or obviously invalid.
- Make agent compatible with a combination of Doctrine ORM and jms/di-extra-bundle.
- Fix an issue on install with application name that embeds punctuation characters.
- sqreen-installer detects PHP 7.3 on Apache on Debian and derivatives
- miscellaneous fixes to instrumentation of user functions (in all supported PHP versions)

[1.16.1] 2019-05-01
- Correct a warning caused when the agent looks for installed.json outside of open_basedir's specification

[1.16.0] 2019-04-18
- Improve the performance of the request shutdown
- Improve the performance of attacks recording
- Better limit the time taken by CRS
- Better measure the performance impact of Sqreen

[1.15.0] 2019-03-22
- Support for organization token
- Improve SQL coverage on PostgreSQL
- Improve compatibility with the upcoming Debian Buster, and with Ubuntu 18.04 and 18.10

[1.14.0] 2019-01-22
- Support redirect_user action

[1.13.1] 2019-01-14
- Fix sqreen-installer not recognizing php 7.3 installations
- Better support for performance budget

[1.13.0] 2019-01-07
- Support Sqreen performance budget

[1.12.0] 2018-12-20
- Support performance metrics
- Hooks for connections to mysql/pgsql and callbacks for generating metrics (in order to support database discovery)

[1.11.0] 2018-12-03
- Support PHP 7.3
- Performance improvement for redirect_ip and block_ip actions

[1.10.0] 2018-10-24
- Fix segfault on restart for release builds on PHP 7/ZTS
- Do not log fatal error when blocking xss: read content-type in response, ignore non-html

[1.9.5] 2018-08-03
- Remove XSS false positive for reflected JavaScript variable

[1.9.4] 2018-08-01
- Support RunCloud in the installation script

[1.9.3] 2018-07-26
- Improve XSS detection

[1.9.2] 2018-06-19
- Improve block user security response behavior

[1.9.1] 2018-06-18
- Improve compatibility with NewRelic

[1.9.0] 2018-06-12
- Add support for block user security response.
- Update security responses format.

[1.8.2] 2018-06-07
- Improve PHP XSS security plugin detection

[1.8.1] 2018-05-24
- Improve PHP binary detection in the sqreen-installer script

[1.8.0] 2018-05-17
- Improve communication with the daemon
- Add support for security responses
- Improve launch_daemon behavior

[1.7.0] 2018-04-25
- Add new SDK sqreen\track
- Add a new hookpoint on the XML entity loader
- Improve compatibility with Apache 2
- Improve detection of Composer packages

[1.6.0] 2018-03-22
- Improve Alpine packaging
- Improve performance while blocking attacks on PHP FPM
- Move OWASP WAF rule in the extension to improve performance
- Launch the daemon from the extension

[1.5.6] 2018-03-16
- Improve handling of network issue

[1.5.5] 2018-03-07
- Better handling of blocked requests during php-fpm request_startup
- Add connection timeout with the daemon

[1.5.4] 2018-02-28
- Correctly handle headers without colon

[1.5.3] 2018-02-21
- Better detection of PHP in sqreen-installer
- Fix passlist with XSS detection

[1.5.2] 2018-02-17
- Fix PDO deinstrumentation on httpd-itk
- Fix warning on old glibc (<2.17)
- Fix install script on env without $PATH
- Add set_ini option in sqreen-installer

[1.5.1] 2018-02-13
- Support for debian wheezy
- Add missing build for PHP 5.4

[1.5.0] 2018-01-31
- Add support for PHP 5.3 and PHP 5.4
- Add support for libmysqlclient
- Fix error page display

[1.4.0] 2018-01-12
- Support for SDK identify

[1.3.0] 2017-12-19
- Support for PHP 7.2

[1.2.2] 2017-12-14
- Fix an issue with userland function instrumentation
- Display an error when no PHP installation found

[1.2.1] 2017-11-28
- Better handling of CPanel installation
- Fix RPM update

[1.2] 2017-11-21
- Improve XSS protection
- Improve installation on CPanel

[1.1.2] 2017-10-26
- Fix include/eval hook bug in PHP 5.5
- Correctly set sqreen-installer symlink on update

[1.1.1] 2017-10-26
- Improve XSS detection

[1.1.0] 2017-10-20
- Add support for Alpine package
- Improve SQL detection when using Doctrine

[1.0.2] 2017-10-12
- Improve XSS detection

[1.0.1] 2017-10-06
- Logging improvement

[1.0] 2017-10-06
- Fix log file permissions
- Better handling of network issues
- Fix spurious error messages

[0.12.2] 2017-10-05
- Correctly close log file after apache2 reload

[0.12.1] 2017-10-03
- Fix apache graceful restart
- Log in only one file

[0.12] 2017-09-27
- Add support for composer packages
- Add support for the protection mode
- Support for eval injection protection
- Improve performance of backtrace fetching
- Fix an issue with the PostgreSQL hook
- Fix wrong metrics being sent

[0.11] 2017-09-18
- Support passlist
- Global performance improvement
- Send parsed params to the daemon
- Performance improvement on PHP processes creation
- Support for PostgreSQL

[0.10.1] 2017-09-06
- Fix Debian setup issues
- Support backtraces
- Better connection failure handling
- Fix extension version display
- Do not require mysqlnd anymore

[0.10] 2017-09-04
- Faster XSS protection
- Shell injection protection
- Denylist support
- Extension is not enabled on CLI
- Support for sqreen.disable option
- Remove package dependencies

[0.9] 2017-08-24
- Authentication SDK support
- Improve memory management
- Allow to use hostnames in daemon address

[0.8] 2017-08-21
- Add support for PHP 5.5 and 5.6
- Add support for ZTS
- Fix memory leaks
- Improve log management

[0.7.3] 2017-08-11
- Fix MySQL instrumentation for PDO

[0.7.2] 2017-08-08
- Improve TCP communication with the daemon

[0.7.1] 2017-08-06
- Read configuration after module initialization

[0.7] 2017-08-03
- Improve logs
- Improve memory management
- Improve reliability on agent / daemon communication
- Add the ability to dynamically update the security rules

[0.6.6] 2017-07-27
- Make build compatible with CentOS6
- Fix closing socket on module exit

[0.6.5] 2017-07-18
- Fix issue on request initialization endpoint

[0.6.4] 2017-07-17
- Fix issue on path transmitted to the daemon

[0.5]
- Fix HTTP headers read in FPM

[0.4] 2017-06-13
- Public release of the PHP agent

Sqreen daemon for PHP

[1.21.0] 2020-10-28
- Fixed bug which caused ip_header to be ignored from configuration file.
- Improved backend URL validation.
- Added support for collect_body on SDK track events.
- Improved the In-App WAF.
- Further bug fixes and improvements.

[1.20.0] 2020-09-17
- Added support for asynchronous tracing events.
- Introduced tracing for MySQL, PostgreSQL, SQLite3, Redis, MongoDB and AMQP.
- Improved the In-App WAF.

[1.19.0] 2020-07-29
- Fixed configuration file and environment loading.
- Detect backend connectivity and default to sqreen.com whenever available.
- Introduced tracing for HTTP services.
- Minor fixes and improvements.

[1.18.0] 2020-07-02
- Log file permissions to be more restrictive.
- Restrict backend URLs to known domains.
- Updated PyMiniRacer to version 0.3.0, related to CVE-2020-25489.
- Multiple other bug fixes and improvements.

[1.17.1] 2020-06-11
- Improved the In-App WAF.
- Added support for signal API.
- Improved initialization process.
- General performance improvements and bug fixes.

[1.16.0] 2020-04-10
- Improved PII scrubbing.
- Better JS garbage collection.
- Introduce the STRIP_HTTP_REFERER configuration option.
- Improvements to the In-App WAF.
- Fix the rule signature verification, related to CVE-2020-25490.
- General performance improvements and bug fixes.

[1.15.1] 2019-12-26
- Avoid sending an unexpected field in user monitoring

[1.15.0] 2019-12-18
- Multiple In-App WAF reliability and performance improvements.
- Fix an inconsistency in Security Responses enforcement.
- Improved network loop performance.

[1.14.1] 2019-10-04
- Improve support for the In-App WAF

[1.14.0] 2019-09-24
- Introduce support for the In-App WAF
- Expire old extension sessions when they have not been used for more than 10 minutes
- Multiple performance improvements

[1.13.1] 2019-08-12
- Fix an issue that could cause the agent to go in an infinite loop
- Support the improved format for attack rendering

[1.13.0] 2019-04-18
- Improve the performance of the request shutdown
- Improve the performance of attack recording
- Improve the management of an unstable link between the daemon and the extension
- Add support for Ubuntu 19.04

[1.12.0] 2019-03-22
- Support of organization token
- Configurable PII scrubbing. Learn more about this: configuration
- Improve the behaviour of the agent when our API experiences difficulties
- Improve compatibility with the upcoming Debian Buster, and with Ubuntu 18.04 and 18.10
- Improve the handling of malformed IP addresses

[1.10.0] 2019-01-22
- Support redirect_user action

[1.9.2] 2019-01-17
- Support metrics on rules without daemon-side callbacks (db detection rules)

[1.9.1] 2019-01-14
- Better support for performance budget

[1.9.0] 2019-01-07
- Support Sqreen clock time overhead cap

[1.8.1] 2018-12-23
- Improve stability when blocking multiple IPs

[1.8.0] 2018-12-20
- Fix memory leaks
- Reduce number of v8 isolates instantiated (less memory usage)
- Improve performance of ip blocking
- Support performance metrics sent by the PHP extension

[1.7.0] 2018-11-20
- Improve CPU usage

[1.6.5] 2018-08-08
- Improve startup performance

[1.6.4] 2018-08-03
- Improve stability

[1.6.3] 2018-07-10
- Strip sensitive data before sending them to the BackEnd

[1.6.2] 2018-07-03
- Improve performance on high throughput application
- Fix the IP denylist for request without IP

[1.6.1] 2018-06-11
- Update security plugin signature validation algorithm.
- Update vendored dependencies.

[1.6.0] 2018-05-17
- Improve communication with the BackEnd
- Correctly forward security responses to the extension

[1.5.0] 2018-04-25
- Handle track SDK
- Minor performance improvement when executing security rules

[1.4.4] 2018-04-11
- Add IP_HEADER option to configure on which header the IP is fetched

[1.4.3] 2018-04-09
- Improve user-agent matching detection
- Improve log messages
- Make the binary compatible with prelink

[1.4.2] 2018-03-15
- Check Sqreen BackEnd connection before accepting new connections
- Read config file from /etc/default/sqreen-agent if the file exists

[1.4.1] 2018-03-12
- Improve memory usage
- Properly scale down unused processes

[1.4.0] 2018-03-05
- Improve memory usage
- Improve handling of disabled application
- Fixed file descriptor leak

[1.3.1] 2018-02-16
- Don't trigger logging code when logging is not enabled
- Don't record broken pipe error

[1.3.0] 2018-01-12
- Support for sdk identify

[1.2.3] 2018-01-11
- Properly handle SIGTERM with multiple processes

[1.2.2] 2018-01-10
- Start new process when handling a lot of connections

[1.2.1] 2018-01-08
- Improve performance when handling many connections

[1.2.0] 2017-11-23
- Update the user-agent used
- Fix crash that can occur on invalid payload
- Smaller communication payloads

[1.1.2] 2017-10-27
- Add more accurate log on error
- Display extension version on log

[1.1.1] 2017-10-26
- Remove exec requirement on /tmp

[1.1.0] 2017-10-25
- Handle backtrace fetching during rule execution

[1.0.4] 2017-10-20
- Relogin on PHP extension update

[1.0.3] 2017-10-18
- Improve performance on long parameters

[1.0.2] 2017-10-16
- Better handling of big payload
- Fix encoding issues in JS callbacks
- Improve IP address detection

[1.0.1] 2017-10-13
- Correctly handle disconnected client
- Better handling of IP address

[1.0.0] 2017-10-06
- Better handling of network issues

[0.9.3] 2017-10-05
- Correctly handle HTTP request without IP

[0.9.2] 2017-09-28
- Better detection of vulnerability discovery

[0.9.1] 2017-09-21
- Better connection failure handling

[0.9.0] 2017-09-18
- Support record of PHP traceback
- Global performance improvement

[0.8.2] 2017-09-08
- Fix rules reload behaviour

[0.8.1] 2017-09-01
- Correctly fetch the headers

[0.8.0] 2017-09-01
- Correctly record IP address
- Add passlist support
- Better handling of HTTP request
- Memory improvement
- Correctly handle systemd service

[0.7.9] 2017-08-25
- Better handling of non unicode data
- Better handling of error

[0.7.8] 2017-08-18
- Prevent leak of file descriptor

[0.7.7] 2017-08-17
- Be more resilient on socket creation

[0.7.6] 2017-08-16
- Fix memory leak

[0.7.5] 2017-08-11
- Correctly handle cargs

[0.7.4] 2017-08-10
- Better handling of package removing
- Better handling of invalid msg_pack command

[0.7.3] 2017-08-08
- Improve TCP communication with the extension

[0.7.2] 2017-08-03
- Remove unexpected logging messages

[0.7.1] 2017-08-03
- Better logging when using a proxy

[0.7.0] 2017-08-03
- Improve logging messages
- Improve communication between the agent and the extension