Zend Framework 1.11.0 FINAL Released

November 2, 2010

News, Zend Framework

The Zend Framework team is pleased to announce the immediate availability of
the general access release of Zend Framework 1.11.0. This release is the
culmination of several months of effort by contributors and Zend Framework
partners, and offers several key new features, including support for mobile
devices and the first stable release of the SimpleCloud API.

You may download the release from the following location:

href="http://framework.zend.com/download/latest">http://framework.zend.com/download/latest

The following is a summary of new features and capabilities introduced in
version 1.11.0

Mobile Support

Zend Framework 1.11 marks the first release with explicit support for mobile
devices, via the new component Zend_Http_UserAgent. This
component was developed by Raphael Carles. Carles is CTO of Interakting, the
digital agency of Business & Decision Group of France. Interakting
employs 150 PHP professionals to build industrial PHP projects, and its
clients include Canal +/Vivendi, BNP Paribas, Samsung France, Ministry of
Education, Alapage (Orange), Orange Tunisia, and many others. As such, they
have extensive experience in supporting mobile devices, and stepped forward
to contribute to Zend Framework, which they leverage in their projects.

Zend_Http_UserAgent performs two responsibilities:

  • User-Agent detection
  • Device capabilities detection, based on User-Agent

The component includes a “features” adapter mechanism that allows developers
to tie into different backends for the purpose of discovering device
capabilities. Currently, Zend Framework ships with adapters for the href="http://wurfl.sourceforge.net/">WURFL (Wireless Universal
Resource File) API, Tera-WURFL, and
DeviceAtlas, with more planned for the
future.

Luca Passani, author and lead of the WURFL project, has provided an
exemption to Zend Framework to provide a non-GPL adapter accessing the
WURFL PHP API.

Additional hooks into the component are provided via a
Zend_Application resource plugin, and a Zend_View
helper, allowing developers the ability to return output customized for the
detected device (e.g., alternate layouts, alternate images, Flash versus
HTML5 support, etc.).

Zend_Cloud: SimpleCloud API

During ZendCon 2009, Zend announced a prototype of the
SimpleCloud API. This API was to provide hooks into
cloud-based document storage, queue services, and file storage.

Zend Framework 1.11.0 markes the first official, stable release of
Zend_Cloud, Zend Framework’s PHP version of the
SimpleCloud API. Current support includes:

  • Document Services:
    • Amazon SimpleDB
    • Windows Azure’s Table Storage
  • Queue Services:
    • Amazon Simple Queue Service (SQS)
    • Windows Azure’s Queue Service
    • All adapters supported by Zend_Queue:
      • Zend Platform JobQueue
      • Memcacheq
      • Relational Database
      • ActiveMQ
  • Storage Services:
    • Amazon Simple Storage Service (S3)
    • Windows Azure’s Blog Storage
    • Nirvanix
    • Local filesystem

When using any of the SimpleCloud APIs, your code will be
portable across the various adapters provided, allowing you to pick and
choose your services, as well as try different services until you find one
that suits your application or business needs. Additionally, if you find you
need to code adapter-specific features, you can drop down to the specific
adapter in order to do so.

More adapters will be arriving in the coming months, giving you even more
options!

We thank Wil Sinclair and Stas Malyshev for their assistance in the initial
releases of Zend_Cloud.

Security

Several classes in Zend Framework were patched to eliminate the potential
for leaking timing information from the direct comparison of sensitive data
such as plaintext passwords or cryptographic signatures to user input. These
leaks arise from the normal process of comparing any two strings in PHP. The
nature of the leaks is that strings are often compared byte by byte, with a
negative result being returned early as soon as any set of non-matching
bytes is detected. The more bytes that are equal (starting from the first
byte) between both sides of the comparison, the longer it takes for a final
result to be returned. Based on the time it takes to return a negative or
positive result, it is possible that an attacker could, over many samples of
requests, craft a string that compares positively to another secret string
value known only to a target server simply by guessing the string one byte
at a time and measuring each guess’ execution time. This server secret could
be a plaintext password or the correct cryptographic signature of a request
the attacker wants to execute, such as is used in several open protocols
including OpenID and OAuth. This could obviously
enable an attacker to gain sufficient information to perform a secondary
attack such as masquerading as an authenticated user.

This form of attack is known as a Remote Timing Attack. Timing
Attacks have been problematic in the past but to date have been very
difficult to perform remotely over the internet due to the interference of
network jitter which limits their effectiveness in resolving very small
timing differences. While the internet still poses a challenge to performing
successful Timing Attacks against a remote server, the increasing use of
frameworks on local networks and in cloud computing, where network jitter
may be significantly reduced, raises the distinct possibility that remote
Timing Attacks will become feasible against ever smaller timing information
leaks, such as those leaked when comparing any two strings. As a precaution,
the applied changes implement a fixed time comparison for several classes
which would be attractive targets in any potential remote Timing Attack. A
fixed time comparison function does not leak any timing information useful
to an attacker thus proactively preventing any future vulnerability to these
forms of attack.

We thank Pàdraic Brady for his efforts in identifying and patching these
vulnerabilities.

Dojo Support

Zend Framework’s default Dojo Toolkit version has been bumped to version
1.5.0, which includes the new dojox.mobile component, a simple framework for
client-side mobile applications.

SimpleDB Support

Zend Framework has provided support for Amazon’s Simple Storage Service
(S3), Simple Queue Service (SQS), and Elastic Cloud Compute (EC2) platforms
for several releases. Zend Framework 1.11.0 adds support for
SimpleDB, Amazon’s non-relational document storage database
offering. Support is available for all SimpleDB operations via
Zend_Service_Amazon_SimpleDb.

Zend Framework’s SimpleDB adapter was originally written by Wil
Sinclair.

eBay Findings API Support

eBay has an extensive REST API, allowing developers to build applications
interacting with their extensive data. Zend Framework 1.11.0 includes
Zend_Service_Ebay_Findings, which provides complete support for
the eBay Findings API. This API allows developers to query eBay for details
on active auctions, using categories or keywords.

Zend_Service_Ebay was contributed by Renan de Lima, Ramon
Henrique Ornelas, and Don Bosco Nguyen Van Hoi.

MariaDB Compatibility

Zend_Db’s mysql and Pdo_Mysql adapters are fully href="http://mariadb.org/">MariaDB compatible, and the documentation
has been updated to reflect configuration options for this fork of href="MySQL.html">MySQL.

New Configuration Formats

Zend_Config has been a quite popular component in Zend
Framework, and has offerred adapters for PHP arrays, XML, and INI
configuration files. Zend Framework 1.11.0 now offers two additional
configuration formats: YAML and JSON.

Zend_Config_Yaml provides a very rudimentary YAML-parser that
should work with most configuration formats. However, it also allows you to
specify an alternate YAML parser if desired, allowing you to lever tools
such as PECL’s ext/syck or Symfony’s YAML component,
sfYaml.

Zend_Config_Json leverages the Zend_Json
component, and by extension ext/json.

Both adapters have support for PHP constants, as well as provide the ability
to write configuration files based on configuration objects.

Stas Malyshev created both adapters for Zend Framework;
Zend_Config_Json also had assistance from Sudheer
Satyanarayana.

URL Shortening

Zend_Service_ShortUrl was added for this release. The component
provides a simple interface for use with most URL shortening services,
defining simply the methods “shorten” and “unshorten”. Adapters for two
services, http://jdem.cz and href="http://tinyurl.com">http://tinyurl.com, are provided with this
release.

Zend_Service_ShortUrl was contributed by Martin Hujer.

Additional View Helpers

Several new view helpers are now exposed:

  • Zend_View_Helper_UserAgent ties into the Zend_Http_UserAgent component, detailed above. It gives you access to the UserAgent instance, allowing you to query for the device and capabilities.
  • Zend_View_Helper_TinySrc is an additional portion of Zend Framework’s mobile offering for version 1.11.0. The helper ties into the TinySrc API, allowing you to a) provide device-specific image sizes and formats for your site, and b) offload generation of those images to this third-party service. The helper creates img tags pointing to the service, and provides options for specifying adaptive sizing and formats.
  • Zend_View_Helper_Gravatar ties into the Gravatar API, allowing you to provide avatar images for registered users that utilize the Gravatar service. This helper was contributed by Marcin Morawski.

Thank You!

We’d like to thank the countless contributors who have made Zend Framework
1.11.0 possible. Over 200 issues and feature requests were closed in
preparation for this release, reflecting the efforts of dozens of
contributors to the project.

About Matthew Weier O'Phinney

Matthew is an open source software architect, specializing in PHP. He is currently project lead for Zend Framework, a project with which he has been involved since before the first public preview release. He is a Zend Certified Engineer, and a member of the Zend Education Advisory Board, the group responsible for authoring the Zend Certification Exam. He contributes to a number of open source projects, blogs on PHP-related topics, and presents talks and tutorials related to PHP development and the projects to which he contributes. You can read more of his thoughts on his blog, weierophinney.net/matthew/.

View all posts by Matthew Weier O'Phinney

21 Responses to “Zend Framework 1.11.0 FINAL Released”

  1. geofferd Says:

    No specific work was done on the MVC other than resolving issue reports.

  2. weierophinney Says:

    @emaillenin The documentation (http://framework.zend.com/manual/en/zend.http.user-agent.html) are fairly comprehensive already, but I will likely explore the component for an upcoming blog post as well.

  3. emaillenin Says:

    @weierophinney
    Can you post an article of explaining Zend_Http_UserAgent and Zend_View_Helper_UserAgent.
    Currently I am running my site on ZF. Planning to roll out a mobile version.

    Thanks,

  4. dafdrotspop Says:

    No specific work was done on the MVC other than resolving issue reports. If you are experiencing issues, the only way for us to resolve them is with an issue report providing a reproduce case that specifically outlines expected behavior, actual behavior, and the minimal reproduce case required.

  5. spider75 Says:

    Sorry it was my fault: I used a gui client to browse the "tags" directory and it didn’t show. The client has already sent to the trashcan ;-) In CLI I should trust.
    Thank you and apologies :-)

  6. spider75 Says:

    Would you add a tag on the release SVN repository? I use this method (svn:externals property) with svn update to stick with latest stable release.

  7. kelmadics Says:

    looking forward to using it! hope you guys make a better documentation though.

  8. ramonornela Says:

    Too not mention: Zend_Mail_Transport_File

  9. ramonornela Says:

    Too not mention: Zend_Mail_Transport_File

  10. mikewillbanks Says:

    You forgot to mention: Zend_Cache_Backend_Libmemcached!!!!

  11. vbguy Says:

    Sorry, I didn’t mean to rant. Except about the bug tracker – it really is terrible.

    My point was I can’t work on it now. I’ll see if I can squeeze some time in the weekend to find the bug.

  12. weierophinney Says:

    @vbguy I understand your frustration. That said, ranting about things being broken in the comments to the release announcement helps nobody. If we are not given the steps to reproduce, we simply don’t know what, if anything, needs to be fixed. Provide us a detailed report so we can fix any issues you encountered for 1.11.1.

  13. vbguy Says:

    >> I wouldn’t want to go as far as this.

    I would (and did).

    It’s a warning sign. "Cliff ahead". This version is seriously screwed up for me. Will it be for everyone? No. For anyone using even marginally complicated MVC routing? Probably.

    I haven’t submitted a bug report yet because (A) I haven’t found where in the ZF source the bug was introduced and/or (B) how to replicate this bug consistently.

    Once I figure out where the bug is (or how to replicate it) I’ll submit a bug.

    But my business takes precedence. I can’t waste hours of time tracking down a bug when (A) version 1.10 works fine for now, (B) ZF 2.0 is coming out in a few months, (C) someone else will inevitably hit this bug, (D) I don’t get paid to work in open source, (E) the bug tracker is so goddamn complicated to use (you get what you pay for).

    That being said, when the next person hits this bug, tell me and I’ll compare notes.

  14. weierophinney Says:

    @vbguy: No specific work was done on the MVC other than resolving issue reports. If you are experiencing issues, the only way for us to resolve them is with an issue report providing a reproduce case that specifically outlines (a) expected behavior, (b) actual behavior, and (c) the minimal reproduce case required.

    We are running the ZF site off of the 1.11.0 code (and have been for a few weeks), and I’m unaware of any issues introduced at this time.

  15. freakingme Says:

    vbguy; I’m not aware of any changes been made there, also I see no relevant issues involved here: http://framework.zend.com/changelog/1.11.0

    If the problem had been known, I suppose this wouldn’t have been released. The only way for getting this fixed is filing a bugreport ( http://framework.zend.com/issues/ ), where you describe the issue as good as possible.

    >> I recommend everyone waits until this bug is fixed before upgrading to Zend Framework 1.11.
    I wouldn’t want to go as far as this. 1.11 has gone through several stages like being in trunk, and we’ve had a beta release, so I assume not everybody (= hardly anybody) will be encountering this

  16. vbguy Says:

    What has changed in routing or MVC behavior? We upgraded from ZF 1.10 to 1.11 and suddenly most of the controllers are not getting called at all. That is you click a link that references another controller and it redirects back to the page you’re on.

    The thing is it only happens on *some* controllers.

    We flip back to ZF 1.10 and magically everything works again. I don’t have time to dig into your bug right now. By I recommend everyone waits until this bug is fixed before upgrading to Zend Framework 1.11.

    Is this a known problem?

  17. dotboost Says:

    http://v1.dotkernel.net/
    this is the live demo

    if you have a mobile device, you will be redirected to mobile page
    a simple static page, built using jquery mobile

    on home page you can find link to admin panel , in order to see statistic info

  18. multivac2x Says:

    Do you have any demo of DotKernel ? I would like to try it online.

  19. dotboost Says:

    We already integrated WURFL in our Application Framework, using RC
    http://www.dotkernel.com/dotkernel/wurfl-zend-framework-integration-into-dotkernel/
    And is working like a charm
    Thank you , it was a long awaited feature

  20. sublimino Says:

    Looking forward to using the Zend_Http_UserAgent component, very useful. Thanks!