Zend Framework 1.11.0BETA1 Released

The Zend Framework team is pleased to announce the immediate availability of
the first beta release of Zend Framework 1.11.0. This release is the
culmination of several months of effort by contributors and Zend Framework
partners, and offers several key new features, including support for mobile
devices and the first stable release of the SimpleCloud API.

You may download the release from the following location:

(Note, beta releases appear separate from stable releases.)

This release is of BETA quality, and should be used for
testing purposes only, not production. While the code has been well tested,
we do expect there may be a few issues to resolve prior to a release
candidate or general access release.

New Features in Zend Framework 1.11

Mobile Support

Zend Framework 1.11 marks the first release with explicit support for mobile
devices, via the new component Zend_Http_UserAgent. This component was
developed by Raphael Carles. Carles is CTO of Interakting, the digital agency
of Business & Decision Group of France. Interakting employs 150 PHP
professionals to build industrial PHP projects, and its clients include Canal
+/Vivendi, BNP Paribas, Samsung France, Ministry of Education, Alapage
(Orange), Orange Tunisia, and many others. As such, they have extensive
experience in supporting mobile devices, and stepped forward to contribute to
Zend Framework, which they leverage in their projects.

Zend_Http_UserAgent performs two responsibilities:

  • User-Agent detection
  • Device capabilities detection, based on User-Agent

The component includes a “features” adapter mechanism that allows developers to
tie into different backends for the purpose of discovering device
capabilities. Currently, the only shipped adapter is for the
WURFL (Wireless Universal Resource File)

Luca Passani, author and lead of the WURFL project, has provided an exemption to Zend Framework to provide a non-GPL adapter accessing the WURFL PHP API.

Additional hooks into the component are provided via a Zend_Application
resource plugin, and a Zend_View helper, allowing developers the ability to
return output customized for the detected device (e.g., alternate layouts,
alternate images, Flash versus HTML5 support, etc.).

Zend_Cloud: SimpleCloud API

During ZendCon 2009, Zend announced a prototype of the SimpleCloud API.
This API was to provide hooks into cloud-based document storage, queue
services, and file storage.

Zend Framework 1.11.0 markes the first official, stable release of
Zend_Cloud, Zend Framework’s PHP version of the SimpleCloud API. Current
support includes:

  • Document Services:
    • Amazon SimpleDB
    • Windows Azure’s Table Storage
  • Queue Services:
    • Amazon Simple Queue Service (SQS)
    • Windows Azure’s Queue Service
    • All adapters supported by Zend_Queue:
      • Zend Platform JobQueue
      • Memcacheq
      • Relational Database
      • ActiveMQ
  • Storage Services:
    • Amazon Simple Storage Service (S3)
    • Windows Azure’s Blog Storage
    • Nirvanix
    • Local filesystem

When using any of the SimpleCloud APIs, your code will be portable across the
various adapters provided, allowing you to pick and choose your services, as
well as try different services until you find one that suits your application
or business needs. Additionally, if you find you need to code adapter-specific
features, you can drop down to the specific adapter in order to do so.

More adapters will be arriving in the coming months, giving you even more options!

We thank Wil Sinclair and Stas Malyshev for their assistance in the initial
releases of Zend_Cloud.


Several classes in Zend Framework were patched to eliminate the potential for leaking timing information from the direct comparison of sensitive data such as plaintext passwords or cryptographic signatures to user input. These leaks arise from the normal process of comparing any two strings in PHP. The nature of the leaks is that strings are often compared byte by byte, with a negative result being returned early as soon as any set of non-matching bytes is detected. The more bytes that are equal (starting from the first byte) between both sides of the comparison, the longer it takes for a final result to be returned. Based on the time it takes to return a negative or positive result, it is possible that an attacker could, over many samples of requests, craft a string that compares positively to another secret string value known only to a target server simply by guessing the string one byte at a time and measuring each guess’ execution time. This server secret could be a plaintext password or the correct cryptographic signature of a request the attacker wants to execute, such as is used in several open protocols including OpenID and OAuth. This could obviously enable an attacker to gain sufficient information to perform a secondary attack such as masquerading as an authenticated user.

This form of attack is known as a Remote Timing Attack. Timing Attacks have been problematic in the past but to date have been very difficult to perform remotely over the internet due to the interference of network jitter which limits their effectiveness in resolving very small timing differences. While the internet still poses a challenge to performing successful Timing Attacks against a remote server, the increasing use of frameworks on local networks and in cloud computing, where network jitter may be significantly reduced, raises the distinct possibility that remote Timing Attacks will become feasible against ever smaller timing information leaks, such as those leaked when comparing any two strings. As a precaution, the applied changes implement a fixed time comparison for several classes which would be attractive targets in any potential remote Timing Attack. A fixed time comparison function does not leak any timing information useful to an attacker thus proactively preventing any future vulnerability to these forms of attack.

We thank Padraic Brady for his efforts in identifying and patching these vulnerabilities.

Dojo Support

Zend Framework’s default Dojo Toolkit version has been bumped to version 1.5.0.

SimpleDB Support

Zend Framework has provided support for Amazon’s Simple Storage Service (S3),
Simple Queue Service (SQS), and Elastic Cloud Compute (EC2) platforms for
several releases. Zend Framework 1.11.0 adds support for SimpleDB, Amazon’s
non-relational document storage database offering. Support is available for all
SimpleDB operations via Zend_Service_Amazon_SimpleDb.

Zend Framework’s SimpleDB adapter was originally written by Wil Sinclair.

eBay Findings API Support

eBay has an extensive REST API, allowing developers to build applications
interacting with their extensive data. Zend Framework 1.11.0 includes
Zend_Service_Ebay_Findings, which provides complete support for the eBay
Findings API. This API allows developers to query eBay for details on active
auctions, using categories or keywords.

Zend_Service_Ebay was contributed by Renan de Lima and Ramon Henrique Ornelas.

New Configuration Formats

Zend_Config has been a quite popular component in Zend Framework, and has
offerred adapters for PHP arrays, XML, and INI configuration files. Zend
Framework 1.11.0 now offers two additional configuration formats: YAML and JSON.

Zend_Config_Yaml provides a very rudimentary YAML-parser that should work
with most configuration formats. However, it also allows you to specify an
alternate YAML parser if desired, allowing you to lever tools such as PECL’s
ext/syck or Symfony’s YAML component, sfYaml.

Zend_Config_Json leverages the Zend_Json component, and by extension

Both adapters have support for PHP constants, as well as provide the ability to
write configuration files based on configuration objects.

Stas Malyshev created both adapters for Zend Framework; Zend_Config_Json also
had assistance from Sudheer Satyanarayana.

URL Shortening

Zend_Service_ShortUrl was added for this release. The component provides a
simple interface for use with most URL shortening services, defining simply the
methods “shorten” and “unshorten”. Adapters for two services, http://jdem.cz and
http://tinyurl.com, are provided with this release.

Zend_Service_ShortUrl was contributed by Martin Hujer.

Additional View Helpers

Several new view helpers are now exposed:

  • Zend_View_Helper_UserAgent ties into the Zend_Http_UserAgent component, detailed above. It gives you access to the UserAgent instance, allowing you to query for the device and capabilities.
  • Zend_View_Helper_TinySrc is an additional portion of Zend Framework’s mobile offering for version 1.11.0. The helper ties into the TinySrc API, allowing you to a) provide device-specific image sizes and formats for your site, and b) offload generation of those images to this third-party service. The helper creates img tags pointing to the service, and provides options for specifying adaptive sizing and formats.
  • Zend_View_Helper_Gravatar ties into the Gravatar API, allowing you to provide avatar images for registered users that utilize the Gravatar service. This helper was contributed by Marcin Morawski.

Download it today!

We’d appreciate your feedback on this release — please download and test
it, and let us know what issues you encounter.

Also, please join me in extending a hearty round of congratulations to all
the contributors involved in this release!

About Matthew Weier O'Phinney

Matthew is a Principal Engineer at Zend Technologies. He is currently project lead for both Zend Framework and Apigility; a Zend Certified Engineer; and a member of the Zend Education Advisory Board, the group responsible for authoring the Zend Certification Exam. He contributes to a number of open source projects, blogs on PHP-related topics, and presents talks and tutorials related to PHP development and the projects to which he contributes. You can read more of his thoughts on his blog, mwop.net/blog.