Zend Framework 1.11.0 FINAL Released

The Zend Framework team is pleased to announce the immediate availability of
the general access release of Zend Framework 1.11.0. This release is the
culmination of several months of effort by contributors and Zend Framework
partners, and offers several key new features, including support for mobile
devices and the first stable release of the SimpleCloud API.

You may download the release from the following location:

http://framework.zend.com/download/latest

The following is a summary of new features and capabilities introduced in
version 1.11.0

Mobile Support

Zend Framework 1.11 marks the first release with explicit support for mobile
devices, via the new component Zend_Http_UserAgent. This
component was developed by Raphael Carles. Carles is CTO of Interakting, the
digital agency of Business & Decision Group of France. Interakting
employs 150 PHP professionals to build industrial PHP projects, and its
clients include Canal +/Vivendi, BNP Paribas, Samsung France, Ministry of
Education, Alapage (Orange), Orange Tunisia, and many others. As such, they
have extensive experience in supporting mobile devices, and stepped forward
to contribute to Zend Framework, which they leverage in their projects.

Zend_Http_UserAgent performs two responsibilities:

  • User-Agent detection
  • Device capabilities detection, based on User-Agent

The component includes a “features” adapter mechanism that allows developers
to tie into different backends for the purpose of discovering device
capabilities. Currently, Zend Framework ships with adapters for the WURFL (Wireless Universal
Resource File) API, Tera-WURFL, and
DeviceAtlas, with more planned for the
future.

Luca Passani, author and lead of the WURFL project, has provided an
exemption to Zend Framework to provide a non-GPL adapter accessing the
WURFL PHP API.

Additional hooks into the component are provided via a
Zend_Application resource plugin, and a Zend_View
helper, allowing developers the ability to return output customized for the
detected device (e.g., alternate layouts, alternate images, Flash versus
HTML5 support, etc.).

Zend_Cloud: SimpleCloud API

During ZendCon 2009, Zend announced a prototype of the
SimpleCloud API. This API was to provide hooks into
cloud-based document storage, queue services, and file storage.

Zend Framework 1.11.0 markes the first official, stable release of
Zend_Cloud, Zend Framework’s PHP version of the
SimpleCloud API. Current support includes:

  • Document Services:
    • Amazon SimpleDB
    • Windows Azure’s Table Storage
  • Queue Services:
    • Amazon Simple Queue Service (SQS)
    • Windows Azure’s Queue Service
    • All adapters supported by Zend_Queue:
      • Zend Platform JobQueue
      • Memcacheq
      • Relational Database
      • ActiveMQ
  • Storage Services:
    • Amazon Simple Storage Service (S3)
    • Windows Azure’s Blog Storage
    • Nirvanix
    • Local filesystem

When using any of the SimpleCloud APIs, your code will be
portable across the various adapters provided, allowing you to pick and
choose your services, as well as try different services until you find one
that suits your application or business needs. Additionally, if you find you
need to code adapter-specific features, you can drop down to the specific
adapter in order to do so.

More adapters will be arriving in the coming months, giving you even more
options!

We thank Wil Sinclair and Stas Malyshev for their assistance in the initial
releases of Zend_Cloud.

Security

Several classes in Zend Framework were patched to eliminate the potential
for leaking timing information from the direct comparison of sensitive data
such as plaintext passwords or cryptographic signatures to user input. These
leaks arise from the normal process of comparing any two strings in PHP. The
nature of the leaks is that strings are often compared byte by byte, with a
negative result being returned early as soon as any set of non-matching
bytes is detected. The more bytes that are equal (starting from the first
byte) between both sides of the comparison, the longer it takes for a final
result to be returned. Based on the time it takes to return a negative or
positive result, it is possible that an attacker could, over many samples of
requests, craft a string that compares positively to another secret string
value known only to a target server simply by guessing the string one byte
at a time and measuring each guess’ execution time. This server secret could
be a plaintext password or the correct cryptographic signature of a request
the attacker wants to execute, such as is used in several open protocols
including OpenID and OAuth. This could obviously
enable an attacker to gain sufficient information to perform a secondary
attack such as masquerading as an authenticated user.

This form of attack is known as a Remote Timing Attack. Timing
Attacks have been problematic in the past but to date have been very
difficult to perform remotely over the internet due to the interference of
network jitter which limits their effectiveness in resolving very small
timing differences. While the internet still poses a challenge to performing
successful Timing Attacks against a remote server, the increasing use of
frameworks on local networks and in cloud computing, where network jitter
may be significantly reduced, raises the distinct possibility that remote
Timing Attacks will become feasible against ever smaller timing information
leaks, such as those leaked when comparing any two strings. As a precaution,
the applied changes implement a fixed time comparison for several classes
which would be attractive targets in any potential remote Timing Attack. A
fixed time comparison function does not leak any timing information useful
to an attacker thus proactively preventing any future vulnerability to these
forms of attack.

We thank Pàdraic Brady for his efforts in identifying and patching these
vulnerabilities.

Dojo Support

Zend Framework’s default Dojo Toolkit version has been bumped to version
1.5.0, which includes the new dojox.mobile component, a simple framework for
client-side mobile applications.

SimpleDB Support

Zend Framework has provided support for Amazon’s Simple Storage Service
(S3), Simple Queue Service (SQS), and Elastic Cloud Compute (EC2) platforms
for several releases. Zend Framework 1.11.0 adds support for
SimpleDB, Amazon’s non-relational document storage database
offering. Support is available for all SimpleDB operations via
Zend_Service_Amazon_SimpleDb.

Zend Framework’s SimpleDB adapter was originally written by Wil
Sinclair.

eBay Findings API Support

eBay has an extensive REST API, allowing developers to build applications
interacting with their extensive data. Zend Framework 1.11.0 includes
Zend_Service_Ebay_Findings, which provides complete support for
the eBay Findings API. This API allows developers to query eBay for details
on active auctions, using categories or keywords.

Zend_Service_Ebay was contributed by Renan de Lima, Ramon
Henrique Ornelas, and Don Bosco Nguyen Van Hoi.

MariaDB Compatibility

Zend_Db’s mysql and Pdo_Mysql adapters are fully MariaDB compatible, and the documentation
has been updated to reflect configuration options for this fork of MySQL.

New Configuration Formats

Zend_Config has been a quite popular component in Zend
Framework, and has offerred adapters for PHP arrays, XML, and INI
configuration files. Zend Framework 1.11.0 now offers two additional
configuration formats: YAML and JSON.

Zend_Config_Yaml provides a very rudimentary YAML-parser that
should work with most configuration formats. However, it also allows you to
specify an alternate YAML parser if desired, allowing you to lever tools
such as PECL’s ext/syck or Symfony’s YAML component,
sfYaml.

Zend_Config_Json leverages the Zend_Json
component, and by extension ext/json.

Both adapters have support for PHP constants, as well as provide the ability
to write configuration files based on configuration objects.

Stas Malyshev created both adapters for Zend Framework;
Zend_Config_Json also had assistance from Sudheer
Satyanarayana.

URL Shortening

Zend_Service_ShortUrl was added for this release. The component
provides a simple interface for use with most URL shortening services,
defining simply the methods “shorten” and “unshorten”. Adapters for two
services, http://jdem.cz and http://tinyurl.com, are provided with this
release.

Zend_Service_ShortUrl was contributed by Martin Hujer.

Additional View Helpers

Several new view helpers are now exposed:

  • Zend_View_Helper_UserAgent ties into the Zend_Http_UserAgent component, detailed above. It gives you access to the UserAgent instance, allowing you to query for the device and capabilities.
  • Zend_View_Helper_TinySrc is an additional portion of Zend Framework’s mobile offering for version 1.11.0. The helper ties into the TinySrc API, allowing you to a) provide device-specific image sizes and formats for your site, and b) offload generation of those images to this third-party service. The helper creates img tags pointing to the service, and provides options for specifying adaptive sizing and formats.
  • Zend_View_Helper_Gravatar ties into the Gravatar API, allowing you to provide avatar images for registered users that utilize the Gravatar service. This helper was contributed by Marcin Morawski.

Thank You!

We’d like to thank the countless contributors who have made Zend Framework
1.11.0 possible. Over 200 issues and feature requests were closed in
preparation for this release, reflecting the efforts of dozens of
contributors to the project.

About Matthew Weier O'Phinney

Matthew is a Principal Engineer at Zend Technologies. He is currently project lead for both Zend Framework and Apigility; a Zend Certified Engineer; and a member of the Zend Education Advisory Board, the group responsible for authoring the Zend Certification Exam. He contributes to a number of open source projects, blogs on PHP-related topics, and presents talks and tutorials related to PHP development and the projects to which he contributes. You can read more of his thoughts on his blog, mwop.net/blog.