Important
Security Update: This release addresses three security vulnerabilities, including a critical path confusion issue allowing arbitrary file execution and a session leak in worker mode. Immediate upgrade is strongly recommended.
Beyond security, this release delivers significant performance improvements by upgrading the compiler to Go 1.26. Users can expect a 10-40% faster Garbage Collector and ~30% faster CGO calls, resulting in significantly reduced latency for PHP applications.
We have also improved stability by addressing race conditions during shutdown, resolving segmentation faults in edge cases (such as early shutdown or specific extension registrations), and refining the handling of $_SERVER and HTTP Basic Auth.
What's Changed
🛡️ Security Fixes
- GHSA-g966-83w7-6w38: Path confusion via Unicode casing in CGI path splitting could allow execution of arbitrary files. Fixed by @AbdrrahimDahmani and @dunglas in commit 04fdc0c.
- GHSA-r3xh-3r3w-47gp: Fixed a session leak between requests handled by workers. Fixed by @xavierleune in commit 24d6c99.
- GHSA-x9p2-77v6-6vhf: Fixed delayed propagation of security fixes in upstream base Docker images. Fixed by @opctim in commit be2d6b9.
- Prevent potential cache pollution issues in CI builds by @dunglas in #2164
🐛 Bug Fixes
- Ensure `$_SERVER['PHP_SELF']` always starts with a slash by @dunglas in #2172
- Let PHP handle HTTP Basic Authorization headers natively by @AlliBalliBaba in #2142
- Handle symlinking edge cases correctly by @withinboredom in #1660
- Prevent segmentation faults on early shutdown by @AlliBalliBaba in #2120
- Fix race condition in thread shutdown during drain by @dunglas in #2182
- Worker: Initialize `$_REQUEST` correctly in worker mode by @xavierleune in #2136
- Worker: Reset INI settings and `$_SESSION` if changed during a worker request by @xavierleune in #2139
- Ext: Fix segmentation fault when registering multiple extensions by @y-l-g in #2112
- Extgen: Make the generator idempotent and avoid touching the original source by @alexandre-daubois in #2011
- Extgen: Correctly handle const blocks to declare iota constants by @alexandre-daubois in #2086
- Extgen: Use fast ZPP (Zend Parameter Parsing) by @alexandre-daubois in #2088
- Static: Don't overwrite `SPC_CMD_VAR_FRANKENPHP_XCADDY_MODULES` unconditionally by @henderkes in #2135
- Embed: Fix relative paths not being resolved correctly by Static PHP CLI when embedding an app by @henderkes in #2093
- Embed: Correct path to Composer's `installed.json` by @Jellyfrog in #2127
🚀 Performance Improvements
- Compile with Go 1.26 (includes 10-40% faster garbage collector and 30% faster CGO calls) by @alexandre-daubois and @dunglas in #2178
- Various internal optimizations by @dunglas in #2175
✨ New Features
- Packages: Add apk repository for Alpine Linux by @henderkes in #2099
Documentation
Note
Translations are now automated using an LLM.
New Contributors
- @Jellyfrog made their first contribution in #2127
- @xavierleune made their first contribution in #2138
- @damienfern made their first contribution in #1900
Full Changelog: v1.11.1...v1.11.2