github php/frankenphp v1.12.4

8 hours ago

FrankenPHP 1.12.4 is a hardening and stability release. It pulls in upstream security fixes from Caddy 2.11.4 and Mercure 0.24.2, closes a class of HTTP header spoofing, and fixes several crashes and data races in worker mode. Every user should upgrade.

The headline is defense-in-depth against underscore-header spoofing. The CGI convention exposes request headers to PHP as HTTP_* entries in $_SERVER, upper-cased and with dashes replaced by underscores (Foo-Bar becomes HTTP_FOO_BAR). That mapping is lossy: a client-supplied Foo_Bar header lands in the same HTTP_FOO_BAR key, so an attacker can inject or override any header value the application or an upstream proxy is trusted to set (X-Forwarded-For, authentication headers, and so on), and a proxy that sanitizes the dashed spelling leaves the underscored one untouched. The bundled Caddy 2.11.4 now ignores header fields whose name contains an underscore at the server layer, before the request reaches PHP, and FrankenPHP documents the risk for code that embeds it through the Go API, where that filter is not in the request path.
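The collision and the server-layer filter described above, as an added example written for this page; it is not code from FrankenPHP or Caddy. It is in Go, the language FrankenPHP's server side is written in. The names cgiVarName, buildServerVars, RejectUnderscoreHeaders and spoofDemo, and the sample addresses 203.0.113.7 and 127.0.0.1, are constructed for illustration; the filter is assumed to be a plain drop of any header whose name contains an underscore, which is how the release note describes Caddy's behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// cgiVarName maps an HTTP header field name to the CGI meta-variable name
// PHP exposes in $_SERVER: "HTTP_" prefix, upper case, '-' replaced by '_'.
// The mapping is lossy: Foo-Bar and Foo_Bar both become HTTP_FOO_BAR.
func cgiVarName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// ServerVars is the result of translating request headers into $_SERVER keys.
type ServerVars struct {
	Vars     map[string]string // CGI name -> header value(s)
	Collided []string          // CGI names produced by more than one distinct header name
	Dropped  []string          // header names rejected because they contain '_'
}

// buildServerVars mirrors the header -> $_SERVER step. With rejectUnderscore
// set, names containing '_' are discarded before mapping (assumed to match the
// server-layer filter in the release notes; illustrative code only).
func buildServerVars(h http.Header, rejectUnderscore bool) ServerVars {
	out := ServerVars{Vars: map[string]string{}}
	names := make([]string, 0, len(h))
	for name := range h {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic here; a real server's order is arbitrary
	for _, name := range names {
		if rejectUnderscore && strings.Contains(name, "_") {
			out.Dropped = append(out.Dropped, name)
			continue
		}
		key := cgiVarName(name)
		if _, seen := out.Vars[key]; seen {
			out.Collided = append(out.Collided, key) // two spellings, one $_SERVER key
		}
		out.Vars[key] = strings.Join(h[name], ", ")
	}
	return out
}

// RejectUnderscoreHeaders is a middleware for code that serves PHP through the
// Go API directly and so does not get the server-layer filtering. It removes
// every header whose field name contains an underscore before the handler runs.
func RejectUnderscoreHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name := range r.Header { // deleting during range is safe in Go
			if strings.Contains(name, "_") {
				r.Header.Del(name)
			}
		}
		next.ServeHTTP(w, r)
	})
}

// spoofDemo builds a constructed request as the PHP backend would see it: the
// reverse proxy set X-Forwarded-For to the real client address, and the client
// smuggled an X_Forwarded_For field that the proxy did not recognise or strip.
func spoofDemo(rejectUnderscore bool) ServerVars {
	h := http.Header{}
	h.Set("X-Forwarded-For", "203.0.113.7") // written by the trusted proxy
	h.Set("X_Forwarded_For", "127.0.0.1")   // attacker-controlled, passes through untouched
	h.Set("Host", "app.example")
	return buildServerVars(h, rejectUnderscore)
}

func main() {
	for _, filter := range []bool{false, true} {
		v := spoofDemo(filter)
		fmt.Printf("filter=%v HTTP_X_FORWARDED_FOR=%q collided=%v dropped=%v\n",
			filter, v.Vars["HTTP_X_FORWARDED_FOR"], v.Collided, v.Dropped)
	}
}
```

Without the filter the two spellings collide on one $_SERVER key and whichever the server processes last wins, so code that trusts HTTP_X_FORWARDED_FOR to have been set by the proxy can be fed an attacker's value. With the filter the underscored field never reaches the mapping. Note that Go's net/http canonicalises the key to X_forwarded_for; the case does not matter because the CGI mapping upper-cases everything.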

🔒 Security & Hardening

  • Underscore header spoofing blocked at the server layer. The bundled Caddy 2.11.4 now ignores HTTP header fields whose name contains an underscore, preventing collisions with the dash-to-underscore CGI mapping (reported by @Vincent550102, patched by @dunglas upstream). NewRequestWithContext now documents the risk for direct Go API users by @dunglas in #2460.
  • Caddy 2.11.4 security patches bundled: TLS client-auth fix, Windows backslash normalization in the path matcher, rewrite placeholder re-expansion fix, and a patch for GHSA-vcc4-2c75-vc9v. See the Caddy 2.11.4 release notes.
  • Mercure 0.24.2 security hardening bundled for the Mercure Caddy module: SSE field injection via id/type (CWE-93) now rejected, reserved /.well-known/mercure topic forgery blocked, Last-Event-ID metadata disclosure fixed, and DoS amplification caps added. See the Mercure 0.24.2 release notes.
  • Security model documentation describing FrankenPHP's trust boundaries and what qualifies as a security issue by @alexandre-daubois in #2455.

🐛 Fixes

  • Fix ext-parallel crashes by correctly propagating the parent thread index via SG(server_context) by @henderkes in #2438.
  • Clear in_save_handler state that blocked the subsequent close handler by @henderkes in #2443.
  • Fix a data race in metrics by replacing the mutex with a read-write mutex by @alexandre-daubois in #2450 and removing redundant shutdown assignments by @henderkes in #2452.
  • Report headers_sent() as false under CLI emulation by @henderkes in #2453.

⚡ Internal Improvements

  • Drop the unreachable space-to-underscore replacement in header names (Go's net/http already rejects spaces) by @dunglas in #2441.
  • Make UPX packing opt-in via the COMPRESS env var by @dunglas in #2429.
  • Dependency updates including Caddy 2.11.4 and Mercure 0.24.2 in #2454 and #2462.

Need help adopting FrankenPHP, hardening a PHP application against header-spoofing and real-time security issues like these, or auditing your worker setup for races? Les-Tilleuls.coop — the team behind FrankenPHP — provides professional support, consulting, custom development, and training. Get in touch: contact@les-tilleuls.coop.

Full Changelog: v1.12.3...v1.12.4