MEET ACRA 0.81.0


All the terrible things like lunar and solar eclipses, Mercury retrogrades, and PHP code refactoring will come later — this Friday is fully dedicated to the new release of Acra. In Acra 0.81.0 we’ve concentrated our efforts on improving the overall SQL handling, especially when it comes to SQL injection prevention, and teaching Acra’s “firewall” AcraCensor a few new tricks. If you’ve had trouble integrating some 3rd party WAFs into your infrastructure, Acra might now offer you a simpler, trouble-free solution.

The key changes in the new release (shortened, but you can always read a full changelog file):


● Prepared Statements.

- Added support for prepared statements for PostgreSQL/MySQL. Both binary and text response formats are supported now (#192).

● SQL requests filtering in AcraCensor.

● AcraCensor got smarter in preventing SQL Injections.

- Improved flexibility for parsing queries. By default, AcraCensor blocks queries it cannot parse ("unparseable" queries), but setting the configuration flag ignore_parse_error to true will make AcraCensor ignore the "unparseable" quality of queries and send them to the database anyway. Warning! This mode is for debugging purposes or whitelisting queries only!

- Added support for complex JOIN queries (#191).

- Improved QueryCapture, the tool for debugging the SQL firewall.

- Improved reading/writing of the QueryCapture log file. Changed the format of the QueryCapture log to JSON Lines (#193).

- Introduced a few fixes here and there, made integration tests for AcraCensor more stable (#184).

● Improving MySQL support.

- We introduced MySQL support just a few Acra releases ago and we continue polishing it. Now we've updated the example projects so you can jump right into the code!

- You can find examples of using Acra for both PostgreSQL and MySQL databases here:

○ Go: see the examples/golang folder (#190).

○ Ruby: see the examples/ruby folder (#189).

○ Python: see the examples/python folder (#188).

● Other

- We’ve updated handling of message formats for PostgreSQL and MySQL protocols (#186).

- Added a pre-generated configuration file for AcraAuthmanager. Now it's easier to configure AcraServer using AcraWebconfig (#187).


● Updated architectural schemes, description of AcraCensor.

● Supplied some useful theory: described a typical Public Key Infrastructure with some advice on where to put Acra in the general scheme of things, and added Acra's Security Model, possible threats, and possible consequences of compromise.

● Added a page describing the ways Acra can help you better comply with GDPR.

Go get the new version of Acra now!

Copyright © 2014-2018 Cossack Labs Limited
Cossack Labs is a privately-held British company with a team of data security experts based in Kyiv, Ukraine.