This repository has been archived by the owner on Jan 29, 2020. It is now read-only.

Diactoros 1.0.4

@weierophinney weierophinney released this 23 Jun 16:20
· 1267 commits to master since this release

This is a security release.

A patch has been applied to Zend\Diactoros\Uri::filterPath() that ensures that paths can only begin with a single leading slash. This prevents the following potential security issues:

  • XSS vectors. If the URI path is used for links or form targets, this prevents cases where the first segment of the path resembles a domain name, thus creating scheme-relative links such as //example.com/foo. With the patch, the leading double slash is reduced to a single slash, preventing the XSS vector.
  • Open redirects. If the URI path is used for Location or Link headers without a scheme and authority, the potential for an open redirect exists if clients do not prepend the scheme and authority themselves. Again, preventing a double slash corrects the vector.

If you are using Zend\Diactoros\Uri for creating links, form targets, or redirect paths, and only using the path segment, we recommend upgrading immediately.
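As an added illustration (not Diactoros code and not the actual body of Uri::filterPath()), the following standalone PHP snippet applies the rule the patch describes, collapsing any run of leading slashes to exactly one, and pairs it with a small check that flags paths which would be read as scheme-relative if emitted bare in an href or Location header. The function names and sample paths are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not library code: collapse a run of leading slashes to one.
// A path such as "//example.com/foo" becomes "/example.com/foo"; paths that
// do not start with a slash (relative paths) and empty paths are left alone.
function normalizeLeadingSlashes(string $path): string
{
    if ($path === '' || $path[0] !== '/') {
        return $path; // relative or empty: nothing to collapse
    }
    return '/' . ltrim($path, '/');
}

// Review helper (constructed): would this path, emitted without a scheme and
// authority, be resolved by a client as "//host/..." i.e. point at another host?
function isSchemeRelative(string $path): bool
{
    return strlen($path) > 1 && $path[0] === '/' && $path[1] === '/';
}

// Constructed sample paths covering the case from the advisory plus benign input.
$samples = [
    '//example.com/foo',   // the double-slash form described above
    '///example.com/bar',  // more than two leading slashes
    '/foo/bar',            // ordinary absolute path
    'relative/path',       // no leading slash at all
    '',                    // empty path
];

foreach ($samples as $raw) {
    $safe = normalizeLeadingSlashes($raw);
    printf(
        "%-22s -> %-20s scheme-relative before: %-3s after: %s\n",
        var_export($raw, true),
        var_export($safe, true),
        isSchemeRelative($raw) ? 'yes' : 'no',
        isSchemeRelative($safe) ? 'yes' : 'no'
    );
}
```

Normalizing the path removes the ambiguity only for the leading double-slash form. Where the value ends up in a Location header, emitting an absolute URI (scheme and authority included) is the more robust choice, because the client then has nothing left to resolve relative to the current document.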

Added

  • #25 adds documentation. Documentation is written in markdown, and can be converted to HTML using bookdown. New features now MUST include documentation for acceptance.

Deprecated

  • Nothing.

Removed

  • Nothing.

Fixed

  • #51 fixes MessageTrait::getHeaderLine() to return an empty string instead of null if the header is undefined (which is the behavior specified in PSR-7).
  • #57 fixes the behavior of how the ServerRequestFactory marshals upload files when they are represented as a nested associative array.
  • #49 provides several fixes that ensure that Diactoros complies with the PSR-7 specification:
    • MessageInterface::getHeaderLine() MUST return a string (that string CAN be empty). Previously, Diactoros would return null.
    • If no Host header is set, the $preserveHost flag MUST be ignored when calling withUri() (previously, Diactoros would not set the Host header if $preserveHost was true, but no Host header was present).
    • The request method MUST be a string; it CAN be empty. Previously, Diactoros would return null.
    • The request MUST return a UriInterface instance from getUri(); that instance CAN be empty. Previously, Diactoros would return null; now it lazy-instantiates an empty Uri instance on initialization.
  • ZF2015-05 was addressed by altering Uri::filterPath() to prevent emitting a path prepended with multiple slashes.