Merge branch 'hotfix/23'

Close #23

CHANGELOG.md

@@ -2,7 +2,7 @@
 
 All notable changes to this project will be documented in this file, in reverse chronological order by release.
 
-## 2.5.3 - TBD
+## 2.5.3 - 2015-09-14
 
 ### Added
 
@@ -18,7 +18,12 @@ All notable changes to this project will be documented in this file, in reverse
 
 ### Fixed
 
-- Nothing.
+- [#23](https://github.com/zendframework/zend-http/pull/23) fixes a BC break
+  introduced with fixes for [ZF2015-04](http://framework.zend.com/security/advisory/ZF2015-04),
+  pertaining specifically to the `SetCookie` header. The fix backs out a
+  check for message splitting syntax, as that particular class already encodes
+  the value in a manner that prevents the attack. It also adds tests to ensure
+  the security vulnerability remains patched.
 
 ## 2.5.2 - 2015-08-05
 
@@ -36,13 +41,13 @@ All notable changes to this project will be documented in this file, in reverse
 
 ### Fixed
 
-- [#7](https://github.com/zendframework/zend-feed/pull/7) fixes a call in the
+- [#7](https://github.com/zendframework/zend-http/pull/7) fixes a call in the
   proxy adapter to `Response::extractCode()`, which does not exist, to
   `Response::fromString()->getStatusCode()`, which does.
-- [#8](https://github.com/zendframework/zend-feed/pull/8) ensures that the Curl
+- [#8](https://github.com/zendframework/zend-http/pull/8) ensures that the Curl
   client adapter enables the `CURLINFO_HEADER_OUT`, which is required to ensure
   we can fetch the raw request after it is sent.
-- [#14](https://github.com/zendframework/zend-feed/pull/14) fixes
+- [#14](https://github.com/zendframework/zend-http/pull/14) fixes
   `Zend\Http\PhpEnvironment\Request` to ensure that empty `SCRIPT_FILENAME` and
   `SCRIPT_NAME` values which result in an empty `$baseUrl` will not raise an
   `E_WARNING` when used to do a `strpos()` check during base URI detection.

src/Header/SetCookie.php

@@ -302,7 +302,6 @@ public function getName()
      */
     public function setValue($value)
     {
-        HeaderValue::assertValid($value);
         $this->value = $value;
         return $this;
     }

test/Header/SetCookieTest.php

@@ -431,8 +431,15 @@ public function testPreventsCRLFAttackViaFromString()
      */
     public function testPreventsCRLFAttackViaConstructor()
     {
-        $this->setExpectedException('Zend\Http\Header\Exception\InvalidArgumentException');
         $header = new SetCookie("leo_auth_token", "example\r\n\r\nevilContent");
+        $this->assertEquals('Set-Cookie: leo_auth_token=example%0D%0A%0D%0AevilContent', $header->toString());
+    }
+
+    public function testPreventsCRLFAttackViaSetValue()
+    {
+        $header = new SetCookie("leo_auth_token");
+        $header->setValue("example\r\n\r\nevilContent");
+        $this->assertEquals('Set-Cookie: leo_auth_token=example%0D%0A%0D%0AevilContent', $header->toString());
     }
 
     public function setterInjections()