Merge branch 'security/zf2018-01'

Fixes ZF2018-01

CHANGELOG.md

@@ -2,15 +2,50 @@
 
 All notable changes to this project will be documented in this file, in reverse chronological order by release.
 
-## 2.8.1 - TBD
+## 2.8.1 - 2018-08-01
 
 ### Added
 
 - Nothing.
 
 ### Changed
 
-- Nothing.
+- This release modifies how `Zend\Http\PhpEnvironment\Request` marshals the
+  request URI. In prior releases, we would attempt to inspect the
+  `X-Rewrite-Url` and `X-Original-Url` headers, using their values, if present.
+  These headers are issued by the ISAPI_Rewrite module for IIS (developed by
+  HeliconTech). However, we have no way of guaranteeing that the module is what
+  issued the headers, making it an unreliable source for discovering the URI. As
+  such, we have removed this feature in this release of zend-http.
+
+  If you are developing a zend-mvc application, you can mimic the
+  functionality by adding a bootstrap listener like the following:
+
+  ```php
+  public function onBootstrap(MvcEvent $mvcEvent)
+  {
+      $request = $mvcEvent->getRequest();
+      $requestUri = null;
+
+      $httpXRewriteUrl = $request->getHeader('X-Rewrite-Url');
+      if ($httpXRewriteUrl) {
+          $requestUri = $httpXRewriteUrl->getFieldValue();
+      }
+
+      $httpXOriginalUrl = $request->getHeader('X-Original-Url');
+      if ($httpXOriginalUrl) {
+          $requestUri = $httpXOriginalUrl->getFieldValue();
+      }
+
+      if ($requestUri) {
+          $request->setUri($requestUri)
+      }
+  }
+  ```
+
+  If you use a listener such as the above, make sure you also instruct your web
+  server to strip any incoming headers of the same name so that you can
+  guarantee they are issued by the ISAPI_Rewrite module.
 
 ### Deprecated
 

src/PhpEnvironment/Request.php

@@ -434,18 +434,6 @@ protected function detectRequestUri()
         $requestUri = null;
         $server     = $this->getServer();
 
-        // Check this first so IIS will catch.
-        $httpXRewriteUrl = $server->get('HTTP_X_REWRITE_URL');
-        if ($httpXRewriteUrl !== null) {
-            $requestUri = $httpXRewriteUrl;
-        }
-
-        // Check for IIS 7.0 or later with ISAPI_Rewrite
-        $httpXOriginalUrl = $server->get('HTTP_X_ORIGINAL_URL');
-        if ($httpXOriginalUrl !== null) {
-            $requestUri = $httpXOriginalUrl;
-        }
-
         // IIS7 with URL Rewrite: make sure we get the unencoded url
         // (double slash problem).
         $iisUrlRewritten = $server->get('IIS_WasUrlRewritten');
@@ -454,12 +442,10 @@ protected function detectRequestUri()
             return $unencodedUrl;
         }
 
+        $requestUri = $server->get('REQUEST_URI');
+
         // HTTP proxy requests setup request URI with scheme and host [and port]
         // + the URL path, only use URL path.
-        if (! $httpXRewriteUrl) {
-            $requestUri = $server->get('REQUEST_URI');
-        }
-
         if ($requestUri !== null) {
             return preg_replace('#^[^/:]+://[^/]+#', '', $requestUri);
         }

test/PhpEnvironment/RequestTest.php

@@ -116,15 +116,6 @@ public static function baseUrlAndPathProvider()
                 '/index.php',
                 '',
             ],
-            [
-                [
-                    'HTTP_X_REWRITE_URL' => '/index.php/news/3?var1=val1&var2=val2',
-                    'PHP_SELF'           => '/index.php/news/3',
-                    'SCRIPT_FILENAME'    => '/var/web/html/index.php',
-                ],
-                '/index.php',
-                '',
-            ],
             [
                 [
                     'ORIG_PATH_INFO'  => '/index.php/news/3',