This is a SECURITY release. All users are encouraged to upgrade immediately.
Added
This release adds features to allow filtering a ServerRequest as generated by Laminas\Diactoros\ServerRequestFactory::fromGlobals() for the purposes of initialization. Examples include:
Adding a request identifier.
Using X-Forwarded-* headers to modify the URL to represent the original client request.
The features are based on a new interface, Laminas\Diactorors\ServerRequestFilter\FilterServerRequestInterface, which defines a single method:
public function __invoke(
\Psr\Http\Message\ServerRequestInterface $request
): \Psr\Http\Message\ServerRequestInterface
We provide two implementations, as follows:
Laminas\Diactoros\ServerRequestFilter\DoNotFilter will return the provided request verbatim.
Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders has named constructors that allow you to define how and when X-Forwarded-* headers are used to modify the URI instance associated with the request. These methods are:
trustAny(): this method generates a filter instance that will trust all X-Forwarded-* headers from any source.
trustReservedSubnets(array $trustedHeaders = ?): this method generates a filter instance that only modifies the URL if the IP address of the requesting server is from a reserved, private subnet (localhost; classes A, B, and C subnets; and IPv6 private and local-link subnets). By default, it will trust all X-Forwarded-* headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.
trustProxies(array $proxyCIDRList, array $trustedHeaders = ?): this method will generate a filter instance that only modifies the URL if the requesting server matches an entry in the $proxyCIDRList. These entries may be IP addresses, or any IPv4 or IPv6 CIDR subnets. By default, it will trust all X-Forwarded-* headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.
ServerRequestFactory::fromGlobals() now accepts a FilterServerRequestInterface instance as the optional argument $requestFilter. If none is provided, it uses one as produced by FilterUsingXForwardedHeaders::trustReservedSubnets().
Deprecated
The function Laminas\Diactoros\marshalUriFromSapi() is deprecated, and no longer used internally.
Changed
Laminas\Diactoros\ServerRequestFactory::fromGlobals() no longer consumes marshalUriFromSapi(), and instead inlines an alternate implementation. The new implementation does not consider X-Forwarded-* headers by default when generating the associated URI instance. Internally, if no FilterServerRequestInterface implementation is provided, it defaults to using an instance returned by FilterUsingXForwardeHeaders::trustReservedSubnets(). If you previously relied on X-Forwarded-* headers, you MAY need to update your code to use either the FilterUsingXForwardedHeaders::trustAny() or FilterUsingXForwardedHeaders::trustProxies() methods to generate a filter to use with ServerRequestFactory::fromGlobals().
Fixed
Fixes CVE-2022-31109
2.11.1
Total issues resolved: 0
Total pull requests resolved: 0
Total contributors: 0
Commits
25b11d4 Merge pull request from GHSA-8274-h5jp-97vr
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps laminas/laminas-diactoros from 2.11.0 to 2.11.1.
Release notes
Sourced from laminas/laminas-diactoros's releases.
Commits
25b11d4
Merge pull request from GHSA-8274-h5jp-97vr4b5d1ad
qa: apply Psalm rules and update baseline4d0cf3e
docs: remove references to new major v3 and changes to server request filteringd94d8a8
refactor: removetrustNone()
method5c40729
docs: update documentation to reflect changes following refactoring83a7fc5
refactor: mark IPRange class internal73dffa8
refactor: remove X-Forwarded filter factory0aa29ba
qa: fixes as proposed by Marco80fc3de
refactor: default FilterServerRequestInterface instance is now FilterUsingXFo...dcaf760
feature: addstrustReservedSubnets(array $trustedHeaders = [])
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)