browscap / browscap-site

Website for the Browser Capabilities Project
http://browscap.org/
2 stars 2 forks source link

Bump laminas/laminas-diactoros from 2.11.0 to 2.11.1 #260

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps laminas/laminas-diactoros from 2.11.0 to 2.11.1.

Release notes

Sourced from laminas/laminas-diactoros's releases.

2.11.1

Release Notes for 2.11.1

This is a SECURITY release. All users are encouraged to upgrade immediately.

Added

This release adds features to allow filtering a ServerRequest as generated by Laminas\Diactoros\ServerRequestFactory::fromGlobals() for the purposes of initialization. Examples include:

  • Adding a request identifier.
  • Using X-Forwarded-* headers to modify the URL to represent the original client request.

The features are based on a new interface, Laminas\Diactorors\ServerRequestFilter\FilterServerRequestInterface, which defines a single method:

public function __invoke(
    \Psr\Http\Message\ServerRequestInterface $request
): \Psr\Http\Message\ServerRequestInterface

We provide two implementations, as follows:

  • Laminas\Diactoros\ServerRequestFilter\DoNotFilter will return the provided request verbatim.
  • Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders has named constructors that allow you to define how and when X-Forwarded-* headers are used to modify the URI instance associated with the request. These methods are:
    • trustAny(): this method generates a filter instance that will trust all X-Forwarded-* headers from any source.
    • trustReservedSubnets(array $trustedHeaders = ?): this method generates a filter instance that only modifies the URL if the IP address of the requesting server is from a reserved, private subnet (localhost; classes A, B, and C subnets; and IPv6 private and local-link subnets). By default, it will trust all X-Forwarded-* headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.
    • trustProxies(array $proxyCIDRList, array $trustedHeaders = ?): this method will generate a filter instance that only modifies the URL if the requesting server matches an entry in the $proxyCIDRList. These entries may be IP addresses, or any IPv4 or IPv6 CIDR subnets. By default, it will trust all X-Forwarded-* headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.

ServerRequestFactory::fromGlobals() now accepts a FilterServerRequestInterface instance as the optional argument $requestFilter. If none is provided, it uses one as produced by FilterUsingXForwardedHeaders::trustReservedSubnets().

Deprecated

  • The function Laminas\Diactoros\marshalUriFromSapi() is deprecated, and no longer used internally.

Changed

Laminas\Diactoros\ServerRequestFactory::fromGlobals() no longer consumes marshalUriFromSapi(), and instead inlines an alternate implementation. The new implementation does not consider X-Forwarded-* headers by default when generating the associated URI instance. Internally, if no FilterServerRequestInterface implementation is provided, it defaults to using an instance returned by FilterUsingXForwardeHeaders::trustReservedSubnets(). If you previously relied on X-Forwarded-* headers, you MAY need to update your code to use either the FilterUsingXForwardedHeaders::trustAny() or FilterUsingXForwardedHeaders::trustProxies() methods to generate a filter to use with ServerRequestFactory::fromGlobals().

Fixed

  • Fixes CVE-2022-31109

2.11.1

  • Total issues resolved: 0
  • Total pull requests resolved: 0
  • Total contributors: 0
Commits
  • 25b11d4 Merge pull request from GHSA-8274-h5jp-97vr
  • 4b5d1ad qa: apply Psalm rules and update baseline
  • 4d0cf3e docs: remove references to new major v3 and changes to server request filtering
  • d94d8a8 refactor: remove trustNone() method
  • 5c40729 docs: update documentation to reflect changes following refactoring
  • 83a7fc5 refactor: mark IPRange class internal
  • 73dffa8 refactor: remove X-Forwarded filter factory
  • 0aa29ba qa: fixes as proposed by Marco
  • 80fc3de refactor: default FilterServerRequestInterface instance is now FilterUsingXFo...
  • dcaf760 feature: adds trustReservedSubnets(array $trustedHeaders = [])
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)