geo6 / geocoder

GNU General Public License v3.0

[Security] Bump zendframework/zend-diactoros from 1.8.2 to 1.8.4 #96

Closed dependabot-preview[bot] closed 6 years ago

dependabot-preview[bot] commented 6 years ago

Bumps zendframework/zend-diactoros from 1.8.2 to 1.8.4. This update includes security fixes.

**Vulnerabilities fixed**

*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-diactoros/ZF2018-01.yaml).*

> **URL Rewrite vulnerability**
>
> Affected versions: >=1.0.0, <1.8.4
**Release notes**

*Sourced from [zendframework/zend-diactoros's releases](https://github.com/zendframework/zend-diactoros/releases).*

> ## zend-diactoros 1.8.4
>
> Added
> -----
>
> - Nothing.
>
> Changed
> -------
>
> - This release modifies how `ServerRequestFactory` marshals the request URI. In prior releases, we would attempt to inspect the `X-Rewrite-Url` and `X-Original-Url` headers, using their values, if present. These headers are issued by the ISAPI_Rewrite module for IIS (developed by HeliconTech). However, we have no way of guaranteeing that the module is what issued the headers, making it an unreliable source for discovering the URI. As such, we have removed this feature in this release of Diactoros.
>
> If you are developing a middleware application, you can mimic the functionality via middleware as follows:
>
> ```php
> use Psr\Http\Message\ResponseInterface;
> use Psr\Http\Message\ServerRequestInterface;
> use Psr\Http\Server\RequestHandlerInterface;
> use Zend\Diactoros\Uri;
>
> public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
> {
>     $requestUri = null;
>
>     // PSR-7 getHeaderLine() returns '' (never null) when a header is absent,
>     // so compare against the empty string; a null check would always pass
>     // and replace the request URI with an empty one.
>     $httpXRewriteUrl = $request->getHeaderLine('X-Rewrite-Url');
>     if ($httpXRewriteUrl !== '') {
>         $requestUri = $httpXRewriteUrl;
>     }
>
>     $httpXOriginalUrl = $request->getHeaderLine('X-Original-Url');
>     if ($httpXOriginalUrl !== '') {
>         $requestUri = $httpXOriginalUrl;
>     }
>
>     if ($requestUri !== null) {
>         $request = $request->withUri(new Uri($requestUri));
>     }
>
>     return $handler->handle($request);
> }
> ```
>
> If you use middleware such as the above, make sure you also instruct your web server to strip any incoming headers of the same name so that you can
>
> ... (truncated)
**Changelog**

*Sourced from [zendframework/zend-diactoros's changelog](https://github.com/zendframework/zend-diactoros/blob/master/CHANGELOG.md).*

> ## 1.8.4 - 2018-08-01
>
> ### Added
>
> - Nothing.
>
> ### Changed
>
> - This release modifies how `ServerRequestFactory` marshals the request URI. In prior releases, we would attempt to inspect the `X-Rewrite-Url` and `X-Original-Url` headers, using their values, if present. These headers are issued by the ISAPI_Rewrite module for IIS (developed by HeliconTech). However, we have no way of guaranteeing that the module is what issued the headers, making it an unreliable source for discovering the URI. As such, we have removed this feature in this release of Diactoros.
>
> If you are developing a middleware application, you can mimic the functionality via middleware as follows:
>
> ```php
> use Psr\Http\Message\ResponseInterface;
> use Psr\Http\Message\ServerRequestInterface;
> use Psr\Http\Server\RequestHandlerInterface;
> use Zend\Diactoros\Uri;
>
> public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
> {
>     $requestUri = null;
>
>     // PSR-7 getHeaderLine() returns '' (never null) when a header is absent,
>     // so compare against the empty string; a null check would always pass
>     // and replace the request URI with an empty one.
>     $httpXRewriteUrl = $request->getHeaderLine('X-Rewrite-Url');
>     if ($httpXRewriteUrl !== '') {
>         $requestUri = $httpXRewriteUrl;
>     }
>
>     $httpXOriginalUrl = $request->getHeaderLine('X-Original-Url');
>     if ($httpXOriginalUrl !== '') {
>         $requestUri = $httpXOriginalUrl;
>     }
>
>     if ($requestUri !== null) {
>         $request = $request->withUri(new Uri($requestUri));
>     }
>
>     return $handler->handle($request);
> }
> ```
>
> If you use middleware such as the above, make sure you also instruct your web server to strip any incoming headers of the same name so that you can guarantee they are issued by the ISAPI_Rewrite module.
>
> ... (truncated)
**Commits**

- [`736ffa7`](https://github.com/zendframework/zend-diactoros/commit/736ffa7c2bfa4a60e8a10acb316fa2ac456c5fba) Merge branch 'security/zf2018-01'
- [`3a4f44f`](https://github.com/zendframework/zend-diactoros/commit/3a4f44f7f89f7007f3c3e4ca69ac23874f8a4093) Remove support for the X-Original-Url and X-Rewrite-Url headers
- [`ed59d8a`](https://github.com/zendframework/zend-diactoros/commit/ed59d8a8447ae19ab3fea64c605f2365b2edbd22) Bumped version
- [`d44f8dd`](https://github.com/zendframework/zend-diactoros/commit/d44f8ddfb7656fa5f648989fe7787b213fc4faf3) Bumped to next dev version (1.8.4)
- [`72c1383`](https://github.com/zendframework/zend-diactoros/commit/72c13834fb3db2a962e913758b384ff2e6425d6e) 1.8.3 readiness
- [`4f926cd`](https://github.com/zendframework/zend-diactoros/commit/4f926cd53105cd292f5a09aaa6edc472fcfd02a2) Added date for 1.8.3 release to CHANGELOG
- [`15f6b9b`](https://github.com/zendframework/zend-diactoros/commit/15f6b9b3181ce897bac58a9787e1ea73cc8e35e1) Merge branch 'hotfix/322'
- [`274cab4`](https://github.com/zendframework/zend-diactoros/commit/274cab4cdd2ecaaf8bd8a54026791bc934111fb8) Keep assertion message in `assertStreamContents()`
- [`991795b`](https://github.com/zendframework/zend-diactoros/commit/991795b40421cb2129ecb85f14ded831872c8d74) Merge pull request [#322](https://github-redirect.dependabot.com/zendframework/zend-diactoros/issues/322) from snapshotpl/phpunit7
- [`cd3d811`](https://github.com/zendframework/zend-diactoros/commit/cd3d811e6a14ced74239d50563139dde9f72d04f) Merge branch 'hotfix/321'
- Additional commits viewable in [compare view](https://github.com/zendframework/zend-diactoros/compare/1.8.2...1.8.4)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


**Dependabot commands and options**

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
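As an added example (not code from this PR or from the zend-diactoros project), here is a PSR-15 middleware that builds on the snippet in the quoted release notes: it only honours `X-Rewrite-Url`/`X-Original-Url` when the deployment is explicitly configured to trust them, and otherwise treats their presence as a signal worth logging and rejecting. It assumes the psr/http-server-middleware and psr/log interfaces, diactoros' `TextResponse`, and a hypothetical class and constructor flag (`RewriteHeaderGuard`, `$trustRewriteHeaders`).

```php
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Psr\Log\LoggerInterface;
use Zend\Diactoros\Response\TextResponse;
use Zend\Diactoros\Uri;

/**
 * Hypothetical guard for the rewrite headers that diactoros 1.8.4 stopped trusting.
 * $trustRewriteHeaders = false (default): the app is not behind ISAPI_Rewrite, so a
 *   request carrying either header is anomalous; it is logged and rejected.
 * $trustRewriteHeaders = true: the app is behind ISAPI_Rewrite AND the web server
 *   strips client-supplied copies of the headers, so their value may replace the URI.
 */
final class RewriteHeaderGuard implements MiddlewareInterface
{
    private const HEADERS = ['X-Rewrite-Url', 'X-Original-Url'];
    private $logger;
    private $trustRewriteHeaders;

    public function __construct(LoggerInterface $logger, bool $trustRewriteHeaders = false)
    {
        $this->logger = $logger;
        $this->trustRewriteHeaders = $trustRewriteHeaders;
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
    {
        $requestUri = null;
        foreach (self::HEADERS as $name) {
            // PSR-7 getHeaderLine() returns '' for an absent header, never null.
            $value = $request->getHeaderLine($name);
            if ($value === '') {
                continue;
            }
            if (! $this->trustRewriteHeaders) {
                $this->logger->warning('Rewrite header received from an untrusted source', ['header' => $name]);
                return new TextResponse('Bad Request', 400);
            }
            $requestUri = $value; // X-Original-Url wins when both are present, as in the release notes
        }
        if ($requestUri !== null) {
            $request = $request->withUri(new Uri($requestUri));
        }
        return $handler->handle($request);
    }
}
```

Register it ahead of routing so the URI is settled before any path-based authorization runs; with the flag left at its default, the middleware is purely a detection control for deployments that never use ISAPI_Rewrite.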