Vulnerabilities fixed
*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-diactoros/ZF2018-01.yaml).*
> **URL Rewrite vulnerability**
>
> Affected versions: >=1.0.0, <1.8.4
Release notes
*Sourced from [zendframework/zend-diactoros's releases](https://github.com/zendframework/zend-diactoros/releases).*
> ## zend-diactoros 1.8.4
> Added
> -----
>
> - Nothing.
>
> Changed
> -------
>
> - This release modifies how `ServerRequestFactory` marshals the request URI. In
> prior releases, we would attempt to inspect the `X-Rewrite-Url` and
> `X-Original-Url` headers, using their values, if present. These headers are
> issued by the ISAPI_Rewrite module for IIS (developed by HeliconTech).
> However, we have no way of guaranteeing that the module is what issued the
> headers, making it an unreliable source for discovering the URI. As such, we
> have removed this feature in this release of Diactoros.
>
> If you are developing a middleware application, you can mimic the
> functionality via middleware as follows:
>
> ```php
> use Psr\Http\Message\ResponseInterface;
> use Psr\Http\Message\ServerRequestInterface;
> use Psr\Http\Server\MiddlewareInterface;
> use Psr\Http\Server\RequestHandlerInterface;
> use Zend\Diactoros\Uri;
>
> // Class name is illustrative; the original snippet showed only the process() method.
> class RewriteUrlMiddleware implements MiddlewareInterface
> {
>     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
>     {
>         $requestUri = null;
>
>         // getHeaderLine() returns an empty string, not null, when the header is
>         // absent, so the check must compare against '' rather than null.
>         $httpXRewriteUrl = $request->getHeaderLine('X-Rewrite-Url');
>         if ($httpXRewriteUrl !== '') {
>             $requestUri = $httpXRewriteUrl;
>         }
>
>         // X-Original-Url, when present, takes precedence over X-Rewrite-Url.
>         $httpXOriginalUrl = $request->getHeaderLine('X-Original-Url');
>         if ($httpXOriginalUrl !== '') {
>             $requestUri = $httpXOriginalUrl;
>         }
>
>         if ($requestUri !== null) {
>             $request = $request->withUri(new Uri($requestUri));
>         }
>
>         return $handler->handle($request);
>     }
> }
> ```
>
> If you use middleware such as the above, make sure you also instruct your web
> server to strip any incoming headers of the same name so that you can
> ... (truncated)
Changelog
*Sourced from [zendframework/zend-diactoros's changelog](https://github.com/zendframework/zend-diactoros/blob/master/CHANGELOG.md).*
> ## 1.8.4 - 2018-08-01
>
> ### Added
>
> - Nothing.
>
> ### Changed
>
> - This release modifies how `ServerRequestFactory` marshals the request URI. In
> prior releases, we would attempt to inspect the `X-Rewrite-Url` and
> `X-Original-Url` headers, using their values, if present. These headers are
> issued by the ISAPI_Rewrite module for IIS (developed by HeliconTech).
> However, we have no way of guaranteeing that the module is what issued the
> headers, making it an unreliable source for discovering the URI. As such, we
> have removed this feature in this release of Diactoros.
>
> If you are developing a middleware application, you can mimic the
> functionality via middleware as follows:
>
> ```php
> use Psr\Http\Message\ResponseInterface;
> use Psr\Http\Message\ServerRequestInterface;
> use Psr\Http\Server\MiddlewareInterface;
> use Psr\Http\Server\RequestHandlerInterface;
> use Zend\Diactoros\Uri;
>
> // Class name is illustrative; the original snippet showed only the process() method.
> class RewriteUrlMiddleware implements MiddlewareInterface
> {
>     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
>     {
>         $requestUri = null;
>
>         // getHeaderLine() returns an empty string, not null, when the header is
>         // absent, so the check must compare against '' rather than null.
>         $httpXRewriteUrl = $request->getHeaderLine('X-Rewrite-Url');
>         if ($httpXRewriteUrl !== '') {
>             $requestUri = $httpXRewriteUrl;
>         }
>
>         // X-Original-Url, when present, takes precedence over X-Rewrite-Url.
>         $httpXOriginalUrl = $request->getHeaderLine('X-Original-Url');
>         if ($httpXOriginalUrl !== '') {
>             $requestUri = $httpXOriginalUrl;
>         }
>
>         if ($requestUri !== null) {
>             $request = $request->withUri(new Uri($requestUri));
>         }
>
>         return $handler->handle($request);
>     }
> }
> ```
>
> If you use middleware such as the above, make sure you also instruct your web
> server to strip any incoming headers of the same name so that you can
> guarantee they are issued by the ISAPI_Rewrite module.
> ... (truncated)
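As an added example (not part of the release notes, changelog, or Diactoros itself), the following self-contained PHP models the URI-marshaling behaviour the changelog describes: the pre-1.8.4 precedence of the two rewrite headers over `REQUEST_URI`, the 1.8.4 behaviour that ignores them, and the web-server-side header stripping the notes recommend. The function names and the `$_SERVER`-style array are constructed for illustration and do not mirror the library's internal code.

```php
<?php
declare(strict_types=1);

// Returns the header value from a $_SERVER-style array, or null when absent/empty.
function serverHeader(array $server, string $key): ?string
{
    return (isset($server[$key]) && $server[$key] !== '') ? $server[$key] : null;
}

// Models the pre-1.8.4 logic as described in the changelog: X-Rewrite-Url is
// consulted first, X-Original-Url overrides it, and either overrides REQUEST_URI.
function marshalRequestUriLegacy(array $server): string
{
    $uri = serverHeader($server, 'HTTP_X_REWRITE_URL');
    $uri = serverHeader($server, 'HTTP_X_ORIGINAL_URL') ?? $uri;
    return $uri ?? ($server['REQUEST_URI'] ?? '/');
}

// Models the 1.8.4 behaviour: the rewrite headers are not consulted at all.
function marshalRequestUriFixed(array $server): string
{
    return $server['REQUEST_URI'] ?? '/';
}

// Models the recommended web-server configuration: drop client-supplied copies of
// the headers unless the request actually passed through the trusted rewrite module.
function stripUntrustedRewriteHeaders(array $server, bool $fromTrustedRewriter): array
{
    if (!$fromTrustedRewriter) {
        unset($server['HTTP_X_REWRITE_URL'], $server['HTTP_X_ORIGINAL_URL']);
    }
    return $server;
}

// Constructed request: the client requests one path but also sends X-Original-Url.
$server = [
    'REQUEST_URI'         => '/public/index',
    'HTTP_X_ORIGINAL_URL' => '/other/route',
];

// Legacy marshaling follows the client-supplied header; the fixed logic does not.
assert(marshalRequestUriLegacy($server) === '/other/route');
assert(marshalRequestUriFixed($server) === '/public/index');

// With the header stripped at the edge, even the legacy logic sees only REQUEST_URI.
$cleaned = stripUntrustedRewriteHeaders($server, false);
assert(marshalRequestUriLegacy($cleaned) === '/public/index');
echo "URI marshaling checks passed\n";
```

Run with `php -d zend.assertions=1 -d assert.exception=1 example.php` so the assertions are active.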
Commits
- [`736ffa7`](https://github.com/zendframework/zend-diactoros/commit/736ffa7c2bfa4a60e8a10acb316fa2ac456c5fba) Merge branch 'security/zf2018-01'
- [`3a4f44f`](https://github.com/zendframework/zend-diactoros/commit/3a4f44f7f89f7007f3c3e4ca69ac23874f8a4093) Remove support for the X-Original-Url and X-Rewrite-Url headers
- [`ed59d8a`](https://github.com/zendframework/zend-diactoros/commit/ed59d8a8447ae19ab3fea64c605f2365b2edbd22) Bumped version
- [`d44f8dd`](https://github.com/zendframework/zend-diactoros/commit/d44f8ddfb7656fa5f648989fe7787b213fc4faf3) Bumped to next dev version (1.8.4)
- [`72c1383`](https://github.com/zendframework/zend-diactoros/commit/72c13834fb3db2a962e913758b384ff2e6425d6e) 1.8.3 readiness
- [`4f926cd`](https://github.com/zendframework/zend-diactoros/commit/4f926cd53105cd292f5a09aaa6edc472fcfd02a2) Added date for 1.8.3 release to CHANGELOG
- [`15f6b9b`](https://github.com/zendframework/zend-diactoros/commit/15f6b9b3181ce897bac58a9787e1ea73cc8e35e1) Merge branch 'hotfix/322'
- [`274cab4`](https://github.com/zendframework/zend-diactoros/commit/274cab4cdd2ecaaf8bd8a54026791bc934111fb8) Keep assertion message in `assertStreamContents()`
- [`991795b`](https://github.com/zendframework/zend-diactoros/commit/991795b40421cb2129ecb85f14ded831872c8d74) Merge pull request [#322](https://github-redirect.dependabot.com/zendframework/zend-diactoros/issues/322) from snapshotpl/phpunit7
- [`cd3d811`](https://github.com/zendframework/zend-diactoros/commit/cd3d811e6a14ced74239d50563139dde9f72d04f) Merge branch 'hotfix/321'
- Additional commits viewable in [compare view](https://github.com/zendframework/zend-diactoros/compare/1.8.2...1.8.4)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.
Bumps zendframework/zend-diactoros from 1.8.2 to 1.8.4. This update includes security fixes.