zendframework / zend-diactoros

PSR-7 HTTP Message implementation
BSD 3-Clause "New" or "Revised" License
1.55k stars 152 forks

LTS Version 1.7 is missing a security fix #373

Open alexpott opened 5 years ago

alexpott commented 5 years ago

According to https://framework.zend.com/long-term-support 1.7 is the long term support version of zend-diactoros, however the Symfony security scanner shows that 1.7.2 is missing the fix for the URL Rewrite vulnerability [CVE-NONE-0001]: https://framework.zend.com/security/advisory/ZF2018-01

I've tried to be helpful and backport this in https://github.com/alexpott/zend-diactoros/tree/1.7.x-CVE-NONE-0001 but I can't create a PR because there is no 1.7 release branch.

Code to reproduce the issue

        <?php
        use Zend\Diactoros\ServerRequestFactory;

        // REQUEST_URI is what the SAPI populated; X-Original-URL is a client-supplied header.
        $server = [
            'REQUEST_URI' => 'https://example.com/requested/path',
            'HTTP_X_ORIGINAL_URL' => '/hijack-attempt'
        ];
        // Static method available in the 1.x series of zend-diactoros.
        $path = ServerRequestFactory::marshalRequestUri($server);

Expected results

        $path === '/requested/path';

Actual results

        $path === '/hijack-attempt';
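The following is an added example, not code from zend-diactoros or from the issue author. It models the behaviour the reproducer above reports: a marshaller that lets the client-supplied X-Original-URL / X-Rewrite-URL headers override REQUEST_URI (the reported actual result) beside one that ignores them (the expected result), plus a mismatch check a defender can run over request data. All function names are hypothetical; the optional last step assumes a Composer `vendor/autoload.php` beside the script and that the static `marshalRequestUri()` method of the 1.x series is available.

```php
<?php
// Added example; not code from zend-diactoros or from the issue's author.
// Function names below are hypothetical and model the behaviour the report describes.
declare(strict_types=1);

/** Return only the path of REQUEST_URI, which may be an absolute URL or carry a query. */
function pathFromRequestUri(string $requestUri): string
{
    // Absolute form, as in the reproducer ('https://example.com/requested/path').
    if (preg_match('#^[a-z][a-z0-9+.-]*://[^/?]*(/[^?]*)?#i', $requestUri, $m)) {
        return isset($m[1]) && $m[1] !== '' ? $m[1] : '/';
    }
    $path = $requestUri;
    $q = strpos($path, '?');
    if ($q !== false) {
        $path = substr($path, 0, $q);
    }
    return $path === '' ? '/' : $path;
}

/** "Before": rewrite headers that any client can send win over REQUEST_URI. */
function marshalPathVulnerable(array $server): string
{
    foreach (['HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL'] as $header) {
        if (!empty($server[$header])) {
            return (string) $server[$header]; // client-controlled value wins
        }
    }
    return pathFromRequestUri((string) ($server['REQUEST_URI'] ?? '/'));
}

/** "After": only the SAPI-populated REQUEST_URI is consulted. */
function marshalPathHardened(array $server): string
{
    return pathFromRequestUri((string) ($server['REQUEST_URI'] ?? '/'));
}

/** Defender's check: name the rewrite header that disagrees with REQUEST_URI, or null. */
function rewriteHeaderMismatch(array $server): ?string
{
    $real = pathFromRequestUri((string) ($server['REQUEST_URI'] ?? '/'));
    foreach (['HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL'] as $header) {
        if (isset($server[$header]) && (string) $server[$header] !== $real) {
            return $header;
        }
    }
    return null;
}

// Constructed inputs: the reproducer from the report, and a benign request without the header.
$hostile = [
    'REQUEST_URI'         => 'https://example.com/requested/path',
    'HTTP_X_ORIGINAL_URL' => '/hijack-attempt',
];
$benign = ['REQUEST_URI' => '/requested/path?page=2'];

// The two marshallers disagree only on the hostile input.
$results = [
    'vulnerable, hostile' => marshalPathVulnerable($hostile),
    'hardened,   hostile' => marshalPathHardened($hostile),
    'vulnerable, benign'  => marshalPathVulnerable($benign),
    'hardened,   benign'  => marshalPathHardened($benign),
];
foreach ($results as $label => $path) {
    printf("%-20s => %s\n", $label, $path);
}
printf("mismatch check: %s\n", rewriteHeaderMismatch($hostile) ?? 'none');

// Optional: run the report's reproducer against whatever zend-diactoros Composer installed.
// Assumes vendor/autoload.php beside this script and that the static marshalRequestUri()
// method of the 1.x series is available.
if (is_file(__DIR__ . '/vendor/autoload.php')) {
    require __DIR__ . '/vendor/autoload.php';
    $factory = 'Zend\\Diactoros\\ServerRequestFactory';
    if (method_exists($factory, 'marshalRequestUri')) {
        $installed = $factory::marshalRequestUri($hostile);
        printf("installed library: %s X-Original-URL\n",
            $installed === '/requested/path' ? 'ignores' : 'honours');
    }
}
```

Run it with `php example.php`. On the hostile input the vulnerable marshaller returns the header value and the hardened one returns the path of REQUEST_URI, which is exactly the actual/expected pair in the report; the mismatch check names `HTTP_X_ORIGINAL_URL`, which is the condition worth logging in front of a version that has not received the fix. The final block turns the report's reproducer into a one-line check of the installed version.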
weierophinney commented 5 years ago

The LTS page is a bit misleading. While 1.7 is listed as the LTS version, you can safely upgrade to any other release in the 1.X series without issue since we follow semver. Since 1.8 has received those fixes, update your version constraint to use ^1.7 (which will get anything from 1.7.0 forward in the 1.X series).

alexpott commented 5 years ago

@weierophinney Well, if we want support until 2022-03-15, then looking at https://framework.zend.com/long-term-support we need to stay on 1.7, since support for 1.8 ends on 2019-09-27.

Are you saying that because 1.7 is supported until 2022-03-15, and because you follow semver, 1.8 will be supported till then as well? If so, yep, the LTS page does seem misleading.

But also if there are known security issues against 1.7 what does LTS mean?

jibran commented 5 years ago

If we follow the release notes, then the release-1.8 branch has not received any changes other than the fixes since September last year, so I think we can assume 1.8 is an LTS as well, but yeah, having an actual confirmation will help.

michalbundyra commented 5 years ago

@jibran @alexpott

Version 1.8 is the LTS version, not 1.7. The issue is in the table; we will try to update it shortly. Please note that there is a paragraph on how to adopt an LTS version:

Adopting an LTS version

Opting-in to an LTS version of a component can be done using Composer:

$ composer require "{package}:^{version}"

The above will modify your composer.json to provide a semantic version constraint, ensuring you only get backwards-compatible updates to the given package.

and, in the paragraph before, we have:

During the LTS period, all direct dependencies of the skeleton will receive security support in the latest versions possible under the version constraints as listed in the skeleton application's composer.json file.

so, when we use ^1.7.0, version 1.8 will be installed as well, and this one should be marked as LTS.

weierophinney commented 4 years ago

This repository has been closed and moved to laminas/laminas-diactoros; a new issue has been opened at https://github.com/laminas/laminas-diactoros/issues/4.