Fedora 28: 2018-4a606489ae Critical: php-Zendframework URI Handling

August 14, 2018
The php-zendframework-zend-diactoros package in Fedora 28 has been updated to 1.8.4, which changes how the request URI is derived so that it is no longer taken from headers the application cannot verify.

Summary

A PHP package containing implementations of the accepted PSR-7 HTTP message interfaces [1], as well as a "server" implementation similar to node's http.Server [2].

Documentation: https://zendframework.github.io/zend-diactoros/

Autoloader: /usr/share/php/Zend/Diactoros/autoload.php

[1] https://www.php-fig.org/psr/psr-7/

[2] https://nodejs.org/api/http.html

## 1.8.4 - 2018-08-01

### Added

- Nothing.

### Changed

- This release modifies how `ServerRequestFactory` marshals the request URI. In prior releases, we would attempt to inspect the `X-Rewrite-Url` and `X-Original-Url` headers, using their values, if present. These headers are issued by the ISAPI_Rewrite module for IIS (developed by HeliconTech). However, we have no way of guaranteeing that the module is what issued the headers, making it an unreliable source for discovering the URI. As such, we have removed this feature in this release of Diactoros. If you are developing a middleware application, you can mimic the functionality via middleware as follows:

  ```php
  use Psr\Http\Message\ResponseInterface;
  use Psr\Http\Message\ServerRequestInterface;
  use Psr\Http\Server\RequestHandlerInterface;
  use Zend\Diactoros\Uri;

  public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
  {
      $requestUri = null;

      // PSR-7 getHeaderLine() returns an empty string, never null, when the
      // header is absent, so compare against '' rather than null.
      $httpXRewriteUrl = $request->getHeaderLine('X-Rewrite-Url');
      if ($httpXRewriteUrl !== '') {
          $requestUri = $httpXRewriteUrl;
      }

      // X-Original-Url, when present, takes precedence over X-Rewrite-Url.
      $httpXOriginalUrl = $request->getHeaderLine('X-Original-Url');
      if ($httpXOriginalUrl !== '') {
          $requestUri = $httpXOriginalUrl;
      }

      if ($requestUri !== null) {
          $request = $request->withUri(new Uri($requestUri));
      }

      return $handler->handle($request);
  }
  ```

  If you use middleware such as the above, make sure you also instruct your web server to strip any incoming headers of the same name so that you can guarantee they are issued by the ISAPI_Rewrite module.

### Deprecated

- Nothing.

### Removed

- Nothing.

### Fixed

- Nothing.

## 1.8.3 - 2018-07-24

### Added

- Nothing.

### Changed

- Nothing.

### Deprecated

- Nothing.

### Removed

- Nothing.

### Fixed

- [#321](https://github.com/zendframework/zend-diactoros/pull/321) updates the logic in `Uri::withPort()` to ensure that it checks that the value provided is either an integer or a string integer, as only those values may be cast to integer without data loss.
- [#320](https://github.com/zendframework/zend-diactoros/pull/320) adds checking within `Response` to ensure that the provided reason phrase is a string; an `InvalidArgumentException` is now raised if it is not. This change ensures the class adheres strictly to the PSR-7 specification.
- [#319](https://github.com/zendframework/zend-diactoros/pull/319) provides a fix to `Zend\Diactoros\Response` that ensures that the status code returned is _always_ an integer (and never a string containing an integer), thus ensuring it strictly adheres to the PSR-7 specification.

## 1.8.2 - 2018-07-19

### Added

- Nothing.

### Changed

- Nothing.

### Deprecated

- Nothing.

### Removed

- Nothing.

### Fixed

- [#318](https://github.com/zendframework/zend-diactoros/pull/318) fixes the logic for discovering whether an HTTPS scheme is in play to be case insensitive when comparing header and SAPI values, ensuring no false negative lookups occur.
- [#314](https://github.com/zendframework/zend-diactoros/pull/314) modifies error handling around opening a file resource within `Zend\Diactoros\Stream::setStream()` to no longer use the second argument to `set_error_handler()`, and instead check the error type in the handler itself; this fixes an issue when the handler is nested inside another error handler, which currently has buggy behavior within the PHP engine.

## 1.8.1 - 2018-07-09

### Added

- Nothing.

### Changed

- [#313](https://github.com/zendframework/zend-diactoros/pull/313) changes the reason phrase associated with the status code 425 to "Too Early", corresponding to a new definition of the code as specified by the IANA.

### Deprecated

- Nothing.

### Removed

- Nothing.

### Fixed

- [#312](https://github.com/zendframework/zend-diactoros/pull/312) fixes how the `normalizeUploadedFiles()` utility function handles nested trees of uploaded files, ensuring it detects them properly.

## 1.8.0 - 2018-06-27

### Added

- [#307](https://github.com/zendframework/zend-diactoros/pull/307) adds the following functions under the `Zend\Diactoros` namespace, each of which may be used to derive artifacts from SAPI superglobals for the purposes of generating a `ServerRequest` instance:
  - `normalizeServer(array $server, callable $apacheRequestHeaderCallback = null) : array` (main purpose is to aggregate the `Authorization` header in the SAPI params when under Apache)
  - `marshalProtocolVersionFromSapi(array $server) : string`
  - `marshalMethodFromSapi(array $server) : string`
  - `marshalUriFromSapi(array $server, array $headers) : Uri`
  - `marshalHeadersFromSapi(array $server) : array`
  - `parseCookieHeader(string $header) : array`
  - `createUploadedFile(array $spec) : UploadedFile` (creates the instance from a normal `$_FILES` entry)
  - `normalizeUploadedFiles(array $files) : UploadedFileInterface[]` (traverses a potentially nested array of uploaded file instances and/or `$_FILES` entries, including those aggregated under mod_php, php-fpm, and php-cgi in order to create a flat array of `UploadedFileInterface` instances to use in a request)

### Changed

- Nothing.

### Deprecated

- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::normalizeServer()`; the method is no longer used internally, and users should instead use `Zend\Diactoros\normalizeServer()`, to which it proxies.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::marshalHeaders()`; the method is no longer used internally, and users should instead use `Zend\Diactoros\marshalHeadersFromSapi()`, to which it proxies.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::marshalUriFromServer()`; the method is no longer used internally. Users should use `marshalUriFromSapi()` instead.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::marshalRequestUri()`; the method is no longer used internally, and currently proxies to `marshalUriFromSapi()`, pulling the discovered path from the `Uri` instance returned by that function. Users should use `marshalUriFromSapi()` instead.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::marshalHostAndPortFromHeaders()`; the method is no longer used internally, and currently proxies to `marshalUriFromSapi()`, pulling the discovered host and port from the `Uri` instance returned by that function. Users should use `marshalUriFromSapi()` instead.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::getHeader()`; the method is no longer used internally. Users should copy and paste the functionality into their own applications if needed, or rely on headers from a fully-populated `Uri` instance instead.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::stripQueryString()`; the method is no longer used internally, and users can mimic the functionality via the expression `$path = explode('?', $path, 2)[0];`.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::normalizeFiles()`; the functionality is no longer used internally, and users can use `normalizeUploadedFiles()` as a replacement.
- [#303](https://github.com/zendframework/zend-diactoros/pull/303) deprecates `Zend\Diactoros\Response\EmitterInterface` and its various implementations. These are now provided via the [zendframework/zend-httphandlerrunner](https://docs.zendframework.com/zend-httphandlerrunner/) package as 1:1 substitutions.
- [#303](https://github.com/zendframework/zend-diactoros/pull/303) deprecates the `Zend\Diactoros\Server` class. Users are directed to the `RequestHandlerRunner` class from the [zendframework/zend-httphandlerrunner](https://docs.zendframework.com/zend-httphandlerrunner/) package as an alternative.

### Removed

- Nothing.

### Fixed

- Nothing.
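To make the 1.8.4 change in the changelog above concrete, here is an added, dependency-free PHP model of the request-path decision; it is not Diactoros code. The function name `marshalRequestPath`, the `$server` and `$headers` arrays and the sample values are all constructed for this illustration, and the model ignores the other SAPI fallbacks the real factory consults.

```php
<?php
// Added illustration, not Diactoros code. Models how the request path was
// derived before 1.8.4 (rewrite headers honoured) and from 1.8.4 on (rewrite
// headers ignored). $server is a $_SERVER-style array; $headers is a map of
// lowercase header names to values, as the application received them.
declare(strict_types=1);

function marshalRequestPath(array $server, array $headers, bool $honourRewriteHeaders): string
{
    $requestUri = null;

    if ($honourRewriteHeaders) {
        // Pre-1.8.4 behaviour: both headers are consulted, the later one wins.
        // Nothing here proves the headers came from ISAPI_Rewrite rather than
        // from the client, which is why 1.8.4 stopped reading them.
        foreach (['x-rewrite-url', 'x-original-url'] as $name) {
            if (isset($headers[$name]) && $headers[$name] !== '') {
                $requestUri = $headers[$name];
            }
        }
    }

    if ($requestUri === null) {
        // 1.8.4 behaviour: only values populated by the SAPI are used.
        $requestUri = $server['REQUEST_URI'] ?? ($server['ORIG_PATH_INFO'] ?? '/');
    }

    // Same effect as the deprecated stripQueryString(): keep the path only.
    return explode('?', $requestUri, 2)[0];
}

// Constructed sample: the web server routed /public/index, but the request
// also carried an X-Original-Url header naming a different path.
$server  = ['REQUEST_URI' => '/public/index?page=2'];
$headers = ['x-original-url' => '/some/other/path'];

printf("before 1.8.4: %s\n", marshalRequestPath($server, $headers, true));
printf("from 1.8.4:   %s\n", marshalRequestPath($server, $headers, false));
```

Run with `php` on the command line: the first line prints the header-supplied path, the second prints the path the web server actually routed, which is the only one an application should rely on unless the front-end server strips those headers itself.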

* Thu Aug 2 2018 Shawn Iwinski - 1.8.4-1

- Update to 1.8.4 (RHBZ #1504401 / ZF2018-01 / CVE-2018-14773 / CVE-2018-14774)

* Fri Jul 13 2018 Fedora Release Engineering - 1.7.2-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Wed May 30 2018 Remi Collet - 1.7.2-1

- update to 1.7.2

[ 1 ] Bug #1504401 - php-zendframework-zend-diactoros-1.8.4 is available

https://bugzilla.redhat.com/show_bug.cgi?id=1504401

su -c 'dnf upgrade --advisory FEDORA-2018-4a606489ae' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org


List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ZNPJW3QSANZXQXZVH7QHB35CTVFEBWA/


Severity: Critical

Product: Fedora 28
Version: 1.8.4
Release: 1.fc28
Summary: PSR HTTP Message implementations
