
LTS Version 1.7 is missing a security fix #4

Closed
2 tasks done
weierophinney opened this issue Dec 31, 2019 · 4 comments

Comments

@weierophinney
Member

  • I was not able to find an open or closed issue matching what I'm seeing.
  • This is not a question. (Questions should be asked on chat (Signup here) or our forums.)

According to https://framework.zend.com/long-term-support 1.7 is the long term support version of zend-diactoros, however the Symfony security scanner shows that 1.7.2 is missing the fix for the URL Rewrite vulnerability [CVE-NONE-0001]: https://framework.zend.com/security/advisory/ZF2018-01

I've tried to be helpful and backport this in https://github.com/alexpott/zend-diactoros/tree/1.7.x-CVE-NONE-0001 but I can't create a PR because there is no 1.7 release branch.

Code to reproduce the issue

        <?php
        use Zend\Diactoros\ServerRequestFactory;

        // Server parameters as PHP would populate $_SERVER; the second entry
        // is what a client-supplied X-Original-URL header turns into.
        $server = [
            'REQUEST_URI'         => 'https://example.com/requested/path',
            'HTTP_X_ORIGINAL_URL' => '/hijack-attempt',
        ];
        $path = ServerRequestFactory::marshalRequestUri($server);

Expected results

        $path === '/requested/path';

Actual results

        $path === '/hijack-attempt';

Originally posted by @alexpott at zendframework/zend-diactoros#373
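The reproduction above shows the defect: the request path is taken from a client-controlled override header rather than from the server's own REQUEST_URI. The following is an added example, not zend-diactoros code and not part of the original issue, of a marshaller that derives the path only from REQUEST_URI (with the IIS ORIG_PATH_INFO fallback) and never consults override headers, plus a helper that reports whether such headers were present so they can be logged. The function names are my own; the X-Rewrite-URL header is included as an assumed sibling of X-Original-URL and is not mentioned on this page.

```php
<?php
// Added example (not zend-diactoros code): a request-URI marshaller that
// ignores the X-Original-URL / X-Rewrite-URL override headers behind
// ZF2018-01 and derives the path solely from server-set variables.
declare(strict_types=1);

/**
 * Return the request path from the server parameters, using REQUEST_URI
 * (or the ORIG_PATH_INFO fallback). Client-supplied rewrite headers are
 * deliberately never read here.
 */
function marshalRequestUriFromServer(array $server): string
{
    if (isset($server['REQUEST_URI']) && is_string($server['REQUEST_URI'])) {
        $uri = $server['REQUEST_URI'];
        // REQUEST_URI may be absolute (scheme://host/path?query); keep only the path.
        $uri = preg_replace('#^[^/:]+://[^/]*#', '', $uri);
        // Drop the query string.
        $uri = explode('?', $uri, 2)[0];
        return $uri === '' ? '/' : $uri;
    }

    if (isset($server['ORIG_PATH_INFO'])
        && is_string($server['ORIG_PATH_INFO'])
        && $server['ORIG_PATH_INFO'] !== ''
    ) {
        return $server['ORIG_PATH_INFO'];
    }

    return '/';
}

/**
 * Defensive check: list any override headers present in the server array so
 * an operator can log or alert on them, even though the marshaller above
 * ignores them. HTTP_X_REWRITE_URL is included as an assumed sibling header.
 */
function containsRewriteOverrideHeaders(array $server): array
{
    $found = [];
    foreach (['HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL'] as $key) {
        if (isset($server[$key])) {
            $found[] = $key;
        }
    }
    return $found;
}

// Constructed input mirroring the issue's reproduction.
$server = [
    'REQUEST_URI'         => 'https://example.com/requested/path',
    'HTTP_X_ORIGINAL_URL' => '/hijack-attempt',
];

$path = marshalRequestUriFromServer($server);
assert($path === '/requested/path');
echo "path: {$path}\n";
echo "override headers present: " . implode(', ', containsRewriteOverrideHeaders($server)) . "\n";
```

Run with `php example.php`; the path printed is `/requested/path`, matching the issue's expected result, and the second line names the header that a vulnerable marshaller would have trusted. Reporting the headers separately from resolving the path keeps the path derivation free of any client-controlled input while still giving detection a signal.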

@weierophinney
Member Author

The LTS page is a bit misleading. While 1.7 is listed as the LTS version, you can safely upgrade to any other release in the 1.X series without issue since we follow semver. Since 1.8 has received those fixes, update your version constraint to use ^1.7 (which will get anything from 1.7.0 forward in the 1.X series).


Originally posted by @weierophinney at zendframework/zend-diactoros#373 (comment)

@weierophinney
Member Author

@weierophinney Well, if we want support until 2022-03-15 then, looking at https://framework.zend.com/long-term-support, we need to stay on 1.7, since support for 1.8 ends on 2019-09-27.

Are you saying that because 1.7 is supported until 2022-03-15, and because you follow semver, 1.8 will be supported until then as well? If so, yep, the LTS page does seem misleading.

But also if there are known security issues against 1.7 what does LTS mean?


Originally posted by @alexpott at zendframework/zend-diactoros#373 (comment)

@weierophinney
Member Author

If we follow the release notes, then the release-1.8 branch has not received any changes other than the fixes since September last year, so I think we can assume 1.8 is an LTS as well, but yeah, having an actual confirmation will help.


Originally posted by @jibran at zendframework/zend-diactoros#373 (comment)

@weierophinney
Member Author

@jibran @alexpott

Version 1.8 is the LTS version, not 1.7. The issue is in the table; we will try to update it shortly.
Please note that there is a paragraph on how to adopt an LTS version:

Adopting an LTS version

Opting-in to an LTS version of a component can be done using Composer:

$ composer require "{package}:^{version}"

The above will modify your composer.json to provide a semantic version constraint, ensuring you only get backwards-compatible updates to the given package.

and, in the paragraph before, we have:

During the LTS period, all direct dependencies of the skeleton will receive security support in the latest versions possible under the version constraints as listed in the skeleton application's composer.json file.

so, when we use ^1.7.0, version 1.8 will be installed as well, and this one should be marked as LTS.


Originally posted by @michalbundyra at zendframework/zend-diactoros#373 (comment)

@Xerkus Xerkus closed this as not planned Won't fix, can't repro, duplicate, stale Aug 3, 2022