2.13.0

Release Notes for 2.13.0

Feature release (minor)

2.13.0

• Total issues resolved: 0
• Total pull requests resolved: 4
• Total contributors: 3

Enhancement

• 106: Refined types as per laminas/laminas-coding-standard:2.3.x upgrades thanks to @Ocramius
• 103: Update to laminas/laminas-coding-standard:2.3.x, improved types and internal API thanks to @gsteel

renovate

• 101: Update dependency laminas/laminas-coding-standard to v2 - autoclosed thanks to @renovate[bot]
• 100: Configure Renovate thanks to @renovate[bot]

2.12.0

Release Notes for 2.12.0

Feature release (minor)

2.12.0

• Total issues resolved: 0
• Total pull requests resolved: 5
• Total contributors: 4

Bug

• 99: Merge release 2.11.3 into 2.12.x thanks to @github-actions[bot]
• 92: Fix typo in property name in UploadedFileTest::setUp() thanks to @TimWolla

Enhancement

• 97: Ignore obviously malformed host headers when constructing a ServerRequest thanks to @TimWolla
• 91: Fix typo thanks to @PhantomWatson

Documentation,Enhancement

• 93: Clarify how zero-valued header parsing changed from diactoros 1.x to 2.x thanks to @S1ructure

2.11.3

Release Notes for 2.11.3

2.11.x bugfix release (patch)

2.11.3

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

Bug,Enhancement

• 98: Fixed UploadedFile::moveTo() so it actually removes the original file when used in CLI context, and doesn't leave orphaned files thanks to @k2rn

2.11.2

Release Notes for 2.11.2

2.11.x bugfix release (patch)

2.11.2

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

Bug

• 95: Resolve Host header and X-Forwarded-Proto regressions thanks to @weierophinney

2.11.1

Release Notes for 2.11.1

This is a SECURITY release. All users are encouraged to upgrade immediately.

Added

This release adds features to allow filtering a ServerRequest as generated by Laminas\Diactoros\ServerRequestFactory::fromGlobals() for the purposes of initialization. Examples include:

• Adding a request identifier.
• Using X-Forwarded-* headers to modify the URL to represent the original client request.

The features are based on a new interface, Laminas\Diactorors\ServerRequestFilter\FilterServerRequestInterface, which defines a single method:

public function __invoke(
    \Psr\Http\Message\ServerRequestInterface $request
): \Psr\Http\Message\ServerRequestInterface

We provide two implementations, as follows:

• Laminas\Diactoros\ServerRequestFilter\DoNotFilter will return the provided request verbatim.
• Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders has named constructors that allow you to define how and when X-Forwarded-* headers are used to modify the URI instance associated with the request. These methods are:
  • trustAny(): this method generates a filter instance that will trust all X-Forwarded-* headers from any source.
  • trustReservedSubnets(array $trustedHeaders = ?): this method generates a filter instance that only modifies the URL if the IP address of the requesting server is from a reserved, private subnet (localhost; classes A, B, and C subnets; and IPv6 private and local-link subnets). By default, it will trust all X-Forwarded-* headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.
  • trustProxies(array $proxyCIDRList, array $trustedHeaders = ?): this method will generate a filter instance that only modifies the URL if the requesting server matches an entry in the $proxyCIDRList. These entries may be IP addresses, or any IPv4 or IPv6 CIDR subnets. By default, it will trust all X-Forwarded-* headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.

ServerRequestFactory::fromGlobals() now accepts a FilterServerRequestInterface instance as the optional argument $requestFilter. If none is provided, it uses one as produced by FilterUsingXForwardedHeaders::trustReservedSubnets().

Deprecated

• The function Laminas\Diactoros\marshalUriFromSapi() is deprecated, and no longer used internally.

Changed

Laminas\Diactoros\ServerRequestFactory::fromGlobals() no longer consumes marshalUriFromSapi(), and instead inlines an alternate implementation. The new implementation does not consider X-Forwarded-* headers by default when generating the associated URI instance. Internally, if no FilterServerRequestInterface implementation is provided, it defaults to using an instance returned by FilterUsingXForwardeHeaders::trustReservedSubnets(). If you previously relied on X-Forwarded-* headers, you MAY need to update your code to use either the FilterUsingXForwardedHeaders::trustAny() or FilterUsingXForwardedHeaders::trustProxies() methods to generate a filter to use with ServerRequestFactory::fromGlobals().

Fixed

• Fixes CVE-2022-31109

2.11.1

• Total issues resolved: 0
• Total pull requests resolved: 0
• Total contributors: 0

2.11.0

Release Notes for 2.11.0

Feature release (minor)

2.11.0

• Total issues resolved: 0
• Total pull requests resolved: 2
• Total contributors: 1

Enhancement

• 90: Use constant expression for JsonResponse::DEFAULT_JSON_FLAGS thanks to @TimWolla
• 89: Add export-ignore attribute for .laminas-ci.json thanks to @TimWolla

2.10.0

Release Notes for 2.10.0

Changed

This release adds minor normalization of header values with line continuations; the line continuations are now normalized to a single space. This is done to conform to RFC 7230#3.2.4, which is an important security guideline.

2.10.0

• Total issues resolved: 0
• Total pull requests resolved: 5
• Total contributors: 2

Enhancement

• 88: Correctly use function trim; thanks to @TimWolla
• 85: Fix method names of test cases in Request\SerializerTest thanks to @TimWolla

Bug,Enhancement

• 87: Normalize line-folded headers values to not contain newlines thanks to @TimWolla

Bug

• 86: Merge release 2.9.2 into 2.10.x thanks to @github-actions[bot]
• 83: Merge release 2.9.1 into 2.10.x thanks to @github-actions[bot]

2.9.2

Release Notes for 2.9.2

2.9.x bugfix release (patch)

2.9.2

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

Bug

• 84: Trim whitespace in header values thanks to @TimWolla

2.9.1

Release Notes for 2.9.1

2.9.x bugfix release (patch)

2.9.1

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

Bug

• 82: Fix unserialization of header continuation / line folding thanks to @TimWolla

2.9.0

Release Notes for 2.9.0

2.9.0

• Total issues resolved: 1
• Total pull requests resolved: 4
• Total contributors: 4

Enhancement

• 80: Prepare for Renovate with reusable workflows thanks to @ghostwriter
• 78: Change HTTP Reason phrases according to the iana update thanks to @marcelthole
• 75: [QA] Using php >= 7.3 syntax, where possible thanks to @samsonasik

Documentation,Enhancement,hacktoberfest-accepted

• 76: Simplify redirects of legacy docs thanks to @driehle