# Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY] - autoclosed #78

Status: Closed. renovate wants to merge 1 commit into `master` from `renovate/packagist-laminas/laminas-diactoros-vulnerability`.
Conversation
Timeline of bot activity on this PR (every force-push below is to the `renovate/packagist-laminas/laminas-diactoros-vulnerability` branch):

- September 26, 2022 01:47: renovate bot force-pushed the branch from 038bb2d to c0f9ce0.
- Sep 26, 2022: renovate bot changed the title from "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]".
- Sep 27, 2022: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]" to "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]".
- September 28, 2022 08:24: renovate bot force-pushed the branch 2 times, most recently from 79e9db3 to c762224.
- Sep 28, 2022: renovate bot changed the title from "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]".
- Oct 2, 2022: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]" to "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]".
- October 2, 2022 14:05: renovate bot force-pushed the branch 2 times, most recently from 0dbe7bf to d9be578.
- Oct 2, 2022: renovate bot changed the title from "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]".
- Oct 5, 2022: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]" to "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]".
- October 5, 2022 09:15: renovate bot force-pushed the branch 2 times, most recently from d5ecb01 to e05d390.
- Oct 5, 2022: renovate bot changed the title from "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]".
- Oct 5, 2022: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]" to "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]".
- October 5, 2022 20:39: renovate bot force-pushed the branch 2 times, most recently from 557a06b to 059abb8.
- Oct 5, 2022: renovate bot changed the title from "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]".
- Oct 6, 2022: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]" to "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]".
- October 6, 2022 13:59: renovate bot force-pushed the branch 2 times, most recently from 786a904 to cc06eec.
- Oct 6, 2022: renovate bot changed the title from "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]".
- Oct 6, 2022: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]" to "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]".
- October 6, 2022 19:30: renovate bot force-pushed the branch 2 times, most recently from 6c1d59e to 3be6bb4.
- Oct 6, 2022: renovate bot changed the title from "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]".
- Oct 10, 2022: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]" to "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]".
- October 10, 2022 17:52: renovate bot force-pushed the branch 2 times, most recently from 5b0832f to 96a8142.
- Oct 10, 2022: renovate bot changed the title from "Pin dependency laminas/laminas-diactoros to v2.8.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.11.1 [SECURITY]".
- May 1, 2024 13:34: renovate bot force-pushed the branch from 99e3e4c to eb456ca.
- May 1, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]".
- May 9, 2024 11:44: renovate bot force-pushed the branch from eb456ca to 0d1773e.
- May 9, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]".
- May 9, 2024 12:18: renovate bot force-pushed the branch from 0d1773e to 8be93b6.
- May 9, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]".
- May 15, 2024 19:35: renovate bot force-pushed the branch from 8be93b6 to ebdeb27.
- May 15, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]".
- May 16, 2024 01:50: renovate bot force-pushed the branch from ebdeb27 to 380a6d1.
- May 16, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]".
- June 1, 2024 02:09: renovate bot force-pushed the branch from 380a6d1 to e8cdb1d.
- Jun 1, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]".
- June 1, 2024 04:56: renovate bot force-pushed the branch from e8cdb1d to 5843de8.
- Jun 1, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]".
- June 27, 2024 08:27: renovate bot force-pushed the branch from 5843de8 to d61d0b3.
- Jun 27, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]".
- June 27, 2024 10:56: renovate bot force-pushed the branch from d61d0b3 to e2d7376.
- Jun 27, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]".
- July 14, 2024 11:08: renovate bot force-pushed the branch from e2d7376 to 9fef6b3.
- Jul 14, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]".
- July 14, 2024 12:54: renovate bot force-pushed the branch from 9fef6b3 to d9c8d0a.
- Jul 14, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]".
- July 28, 2024 16:32: renovate bot force-pushed the branch from d9c8d0a to 0044269.
- Jul 28, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]".
- July 28, 2024 18:26: renovate bot force-pushed the branch from 0044269 to 2657f40.
- Jul 28, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]".
- Aug 6, 2024: renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY] - autoclosed".
- August 6, 2024 07:45: renovate bot deleted the `renovate/packagist-laminas/laminas-diactoros-vulnerability` branch.
## PR description

This PR contains the following updates: laminas/laminas-diactoros `~2.8.0` -> `~2.18.1`.
### GitHub Vulnerability Alerts

#### CVE-2022-31109

**Impact**

Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a `Laminas\Diactoros\Uri` instance associated with the incoming server request modified to reflect values from `X-Forwarded-*` headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.

**Patches**

Any version after 2.11.0.

Starting in laminas/laminas-diactoros 2.11.1, we have added `Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface`, which defines the single method `__invoke(Psr\Http\Message\ServerRequestInterface $request): Psr\Http\Message\ServerRequestInterface`. Filters implementing this interface allow modifying and returning a generated `ServerRequest`.

The primary use case of the interface is to allow modifying the generated URI based on the presence of headers such as `X-Forwarded-Host`. When operating behind a reverse proxy, the `Host` header is often rewritten to the name of the node to which the request is being forwarded, and an `X-Forwarded-Host` header is generated with the original `Host` value to allow the server to determine the original host the request was intended for. (We have always examined the `X-Forwarded-Proto` header; as of Diactoros 2.11.1, we also examine the `X-Forwarded-Port` header.) To accommodate this use case, we created `Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders`.

Due to potential security issues, it is generally best to only accept these headers if you trust the reverse proxy that has initiated the request. (This value is found in `$_SERVER['REMOTE_ADDR']`, which is present as `$request->getServerParams()['REMOTE_ADDR']` within PSR-7 implementations.)

`FilterUsingXForwardedHeaders` provides named constructors to allow you to trust these headers from any source (which has been the default behavior of Diactoros since the beginning), or to specify specific IP addresses or CIDR subnets to trust, along with which headers are trusted.

`Laminas\Diactoros\ServerRequestFactory::fromGlobals()` was updated to accept a `FilterServerRequestInterface` as an additional, optional argument. Since the `X-Forwarded-*` headers do have valid use cases, particularly in clustered environments using a load balancer, to prevent backwards compatibility breaks, if no filter is provided, we generate an instance via `FilterUsingXForwardedHeaders::trustReservedSubnets()`, which generates an instance marked to trust only proxies on private subnets.

**Workarounds**

Infrastructure or DevOps can configure web servers to reject `X-Forwarded-*` headers at the web server level.

Users of laminas/laminas-diactoros can make use of the `Laminas\Diactoros\RequestFilter\RequestFilterInterface` functionality (the filter interface introduced above as `Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface`) in order to either (a) disable usage of the `X-Forwarded-*` headers entirely, (b) opt-in to it, or (c) opt-in to the usage for configured proxy servers.

**References**

**For more information**

If you have any questions or comments about this advisory:
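An added example (not part of the advisory and not the laminas project's own code) showing the filter mechanism the advisory describes: the same forged `X-Forwarded-*` headers are honoured or ignored depending on which `FilterUsingXForwardedHeaders` named constructor is handed to `ServerRequestFactory::fromGlobals()`. The `$_SERVER` values, the `10.10.0.0/16` load-balancer subnet and the client addresses are constructed for the demonstration; it assumes laminas/laminas-diactoros ^2.11.1 installed via Composer.

```php
<?php
// Added example, not code from the advisory or from laminas-diactoros itself. It shows
// how the filter passed to ServerRequestFactory::fromGlobals() decides whether
// X-Forwarded-* headers may rewrite the request URI. Requires laminas/laminas-diactoros
// ^2.11.1 installed via Composer; all request values below are constructed.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Laminas\Diactoros\ServerRequestFactory;
use Laminas\Diactoros\ServerRequestFilter\DoNotFilter;
use Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface;
use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;

// Constructed $_SERVER-style input: the backend sees Host app.internal:8080 over plain
// HTTP, while the X-Forwarded-* headers claim https://www.example.com. Whether those
// claims are honoured should depend only on who sent the request (REMOTE_ADDR).
function constructedServerParams(string $remoteAddr): array
{
    return [
        'REQUEST_METHOD'         => 'GET',
        'REQUEST_URI'            => '/account',
        'SERVER_PORT'            => '8080',
        'HTTP_HOST'              => 'app.internal:8080',
        'REMOTE_ADDR'            => $remoteAddr,
        'HTTP_X_FORWARDED_HOST'  => 'www.example.com',
        'HTTP_X_FORWARDED_PROTO' => 'https',
        'HTTP_X_FORWARDED_PORT'  => '443',
    ];
}

// Builds the ServerRequest the way a front controller would, with an explicit filter,
// and returns the authority the application would embed in absolute links or redirects.
function authoritySeenByApp(string $remoteAddr, FilterServerRequestInterface $filter): string
{
    $request = ServerRequestFactory::fromGlobals(
        constructedServerParams($remoteAddr), null, null, null, null, $filter
    );
    $uri  = $request->getUri();
    $port = $uri->getPort(); // null when the port is the default for the scheme
    return sprintf('%s://%s%s', $uri->getScheme(), $uri->getHost(), $port === null ? '' : ':' . $port);
}

// Only the load balancer subnet (constructed: 10.10.0.0/16) may rewrite host, proto and port.
$trustLoadBalancer = FilterUsingXForwardedHeaders::trustProxies(['10.10.0.0/16']);

// A request arriving directly from the internet (203.0.113.9) with forged headers is rewritten
// only under the historical trustAny() behaviour; trustProxies() honours the headers solely
// when REMOTE_ADDR is inside the trusted subnet, and DoNotFilter never honours them.
$scenarios = [
    'trustAny(), request direct from the internet' => ['203.0.113.9', FilterUsingXForwardedHeaders::trustAny()],
    'trustProxies(), request direct from internet' => ['203.0.113.9', $trustLoadBalancer],
    'trustProxies(), request via load balancer'    => ['10.10.4.2', $trustLoadBalancer],
    'DoNotFilter, headers ignored from anywhere'   => ['10.10.4.2', new DoNotFilter()],
];

foreach ($scenarios as $label => [$remoteAddr, $filter]) {
    printf("%-46s %s\n", $label, authoritySeenByApp($remoteAddr, $filter));
}
```

Run it with `php` from the project root; the host printed for the two "direct from the internet" rows is the quickest way to confirm which trust policy a deployment is actually running with.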
#### CVE-2023-29530

**Impact**

Affected versions of Laminas Diactoros accepted a single line feed (LF / `\n`) character at the end of a header name. When serializing such a header name containing a line feed into the on-the-wire representation of an HTTP/1.x message, the resulting message would be syntactically invalid, because the header line is terminated too early. An attacker who is able to control the header names that are passed to Laminas Diactoros would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with a PSR-18 HTTP client. The latter might present a denial-of-service vector if a remote service's web application firewall bans the application due to the receipt of malformed requests.

**Patches**

The problem has been patched in the following versions:

**Workarounds**

Validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.

**References**
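An added example (not from the advisory or the laminas project) of the workaround above: a header-name validator applied before `withHeader()`. The sample names are constructed; `assertHeaderName`, `cleanHeaderName` and `withValidatedHeader` are names chosen here, not library API.

```php
<?php
// Added example, not code from the advisory or from laminas-diactoros. It implements the
// workaround above: validate (or clean) header names before they reach withHeader(), so a
// name that ends in LF can never truncate the serialized HTTP/1.x message. Sample names
// below are constructed. Requires psr/http-message (pulled in by laminas-diactoros).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\MessageInterface;

// RFC 7230 "token": the only characters permitted in a header field name. Anchored with
// \z rather than $, because in PCRE a bare $ also matches just before a final "\n", so a
// $-anchored check would accept exactly the trailing-LF names this advisory is about.
const HEADER_NAME_TOKEN = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/';

// Strict mode for names taken from untrusted input: refuse anything that is not a token.
function assertHeaderName(string $name): string
{
    if (preg_match(HEADER_NAME_TOKEN, $name) !== 1) {
        throw new InvalidArgumentException(
            'Invalid HTTP header name ' . json_encode($name, JSON_UNESCAPED_SLASHES)
        );
    }
    return $name;
}

// Lenient mode for semi-trusted names: strip CR/LF and blanks at both ends, then validate.
function cleanHeaderName(string $name): string
{
    return assertHeaderName(trim($name, " \t\r\n"));
}

// Drop-in replacement for $message->withHeader() that validates the name first.
function withValidatedHeader(MessageInterface $message, string $name, $value): MessageInterface
{
    return $message->withHeader(assertHeaderName($name), $value);
}

// Demo over constructed names; the second one is the CVE-2023-29530 shape (single trailing LF).
foreach (["X-Request-Id", "X-Request-Id\n", "X Request Id", "X-Request-Id\r\n"] as $name) {
    $strict = preg_match(HEADER_NAME_TOKEN, $name) === 1 ? 'accepted' : 'rejected';
    try {
        $lenient = 'cleaned to ' . json_encode(cleanHeaderName($name));
    } catch (InvalidArgumentException $e) {
        $lenient = 'rejected'; // nothing to strip that would make it a valid token
    }
    printf("%-22s strict: %s, lenient: %s\n", json_encode($name), $strict, $lenient);
}
```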
### Release Notes

**laminas/laminas-diactoros (laminas/laminas-diactoros)**

#### v2.18.1

#### v2.18.0

Release Notes for 2.18.0: feature release (minor). Labels: Enhancement.

#### v2.17.0

Release Notes for 2.17.0: feature release (minor).

- Enhancement: … `SensitiveParameter` attribute to `Uri::withUserInfo()`, thanks to @TimWolla

#### v2.16.0

Release Notes for 2.16.0: feature release (minor). Labels: Enhancement.

#### v2.15.0

Release Notes for 2.15.0: feature release (minor).

#### v2.14.0

Release Notes for 2.14.0: feature release (minor).

- Documentation, Enhancement
- Enhancement: … `config.allow-plugins` key in composer.json, thanks to @TimWolla
- … `export-ignore` attribute for `/renovate.json`, thanks to @TimWolla

#### v2.13.0

Release Notes for 2.13.0: feature release (minor).

- Enhancement: … `laminas/laminas-coding-standard:2.3.x` upgrades, thanks to @Ocramius
- … `laminas/laminas-coding-standard:2.3.x`, improved types and internal API, thanks to @gsteel

#### v2.12.0

Release Notes for 2.12.0: feature release (minor).

- Bug: … `UploadedFileTest::setUp()`, thanks to @TimWolla
- Enhancement: … `host` headers when constructing a ServerRequest, thanks to @TimWolla
- Documentation, Enhancement

#### v2.11.3

Release Notes for 2.11.3: 2.11.x bugfix release (patch).

- Bug, Enhancement: … `UploadedFile::moveTo()` so it actually removes the original file when used in CLI context, and doesn't leave orphaned files, thanks to @k2rn

#### v2.11.2

Release Notes for 2.11.2: 2.11.x bugfix release (patch). Labels: Bug.
#### v2.11.1

Release Notes for 2.11.1. This is a SECURITY release. All users are encouraged to upgrade immediately.

**Added**

This release adds features to allow filtering a `ServerRequest` as generated by `Laminas\Diactoros\ServerRequestFactory::fromGlobals()` for the purposes of initialization. Examples include: using `X-Forwarded-*` headers to modify the URL to represent the original client request.

The features are based on a new interface, `Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface`, which defines a single method (the `__invoke(Psr\Http\Message\ServerRequestInterface $request): Psr\Http\Message\ServerRequestInterface` signature quoted in the CVE-2022-31109 advisory above). We provide two implementations, as follows:

- `Laminas\Diactoros\ServerRequestFilter\DoNotFilter` will return the provided request verbatim.
- `Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders` has named constructors that allow you to define how and when `X-Forwarded-*` headers are used to modify the URI instance associated with the request. These methods are:
  - `trustAny()`: this method generates a filter instance that will trust all `X-Forwarded-*` headers from any source.
  - `trustReservedSubnets(array $trustedHeaders = ?)`: this method generates a filter instance that only modifies the URL if the IP address of the requesting server is from a reserved, private subnet (localhost; classes A, B, and C subnets; and IPv6 private and link-local subnets). By default, it will trust all `X-Forwarded-*` headers from these sources, but you may specify a list to allow via the `$trustedHeaders` argument.
  - `trustProxies(array $proxyCIDRList, array $trustedHeaders = ?)`: this method will generate a filter instance that only modifies the URL if the requesting server matches an entry in the `$proxyCIDRList`. These entries may be IP addresses, or any IPv4 or IPv6 CIDR subnets. By default, it will trust all `X-Forwarded-*` headers from these sources, but you may specify a list to allow via the `$trustedHeaders` argument.

`ServerRequestFactory::fromGlobals()` now accepts a `FilterServerRequestInterface` instance as the optional argument `$requestFilter`. If none is provided, it uses one as produced by `FilterUsingXForwardedHeaders::trustReservedSubnets()`.

**Deprecated**

- `Laminas\Diactoros\marshalUriFromSapi()` is deprecated, and no longer used internally.

**Changed**

- `Laminas\Diactoros\ServerRequestFactory::fromGlobals()` no longer consumes `marshalUriFromSapi()`, and instead inlines an alternate implementation. The new implementation does not consider `X-Forwarded-*` headers by default when generating the associated URI instance. Internally, if no `FilterServerRequestInterface` implementation is provided, it defaults to using an instance returned by `FilterUsingXForwardedHeaders::trustReservedSubnets()`. If you previously relied on `X-Forwarded-*` headers, you MAY need to update your code to use either the `FilterUsingXForwardedHeaders::trustAny()` or `FilterUsingXForwardedHeaders::trustProxies()` methods to generate a filter to use with `ServerRequestFactory::fromGlobals()`.

**Fixed**
#### v2.11.0

Release Notes for 2.11.0: feature release (minor).

- Enhancement: … `export-ignore` attribute for `.laminas-ci.json`, thanks to @TimWolla

#### v2.10.0

Release Notes for 2.10.0.

**Changed**

This release adds minor normalization of header values with line continuations; the line continuations are now normalized to a single space. This is done to conform to RFC 7230 §3.2.4, which is an important security guideline.

- Enhancement: … `use function trim;`, thanks to @TimWolla
- Bug, Enhancement
- Bug

#### v2.9.2

Release Notes for 2.9.2: 2.9.x bugfix release (patch). Labels: Bug.

#### v2.9.1

Release Notes for 2.9.1: 2.9.x bugfix release (patch). Labels: Bug.

#### v2.9.0

Release Notes for 2.9.0. Labels: Enhancement; Documentation, Enhancement, hacktoberfest-accepted.
### Configuration

- 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
- ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.