
Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY] #88

Open. renovate[bot] wants to merge 1 commit into master from renovate/packagist-laminas-laminas-diactoros-vulnerability.

Conversation

renovate[bot] (Contributor) commented Aug 6, 2024

This PR contains the following updates:

Package: laminas/laminas-diactoros (source)
Change: ~2.8.0 -> ~2.18.1

GitHub Vulnerability Alerts

CVE-2022-31109

Impact

Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-* headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.

Patches

Any version after 2.11.0.

Starting in laminas/laminas-diactoros 2.11.1, we have added Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface, which defines the single method __invoke(Psr\Http\Message\ServerRequestInterface $request): Psr\Http\Message\ServerRequestInterface. Filters implementing this interface allow modifying and returning a generated ServerRequest.

The primary use case of the interface is to allow modifying the generated URI based on the presence of headers such as X-Forwarded-Host. When operating behind a reverse proxy, the Host header is often rewritten to the name of the node to which the request is being forwarded, and an X-Forwarded-Host header is generated with the original Host value to allow the server to determine the original host the request was intended for. (We have always examined the X-Forwarded-Proto header; as of Diactoros 2.11.1, we also examine the X-Forwarded-Port header.) To accommodate this use case, we created Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders.

Due to potential security issues, it is generally best to only accept these headers if you trust the reverse proxy that has initiated the request. (This value is found in $_SERVER['REMOTE_ADDR'], which is present as $request->getServerParams()['REMOTE_ADDR'] within PSR-7 implementations.) FilterUsingXForwardedHeaders provides named constructors to allow you to trust these headers from any source (which has been the default behavior of Diactoros since the beginning), or to specify specific IP addresses or CIDR subnets to trust, along with which headers are trusted.

Laminas\Diactoros\ServerRequestFactory::fromGlobals() was updated to accept a FilterServerRequestInterface as an additional, optional argument. Since the X-Forwarded-* headers do have valid use cases, particularly in clustered environments using a load balancer, to prevent backwards compatibility breaks, if no filter is provided, we generate an instance via FilterUsingXForwardedHeaders::trustReservedSubnets(), which generates an instance marked to trust only proxies on private subnets.

Workarounds

Infrastructure or DevOps can configure web servers to reject X-Forwarded-* headers at the web server level.

Users of laminas/laminas-diactoros can make use of the Laminas\Diactoros\RequestFilter\RequestFilterInterface functionality in order to either (a) disable usage of the X-Forwarded-* headers entirely, (b) opt-in to it, or (c) opt-in to the usage for configured proxy servers.

CVE-2023-29530

Impact

Affected versions of Laminas Diactoros accepted a single line feed (LF / \n) character at the end of a header name. When serializing such a header name containing a line-feed into the on-the-wire representation of an HTTP/1.x message, the resulting message would be syntactically invalid, due to the header line being terminated too early. An attacker that is able to control the header names that are passed to Laminas Diactoros would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with a PSR-18 HTTP client. The latter might present a denial of service vector if a remote service’s web application firewall bans the application due to the receipt of malformed requests.

Patches

The problem has been patched in the following versions:

  • 2.18.1
  • 2.19.1
  • 2.20.1
  • 2.21.1
  • 2.22.1
  • 2.23.1
  • 2.24.2
  • 2.25.2

Workarounds

Validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling withHeader().


Release Notes

laminas/laminas-diactoros (laminas/laminas-diactoros)

v2.18.1

v2.18.0

Release Notes for 2.18.0

Feature release (minor)

2.18.0
  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

v2.17.0

Release Notes for 2.17.0

Feature release (minor)

2.17.0
  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

v2.16.0

Release Notes for 2.16.0

Feature release (minor)

2.16.0
  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

v2.15.0

Release Notes for 2.15.0

Feature release (minor)

2.15.0
  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

v2.14.0

Release Notes for 2.14.0

Feature release (minor)

2.14.0
  • Total issues resolved: 0
  • Total pull requests resolved: 3
  • Total contributors: 2

v2.13.0

Release Notes for 2.13.0

Feature release (minor)

2.13.0
  • Total issues resolved: 0
  • Total pull requests resolved: 4
  • Total contributors: 3

v2.12.0

Release Notes for 2.12.0

Feature release (minor)

2.12.0
  • Total issues resolved: 0
  • Total pull requests resolved: 5
  • Total contributors: 4

v2.11.3

Release Notes for 2.11.3

2.11.x bugfix release (patch)

2.11.3
  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

v2.11.2

Release Notes for 2.11.2

2.11.x bugfix release (patch)

2.11.2
  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

v2.11.1

Release Notes for 2.11.1

This is a SECURITY release. All users are encouraged to upgrade immediately.

Added

This release adds features to allow filtering a ServerRequest as generated by Laminas\Diactoros\ServerRequestFactory::fromGlobals() for the purposes of initialization. Examples include:

  • Adding a request identifier.
  • Using X-Forwarded-* headers to modify the URL to represent the original client request.

The features are based on a new interface, Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface, which defines a single method:

public function __invoke(
    \Psr\Http\Message\ServerRequestInterface $request
): \Psr\Http\Message\ServerRequestInterface

We provide two implementations, as follows:

  • Laminas\Diactoros\ServerRequestFilter\DoNotFilter will return the provided request verbatim.
  • Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders has named constructors that allow you to define how and when X-Forwarded-* headers are used to modify the URI instance associated with the request. These methods are:
    • trustAny(): this method generates a filter instance that will trust all X-Forwarded-* headers from any source.
    • trustReservedSubnets(array $trustedHeaders = ?): this method generates a filter instance that only modifies the URL if the IP address of the requesting server is from a reserved, private subnet (localhost; classes A, B, and C subnets; and IPv6 private and local-link subnets). By default, it will trust all X-Forwarded-* headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.
    • trustProxies(array $proxyCIDRList, array $trustedHeaders = ?): this method will generate a filter instance that only modifies the URL if the requesting server matches an entry in the $proxyCIDRList. These entries may be IP addresses, or any IPv4 or IPv6 CIDR subnets. By default, it will trust all X-Forwarded-* headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.

ServerRequestFactory::fromGlobals() now accepts a FilterServerRequestInterface instance as the optional argument $requestFilter. If none is provided, it uses one as produced by FilterUsingXForwardedHeaders::trustReservedSubnets().

Deprecated

  • The function Laminas\Diactoros\marshalUriFromSapi() is deprecated, and no longer used internally.

Changed

Laminas\Diactoros\ServerRequestFactory::fromGlobals() no longer consumes marshalUriFromSapi(), and instead inlines an alternate implementation. The new implementation does not consider X-Forwarded-* headers by default when generating the associated URI instance. Internally, if no FilterServerRequestInterface implementation is provided, it defaults to using an instance returned by FilterUsingXForwardedHeaders::trustReservedSubnets(). If you previously relied on X-Forwarded-* headers, you MAY need to update your code to use either the FilterUsingXForwardedHeaders::trustAny() or FilterUsingXForwardedHeaders::trustProxies() methods to generate a filter to use with ServerRequestFactory::fromGlobals().

Fixed

2.11.1
  • Total issues resolved: 0
  • Total pull requests resolved: 0
  • Total contributors: 0

v2.11.0

Release Notes for 2.11.0

Feature release (minor)

2.11.0
  • Total issues resolved: 0
  • Total pull requests resolved: 2
  • Total contributors: 1

v2.10.0

Release Notes for 2.10.0

Changed

This release adds minor normalization of header values with line continuations; the line continuations are now normalized to a single space. This is done to conform to RFC 7230#3.2.4, which is an important security guideline.

2.10.0
  • Total issues resolved: 0
  • Total pull requests resolved: 5
  • Total contributors: 2

v2.9.2

Release Notes for 2.9.2

2.9.x bugfix release (patch)

2.9.2
  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

v2.9.1

Release Notes for 2.9.1

2.9.x bugfix release (patch)

2.9.1
  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

v2.9.0

Release Notes for 2.9.0

2.9.0
  • Total issues resolved: 1
  • Total pull requests resolved: 4
  • Total contributors: 4

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate.
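The trusted-proxy configuration that the CVE-2022-31109 advisory and the 2.11.1 release notes above describe, as an added example rather than code from the Renovate PR or from the laminas-diactoros project: the pre-2.11.1 default behaviour (trustAny()) beside an explicit trustProxies() list, each applied to a constructed request that arrives once from the load balancer and once from a direct client carrying forged X-Forwarded-* headers. It assumes laminas/laminas-diactoros 2.11.1 or later installed via Composer; the sampleRequest() helper, the host names and the IP addresses are constructed for the demonstration.

```php
<?php
// Added example (not from the Renovate PR or the laminas-diactoros project):
// the weak "trust any proxy" setting beside an explicit trusted-proxy list
// for the X-Forwarded-* request filter introduced in laminas-diactoros 2.11.1.
// Assumes laminas/laminas-diactoros >= 2.11.1 installed via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Laminas\Diactoros\ServerRequest;
use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;

// Constructed sample request as an application node behind a reverse proxy
// would see it: Host names the internal node, the original host/scheme/port
// arrive in X-Forwarded-* headers, and REMOTE_ADDR is the peer that actually
// opened the TCP connection to this node.
function sampleRequest(string $remoteAddr): ServerRequest
{
    return new ServerRequest(
        ['REMOTE_ADDR' => $remoteAddr],           // server params (what the filter inspects)
        [],                                        // uploaded files
        'http://app-node-3.internal:8080/login',   // URI as marshalled from the SAPI
        'GET',
        'php://memory',
        [
            'Host'              => 'app-node-3.internal:8080',
            'X-Forwarded-Host'  => 'login.example.com',
            'X-Forwarded-Proto' => 'https',
            'X-Forwarded-Port'  => '443',
        ]
    );
}

// Weak setting: any peer can rewrite the URI host, scheme and port simply by
// sending the headers. This matches the default behaviour before 2.11.1.
$trustAnyone = FilterUsingXForwardedHeaders::trustAny();

// Corrected setting: only peers inside the load balancer's subnet (a
// constructed CIDR here) may supply X-Forwarded-* headers. With the default
// second argument all three headers are honoured from those peers.
$trustLoadBalancer = FilterUsingXForwardedHeaders::trustProxies(['10.0.0.0/24']);

// In production the filter is handed to the factory instead of being applied
// by hand (named argument as documented in the 2.11.1 release notes):
//   $request = ServerRequestFactory::fromGlobals(requestFilter: $trustLoadBalancer);

$peers = [
    '10.0.0.7'    => 'load balancer',   // inside the trusted subnet
    '203.0.113.9' => 'direct client',   // RFC 5737 documentation address, untrusted
];

foreach ($peers as $peer => $label) {
    $original = sampleRequest($peer);
    $viaAny   = $trustAnyone($original);
    $viaList  = $trustLoadBalancer($original);

    printf(
        "%-14s trustAny(): %-32s trustProxies(): %s\n",
        $label,
        (string) $viaAny->getUri(),
        (string) $viaList->getUri()
    );
}
```

Run it with php after composer require laminas/laminas-diactoros. The filter only consults REMOTE_ADDR from the server params, exactly as the advisory states, so the direct client's forged headers are ignored under trustProxies() while trustAny() rewrites the URI for both peers; that rewritten, attacker-chosen host is what ends up in any fully-qualified link the application renders, which is the XSS and URL-poisoning exposure the advisory describes.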

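The workaround quoted for CVE-2023-29530 above (strip leading or trailing newlines from user-influenced header names before calling withHeader()), as an added example that is not code from the Renovate PR or from the laminas-diactoros project. The safeHeaderName() helper and the three candidate names are constructed for the demonstration; it assumes laminas/laminas-diactoros installed via Composer, though the helper itself has no dependencies and can guard any PSR-7 implementation.

```php
<?php
// Added example (not from the Renovate PR or the laminas-diactoros project):
// validating a user-influenced header name before it reaches withHeader(),
// the mitigation the CVE-2023-29530 advisory recommends.
// Assumes laminas/laminas-diactoros installed via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Laminas\Diactoros\Request;

/**
 * Strip leading/trailing CR and LF from a header name (the advisory's
 * suggested workaround), then require the remainder to be an RFC 7230
 * "token". A name that still contains control characters or separators
 * after trimming is rejected instead of being serialized on the wire,
 * where it would terminate the header line early.
 */
function safeHeaderName(string $name): string
{
    $trimmed = trim($name, "\r\n");

    // RFC 7230 section 3.2.6 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*"
    //   / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
    if (1 !== preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/', $trimmed)) {
        throw new InvalidArgumentException(sprintf(
            'Rejected header name %s',
            json_encode($name, JSON_UNESCAPED_SLASHES)
        ));
    }

    return $trimmed;
}

// Constructed inputs: a clean name, the trailing-LF case from the advisory,
// and a name with CRLF in the middle, where trimming alone would not help.
$candidates = ["X-Request-Id", "X-Request-Id\n", "X-Evil\r\nInjected"];

$request = new Request('https://api.example.org/items', 'GET');

foreach ($candidates as $candidate) {
    try {
        $name    = safeHeaderName($candidate);
        $request = $request->withHeader($name, 'abc123');
        printf("accepted %s\n", json_encode($candidate));
    } catch (InvalidArgumentException $e) {
        // Patched Diactoros versions also throw InvalidArgumentException from
        // withHeader() for an invalid name; both paths land here.
        printf("rejected: %s\n", $e->getMessage());
    }
}

printf("header names on the request: %s\n", json_encode(array_keys($request->getHeaders())));
```

The first two candidates are accepted (the second only after its trailing newline is removed) and the third is rejected; the trailing printf shows that only X-Request-Id was ever attached to the request. Doing the check before withHeader() keeps the behaviour identical across affected and patched library versions, which matters when the upgrade in this PR cannot be rolled out immediately.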
  • renovate bot force-pushed the renovate/packagist-laminas-laminas-diactoros-vulnerability branch from 6280d6d to 6c40a18 (October 9, 2024 09:08)
  • renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" (Oct 9, 2024)
  • renovate bot force-pushed the renovate/packagist-laminas-laminas-diactoros-vulnerability branch from 6c40a18 to 2cef7b8 (October 9, 2024 13:19)
  • renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" (Oct 9, 2024)
  • renovate bot force-pushed the renovate/packagist-laminas-laminas-diactoros-vulnerability branch from 2cef7b8 to fd72d1e (October 28, 2024 16:19)
  • renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" (Oct 28, 2024)
  • renovate bot force-pushed the renovate/packagist-laminas-laminas-diactoros-vulnerability branch from fd72d1e to 4275ae7 (October 28, 2024 19:55)
  • renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" (Oct 28, 2024)
  • renovate bot force-pushed the renovate/packagist-laminas-laminas-diactoros-vulnerability branch from 4275ae7 to 4ac2022 (November 27, 2024 11:33)
  • renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" (Nov 27, 2024)
  • renovate bot force-pushed the renovate/packagist-laminas-laminas-diactoros-vulnerability branch from 4ac2022 to 56b0925 (November 27, 2024 12:17)
  • renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" (Nov 27, 2024)
  • renovate bot force-pushed the renovate/packagist-laminas-laminas-diactoros-vulnerability branch from 56b0925 to 2821d05 (December 2, 2024 11:49)
  • renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" (Dec 2, 2024)
  • renovate bot force-pushed the renovate/packagist-laminas-laminas-diactoros-vulnerability branch from 2821d05 to 3b08c68 (December 2, 2024 13:34)
  • renovate bot changed the title from "Update dependency laminas/laminas-diactoros to ~2.26.0 [SECURITY]" to "Update dependency laminas/laminas-diactoros to ~2.18.1 [SECURITY]" (Dec 2, 2024)