|
2 | 2 |
|
3 | 3 | All notable changes to this project will be documented in this file, in reverse chronological order by release. |
4 | 4 |
|
5 | | -## 1.0.4 - TBD |
| 5 | +## 1.0.4 - 2015-06-23 |
| 6 | + |
| 7 | +This is a security release. |
| 8 | + |
| 9 | +A patch has been applied to `Zend\Diactoros\Uri::filterPath()` that ensures that |
| 10 | +paths can only begin with a single leading slash. This prevents the following |
| 11 | +potential security issues: |
| 12 | + |
| 13 | +- XSS vectors. If the URI path is used for links or form targets, this prevents |
| 14 | + cases where the first segment of the path resembles a domain name, thus |
| 15 | + creating scheme-relative links such as `//example.com/foo`. With the patch, |
| 16 | + the leading double slash is reduced to a single slash, preventing the XSS |
| 17 | + vector. |
| 18 | +- Open redirects. If the URI path is used for `Location` or `Link` headers, |
| 19 | + without a scheme and authority, potential for open redirects exist if clients |
| 20 | + do not prepend the scheme and authority. Again, preventing a double slash |
| 21 | + corrects the vector. |
| 22 | + |
| 23 | +If you are using `Zend\Diactoros\Uri` for creating links, form targets, or |
| 24 | +redirect paths, and only using the path segment, we recommend upgrading |
| 25 | +immediately. |
6 | 26 |
|
7 | 27 | ### Added |
8 | 28 |
|
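Review bot: the new 1.0.4 section announces a security release but never names the advisory; add the `ZF2015-05` reference (with its `http://framework.zend.com/security/advisory/ZF2015-05` link) directly after "This is a security release." so readers scanning the release notes can find the advisory without reading to the end of the section. Also, in the open-redirect bullet, "potential for open redirects exist" should read "potential for open redirects exists".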
@@ -39,6 +59,9 @@ All notable changes to this project will be documented in this file, in reverse |
39 | 59 | - The request MUST return a `UriInterface` instance from `getUri()`; that |
40 | 60 | instance CAN be empty. Previously, Diactoros would return `null`; now it |
41 | 61 | lazy-instantiates an empty `Uri` instance on initialization. |
| 62 | +- [ZF2015-05](http://framework.zend.com/security/advisory/ZF2015-05) was |
| 63 | + addressed by altering `Uri::filterPath()` to prevent emitting a path prepended |
| 64 | + with multiple slashes. |
42 | 65 |
|
43 | 66 | ## 1.0.3 - 2015-06-04 |
44 | 67 |
|
|
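Review bot: the wording of this entry ("prevent emitting a path prepended with multiple slashes") and the wording in the release summary above ("the leading double slash is reduced to a single slash") describe the same change differently; align them, e.g. "collapses multiple leading slashes in the path to a single slash", so the summary does not read as if only the two-slash case is handled.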