
LTS Version 1.7 is missing a security fix

Open alexpott opened this issue 4 years ago • 5 comments

  • [x] I was not able to find an open or closed issue matching what I'm seeing.
  • [x] This is not a question. (Questions should be asked on chat (Signup here) or our forums.)

According to https://framework.zend.com/long-term-support 1.7 is the long term support version of zend-diactoros, however the Symfony security scanner shows that 1.7.2 is missing the fix for the URL Rewrite vulnerability [CVE-NONE-0001]: https://framework.zend.com/security/advisory/ZF2018-01

I've tried to be helpful and backport this in https://github.com/alexpott/zend-diactoros/tree/1.7.x-CVE-NONE-0001 but I can't create a PR because there is no 1.7 release branch.

Code to reproduce the issue

        <?php
        // Reproduction: a client-controlled X-Original-URL header overrides REQUEST_URI.
        require 'vendor/autoload.php';

        use Zend\Diactoros\ServerRequestFactory;

        $server = [
            'REQUEST_URI' => 'https://example.com/requested/path',
            'HTTP_X_ORIGINAL_URL' => '/hijack-attempt',
        ];
        $path = ServerRequestFactory::marshalRequestUri($server);

Expected results

        $path === '/requested/path';

Actual results

        $path === '/hijack-attempt';

alexpott avatar Oct 17 '19 09:10 alexpott
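An added regression check, not code from the issue or from the project, that a practitioner can run against an installed zend-diactoros 1.x to confirm whether the deployed version still honours the proxy-rewrite headers covered by ZF2018-01; it generalises the reproduction above by also checking X-Rewrite-URL, the other override header the linked advisory names, and assumes `vendor/autoload.php` exists and that `ServerRequestFactory::marshalRequestUri()` is available.

```php
<?php
// Added regression check: verifies that the installed zend-diactoros ignores
// the IIS-style rewrite headers (X-Original-URL / X-Rewrite-URL) when
// reconstructing the request path from a $_SERVER-style array.
require 'vendor/autoload.php';

use Zend\Diactoros\ServerRequestFactory;

function checkRewriteHeaderIgnored(string $header, string $expected): bool
{
    // Constructed input: the legitimate request URI plus one
    // client-controlled override header set to a different path.
    $server = [
        'REQUEST_URI' => 'https://example.com/requested/path',
        $header       => '/hijack-attempt',
    ];
    $path = ServerRequestFactory::marshalRequestUri($server);

    // A fixed release strips the scheme/host and returns '/requested/path';
    // a vulnerable release returns the attacker-supplied '/hijack-attempt'.
    return $path === $expected;
}

$results = [
    'HTTP_X_ORIGINAL_URL' => checkRewriteHeaderIgnored('HTTP_X_ORIGINAL_URL', '/requested/path'),
    'HTTP_X_REWRITE_URL'  => checkRewriteHeaderIgnored('HTTP_X_REWRITE_URL', '/requested/path'),
];

foreach ($results as $header => $ok) {
    printf("%-20s %s\n", $header, $ok ? 'ignored (fixed)' : 'honoured (vulnerable)');
}

// Non-zero exit code lets this run as a CI gate before deploying a pinned version.
exit(in_array(false, $results, true) ? 1 : 0);
```

Run it from the application root after `composer install`; a non-zero exit means the pinned version still needs the fix from 1.8.x.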

The LTS page is a bit misleading. While 1.7 is listed as the LTS version, you can safely upgrade to any other release in the 1.X series without issue since we follow semver. Since 1.8 has received those fixes, update your version constraint to use ^1.7 (which will get anything from 1.7.0 forward in the 1.X series).

weierophinney avatar Oct 17 '19 14:10 weierophinney

@weierophinney Well, if we want support until 2022-03-15, then looking at https://framework.zend.com/long-term-support we need to stay on 1.7, since support for 1.8 ends on 2019-09-27.

Are you saying that because 1.7 is supported until 2022-03-15 and you follow semver, 1.8 will be supported until then as well? If so, yep, the LTS page does seem misleading.

But also if there are known security issues against 1.7 what does LTS mean?

alexpott avatar Oct 17 '19 14:10 alexpott

If we follow the release notes, then the release-1.8 branch has not received any changes other than the fixes since September last year, so I think we can assume 1.8 is an LTS as well, but yeah, having an actual confirmation will help.

jibran avatar Oct 24 '19 10:10 jibran

@jibran @alexpott

Version 1.8 is the LTS version, not 1.7. The issue is in the table; we will try to update it shortly. Please note that there is a paragraph on how to adopt an LTS version:

Adopting an LTS version

Opting-in to an LTS version of a component can be done using Composer:

$ composer require "{package}:^{version}"

The above will modify your composer.json to provide a semantic version constraint, ensuring you only get backwards-compatible updates to the given package.

and, in the paragraph before, we have:

During the LTS period, all direct dependencies of the skeleton will receive security support in the latest versions possible under the version constraints as listed in the skeleton application's composer.json file.

so, when we use ^1.7.0, version 1.8 will be installed as well, and this one should be marked as LTS.

michalbundyra avatar Oct 24 '19 10:10 michalbundyra

This repository has been closed and moved to laminas/laminas-diactoros; a new issue has been opened at https://github.com/laminas/laminas-diactoros/issues/4.

weierophinney avatar Dec 31 '19 22:12 weierophinney