4.3.0
@laminas-bot laminas-bot released this 25 Jul 19:24
· 92 commits to 4.11.x since this release

Release Notes for 4.3.0

This is a SECURITY release. All users are encouraged to upgrade immediately.

Changed

  • This release bumps the minimum-supported version of laminas/laminas-diactoros to 2.11.2 in order to pick up security updates. Users who are still pinning to Diactoros 1.x versions will need to update to the later release.

  • Modifies Mezzio\Swoole\ServerRequestSwooleFactory so that it checks the container for a Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service, creating one via Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders::trustReservedSubnets() if none is present. This change ensures that X-Forwarded-* request headers are honored only when the request comes from a reserved, private subnet (localhost; class A, B, and C subnets; and IPv6 private and link-local subnets). If you need to trust these headers from any source, or never want to trust them, you may provide an alternate server request filter by registering your own implementation of the Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service.

    • The new FilterServerRequestInterface capabilities can also be used to add features such as request identifiers to incoming requests, and we have updated our cookbook recipes to detail such usage.
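
One way to register an alternate filter service, as described above. This is an added example, not code from the release or the project: the App namespace, both class names, the trusted_proxies config key and the CIDR value are assumptions, and DoNotFilter and FilterUsingXForwardedHeaders::trustProxies() are Diactoros APIs that this page does not itself mention.

```php
<?php

declare(strict_types=1);

namespace App; // hypothetical application namespace

use Laminas\Diactoros\ServerRequestFilter\DoNotFilter;
use Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface;
use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;
use Psr\Container\ContainerInterface;

/** Hypothetical factory: builds the filter that ServerRequestSwooleFactory pulls from the container. */
final class ForwardedHeaderFilterFactory
{
    public function __invoke(ContainerInterface $container): FilterServerRequestInterface
    {
        $config = $container->has('config') ? $container->get('config') : [];
        // 'trusted_proxies' is an assumed config key, not one the project defines.
        $cidrs = $config['trusted_proxies'] ?? [];

        if ($cidrs === []) {
            // No proxy configured: return requests unchanged, so X-Forwarded-* is never applied.
            return new DoNotFilter();
        }

        // Honor only Host and Proto, and only when the peer address is inside a listed CIDR.
        return FilterUsingXForwardedHeaders::trustProxies($cidrs, [
            FilterUsingXForwardedHeaders::HEADER_HOST,
            FilterUsingXForwardedHeaders::HEADER_PROTO,
        ]);
    }
}

/** Hypothetical config provider; add it to config/config.php with the others. */
final class ForwardedHeaderConfigProvider
{
    public function __invoke(): array
    {
        return [
            // Constructed sample value: the subnet of the load balancer in front of Swoole.
            'trusted_proxies' => ['10.20.0.0/24'],
            'dependencies'    => [
                'factories' => [
                    FilterServerRequestInterface::class => ForwardedHeaderFilterFactory::class,
                ],
            ],
        ];
    }
}
```

Because the service is then present in the container, the factory no longer falls back to trustReservedSubnets(), so the trust boundary is the configured proxy list rather than every reserved subnet.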

4.3.0

  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

Enhancement