All notable changes to this project will be documented in this file, in reverse chronological order by release.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- #207 fixes case sensitivity for SameSite directive.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- #204 fixes numerous header classes to cast field value to string (since `HeaderInterface::getFieldValue()` specifies a return value of a string).
- #182 fixes detecting base URI in Request. Now `argv` is used only for CLI requests as a fallback to detect script filename.
- #175 adds support for Content Security Policy Level 3 Header directives.
- #200 adds support for additional directives in Content Security Policy header: `block-all-mixed-content`, `require-sri-for`, `trusted-types`, `upgrade-insecure-requests`.
- #177 adds support for Feature Policy header.
- #186 adds support for SameSite directive in Set-Cookie header.
- #194 changes range of valid HTTP status codes to 100-599 (inclusive).
- Nothing.
- Nothing.
- #200 fixes support for directives without value in Content Security Policy header.
- Nothing.
- #190 changes `ContentSecurityPolicy` to allow multiple values. Before it was not possible to provide multiple headers of that type.
- Nothing.
- Nothing.
- #184 fixes responses for requests through the proxy with `HTTP/1.1 200 Connection established` header.
- #187 fixes infinite recursion on invalid header. Now an `InvalidArgumentException` exception is thrown.
- #188 fixes `Client::setCookies` method to properly handle an array of `SetCookie` objects. Per documentation it should be allowed.
- #189 fixes `Headers::toArray` method to properly handle headers of the same type. Behaviour differed depending on how the header had been attached (`addHeader` or `addHeaderLine`; broken before).
- #198 fixes merging options in Curl adapter. It was not possible to override integer-key options (constants) set via constructor with method `setOptions`.
- #198 fixes allowed options type in `Proxy::setOptions`. `Traversable`, `array` or `Zend\Config` object is expected.
- #198 fixes various issues with `Proxy` adapter.
- #199 fixes saving resource to the file when streaming while client supports compression. Before, incorrectly, the compressed resource was saved into the file.
- #173 adds support for HTTP/2 requests and responses.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- #168 fixes a problem when validating the connection timeout for the `Curl` and `Socket` client adapters; it now correctly identifies both integer and string integer values.
- #154 adds the method `SetCookie::setEncodeValue()`. By default, Set-Cookie values are passed through `urlencode()`; when a boolean `false` is provided to this new method, the raw value will be used instead.
- #166 adds support for PHP 7.3.
- #154 changes the behavior of `SetCookie::fromString()` slightly: if the parsed cookie value is the same as the one passed through `urldecode()`, the `SetCookie` header's `$encodeValue` property will be toggled off to ensure the value is not encoded in subsequent serializations, thus retaining the integrity of the value between usages.
- #161 changes how the Socket and Test adapters aggregate headers. Previously, they would `ucfirst()` the header name; now, they correctly leave the header names untouched, as header names should be considered case-insensitive.
- #156 changes how gzip and deflate decompression occur in responses, ensuring that if the Content-Length header reports 0, no decompression is attempted, and an empty string is returned.
- Nothing.
- #166 removes support for zend-stdlib v2 releases.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- #165 fixes detection of the base URL when operating under a CLI environment.
- #149 provides fixes to `Client::setUri()` to ensure its status as a relative or absolute URI is correctly memoized.
- #162 fixes a typo in an exception message raised within `Cookies::fromString()`.
- #121 adds detection for non-numeric connection timeout values as well as integer casting to ensure the timeout is set properly in both the Curl and Socket adapters.
- Nothing.
- #153 changes the reason phrase associated with the status code 425 from "Unordered Collection" to "Too Early", corresponding to a new definition of the code as specified by the IANA.
- Nothing.
- Nothing.
- #151 fixes how Referer and other location-based headers report problems with invalid URLs provided in the header value, raising a `Zend\Http\Exception\InvalidArgumentException` in such cases. This change ensures the behavior is consistent with behavior prior to the 2.8.0 release.
- Nothing.
- This release modifies how `Zend\Http\PhpEnvironment\Request` marshals the request URI. In prior releases, we would attempt to inspect the `X-Rewrite-Url` and `X-Original-Url` headers, using their values, if present. These headers are issued by the ISAPI_Rewrite module for IIS (developed by HeliconTech). However, we have no way of guaranteeing that the module is what issued the headers, making it an unreliable source for discovering the URI. As such, we have removed this feature in this release of zend-http.

  If you are developing a zend-mvc application, you can mimic the functionality by adding a bootstrap listener like the following:

  ```php
  public function onBootstrap(MvcEvent $mvcEvent)
  {
      $request    = $mvcEvent->getRequest();
      $requestUri = null;

      $httpXRewriteUrl = $request->getHeader('X-Rewrite-Url');
      if ($httpXRewriteUrl) {
          $requestUri = $httpXRewriteUrl->getFieldValue();
      }

      // X-Original-Url, when present, takes precedence over X-Rewrite-Url.
      $httpXOriginalUrl = $request->getHeader('X-Original-Url');
      if ($httpXOriginalUrl) {
          $requestUri = $httpXOriginalUrl->getFieldValue();
      }

      if ($requestUri) {
          $request->setUri($requestUri);
      }
  }
  ```

  If you use a listener such as the above, make sure you also instruct your web server to strip any incoming headers of the same name so that you can guarantee they are issued by the ISAPI_Rewrite module.
- Nothing.
- Nothing.
- Nothing.
- #135 adds a package suggestion of paragonie/certainty, which provides automated management of cacert.pem files.
- #143 adds support for PHP 7.2.
- Nothing.
- Nothing.
- Nothing.
- #140 fixes retrieval of headers when multiple headers of the same name are added to the `Headers` instance; it now ensures that the last header added of the same type is retrieved when it is not a multi-value type. Previous values are overwritten.
- #112 provides performance improvements when parsing large chunked messages.
- introduces changes to `Response::fromString()` to pull the next line of the response and parse it for the status when a 100 status code is initially encountered, per https://tools.ietf.org/html/rfc7231#section-6.2.1
- #122 fixes an issue with the stream response whereby if the `outputstream` option is set, the output file was opened twice; it is now opened exactly once.
- #147 fixes an issue with header retrieval when the header line is malformed. Previously, an exception would be raised if a specific `HeaderInterface` implementation determined the header line was invalid. Now, `Header::has()` will return false for such headers, allowing `Request::getHeader()` to return `false` or the provided default value. Additionally, in cases where the header name is malformed (e.g., `Useragent` instead of `User-Agent`), users can still retrieve by the submitted header name; they will receive a `GenericHeader` instance in such cases, however.
- #133 Adds back missing sprintf placeholder in CacheControl exception message
- #110 Adds status codes 226, 308, 444, 499, 510, 599 with their corresponding constants and reason phrases.
- #120 Changes handling of Cookie Max-Age parameter to conform to specification rfc6265#section-5.2.2. Specifically, non-numeric values are ignored and negative numbers are changed to 0.
- Nothing.
- #115 dropped PHP 5.5 support.
- #130 Fixed cURL adapter not resetting headers from previous request when used with output stream.
- #99 added TimeoutException for cURL adapter.
- #98 added connection timeout (`connecttimeout`) for cURL and Socket adapters.
- #97 added support for `sslcafile` and `sslcapath` to cURL adapter.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- #107 fixes the `Expires` header to allow values of `0` or `'0'`; these now resolve to the start of the unix epoch (1970-01-01).
- #102 fixes the Curl adapter timeout detection.
- #93 fixes the Content Security Policy CSP HTTP header when it is `none` (empty value).
- #92 fixes the flatten cookies value for array value (also multidimensional).
- #34 fixes the standard separator (&) for application/x-www-form-urlencoded.
- #44, #45, #46, #47, #48, and #49 prepare the documentation for publication at https://zendframework.github.io/zend-http/
- Nothing.
- Nothing.
- #87 fixes the `ContentLength` constructor to test for a non null value (vs a falsy value) before validating the value; this ensures 0 values may be specified for the length.
- #85 fixes infinite recursion on AbstractAccept. If you create a new Accept and try to call getFieldValue(), an infinite recursion and a fatal error happens.
- #58 avoids triggering a notice with specially crafted Accept headers. In the case the value of an Accept header does not contain an equal sign, an "Undefined offset" notice is triggered.
- Nothing.
- Nothing.
- Nothing.
- #42 updates dependencies to ensure it can work with PHP 5.5+ and 7.0+, as well as zend-stdlib 2.5+/3.0+.
- Nothing.
- Nothing.
- Nothing.
- #23 fixes a BC break introduced with fixes for ZF2015-04, pertaining specifically to the `SetCookie` header. The fix backs out a check for message splitting syntax, as that particular class already encodes the value in a manner that prevents the attack. It also adds tests to ensure the security vulnerability remains patched.
- Nothing.
- Nothing.
- Nothing.
- #7 fixes a call in the proxy adapter to `Response::extractCode()`, which does not exist, to `Response::fromString()->getStatusCode()`, which does.
- #8 ensures that the Curl client adapter enables the `CURLINFO_HEADER_OUT`, which is required to ensure we can fetch the raw request after it is sent.
- #14 fixes `Zend\Http\PhpEnvironment\Request` to ensure that empty `SCRIPT_FILENAME` and `SCRIPT_NAME` values which result in an empty `$baseUrl` will not raise an `E_WARNING` when used to do a `strpos()` check during base URI detection.