We are pleased to have released Slim 4.14.0. As a mature release, there aren’t many changes and all are minor and can be seen here.
This release introduces template generic docblocks into Slim.
As Slim\App has a getContainer(): ?ContainerInterface method, the generics docblock enables you to specify what type is actually returned when this method is called. For example, consider that you are using PHP-DI and have this code:
$container = $this->app->getContainer();
$entries = $container->getKnownEntryNames();
Psalm or PHPStan have no way of knowing that $container is an instance of DI\Container which has a getKnownEntryNames() method and so will complain.
To inform the static analyzer that we created Slim\App with PHP-DI, we change: /** @var \Slim\App $app */ to /** @var \Slim\App<DI\Container> $app */ and now PHPStan knows that getKnownEntryNames() is a valid method call on $container.
For your codebase, if you type hint Slim\App instance variables using /** @var \Slim\App $app */, then you will need to change it to either:
As noted above, you can also type hint to the concrete instance of the container you are using too.
We are excited to announce the Slim 4.13.0 release. The docs are located here.
We are excited to announce the Slim 4.12.0 release. The docs are located here.
A security issue has recently been reported in Slim-Psr7 with the handling of new lines in headers.
An attacker could sneak a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. An attacker who is able to control the header names that are passed to Slim-Psr7 would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with a PSR-18 HTTP client. The latter might present a denial of service vector if a remote service’s web application firewall bans the application due to the receipt of malformed requests.
All versions less than 1.6.1.
The issue is patched in version 1.6.1.
In Slim-Psr7 1.6.0 and below, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling withHeader().
For example:
$request = $request->withHeader(trim($headerName), trim($headerValue));
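The workaround above strips only leading and trailing newlines. As an added example (not code from Slim-Psr7 or the advisory), the following also rejects names and values that contain an embedded CR, LF or NUL, which trim() leaves in place; the function names and sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: function names are hypothetical, not part of Slim-Psr7.

// Header names must be an RFC 7230 token. The D modifier stops "$" from
// matching before a trailing newline.
function isValidHeaderName(string $name): bool
{
    return preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/D', $name) === 1;
}

// Values: visible ASCII, space, tab and obs-text. CR, LF and NUL never match.
function isValidHeaderValue(string $value): bool
{
    return preg_match('/^[\x09\x20-\x7E\x80-\xFF]*$/D', $value) === 1;
}

// Returns [name, value] safe to pass to withHeader(), or throws.
function checkedHeader(string $name, string $value): array
{
    $name = trim($name);   // the workaround from the advisory
    $value = trim($value);
    if (!isValidHeaderName($name)) {
        throw new InvalidArgumentException('bad header name: ' . json_encode($name));
    }
    if (!isValidHeaderValue($value)) {
        throw new InvalidArgumentException('bad header value: ' . json_encode($value));
    }
    return [$name, $value];
}

// Constructed sample input: user-supplied name/value pairs.
$samples = [
    ['X-Request-Id', 'abc123'],
    ["X-Request-Id\n", "abc123\r\n"],    // trailing newlines: trimmed, then accepted
    ['X-Trace', "abc\nX-Injected: 1"],   // embedded newline survives trim()
    ["X-Trace\nX-Injected", 'abc'],      // embedded newline in the name
];

foreach ($samples as [$name, $value]) {
    try {
        [$n, $v] = checkedHeader($name, $value);
        // With a PSR-7 request: $request = $request->withHeader($n, $v);
        echo 'accepted: ', json_encode([$n, $v]), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```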
We are very grateful to Graham Campbell for reporting this issue, providing a patch and working with us on it.
We are excited to announce the Slim 4.11.0 release. The docs are located here.
We are excited to announce the Slim 4.10.0 release. The docs are located here.
RequestResponseNamedArgs route strategy thanks to @adoy
RouteParserInterface thanks to @jerowork
We are excited to announce the Slim 4.9.0 release. The docs are located here.
We are excited to announce the Slim 4.8.0 release. The docs are located here.
[3063: Allow ^1.0 | ^2.0 in psr/container](https://github.com/slimphp/Slim/pull/3063) thanks to @Ayesh
We are excited to announce the Slim 4.7.0 release. Please direct all your feedback for this release to the Slim 4 Release Feedback Thread. The new docs are located here.
We are excited to announce the Slim 4.6.0 release. Please direct all your feedback for this release to the Slim 4 Release Feedback Thread. The new docs are located here.
$strategy parameter in a Route test thanks to @pawel-slowik