65e5640810
Fix #17932 : Fix regression in detection of AJAX requests ( #17937 )
2020-03-26 12:30:56 +03:00
7f88acb313
Fix #17878 : Detect CORS AJAX requests without X-Requested-With in Request::getIsAjax()
2020-03-24 19:01:52 +03:00
7ec7fd11ee
Fix #17878 : Added note about fetch() to Request::getIsAjax() phpdoc [skip ci]
2020-02-20 01:10:59 +03:00
038ce9f77e
Fix #17755 : Fix a bug for web request with trustedHosts set to format ['10.0.0.1' => ['X-Forwarded-For']]
2020-01-15 15:51:57 +03:00
5e71b11d8d
#17733 : Additional fixes for #17665 , Forwarded header parsing in Request
...
- Remove header from secure headers
- Regexp and return null fix
- Fix tests, fix in array case sensitivity, rx duplicated group name
- Simplify code
- Add phpdoc
Co-Authored-By: Alexander Makarov <sam@rmcreative.ru>
2019-12-17 21:53:55 +03:00
83055dcc33
Fix #17665 : Implement RFC 7239 Forwarded header parsing in Request
2019-12-12 23:29:54 +03:00
9054cdfdcc
Fixes #17521 : Request::getUserHost() and request::getUserIp() ( #17593 )
2019-10-05 22:33:29 +03:00
c87855b31c
Fix #17573 : Request::getUserIP() security fix for the case when Request::$trustedHost and Request::$ipHeaders are used
2019-10-03 14:56:20 +03:00
55418776d4
Fixes #17215 : Improved security for servers running PHP 7.0.0+
2019-03-20 14:38:12 +03:00
bdb7c64910
Update to https protocol for php.net links ( #17168 ) [skip ci]
...
* Updated php.net link for some MemCache properties [skip ci]
* Changed protocol to https for links to php.net in comments
* Changed protocol to https for links to php.net in code
* Changed www.php.net (http) to secure.php.net (https) in comments
* Changed www.php.net (http) to secure.php.net (https) in code
* Changed protocol to https for links to php.net in UPGRADE.md
* Changed protocol to https for links to pecl.php.net in comments
* Changed us.php.net to secure.php.net (https) in comments
* Changed protocol to https for links to php.net in docs
* Changed www.php.net (http) to secure.php.net (https) in docs
* Changed protocol to https for links to pecl.php.net in docs
* Changed ru/jp.php.net to secure.php.net (https) in docs
Don't sure about russian guide: is this links meant to be for guide on russian, or not?
2019-02-28 13:09:27 +03:00
e4eaccc14d
Merge branch 'security'
2019-01-28 22:50:38 +02:00
a140b2b468
Fixes #16991 : Removed usage of utf8_encode() from Request::resolvePathInfo()
2019-01-03 17:36:16 -05:00
1e13bfd13d
Fixed CSRF token check bypassing in Request::getMethod()
2018-11-23 12:55:16 +02:00
15dfbb0875
Fixes #16322 : Fixed strings were not were not compared using timing attack resistant approach while CSRF token validation
2018-05-30 22:48:07 +03:00
6dd2aec011
[minor]: SCA ( #16269 )
...
* Php Inspections (EA Ultimate): minor code tweaks
* Php Inspections (EA Ultimate): code style
* Php Inspections (EA Ultimate): code style
* Php Inspections (EA Ultimate): code style
2018-05-14 12:00:01 +03:00
35ac718110
Fixes #16006 : Handle case when X-Forwarded-Host header have multiple hosts separated with a comma
2018-03-31 16:17:16 +03:00
1a74b3d4f8
[minor] SCA with Php Inspections (EA Ultimate) ( #15871 )
...
* Php Inspections (EA Ultimate): use type casting where applicable
* Php Inspections (EA Ultimate): use constants where applicable
* Php Inspections (EA Ultimate): CS
* Php Inspections (EA Ultimate): address some of one-time used variables
* Php Inspections (EA Ultimate): address some of performance-related findings
* Php Inspections (EA Ultimate): address some of performance-related findings
* Php Inspections (EA Ultimate): revert a constant usage
* Php Inspections (EA Ultimate): revert sequential assignments
* Php Inspections (EA Ultimate): build is green again
* Php Inspections (EA Ultimate): revert array_merge tweaks
* Php Inspections (EA Ultimate): revert BC-incompatible one-time used variable tweak
* Update description [skip ci]
* Php Inspections (EA Ultimate): CS
2018-03-12 01:37:19 +03:00
f10cb6aeee
SCA with Php Inspections (EA Ultimate)
2018-02-27 19:13:22 +01:00
e493843b1c
improve @deprecated annotations
2018-02-16 11:19:00 +01:00
7bafb7bf09
Fixes #14488 : Added support for X-Forwarded-Host to yii\web\Request, fixed getServerPort() usage
2018-02-07 00:01:50 +03:00
acce1db53b
Fixes #14135 : Fixed yii\web\Request::getBodyParam() crashes on object type body params
2018-01-18 00:33:41 +03:00
0b413b0e08
Fixed PHP 5.4 compatibility
2017-12-14 14:12:50 +03:00
4d388f6cd2
Fixes #15317 : Regenerate CSRF token if an empty value is given
2017-12-14 12:14:51 +03:00
2d672b6722
release version 2.0.13
2017-11-03 01:09:29 +03:00
d11bed5340
Minor, added strict comparsion
2017-10-08 23:35:36 +03:00
ea2c475ea7
Moved HTTP_AUTHORIZATION header check to \yii\web\Request, added docs
...
Closes #13564
2017-10-08 23:22:11 +03:00
3ee7629f13
Fixes #13486 : Use DI container to instantiate cookies in order to be able to set defaults
2017-10-05 14:41:46 +02:00
1ce796ef0f
Removed ability to define a hostname as trusted because of possible security issues
...
Closes #14691
2017-09-12 23:28:29 +03:00
1278b018fa
Add IIS specific header to secure headers ( #14715 )
...
See https://github.com/yiisoft/yii2/issues/14400#issuecomment-324233065
for more details.
2017-08-25 13:31:27 +03:00
9e713dba29
break if a matching trusted host is found
...
fix for https://github.com/yiisoft/yii2/pull/13780#discussion_r134186910
thanks to @krukru !
PR #13780
2017-08-21 16:37:01 +02:00
5a8c3d537b
Enable phpdoc_summary rule in php-cs-fixer config ( #14675 )
...
* Enable `phpdoc_summary` rule in php-cs-fixer config.
* Fix case in "PHPDoc".
2017-08-21 11:19:35 +02:00
1501c659ac
Add empty lines before return statements. ( #14682 ) [skip ci]
2017-08-21 01:58:49 +03:00
b99e955627
Fix CS ( #14665 )
...
* Run php-cs-fixer.
* Enable phpdoc_types rule.
2017-08-18 12:10:42 +02:00
0017d9c660
Fixes #13780 : Added support for trusted proxies in yii\web\Request
2017-08-17 13:14:51 +03:00
648971a82b
Fixes #14542 : Ensured only ASCII characters are in CSRF cookie value since binary data causes issues with ModSecurity and some browsers
2017-08-07 13:55:10 +03:00
8a6f5829d4
Fix for invalid example in Request phpdoc [skip ci]
2017-07-23 23:28:54 +03:00
d38908fc13
Fixed #14469 : updated RFC links
2017-07-17 16:21:49 +03:00
46bf3c410a
Add yii\web\Request::getOrigin() method that returns HTTP_ORIGIN of current CORS request
...
>The Origin request header indicates where a fetch originates from. It doesn't include any path information, but only the server name. It is sent with CORS requests, as well as with POST requests. It is similar to the Referer header, but, unlike this header, it doesn't disclose the whole path.
From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
Working code samples
```php
<?php
// We'll be granting access to only the arunranga.com domain
// which we think is safe to access this resource as application/xml
if($_SERVER['HTTP_ORIGIN'] == "http://arunranga.com ") {
header('Access-Control-Allow-Origin: http://arunranga.com ');
header('Content-type: application/xml');
readfile('arunerDotNetResource.xml');
} else {
header('Content-Type: text/html');
echo "<html>";
echo "<head>";
echo " <title>Another Resource</title>";
echo "</head>";
echo "<body>",
"<p>This resource behaves two-fold:";
echo "<ul>",
"<li>If accessed from <code>http://arunranga.com </code> it returns an XML document</li>";
echo "<li>If accessed from any other origin including from simply typing in the URL into the browser's address bar,";
echo "you get this HTML document</li>",
"</ul>",
"</body>",
"</html>";
}
?>
```
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Server-Side_Access_Control for more info.
close #13835
2017-07-12 11:10:21 +02:00
ba0ab403b5
Added php-cs-fixer coding standards validation to Travis CI ( #14100 )
...
* php-cs-fixer: PSR2 rule.
* php-cs-fixer: PSR2 rule - fix views.
* Travis setup refactoring.
* Add php-cs-fixer to travis cs tests.
* Fix tests on hhvm-3.12
* improve travis config
* composer update
* revert composer update
* improve travis config
* Fix CS.
* Extract config to separate classes.
* Extract config to separate classes.
* Add file header.
* Force short array syntax.
* binary_operator_spaces fixer
* Fix broken tests
* cast_spaces fixer
* concat_space fixer
* dir_constant fixer
* ereg_to_preg fixer
* function_typehint_space fixer
* hash_to_slash_comment fixer
* is_null fixer
* linebreak_after_opening_tag fixer
* lowercase_cast fixer
* magic_constant_casing fixer
* modernize_types_casting fixer
* native_function_casing fixer
* new_with_braces fixer
* no_alias_functions fixer
* no_blank_lines_after_class_opening fixer
* no_blank_lines_after_phpdoc fixer
* no_empty_comment fixer
* no_empty_phpdoc fixer
* no_empty_statement fixer
* no_extra_consecutive_blank_lines fixer
* no_leading_import_slash fixer
* no_leading_namespace_whitespace fixer
* no_mixed_echo_print fixer
* no_multiline_whitespace_around_double_arrow fixer
* no_multiline_whitespace_before_semicolons fixer
* no_php4_constructor fixer
* no_short_bool_cast fixer
* no_singleline_whitespace_before_semicolons fixer
* no_spaces_around_offset fixer
* no_trailing_comma_in_list_call fixer
* no_trailing_comma_in_singleline_array fixer
* no_unneeded_control_parentheses fixer
* no_unused_imports fixer
* no_useless_return fixer
* no_whitespace_before_comma_in_array fixer
* no_whitespace_in_blank_line fixer
* not_operator_with_successor_space fixer
* object_operator_without_whitespace fixer
* ordered_imports fixer
* php_unit_construct fixer
* php_unit_dedicate_assert fixer
* php_unit_fqcn_annotation fixer
* phpdoc_indent fixer
* phpdoc_no_access fixer
* phpdoc_no_empty_return fixer
* phpdoc_no_package fixer
* phpdoc_no_useless_inheritdoc fixer
* Fix broken tests
* phpdoc_return_self_reference fixer
* phpdoc_single_line_var_spacing fixer
* phpdoc_single_line_var_spacing fixer
* phpdoc_to_comment fixer
* phpdoc_trim fixer
* phpdoc_var_without_name fixer
* psr4 fixer
* self_accessor fixer
* short_scalar_cast fixer
* single_blank_line_before_namespace fixer
* single_quote fixer
* standardize_not_equals fixer
* ternary_operator_spaces fixer
* trailing_comma_in_multiline_array fixer
* trim_array_spaces fixer
* protected_to_private fixer
* unary_operator_spaces fixer
* whitespace_after_comma_in_array fixer
* `parent::setRules()` -> `$this->setRules()`
* blank_line_after_opening_tag fixer
* Update finder config.
* Revert changes for YiiRequirementChecker.
* Fix array formatting.
* Add missing import.
* Fix CS for new code merged from master.
* Fix some indentation issues.
2017-06-12 12:25:45 +03:00
be658f82bf
release version 2.0.12
2017-06-05 16:33:41 +02:00
b04ff959ce
Fixed misleading docs about encoded URIs [skip ci]
2017-04-07 15:59:59 +03:00
43edf24123
Eliminated else branches in yii\web\Request
2017-04-02 02:15:39 +03:00
8ae207c3a1
Fixes #13837 : Refactored masking of CSRF tokens
2017-04-02 02:10:16 +03:00
c19b2f7dc8
release version 2.0.11
2017-02-01 17:46:29 +01:00
7da77c3d5a
created HostControl filter to prevent Host header attacks
...
fixes #13050
close #13063
2016-12-01 00:59:26 +01:00
a498dedb5c
Added documentation about Host header attack ( #13073 )
...
* Added documentation about Host header attack
Added info about Host header attack (#13050 ) to the guide and the Request class.
When we introduce a filter or property to protect against this, these
sections should be updated to link to that option.
2016-11-26 21:57:52 +01:00
4aa935e69e
Fixes #12055 : Changed boolean to bool and integer to int in phpdoc
2016-11-07 02:51:39 +03:00
32f4dc8997
Fixes #5385 : links created from classes to corresponding guide articles ( #12920 )
2016-11-04 18:55:14 +03:00
11fe407ad0
release version 2.0.10
2016-10-20 14:02:50 +02:00
63f95fa3ad
Fixes #11309 : Added yii\web\Request::getHostName() method that returns hostname of current request
2016-10-07 01:00:14 +03:00
