All notable changes to this project will be documented in this file, in reverse chronological order by release.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- #160 fixes HTTP
protocol detection in the
ServerRequestFactoryto work correctly with HTTP/2.
- #119 adds the 451
(Unavailable for Legal Reasons) status code to the
Responseclass.
- Nothing.
- Nothing.
- #117 provides validation of the HTTP protocol version.
- #127 now properly
removes attributes with
nullvalues when callingwithoutAttribute(). - #132 updates the
ServerRequestFactoryto marshal the request path fragment, if present. - #142 updates the
exceptions thrown by
HeaderSecurityto include the header name and/or value. - #148 fixes several stream operations to ensure they raise exceptions when the internal pointer is at an invalid position.
- #151 ensures URI fragments are properly encoded.
- Nothing.
- Nothing.
- Nothing.
- #135 fixes the
behavior of
ServerRequestFactory::marshalHeaders()to no longer omitCookieheaders from the aggregated headers. While the values are parsed and injected into the cookie params, it's useful to have access to the raw headers as well.
- #124 adds four
more optional arguments to the
ServerRequestconstructor:array $cookiesarray $queryParamsnull|array|object $parsedBodystring $protocolVersionServerRequestFactorywas updated to pass values for each of these parameters when creating an instance, instead of using the relatedwith*()methods on an instance.
- Nothing.
- Nothing.
- #122 updates the
ServerRequestFactoryto retrieve the HTTP protocol version and inject it in the generatedServerRequest, which previously was not performed.
- Nothing.
- Nothing.
- Nothing.
- #113 fixes an issue in the response serializer, ensuring that the status code in the deserialized response is an integer.
- #115 fixes an
issue in the various text-basd response types (
TextResponse,HtmlResponse, andJsonResponse); due to the fact that the constructor was not rewinding the message body stream,getContents()was thus returningnull, as the pointer was at the end of the stream. The constructor now rewinds the stream after populating it in the constructor.
- #110 adds
Zend\Diactoros\Response\SapiEmitterTrait, which provides the following private method definitions:injectContentLength()emitStatusLine()emitHeaders()flush()filterHeader()TheSapiEmitterimplementation has been updated to remove those methods and instead compose the trait.
- #111 adds
a new emitter implementation,
SapiStreamEmitter; this emitter type will loop through the stream instead of emitting it in one go, and supports content ranges.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- Nothing.
- #101 fixes the
withHeader()implementation to ensure that if the header existed previously but using a different casing strategy, the previous version will be removed in the cloned instance. - #103 fixes the
constructor of
Responseto ensure that null status codes are not possible. - #99 fixes
validation of header values submitted via request and response constructors as
follows:
- numeric (integer and float) values are now properly allowed (this solves some reported issues with setting Content-Length headers)
- invalid header names (non-string values or empty strings) now raise an exception.
- invalid individual header values (non-string, non-numeric) now raise an exception.
- #88 updates the
SapiEmitterto emit aContent-Lengthheader with the content length as reported by the response body stream, assuming thatStreamInterface::getSize()returns an integer. - #77 adds a new
response type,
Zend\Diactoros\Response\TextResponse, for returning plain text responses. By default, it sets the content type totext/plain; charset=utf-8; per the other response types, the signature isnew TextResponse($text, $status = 200, array $headers = []). - #90 adds a new
Zend\Diactoros\CallbackStream, allowing you to back a stream with a PHP callable (such as a generator) to generate the message content. Its constructor accepts the callable:$stream = new CallbackStream($callable);
- Nothing.
- Nothing.
- #77 updates the
HtmlResponseto set the charset to utf-8 by default (if no content type header is provided at instantiation).
- #98 adds
JSON_UNESCAPED_SLASHESto the defaultjson_encodeflags used byZend\Diactoros\Response\JsonResponse.
- Nothing.
- Nothing.
- #96 updates
withPort()to allownullport values (indicating usage of default for the given scheme). - #91 fixes the
logic of
withUri()to do a case-insensitive check for an existingHostheader, replacing it with the new one.
- #73 adds caching of the vendor directory to the Travis-CI configuration, to speed up builds.
- Nothing.
- Nothing.
- #71 fixes the
docblock of the
JsonResponseconstructor to typehint the$dataargument asmixed. - #73 changes the
behavior in
Requestsuch that if it marshals a stream during instantiation, the stream is marked as writeable (specifically, modewb+). - #85 updates the
behavior of
Zend\Diactoros\Uri's variouswith*()methods that are documented as accepting strings to raise exceptions on non-string input. Previously, several simply passed non-string input on verbatim, others normalized the input, and a few correctly raised the exceptions. Behavior is now consistent across each. - #87 fixes
UploadedFileto ensure thatmoveTo()works correctly in non-SAPI environments when the file provided to the constructor is a path.
- Nothing.
- Nothing.
- Nothing.
- #67 ensures that
the
Streamclass only acceptsstreamresources, not any resource.
- Nothing.
- Nothing.
- Nothing.
- #64 fixes the
behavior of
JsonResponsewith regards to serialization ofnulland scalar values; the new behavior is to serialize them verbatim, without any casting.
-
#52, #58, #59, and #61 create several custom response types for simplifying response creation:
Zend\Diactoros\Response\HtmlResponseaccepts HTML content via its constructor, and sets theContent-Typetotext/html.Zend\Diactoros\Response\JsonResponseaccepts data to serialize to JSON via its constructor, and sets theContent-Typetoapplication/json.Zend\Diactoros\Response\EmptyResponseallows creating empty, read-only responses, with a default status code of 204.Zend\Diactoros\Response\RedirectResponseallows specifying a URI for theLocationheader in the constructor, with a default status code of 302.
Each also accepts an optional status code, and optional headers (which can also be used to provide an alternate
Content-Typein the case of the HTML and JSON responses).
- Nothing.
- #43 removed both
ServerRequestFactory::marshalUri()andServerRequestFactory::marshalHostAndPort(), which were deprecated prior to the 1.0 release.
- #29 fixes request method validation to allow any valid token as defined by RFC 7230. This allows usage of custom request methods, vs a static, hard-coded list.
- Nothing.
- Nothing.
- Nothing.
- #60 fixes
the behavior of
UploadedFilewhen the$errorStatusprovided at instantiation is notUPLOAD_ERR_OK. Prior to the fix, anInvalidArgumentExceptionwould occur at instantiation due to the fact that the upload file was missing or invalid. With the fix, no exception is raised until a call tomoveTo()orgetStream()is made.
This is a security release.
A patch has been applied to Zend\Diactoros\Uri::filterPath() that ensures that
paths can only begin with a single leading slash. This prevents the following
potential security issues:
- XSS vectors. If the URI path is used for links or form targets, this prevents
cases where the first segment of the path resembles a domain name, thus
creating scheme-relative links such as
//example.com/foo. With the patch, the leading double slash is reduced to a single slash, preventing the XSS vector. - Open redirects. If the URI path is used for
LocationorLinkheaders, without a scheme and authority, potential for open redirects exist if clients do not prepend the scheme and authority. Again, preventing a double slash corrects the vector.
If you are using Zend\Diactoros\Uri for creating links, form targets, or
redirect paths, and only using the path segment, we recommend upgrading
immediately.
- #25 adds documentation. Documentation is written in markdown, and can be converted to HTML using bookdown. New features now MUST include documentation for acceptance.
- Nothing.
- Nothing.
- #51 fixes
MessageTrait::getHeaderLine()to return an empty string instead ofnullif the header is undefined (which is the behavior specified in PSR-7). - #57 fixes the
behavior of how the
ServerRequestFactorymarshals upload files when they are represented as a nested associative array. - #49 provides several
fixes that ensure that Diactoros complies with the PSR-7 specification:
MessageInterface::getHeaderLine()MUST return a string (that string CAN be empty). Previously, Diactoros would returnnull.- If no
Hostheader is set, the$preserveHostflag MUST be ignored when callingwithUri()(previously, Diactoros would not set theHostheader if$preserveHostwastrue, but noHostheader was present). - The request method MUST be a string; it CAN be empty. Previously, Diactoros
would return
null. - The request MUST return a
UriInterfaceinstance fromgetUri(); that instance CAN be empty. Previously, Diactoros would returnnull; now it lazy-instantiates an emptyUriinstance on initialization.
- ZF2015-05 was
addressed by altering
Uri::filterPath()to prevent emitting a path prepended with multiple slashes.
- #48 drops the minimum supported PHP version to 5.4, to allow an easier upgrade path for Symfony 2.7 users, and potential Drupal 8 usage.
- Nothing.
- Nothing.
- Nothing.
- #27 adds phonetic pronunciation of "Diactoros" to the README file.
- #36 adds property
annotations to the class-level docblock of
Zend\Diactoros\RequestTraitto ensure properties inherited from theMessageTraitare inherited by implementations.
- Nothing.
- Nothing.
- #41 fixes the
namespace for test files to begin with
ZendTestinstead ofZend. - #46 ensures that
the cookie and query params for the
ServerRequestimplementation are initialized as arrays. - #47 modifies the
internal logic in
HeaderSecurity::isValid()to use a regular expression instead of character-by-character comparisons, improving performance.
- #10 adds
Zend\Diactoros\RelativeStream, which will return stream contents relative to a given offset (i.e., a subset of the stream).AbstractSerializerwas updated to create aRelativeStreamwhen creating the body of a message, which will prevent duplication of the stream in-memory. - #21 adds a
.gitattributesfile that excludes directories and files not needed for production; this will further minify the package for production use cases.
- Nothing.
- Nothing.
- #9 ensures that attributes are initialized to an empty array, ensuring that attempts to retrieve single attributes when none are defined will not produce errors.
- #14 updates
Zend\Diactoros\Requestto use aphp://tempstream by default instead ofphp://memory, to ensure requests do not create an out-of-memory condition. - #15 updates
Zend\Diactoros\Streamto ensure that write operations trigger an exception if the stream is not writeable. Additionally, it adds more robust logic for determining if a stream is writeable.
First stable release, and first release as zend-diactoros.
- Nothing.
- Nothing.
- Nothing.
- Nothing.