If the path from a
Zend\Diactoros\Uri instance is used to generate links, form
targets, or headers, and omits the scheme and authority, a potential XSS and/or
open redirect vector is possible if the path starts with double slashes and a
path segment that validates as a hostname; in such a situation, it may be
interpreted as a scheme-relative link.
The vulnerability exists in all stable versions of zend-diactoros prior to 1.0.4.
Zend\Diactoros\Uri::filterPath() was updated to ensure that the returned path
will never begin with double slashes. Tests were also added to prevent a
regression in the future.
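An added example, not code from the advisory or from zend-diactoros, showing the two sides of the issue described above: how a client resolves a bare path that begins with double slashes (it becomes scheme-relative and leaves the origin), and a path normalization equivalent to the fix described for filterPath(), which collapses leading slashes to one. The base URL and host names are constructed placeholders.

```javascript
// Added example (not part of the advisory or of zend-diactoros).
// Demonstrates why a path beginning with "//" must never be emitted without
// scheme and authority, and the normalization that the 1.0.4 fix applies.

// Resolve a reference the way a browser resolves an href/action/Location value.
function resolveLink(base, href) {
  return new URL(href, base).href;
}

// Detection helper: a bare path a client would read as scheme-relative.
function isSchemeRelativePath(path) {
  return path.startsWith('//');
}

// Normalization: an absolute path keeps exactly one leading slash, so the
// result can never start with "//"; relative and empty paths are unchanged.
function filterPath(path) {
  if (path === '') return path;
  if (path[0] === '/') {
    return '/' + path.replace(/^\/+/, '');
  }
  return path;
}

const base = 'https://app.example/';        // constructed origin emitting the link
const tainted = '//other.example/reset';    // constructed: "//" + hostname-like segment

// Unfiltered: the client treats the path as scheme-relative and leaves the site.
const unsafeTarget = resolveLink(base, tainted);
// Filtered: the same value stays on the emitting origin.
const safeTarget = resolveLink(base, filterPath(tainted));

console.log(isSchemeRelativePath(tainted)); // true
console.log(unsafeTarget);                  // https://other.example/reset
console.log(safeTarget);                    // https://app.example/other.example/reset
```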
The patch fixing the issues has been applied in the following versions:
This vulnerability has also been disclosed as CVE-2015-3257.
If you are using
Zend\Diactoros\Uri to generate links, form targets, or
headers without including the scheme and authority, we recommend:
Uri instance to a string).
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users: