2.2.5 (2013-10-31)

Zend Framework 2.2.5 (2013-10-31)

Total issues resolved: 73

An issue with Zend\Http\PhpEnvironment\RemoteAddress was reported in #5374. Essentially, the class was not checking if $_SERVER['REMOTE_ADDR'] was one of the trusted proxies configured, and as a result, getIpAddressFromProxy() could return an untrusted IP address.

The class was updated to check if $_SERVER['REMOTE_ADDR'] is in the list of trusted proxies, and, if so, will return that value immediately before consulting the values in the X-Forwarded-For header.

If you use the RemoteAddr Zend\Session validator, and are configuring trusted proxies, we recommend updating to 2.2.5 or later immediately.

  • #5343 removed the DateTimeFormatter filter from DateTime form elements. This was done due to the fact that it led to unexpected behavior when non-date inputs were provided. However, since the DateTime element already incorporates a DateValidator that accepts a date format, validation can still work as expected.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.