The Drupal Security Team notified us of a potential issue with the Diactoros URI implementation. Diactoros is a PSR-7 implementation of HTTP messages.
If the path from a Zend\Diactoros\Uri instance is used to generate links, form
targets, or headers, and omits the scheme and authority, a potential XSS and/or
open redirect vector is possible if the path starts with double slashes and a
path segment that validates as a hostname; in such a situation, it may be
interpreted as a scheme-relative link.
The vulnerability exists in all stable versions of zend-diactoros prior to 1.0.4.
Zend\Diactoros\Uri::filterPath() was updated to ensure that the returned path
will never begin with double slashes. Tests were also added to prevent a
regression in the future.
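To make the path issue and the fix concrete, here is an added Python model (not zend-diactoros code, which is PHP): it flags a path emitted without scheme or authority that a browser would read as scheme-relative, shows which host the browser would then contact, collapses leading slashes the way the fix described above requires, and builds the full-URI form that the recommendation below relies on. The base page, the hostnames and the paths are constructed placeholders.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed values for this demo; none of them come from the advisory.
BASE_PAGE = "https://app.example/account"
ATTACKER_PATH = "//attacker.example/login"  # first segment validates as a hostname
BENIGN_PATH = "/account/settings"

LEADING_SLASHES = re.compile(r"^/{2,}")


def is_scheme_relative(target: str) -> bool:
    """Detection: a link target that carries no scheme or authority but starts
    with two or more slashes is read as //host/..., so its first path segment
    becomes the authority (the XSS / open-redirect vector in the advisory)."""
    return LEADING_SLASHES.match(target) is not None


def browser_host(target: str, base: str = BASE_PAGE) -> str:
    """Host a browser would contact for `target` found on the page `base`.
    urljoin resolves the two-slash case the advisory describes."""
    return urlsplit(urljoin(base, target)).netloc


def filter_path(path: str) -> str:
    """Mitigation mirroring the described fix: any run of leading slashes is
    collapsed to one, so the returned path can never begin with '//'."""
    if path.startswith("/"):
        return "/" + path.lstrip("/")
    return path


def full_uri(path: str, scheme: str = "https", authority: str = "app.example") -> str:
    """Second mitigation: emit the complete URI (scheme and authority included),
    so the path can no longer be reinterpreted as a scheme-relative reference."""
    return f"{scheme}://{authority}{filter_path(path)}"


if __name__ == "__main__":
    print(is_scheme_relative(ATTACKER_PATH), browser_host(ATTACKER_PATH))
    safe = filter_path(ATTACKER_PATH)
    print(is_scheme_relative(safe), browser_host(safe), full_uri(ATTACKER_PATH))
```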
The patch fixing the issues has been applied in the following versions:
This vulnerability has also been disclosed as CVE-2015-3257.
If you are using Zend\Diactoros\Uri to generate links, form targets, or
headers without including the scheme and authority, we recommend:
Uri instance to a string).
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Released 2015-06-25
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com