| http | by dg | uses #Deprecated wip | | | |
| http | by dg | removed samesite check using cookie (BC break) | | | |
| http | by dg | IRequest, IResponse: added typehints, unification (BC break) | | | |
| http | by dg | SessionSection: removed $warnOnUndefined (BC break) | | | |
| http | by dg | Response: passing 0 as the expiration to setCookie() is deprecated 0 historically meant a session cookie; null now expresses that explicitly. 0 is still accepted for BC but emits a deprecation notice. | | | |
| http | by dg | silently deprecated methods trigger E_USER_DEPRECATED | | | |
| http | by dg | removed deprecated stuff | | | |
| http | by dg | opened 4.0-dev | | | |
| http | by dg | HttpExtension: default to trusting X-Forwarded-For only (BC break!) Changes the configured default of `proxyHeaders` from "both" to "xForwarded", so an application behind a proxy no longer trusts a client-supplied "Forwarded" header by default (the common proxy sets X-Forwarded-For). The RequestFactory PHP default is intentionally left at "both" for BC; this hardens only the framework configuration. BC: deployments whose proxy uses the "Forwarded" header must now set `proxyHeaders: forwarded` (or `both`). | | | |
| http | by dg | RequestFactory: configurable trust of forwarding headers Adds a choice of which forwarding headers to trust from a trusted proxy: setProxy() gains $forwarded and $xForwarded flags, and the DI extension exposes it as `proxyHeaders: both|xForwarded|forwarded|none`, mapped to the two flags. Lets a deployment ignore a header its proxy does not manage (e.g. a client-supplied "Forwarded" while the proxy only sets "X-Forwarded-For"). Default stays "both" (Forwarded preferred) — no behaviour change. | | | |
| http | by dg | RequestFactory: reworks trusted-proxy forwarding resolution Resolves the real client address, scheme and host from forwarding headers correctly and consistently for both "Forwarded" and "X-Forwarded-*": - Parses "Forwarded" into RFC 7239 hops instead of flattening "," and ";" together, so proto/host are taken from the same hop as the selected client address (removes the crude single-value guard that discarded them on any multi-hop header). - Picks the client address by stripping trailing trusted proxies and taking the rightmost remaining hop, instead of blindly trusting the leftmost, client-spoofable "for" value. - Validates the resolved address as an IP; an unknown/obfuscated identifier or a broken chain now yields null instead of a non-IP string. The stripping and validation is shared by both paths via findClientHop(). Note: as before, this trusts whatever forwarding header the request carries. The trusted proxy must set the header it uses and strip any client-supplied forwarding header it does not, otherwise a passed-through header (e.g. a client "Forwarded" while the proxy only manages "X-Forwarded-For") is trusted. BC: getRemoteAddress() now returns null (not a non-IP string) when the innermost forwarded value is not a valid IP address. | | | |
| http | by dg | added AGENTS.md & DOCS | | | |
| safe-stream | by dg | added AGENTS.md & DOCS | | | |
| schema | by dg | DOCS | | | |
| schema | by dg | used #Deprecated | | | |
| schema | by dg | removed support for key PreventMerging (BC break) | | | |
| schema | by dg | Type::merge() merges arrays only according to the schema (BC break) | | | |
| schema | by dg | Type: added mergeMode() [WIP] TODO: Type should not support the array at all | | | |
| schema | by dg | Expect::from() works with class names | | | |
| schema | by dg | Type: mergeDefaults() are disabled by default (BC break) [Closes #28, Closes #31] | | | |
| schema | by dg | Expect::from() removed support for phpDoc annotations (BC break) | | | |
| schema | by dg | Schema: added return type hints (BC break) | | | |
| schema | by dg | opened 2.0-dev | | | |
| schema | by dg | added AGENTS.md & DOCS | | | |
| security | by dg | deprecated wip | | | |
| security | by dg | CookieIdentity WIP | | | |
| security | by dg | IdentityHandler: make getGuestIdentity() a regular interface method (BC break) Promotes the optional @method to a required method, so User no longer needs method_exists() to call it. BC break: existing IdentityHandler implementations must now declare getGuestIdentity(). | | | |
| security | by dg | User: deprecated magic properties (BC break) | | | |
| security | by dg | SimpleIdentity: reading an undeclared property throws (BC break) Until now __get() returned null for an unknown key and, because it returns by reference, silently created that key in the data (and thus in the storage). It now throws MemberAccessException, like any other Nette object. This also ends the by-ref write pattern $identity->cart[] = $item on a key that has not been set yet. | | | |
| security | by dg | SimpleIdentity: uses __serialize & __unserialize | | | |
| security | by dg | Identity -> SimpleIdentity Identity class must exist as an alias in order to read it from session | | | |
| security | by dg | IIdentity: added return typehint (BC break) | | | |