Framework

Repository Author Commit message Committed SHA  
 
http by dg uses #Deprecated wip
http by dg removed samesite check using cookie (BC break)
http by dg IRequest, IResponse: added typehints, unification (BC break)
http by dg SessionSection: removed $warnOnUndefined (BC break)
http by dg Response: passing 0 as the expiration to setCookie() is deprecated

0 historically meant a session cookie; null now expresses that explicitly.
0 is still accepted for BC but emits a deprecation notice.

http by dg silently deprecated methods trigger E_USER_DEPRECATED
http by dg removed deprecated stuff
http by dg opened 4.0-dev
http by dg HttpExtension: default to trusting X-Forwarded-For only (BC break!)

Changes the configured default of `proxyHeaders` from "both" to "xForwarded",
so an application behind a proxy no longer trusts a client-supplied "Forwarded"
header by default (the common proxy sets X-Forwarded-For). The RequestFactory
PHP default is intentionally left at "both" for BC; this hardens only the
framework configuration.

BC: deployments whose proxy uses the "Forwarded" header must now set
`proxyHeaders: forwarded` (or `both`).

http by dg RequestFactory: configurable trust of forwarding headers

Adds a choice of which forwarding headers to trust from a trusted proxy:
setProxy() gains $forwarded and $xForwarded flags, and the DI extension
exposes it as `proxyHeaders: both|xForwarded|forwarded|none`, mapped to the
two flags. Lets a deployment ignore a header its proxy does not manage (e.g.
a client-supplied "Forwarded" while the proxy only sets "X-Forwarded-For").

Default stays "both" (Forwarded preferred) — no behaviour change.

http by dg RequestFactory: reworks trusted-proxy forwarding resolution

Resolves the real client address, scheme and host from forwarding headers
correctly and consistently for both "Forwarded" and "X-Forwarded-*":

- Parses "Forwarded" into RFC 7239 hops instead of flattening "," and ";"
together, so proto/host are taken from the same hop as the selected client
address (removes the crude single-value guard that discarded them on any
multi-hop header).
- Picks the client address by stripping trailing trusted proxies and taking
the rightmost remaining hop, instead of blindly trusting the leftmost,
client-spoofable "for" value.
- Validates the resolved address as an IP; an unknown/obfuscated identifier
or a broken chain now yields null instead of a non-IP string. The stripping
and validation is shared by both paths via findClientHop().

Note: as before, this trusts whatever forwarding header the request carries.
The trusted proxy must set the header it uses and strip any client-supplied
forwarding header it does not, otherwise a passed-through header (e.g. a
client "Forwarded" while the proxy only manages "X-Forwarded-For") is trusted.

BC: getRemoteAddress() now returns null (not a non-IP string) when the
innermost forwarded value is not a valid IP address.

http by dg added AGENTS.md & DOCS
safe-stream by dg added AGENTS.md & DOCS
schema by dg DOCS
schema by dg used #Deprecated
schema by dg removed support for key PreventMerging (BC break)
schema by dg Type::merge() merges arrays only according to the schema (BC break)
schema by dg Type: added mergeMode() [WIP]

TODO: Type should not support the array at all

schema by dg Expect::from() works with class names
schema by dg Type: mergeDefaults() are disabled by default (BC break) [Closes #28, Closes #31]
schema by dg Expect::from() removed support for phpDoc annotations (BC break)
schema by dg Schema: added return type hints (BC break)
schema by dg opened 2.0-dev
schema by dg added AGENTS.md & DOCS
security by dg deprecated wip
security by dg CookieIdentity WIP
security by dg IdentityHandler: make getGuestIdentity() a regular interface method (BC break)

Promotes the optional @method to a required method, so User no longer needs method_exists() to call it. BC break: existing IdentityHandler implementations must now declare getGuestIdentity().

security by dg User: deprecated magic properties (BC break)
security by dg SimpleIdentity: reading an undeclared property throws (BC break)

Until now __get() returned null for an unknown key and, because it returns
by reference, silently created that key in the data (and thus in the storage).
It now throws MemberAccessException, like any other Nette object.

This also ends the by-ref write pattern $identity->cart[] = $item on a key
that has not been set yet.

security by dg SimpleIdentity: uses __serialize & __unserialize
security by dg Identity -> SimpleIdentity

Identity class must exist as an alias in order to read it from session

security by dg IIdentity: added return typehint (BC break)

Last synchronization: 2026-07-16 02:02:42