Conversation
- SDF-56: Escape output in 404/405 error handlers, set Content-Type - SDF-58: Wire Cache::normalizeKey() into all facade methods + empty-key guard - SDF-60: Use EXTR_SKIP in Fuse/Loader extract() to prevent LFI via variable overwrite - SDF-61: Invert X-Forwarded-For trust default (deny when no trusted proxy) - Bump version 2.3.0 -> 2.3.1
|
Hey you lil-interested fella. I wanted to write an informal comment for you; If you haven't noticed yet, sdf is getting better and better day by day and I have great plans for v3. Before I can start working on that, I need to fix some issues; most of them I found myself, some coming from users of the framework and some coming from oss llm reviews; fyi I am mostly writing the code myself and doing the code review by hand. Recently I tried using copilot (hosted by GitHub) to automate this process but believe me, it sucked. So, from now on I will be using my intelligence and some experimental llms engineered and created by me (not trained, developed from scratch! - it's called Saddle!) Thank you for your interest in my little project; I have been working on this framework starting from when I was in middle school! It's just too enjoyable!!! |
|
All checks have passed, lgtm! After code review, we can merge. |
|
Review complete, lgtm! Let's merge! |
Summary
Resolves 4 of 6 critical security findings from the deep security audit (SDF-56 to SDF-100). Non-breaking patch release bumping 2.3.0 → 2.3.1.
Fixes
app/handlers/errors.php$requestPath/$requestMethodwithhtmlspecialchars(ENT_QUOTES|ENT_SUBSTITUTE|ENT_HTML5, 'UTF-8'); set explicitContent-Type: text/html; charset=UTF-8and HTTP status before outputsdf/core/Cache/Cache.phpCache::normalizeKey()was defined but never invoked. Wired it into all 9 facade methods (get,set,delete,has,forget,getMultiple,setMultiple,deleteMultiple). Added PSR-16 empty-key guard throwingInvalidArgumentExceptionsdf/core/Fuse.php,sdf/core/Loader.phpextract()usedEXTR_OVERWRITEdefault - view data keys likecacheFile/viewNamecould hijack therequirepath (LFI/RCE). Changed toEXTR_SKIPin both. RenamedLoader::view()param$name→$viewsoEXTR_SKIPdoesn't block the common['name' => ...]view variable (positional, no caller breakage)sdf/core/Request.phpX-Forwarded-Forwas trusted by default whenSDF_TRUSTED_PROXIESunset - any client could spoof IP and bypass rate limiting. Inverted to default-deny: returnsREMOTE_ADDRonly unless trusted proxy configured. RemovedHTTP_CLIENT_IPfallback entirelyVersion bump
2.3.0→2.3.1insdf/__init.php(SDF_VERSION constant) andindex.phpdocblock.Verification
Wiki updates
Updated 6 wiki pages to reflect v2.3.1 changes:
app/handlers.md- new Error Handlers section with escaping patternlibraries/caching.md- Key normalization subsection,allowed_classescaveatlibraries/fuse.md- Safe variable extraction (EXTR_SKIP), htmlspecialchars noteslibraries/middleware.md- Default-deny X-Forwarded-For with behavior table + upgrade notelibraries/request.md-ip()signature updatedsdf/core.md- Loader::view() param rename note