CVE-2021-3007: History for src/Response/Stream.php - laminas/laminas-http
** DISPUTED ** Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a “vulnerability in the PHP language itself” but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized.
Commits on Jan 5, 2021
fix: do not unlink file if it is not a file
Per https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3007 there is a possibility IF A USER HAS USED UNSERIALIZE() ON UNTRUSTED DATA of the stream response destructor potentially invoking a class `__toString()` implementation, and thus triggering a vulnerability.
This patch ensures that, given that scenario, the stream response destructor does not use an object as a string for the purpose of unlinking a potential stream filename.
Signed-off-by: Matthew Weier O’Phinney [email protected]
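The pattern the commit message describes, as an added illustrative example that is not laminas-http's own code: a destructor that cleans up a temporary stream file guards the filesystem call with a type check, so that an object carrying a `__toString()` implementation (reachable only if `unserialize()` was run on untrusted data) is never coerced to a string during destruction. The class and property names (`TempFileResponse`, `$streamName`, `$cleanup`) and the helper `unserializeScalarOnly()` are assumptions for this example; PHP 7.4 or newer is assumed for the typed property.

```php
<?php
// Illustrative example, not the laminas-http project's code. Class, property
// and helper names are assumed.

final class TempFileResponse
{
    /** @var mixed path of the temporary stream file; declared mixed because it
     *  may have been populated by unserialize() rather than the constructor */
    private $streamName;
    private bool $cleanup;

    public function __construct(string $streamName, bool $cleanup = true)
    {
        $this->streamName = $streamName;
        $this->cleanup    = $cleanup;
    }

    // Hardened destructor: only a plain string naming a regular file is
    // ever passed to unlink(). The is_string() check must come first and
    // short-circuit, because is_file() on an object would itself trigger
    // that object's __toString().
    public function __destruct()
    {
        if (! $this->cleanup) {
            return;
        }
        if (! is_string($this->streamName) || ! is_file($this->streamName)) {
            return;
        }
        unlink($this->streamName);
    }
}

// Complementary control for code that must unserialize data it does not
// fully trust: refuse to instantiate any class at all, so no __destruct()
// or __toString() implementation can be reached through the payload.
function unserializeScalarOnly(string $payload)
{
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed demonstration payload: an object serialized with a class name
// is restored as __PHP_Incomplete_Class instead of being instantiated, so
// its destructor never runs.
$payload  = serialize(new TempFileResponse('/tmp/does-not-exist', false));
$restored = unserializeScalarOnly($payload);
var_dump($restored instanceof __PHP_Incomplete_Class);
```

The type check in the destructor is the defence-in-depth measure the commit adds; the `allowed_classes` option on `unserialize()` addresses the root condition the CVE text names, which is deserializing attacker-controllable content in the first place.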