
Bug#1011942: [pkg-php-pear] Bug#1011942: bullseye-pu: package php-guzzlehttp-psr7/1.7.0-1+deb11u1



Hi,

Le 27/05/2022 à 14:19, David Prévot a écrit :
[…]
   [x] attach debdiff against the package in (old)stable

Debdiff follows:
diff --git a/debian/changelog b/debian/changelog
index f3eb5e4..8635876 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+php-guzzlehttp-psr7 (1.7.0-1+deb11u1) bullseye; urgency=medium
+
+  * Track Bullseye
+  * Backport fixes for improper header parsing [CVE-2022-24775]
+    (Closes: #1008236)
+
+ -- David Prévot <taffit@debian.org>  Fri, 27 May 2022 13:29:47 +0200
+
 php-guzzlehttp-psr7 (1.7.0-1) unstable; urgency=medium
 
   * Revert "Bundle php-getallheaders being processed in NEW"
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 915477f..aed5a6c 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,7 +1,7 @@
 [DEFAULT]
 pristine-tar = True
 pristine-tar-commit = True
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 
 ## Once --filter support gets added to gbp import-ref, we should be able
 ## to simplify the workflow and ignore the upstream branch.
diff --git a/debian/patches/0002-Release-1.8.4-486.patch b/debian/patches/0002-Release-1.8.4-486.patch
new file mode 100644
index 0000000..1d08392
--- /dev/null
+++ b/debian/patches/0002-Release-1.8.4-486.patch
@@ -0,0 +1,188 @@
+From: Graham Campbell <GrahamCampbell@users.noreply.github.com>
+Date: Sun, 20 Mar 2022 13:44:44 +0000
+Subject: Release 1.8.4 (#486)
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Tim Düsterhus <tim@bastelstu.be>
+
+Origin: backport, https://github.com/guzzle/psr7/commit/902db15a551a4a415e732b622282e21ce1b508b4
+---
+ src/MessageTrait.php  | 66 +++++++++++++++++++++++++++++++++++++++++++++++----
+ tests/RequestTest.php | 50 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 111 insertions(+), 5 deletions(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 99203bb..459b104 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -157,17 +157,22 @@ trait MessageTrait
+         }
+     }
+ 
++    /**
++     * @param mixed $value
++     *
++     * @return string[]
++     */
+     private function normalizeHeaderValue($value)
+     {
+         if (!is_array($value)) {
+-            return $this->trimHeaderValues([$value]);
++            return $this->trimAndValidateHeaderValues([$value]);
+         }
+ 
+         if (count($value) === 0) {
+             throw new \InvalidArgumentException('Header value can not be an empty array.');
+         }
+ 
+-        return $this->trimHeaderValues($value);
++        return $this->trimAndValidateHeaderValues($value);
+     }
+ 
+     /**
+@@ -178,13 +183,13 @@ trait MessageTrait
+      * header-field = field-name ":" OWS field-value OWS
+      * OWS          = *( SP / HTAB )
+      *
+-     * @param string[] $values Header values
++     * @param mixed[] $values Header values
+      *
+      * @return string[] Trimmed header values
+      *
+      * @see https://tools.ietf.org/html/rfc7230#section-3.2.4
+      */
+-    private function trimHeaderValues(array $values)
++    private function trimAndValidateHeaderValues(array $values)
+     {
+         return array_map(function ($value) {
+             if (!is_scalar($value) && null !== $value) {
+@@ -194,10 +199,20 @@ trait MessageTrait
+                 ));
+             }
+ 
+-            return trim((string) $value, " \t");
++            $trimmed = trim((string) $value, " \t");
++            $this->assertValue($trimmed);
++
++            return $trimmed;
+         }, array_values($values));
+     }
+ 
++    /**
++     * @see https://tools.ietf.org/html/rfc7230#section-3.2
++     *
++     * @param mixed $header
++     *
++     * @return void
++     */
+     private function assertHeader($header)
+     {
+         if (!is_string($header)) {
+@@ -210,5 +225,46 @@ trait MessageTrait
+         if ($header === '') {
+             throw new \InvalidArgumentException('Header name can not be empty.');
+         }
++
++        if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $header)) {
++            throw new \InvalidArgumentException(
++                sprintf(
++                    '"%s" is not valid header name',
++                    $header
++                )
++            );
++        }
++    }
++
++    /**
++     * @param string $value
++     *
++     * @return void
++     *
++     * @see https://tools.ietf.org/html/rfc7230#section-3.2
++     *
++     * field-value    = *( field-content / obs-fold )
++     * field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
++     * field-vchar    = VCHAR / obs-text
++     * VCHAR          = %x21-7E
++     * obs-text       = %x80-FF
++     * obs-fold       = CRLF 1*( SP / HTAB )
++     */
++    private function assertValue($value)
++    {
++        // The regular expression intentionally does not support the obs-fold production, because as
++        // per RFC 7230#3.2.4:
++        //
++        // A sender MUST NOT generate a message that includes
++        // line folding (i.e., that has any field-value that contains a match to
++        // the obs-fold rule) unless the message is intended for packaging
++        // within the message/http media type.
++        //
++        // Clients must not send a request with line folding and a server sending folded headers is
++        // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
++        // folding is not likely to break any legitimate use case.
++        if (! preg_match('/^(?:[\x21-\x7E\x80-\xFF](?:[\x20\x09]+[\x21-\x7E\x80-\xFF])?)*$/', $value)) {
++            throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
++        }
+     }
+ }
+diff --git a/tests/RequestTest.php b/tests/RequestTest.php
+index cae5933..e2b9e69 100644
+--- a/tests/RequestTest.php
++++ b/tests/RequestTest.php
+@@ -229,4 +229,54 @@ class RequestTest extends BaseTest
+         $r = $r->withUri(new Uri('http://foo.com:8125/bar'));
+         $this->assertSame('foo.com:8125', $r->getHeaderLine('host'));
+     }
++
++    /**
++     * @dataProvider provideHeaderValuesContainingNotAllowedChars
++     */
++    public function testContainsNotAllowedCharsOnHeaderValue($value)
++    {
++        $this->expectExceptionGuzzle('InvalidArgumentException', sprintf('"%s" is not valid header value', $value));
++        $r = new Request(
++            'GET',
++            'http://foo.com/baz?bar=bam',
++            [
++                'testing' => $value
++            ]
++        );
++    }
++
++    /**
++     * @return iterable
++     */
++    public function provideHeaderValuesContainingNotAllowedChars()
++    {
++        // Explicit tests for newlines as the most common exploit vector.
++        $tests = [
++            ["new\nline"],
++            ["new\r\nline"],
++            ["new\rline"],
++            // Line folding is technically allowed, but deprecated.
++            // We don't support it.
++            ["new\r\n line"],
++        ];
++
++        for ($i = 0; $i <= 0xff; $i++) {
++            if (\chr($i) == "\t") {
++                continue;
++            }
++            if (\chr($i) == " ") {
++                continue;
++            }
++            if ($i >= 0x21 && $i <= 0x7e) {
++                continue;
++            }
++            if ($i >= 0x80) {
++                continue;
++            }
++
++            $tests[] = ["foo" . \chr($i) . "bar"];
++        }
++
++        return $tests;
++    }
+ }
diff --git a/debian/patches/0003-Release-1.8.5-491.patch b/debian/patches/0003-Release-1.8.5-491.patch
new file mode 100644
index 0000000..08787d0
--- /dev/null
+++ b/debian/patches/0003-Release-1.8.5-491.patch
@@ -0,0 +1,45 @@
+From: Graham Campbell <GrahamCampbell@users.noreply.github.com>
+Date: Sun, 20 Mar 2022 21:51:18 +0000
+Subject: Release 1.8.5 (#491)
+
+Origin: backport, https://github.com/guzzle/psr7/commit/337e3ad8e5716c15f9657bd214d16cc5e69df268
+---
+ src/MessageTrait.php  |  2 +-
+ tests/RequestTest.php | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 459b104..0ac8663 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -263,7 +263,7 @@ trait MessageTrait
+         // Clients must not send a request with line folding and a server sending folded headers is
+         // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
+         // folding is not likely to break any legitimate use case.
+-        if (! preg_match('/^(?:[\x21-\x7E\x80-\xFF](?:[\x20\x09]+[\x21-\x7E\x80-\xFF])?)*$/', $value)) {
++        if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {
+             throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
+         }
+     }
+diff --git a/tests/RequestTest.php b/tests/RequestTest.php
+index e2b9e69..10ac92a 100644
+--- a/tests/RequestTest.php
++++ b/tests/RequestTest.php
+@@ -174,6 +174,17 @@ class RequestTest extends BaseTest
+         ], $r->getHeaders());
+     }
+ 
++    public function testHeaderValueWithWhitespace()
++    {
++        $r = new Request('GET', 'https://example.com/', [
++            'User-Agent' => 'Linux f0f489981e90 5.10.104-linuxkit 1 SMP Wed Mar 9 19:05:23 UTC 2022 x86_64'
++        ]);
++        self::assertSame([
++            'Host' => ['example.com'],
++            'User-Agent' => ['Linux f0f489981e90 5.10.104-linuxkit 1 SMP Wed Mar 9 19:05:23 UTC 2022 x86_64']
++        ], $r->getHeaders());
++    }
++
+     public function testCanGetHeaderAsCsv()
+     {
+         $r = new Request('GET', 'http://foo.com/baz?bar=bam', [
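Review bot: The relaxed value regex in `assertValue` keeps the `$` anchor, so a value ending in a bare line feed such as `"foo\n"` is still accepted: `trim($value, " \t")` earlier in the trait strips only SP and HTAB, and PCRE's `$` matches before a string-final `\n` unless the `D` modifier is given. Change the line to `if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value)) {` (or terminate the pattern with `\z`) so the end anchor means end of string. The added `testHeaderValueWithWhitespace` only checks an accepted value; a rejection case like `["foo\n"]` in `provideHeaderValuesContainingNotAllowedChars` (defined in the 1.8.4 patch, outside this hunk) would pin the stricter behavior. The enclosing `assertValue` method starts before this hunk.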
diff --git a/debian/patches/series b/debian/patches/series
index 4b61c69..3301656 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
 0002-Fixed-bad-test-355.patch
+0002-Release-1.8.4-486.patch
+0003-Release-1.8.5-491.patch
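Review bot: The series now contains two patches with the `0002-` prefix (`0002-Fixed-bad-test-355.patch` and the new `0002-Release-1.8.4-486.patch`), so the numeric prefix no longer reflects apply order. Renumbering the new files to `0003-Release-1.8.4-486.patch` and `0004-Release-1.8.5-491.patch` (and updating the file names accordingly) would keep the series monotonic and easier to audit.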
