Version in base suite: 1.3.2-2
Base version: php-nyholm-psr7_1.3.2-2
Target version: php-nyholm-psr7_1.3.2-2+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-nyholm-psr7/php-nyholm-psr7_1.3.2-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-nyholm-psr7/php-nyholm-psr7_1.3.2-2+deb11u1.dsc
changelog | 7
control | 2
gbp.conf | 2
patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch | 131 ++++++++++
patches/series | 1
5 files changed, 141 insertions(+), 2 deletions(-)
diff -Nru php-nyholm-psr7-1.3.2/debian/changelog php-nyholm-psr7-1.3.2/debian/changelog
--- php-nyholm-psr7-1.3.2/debian/changelog 2020-12-13 13:32:52.000000000 +0000
+++ php-nyholm-psr7-1.3.2/debian/changelog 2023-04-22 10:22:36.000000000 +0000
@@ -1,3 +1,10 @@
+php-nyholm-psr7 (1.3.2-2+deb11u1) bullseye; urgency=medium
+
+ * Fix improper input validation [CVE-2023-29197] (Closes: #1034597)
+ * Use debian/bullseye branch
+
+ -- David Prévot Sat, 22 Apr 2023 12:22:36 +0200
+
 php-nyholm-psr7 (1.3.2-2) unstable; urgency=medium
 * Fix d/clean
diff -Nru php-nyholm-psr7-1.3.2/debian/control php-nyholm-psr7-1.3.2/debian/control
--- php-nyholm-psr7-1.3.2/debian/control 2020-12-13 13:22:01.000000000 +0000
+++ php-nyholm-psr7-1.3.2/debian/control 2023-04-22 10:22:03.000000000 +0000
@@ -13,7 +13,7 @@
 pkg-php-tools
 Standards-Version: 4.5.1
 Homepage: https://github.com/Nyholm/psr7
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-nyholm-psr7.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-nyholm-psr7.git -b debian/bullseye
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-nyholm-psr7
 Rules-Requires-Root: no
diff -Nru php-nyholm-psr7-1.3.2/debian/gbp.conf php-nyholm-psr7-1.3.2/debian/gbp.conf
--- php-nyholm-psr7-1.3.2/debian/gbp.conf 2020-11-21 20:52:23.000000000 +0000
+++ php-nyholm-psr7-1.3.2/debian/gbp.conf 2023-04-22 10:21:53.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 pristine-tar = True
 pristine-tar-commit = True
diff -Nru php-nyholm-psr7-1.3.2/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch php-nyholm-psr7-1.3.2/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch
--- php-nyholm-psr7-1.3.2/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-nyholm-psr7-1.3.2/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch 2023-04-22 10:20:36.000000000 +0000
@@ -0,0 +1,131 @@
+From: Tobias Nyholm
+Date: Mon, 17 Apr 2023 18:00:04 +0200
+Subject: Merge pull request from GHSA-wjfc-pgfp-pv9c
+
+Improper Input Validation in headers
+
+Origin: backport, https://github.com/Nyholm/psr7/commit/1029a2671cbdd3e075a21952082c2be7c8018426
+Bug-Debian: https://bugs.debian.org/1034597 https://security-tracker.debian.org/tracker/CVE-2023-29197
+---
+ src/MessageTrait.php | 4 ++--
+ tests/RequestTest.php | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ tests/ResponseTest.php | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 79 insertions(+), 2 deletions(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 2da949d..4977583 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -177,7 +177,7 @@ trait MessageTrait
+ */
+ private function validateAndTrimHeader($header, $values): array
+ {
+- if (!\is_string($header) || 1 !== \preg_match("@^[!#$%&'*+.^_`|~0-9A-Za-z-]+$@", $header)) {
++ if (!\is_string($header) || 1 !== \preg_match("@^[!#$%&'*+.^_`|~0-9A-Za-z-]+$@D", $header)) {
+ throw new \InvalidArgumentException('Header name must be an RFC 7230 compatible string.');
+ }
+
+@@ -197,7 +197,7 @@ trait MessageTrait
+ // Assert Non empty array
+ $returnValues = [];
+ foreach ($values as $v) {
+- if ((!\is_numeric($v) && !\is_string($v)) || 1 !== \preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@", (string) $v)) {
++ if ((!\is_numeric($v) && !\is_string($v)) || 1 !== \preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@D", (string) $v)) {
+ throw new \InvalidArgumentException('Header values must be RFC 7230 compatible strings.');
+ }
+
+diff --git a/tests/RequestTest.php b/tests/RequestTest.php
+index ddac6d2..8d5d53e 100644
+--- a/tests/RequestTest.php
++++ b/tests/RequestTest.php
+@@ -294,4 +294,50 @@ class RequestTest extends TestCase
+ $request = $request->withUri(new Uri('https://nyholm.tech:443'));
+ $this->assertEquals('nyholm.tech', $request->getHeaderLine('Host'));
+ }
++
++ /**
++ * @dataProvider provideHeaderValuesContainingNotAllowedChars
++ */
++ public function testCannotHaveHeaderWithInvalidValue(string $name)
++ {
++ $this->expectException(\InvalidArgumentException::class);
++ $this->expectExceptionMessage('Header name must be an RFC 7230 compatible string');
++ $r = new Request('GET', 'https://example.com/');
++ $r->withHeader($name, 'Bar');
++ }
++
++ public static function provideHeaderValuesContainingNotAllowedChars(): array
++ {
++ // Explicit tests for newlines as the most common exploit vector.
++ $tests = [
++ ["new\nline"],
++ ["new\r\nline"],
++ ["new\rline"],
++ ["new\r\n line"],
++ ["newline\n"],
++ ["\nnewline"],
++ ["newline\r\n"],
++ ["\n\rnewline"],
++ ];
++
++ for ($i = 0; $i <= 0xFF; ++$i) {
++ if ("\t" == \chr($i)) {
++ continue;
++ }
++ if (' ' == \chr($i)) {
++ continue;
++ }
++ if ($i >= 0x21 && $i <= 0x7E) {
++ continue;
++ }
++ if ($i >= 0x80) {
++ continue;
++ }
++
++ $tests[] = ['foo' . \chr($i) . 'bar'];
++ $tests[] = ['foo' . \chr($i)];
++ }
++
++ return $tests;
++ }
+ }
+diff --git a/tests/ResponseTest.php b/tests/ResponseTest.php
+index e6e109e..effc81d 100644
+--- a/tests/ResponseTest.php
++++ b/tests/ResponseTest.php
+@@ -266,4 +266,35 @@ class ResponseTest extends TestCase
+ $this->assertSame('Foo', $r->getHeaderLine('OWS'));
+ $this->assertSame(['Foo'], $r->getHeader('OWS'));
+ }
++
++ /**
++ * @dataProvider invalidWithHeaderProvider
++ */
++ public function testWithInvalidHeader($header, $headerValue, $expectedMessage): void
++ {
++ $r = new Response();
++ $this->expectException(\InvalidArgumentException::class);
++ $this->expectExceptionMessage($expectedMessage);
++ $r->withHeader($header, $headerValue);
++ }
++
++ public function invalidWithHeaderProvider(): iterable
++ {
++ return [
++ ['foo', [], 'Header values must be a string or an array of strings, empty array given'],
++ ['foo', new \stdClass(), 'Header values must be RFC 7230 compatible strings'],
++ [[], 'foo', 'Header name must be an RFC 7230 compatible string'],
++ [false, 'foo', 'Header name must be an RFC 7230 compatible string'],
++ [new \stdClass(), 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ['', 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["Content-Type\r\n\r\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["Content-Type\r\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["Content-Type\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["\r\nContent-Type", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["\nContent-Type", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["\r\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["\t", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ];
++ }
+ }
diff -Nru php-nyholm-psr7-1.3.2/debian/patches/series php-nyholm-psr7-1.3.2/debian/patches/series
--- php-nyholm-psr7-1.3.2/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ php-nyholm-psr7-1.3.2/debian/patches/series 2023-04-22 10:20:36.000000000 +0000
@@ -0,0 +1 @@
+0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch
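Review bot: The `D` modifier is added to both regexes in validateAndTrimHeader, but the new tests only push a trailing newline through the header-name path: RequestTest passes `$name` as the header with the fixed value `'Bar'`, and the only invalid value cases in ResponseTest's invalidWithHeaderProvider are `[]` and `new \stdClass()`, so a regression in the value regex (a value like `"bar\n"` matching `$` before the final newline again) would go unnoticed. Add value cases such as `['foo', "bar\n", 'Header values must be RFC 7230 compatible strings'],` and `['foo', "bar\r\n", 'Header values must be RFC 7230 compatible strings'],` to invalidWithHeaderProvider. On naming, `testCannotHaveHeaderWithInvalidValue` and `provideHeaderValuesContainingNotAllowedChars` actually exercise header names (the provider feeds `withHeader($name, 'Bar')` and expects the "Header name" message), so `testCannotHaveHeaderWithInvalidName` / `provideHeaderNamesContainingNotAllowedChars` would describe what they test. The validateAndTrimHeader hunks are excerpts; the method's body continues outside the patched lines, so whether the trimmed value is later re-validated cannot be seen here.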