Version in base suite: 1.7.0-1 Base version: php-guzzlehttp-psr7_1.7.0-1 Target version: php-guzzlehttp-psr7_1.7.0-1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-guzzlehttp-psr7/php-guzzlehttp-psr7_1.7.0-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-guzzlehttp-psr7/php-guzzlehttp-psr7_1.7.0-1+deb11u1.dsc changelog | 8 + gbp.conf | 2 patches/0002-Release-1.8.4-486.patch | 188 +++++++++++++++++++++++++++++++++++ patches/0003-Release-1.8.5-491.patch | 45 ++++++++ patches/series | 2 5 files changed, 244 insertions(+), 1 deletion(-)
diff -Nru php-guzzlehttp-psr7-1.7.0/debian/changelog php-guzzlehttp-psr7-1.7.0/debian/changelog
--- php-guzzlehttp-psr7-1.7.0/debian/changelog 2021-01-26 02:21:04.000000000 +0000
+++ php-guzzlehttp-psr7-1.7.0/debian/changelog 2022-05-27 11:29:47.000000000 +0000
@@ -1,3 +1,11 @@
+php-guzzlehttp-psr7 (1.7.0-1+deb11u1) bullseye; urgency=medium
+
+ * Track Bullseye
+ * Backport fixes for improper header parsing [CVE-2022-24775]
+ (Closes: #1008236)
+
+ -- David Prévot Fri, 27 May 2022 13:29:47 +0200
+
 php-guzzlehttp-psr7 (1.7.0-1) unstable; urgency=medium
 * Revert "Bundle php-getallheaders being processed in NEW"
diff -Nru php-guzzlehttp-psr7-1.7.0/debian/gbp.conf php-guzzlehttp-psr7-1.7.0/debian/gbp.conf
--- php-guzzlehttp-psr7-1.7.0/debian/gbp.conf 2021-01-08 03:18:22.000000000 +0000
+++ php-guzzlehttp-psr7-1.7.0/debian/gbp.conf 2022-05-27 11:29:47.000000000 +0000
@@ -1,7 +1,7 @@
 [DEFAULT]
 pristine-tar = True
 pristine-tar-commit = True
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 ## Once --filter support gets added to gbp import-ref, we should be able
 ## to simplify the workflow and ignore the upstream branch.
diff -Nru php-guzzlehttp-psr7-1.7.0/debian/patches/0002-Release-1.8.4-486.patch php-guzzlehttp-psr7-1.7.0/debian/patches/0002-Release-1.8.4-486.patch
--- php-guzzlehttp-psr7-1.7.0/debian/patches/0002-Release-1.8.4-486.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-guzzlehttp-psr7-1.7.0/debian/patches/0002-Release-1.8.4-486.patch 2022-05-27 11:29:47.000000000 +0000
@@ -0,0 +1,188 @@ +From: Graham Campbell +Date: Sun, 20 Mar 2022 13:44:44 +0000 +Subject: Release 1.8.4 (#486) +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Co-authored-by: Tim Düsterhus + +Origin: backport, https://github.com/guzzle/psr7/commit/902db15a551a4a415e732b622282e21ce1b508b4 +--- + src/MessageTrait.php | 66 +++++++++++++++++++++++++++++++++++++++++++++++---- + tests/RequestTest.php | 50 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 111 insertions(+), 5 deletions(-) + +diff --git a/src/MessageTrait.php b/src/MessageTrait.php +index 99203bb..459b104 100644 +--- a/src/MessageTrait.php ++++ b/src/MessageTrait.php +@@ -157,17 +157,22 @@ trait MessageTrait + } + } + ++ /** ++ * @param mixed $value ++ * ++ * @return string[] ++ */ + private function normalizeHeaderValue($value) + { + if (!is_array($value)) { +- return $this->trimHeaderValues([$value]); ++ return $this->trimAndValidateHeaderValues([$value]); + } + + if (count($value) === 0) { + throw new \InvalidArgumentException('Header value can not be an empty array.'); + } + +- return $this->trimHeaderValues($value); ++ return $this->trimAndValidateHeaderValues($value); + } + + /** +@@ -178,13 +183,13 @@ trait MessageTrait + * header-field = field-name ":" OWS field-value OWS + * OWS = *( SP / HTAB ) + * +- * @param string[] $values Header values ++ * @param mixed[] $values Header values + * + * @return string[] Trimmed header values + * + * @see https://tools.ietf.org/html/rfc7230#section-3.2.4 + */ +- private function trimHeaderValues(array $values) ++ private function trimAndValidateHeaderValues(array $values) + { + return array_map(function ($value) { + if (!is_scalar($value) && null !== $value) { +@@ -194,10 +199,20 @@ trait MessageTrait + )); + } + +- return trim((string) $value, " \t"); ++ $trimmed = trim((string) $value, " \t"); ++ $this->assertValue($trimmed); ++ ++ return $trimmed; + }, array_values($values)); + } + ++ /** ++ * @see 
https://tools.ietf.org/html/rfc7230#section-3.2 ++ * ++ * @param mixed $header ++ * ++ * @return void ++ */ + private function assertHeader($header) + { + if (!is_string($header)) { +@@ -210,5 +225,46 @@ trait MessageTrait + if ($header === '') { + throw new \InvalidArgumentException('Header name can not be empty.'); + } ++ ++ if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $header)) { ++ throw new \InvalidArgumentException( ++ sprintf( ++ '"%s" is not valid header name', ++ $header ++ ) ++ ); ++ } ++ } ++ ++ /** ++ * @param string $value ++ * ++ * @return void ++ * ++ * @see https://tools.ietf.org/html/rfc7230#section-3.2 ++ * ++ * field-value = *( field-content / obs-fold ) ++ * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] ++ * field-vchar = VCHAR / obs-text ++ * VCHAR = %x21-7E ++ * obs-text = %x80-FF ++ * obs-fold = CRLF 1*( SP / HTAB ) ++ */ ++ private function assertValue($value) ++ { ++ // The regular expression intentionally does not support the obs-fold production, because as ++ // per RFC 7230#3.2.4: ++ // ++ // A sender MUST NOT generate a message that includes ++ // line folding (i.e., that has any field-value that contains a match to ++ // the obs-fold rule) unless the message is intended for packaging ++ // within the message/http media type. ++ // ++ // Clients must not send a request with line folding and a server sending folded headers is ++ // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting ++ // folding is not likely to break any legitimate use case. ++ if (! 
preg_match('/^(?:[\x21-\x7E\x80-\xFF](?:[\x20\x09]+[\x21-\x7E\x80-\xFF])?)*$/', $value)) { ++ throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value)); ++ } + } + } +diff --git a/tests/RequestTest.php b/tests/RequestTest.php +index cae5933..e2b9e69 100644 +--- a/tests/RequestTest.php ++++ b/tests/RequestTest.php +@@ -229,4 +229,54 @@ class RequestTest extends BaseTest + $r = $r->withUri(new Uri('http://foo.com:8125/bar')); + $this->assertSame('foo.com:8125', $r->getHeaderLine('host')); + } ++ ++ /** ++ * @dataProvider provideHeaderValuesContainingNotAllowedChars ++ */ ++ public function testContainsNotAllowedCharsOnHeaderValue($value) ++ { ++ $this->expectExceptionGuzzle('InvalidArgumentException', sprintf('"%s" is not valid header value', $value)); ++ $r = new Request( ++ 'GET', ++ 'http://foo.com/baz?bar=bam', ++ [ ++ 'testing' => $value ++ ] ++ ); ++ } ++ ++ /** ++ * @return iterable ++ */ ++ public function provideHeaderValuesContainingNotAllowedChars() ++ { ++ // Explicit tests for newlines as the most common exploit vector. ++ $tests = [ ++ ["new\nline"], ++ ["new\r\nline"], ++ ["new\rline"], ++ // Line folding is technically allowed, but deprecated. ++ // We don't support it. ++ ["new\r\n line"], ++ ]; ++ ++ for ($i = 0; $i <= 0xff; $i++) { ++ if (\chr($i) == "\t") { ++ continue; ++ } ++ if (\chr($i) == " ") { ++ continue; ++ } ++ if ($i >= 0x21 && $i <= 0x7e) { ++ continue; ++ } ++ if ($i >= 0x80) { ++ continue; ++ } ++ ++ $tests[] = ["foo" . \chr($i) . "bar"]; ++ } ++ ++ return $tests; ++ } + } diff -Nru php-guzzlehttp-psr7-1.7.0/debian/patches/0003-Release-1.8.5-491.patch php-guzzlehttp-psr7-1.7.0/debian/patches/0003-Release-1.8.5-491.patch --- php-guzzlehttp-psr7-1.7.0/debian/patches/0003-Release-1.8.5-491.patch 1970-01-01 00:00:00.000000000 +0000 +++ php-guzzlehttp-psr7-1.7.0/debian/patches/0003-Release-1.8.5-491.patch 2022-05-27 11:29:47.000000000 +0000 
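Review bot: `assertValue` in the new 0002 patch interpolates the rejected value verbatim into the exception message (`sprintf('"%s" is not valid header value', $value)`), so the very bytes the check exists to reject — CR, LF and other control characters — are carried into whatever log or error page renders that exception. Applying `addcslashes($value, "\0..\37\177..\377")` before the sprintf would keep the message single-line and printable. The bundled `testContainsNotAllowedCharsOnHeaderValue` pins the exact message through `expectExceptionGuzzle`, so its expected string would have to change alongside, which may be unwanted for a straight backport; the 0003 patch in this upload keeps the same message. The surrounding MessageTrait methods begin before line 157 of MessageTrait.php and are outside this hunk.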
@@ -0,0 +1,45 @@ +From: Graham Campbell +Date: Sun, 20 Mar 2022 21:51:18 +0000 +Subject: Release 1.8.5 (#491) + +Origin: backport, https://github.com/guzzle/psr7/commit/337e3ad8e5716c15f9657bd214d16cc5e69df268 +--- + src/MessageTrait.php | 2 +- + tests/RequestTest.php | 11 +++++++++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/MessageTrait.php b/src/MessageTrait.php +index 459b104..0ac8663 100644 +--- a/src/MessageTrait.php ++++ b/src/MessageTrait.php +@@ -263,7 +263,7 @@ trait MessageTrait + // Clients must not send a request with line folding and a server sending folded headers is + // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting + // folding is not likely to break any legitimate use case. +- if (! preg_match('/^(?:[\x21-\x7E\x80-\xFF](?:[\x20\x09]+[\x21-\x7E\x80-\xFF])?)*$/', $value)) { ++ if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) { + throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value)); + } + } +diff --git a/tests/RequestTest.php b/tests/RequestTest.php +index e2b9e69..10ac92a 100644 +--- a/tests/RequestTest.php ++++ b/tests/RequestTest.php +@@ -174,6 +174,17 @@ class RequestTest extends BaseTest + ], $r->getHeaders()); + } + ++ public function testHeaderValueWithWhitespace() ++ { ++ $r = new Request('GET', 'https://example.com/', [ ++ 'User-Agent' => 'Linux f0f489981e90 5.10.104-linuxkit 1 SMP Wed Mar 9 19:05:23 UTC 2022 x86_64' ++ ]); ++ self::assertSame([ ++ 'Host' => ['example.com'], ++ 'User-Agent' => ['Linux f0f489981e90 5.10.104-linuxkit 1 SMP Wed Mar 9 19:05:23 UTC 2022 x86_64'] ++ ], $r->getHeaders()); ++ } ++ + public function testCanGetHeaderAsCsv() + { + $r = new Request('GET', 'http://foo.com/baz?bar=bam', [ diff -Nru php-guzzlehttp-psr7-1.7.0/debian/patches/series php-guzzlehttp-psr7-1.7.0/debian/patches/series --- php-guzzlehttp-psr7-1.7.0/debian/patches/series 2021-01-26 02:12:14.000000000 +0000 +++ 
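Review bot: The replacement pattern in `assertValue` (`/^[\x20\x09\x21-\x7E\x80-\xFF]*$/`) accepts leading and trailing SP/HTAB, which the RFC 7230 field-value grammar quoted in the docblock does not; it is only correct because `trimAndValidateHeaderValues` (added by the 0002 patch) trims `" \t"` before calling it, and a future caller passing an untrimmed value would silently get whitespace-padded headers. A comment above the check such as `// Leading/trailing OWS passes this pattern only because callers trim it first; see trimAndValidateHeaderValues.` would make that dependency explicit. Separately, `! preg_match(...)` folds a PCRE error (`false`) into the same "not valid header value" exception as a genuine mismatch; that is fail-closed, which is the right default, but a `preg_last_error() !== PREG_NO_ERROR` branch throwing a distinct `\RuntimeException` would stop an engine limit being reported as bad input. The backtracking-prone pattern this patch replaces is presumably how the false rejection covered by `testHeaderValueWithWhitespace` arose, so distinguishing the two cases would have made that regression visible sooner.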
php-guzzlehttp-psr7-1.7.0/debian/patches/series 2022-05-27 11:29:47.000000000 +0000
@@ -1 +1,3 @@
 0002-Fixed-bad-test-355.patch
+0002-Release-1.8.4-486.patch
+0003-Release-1.8.5-491.patch