Version in base suite: 1.7.0-1+deb11u1
Base version: php-guzzlehttp-psr7_1.7.0-1+deb11u1
Target version: php-guzzlehttp-psr7_1.7.0-1+deb11u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-guzzlehttp-psr7/php-guzzlehttp-psr7_1.7.0-1+deb11u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-guzzlehttp-psr7/php-guzzlehttp-psr7_1.7.0-1+deb11u2.dsc
changelog | 6 +
patches/0004-Patch-header-validation-issue.patch | 87 +++++++++++++++++++++++
patches/series | 1
3 files changed, 94 insertions(+)
diff -Nru php-guzzlehttp-psr7-1.7.0/debian/changelog php-guzzlehttp-psr7-1.7.0/debian/changelog
--- php-guzzlehttp-psr7-1.7.0/debian/changelog 2022-05-27 11:29:47.000000000 +0000
+++ php-guzzlehttp-psr7-1.7.0/debian/changelog 2023-04-22 09:41:36.000000000 +0000
@@ -1,3 +1,9 @@
+php-guzzlehttp-psr7 (1.7.0-1+deb11u2) bullseye; urgency=medium
+
+ * Fix improper input validation [CVE-2023-29197] (Closes: #1034581)
+
+ -- David Prévot Sat, 22 Apr 2023 11:41:36 +0200
+
 php-guzzlehttp-psr7 (1.7.0-1+deb11u1) bullseye; urgency=medium
 * Track Bullseye
diff -Nru php-guzzlehttp-psr7-1.7.0/debian/patches/0004-Patch-header-validation-issue.patch php-guzzlehttp-psr7-1.7.0/debian/patches/0004-Patch-header-validation-issue.patch
--- php-guzzlehttp-psr7-1.7.0/debian/patches/0004-Patch-header-validation-issue.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-guzzlehttp-psr7-1.7.0/debian/patches/0004-Patch-header-validation-issue.patch 2023-04-22 09:40:08.000000000 +0000
@@ -0,0 +1,87 @@
+From: Graham Campbell
+Date: Mon, 17 Apr 2023 16:33:27 +0100
+Subject: Patch header validation issue
+
+Origin: upstream, https://github.com/guzzle/psr7/commit/18fd8915823bd9ca4156e84849e18970057dc7e4
+Bug-Debian: https://bugs.debian.org/1034581 https://security-tracker.debian.org/tracker/CVE-2023-29197
+---
+ src/MessageTrait.php | 13 ++++++-------
+ tests/RequestTest.php | 5 +++++
+ tests/ResponseTest.php | 9 +++++++++
+ 3 files changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 0ac8663..0bbd63e 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -226,12 +226,9 @@ trait MessageTrait
+ throw new \InvalidArgumentException('Header name can not be empty.');
+ }
+
+- if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $header)) {
++ if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/D', $header)) {
+ throw new \InvalidArgumentException(
+- sprintf(
+- '"%s" is not valid header name',
+- $header
+- )
++ sprintf('"%s" is not valid header name.', $header)
+ );
+ }
+ }
+@@ -263,8 +260,10 @@ trait MessageTrait
+ // Clients must not send a request with line folding and a server sending folded headers is
+ // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
+ // folding is not likely to break any legitimate use case.
+- if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {
+- throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
++ if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value)) {
++ throw new \InvalidArgumentException(
++ sprintf('"%s" is not valid header value.', $value)
++ );
+ }
+ }
+ }
+diff --git a/tests/RequestTest.php b/tests/RequestTest.php
+index 10ac92a..7dca806 100644
+--- a/tests/RequestTest.php
++++ b/tests/RequestTest.php
+@@ -269,6 +269,10 @@ class RequestTest extends BaseTest
+ // Line folding is technically allowed, but deprecated.
+ // We don't support it.
+ ["new\r\n line"],
++ ["newline\n"],
++ ["\nnewline"],
++ ["newline\r\n"],
++ ["\r\nnewline"],
+ ];
+
+ for ($i = 0; $i <= 0xff; $i++) {
+@@ -286,6 +290,7 @@ class RequestTest extends BaseTest
+ }
+
+ $tests[] = ["foo" . \chr($i) . "bar"];
++ $tests[] = ["foo" . \chr($i)];
+ }
+
+ return $tests;
+diff --git a/tests/ResponseTest.php b/tests/ResponseTest.php
+index 0b6be02..30e106b 100644
+--- a/tests/ResponseTest.php
++++ b/tests/ResponseTest.php
+@@ -284,6 +284,15 @@ class ResponseTest extends BaseTest
+ [[], 'foo', 'Header name must be a string but array provided.'],
+ [false, 'foo', 'Header name must be a string but boolean provided.'],
+ [new \stdClass(), 'foo', 'Header name must be a string but stdClass provided.'],
++ ["", 'foo', "Header name can not be empty."],
++ ["Content-Type\r\n\r\n", 'foo', "\"Content-Type\r\n\r\n\" is not valid header name."],
++ ["Content-Type\r\n", 'foo', "\"Content-Type\r\n\" is not valid header name."],
++ ["Content-Type\n", 'foo', "\"Content-Type\n\" is not valid header name."],
++ ["\r\nContent-Type", 'foo', "\"\r\nContent-Type\" is not valid header name."],
++ ["\nContent-Type", 'foo', "\"\nContent-Type\" is not valid header name."],
++ ["\n", 'foo', "\"\n\" is not valid header name."],
++ ["\r\n", 'foo', "\"\r\n\" is not valid header name."],
++ ["\t", 'foo', "\"\t\" is not valid header name."],
+ ]);
+ }
+
diff -Nru php-guzzlehttp-psr7-1.7.0/debian/patches/series php-guzzlehttp-psr7-1.7.0/debian/patches/series
--- php-guzzlehttp-psr7-1.7.0/debian/patches/series 2022-05-27 11:29:47.000000000 +0000
+++ php-guzzlehttp-psr7-1.7.0/debian/patches/series 2023-04-22 09:40:08.000000000 +0000
@@ -1,3 +1,4 @@
 0002-Fixed-bad-test-355.patch
 0002-Release-1.8.4-486.patch
 0003-Release-1.8.5-491.patch
+0004-Patch-header-validation-issue.patch
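Review bot: The whole fix in the embedded src/MessageTrait.php hunks is the single `D` modifier appended to both `preg_match` patterns, yet nothing in the code says why it is there, so a later cleanup could drop it as noise and silently reopen the issue; add a comment above each check such as `// D (PCRE_DOLLAR_ENDONLY): without it $ also matches before a trailing "\n", so a name or value ending in CRLF passed validation (CVE-2023-29197).` The rewritten `sprintf('"%s" is not valid header value.', $value)` (and its header-name twin) still interpolates the rejected bytes verbatim into the exception message, so if that message is logged the CR/LF just rejected lands in the log as a line break; escaping the offending string first, e.g. `addcslashes($value, "\0..\37\177")` or `json_encode($value)`, would keep the message single-line. The tests cover trailing and leading newlines for both names and values, but none checks a bare `"\r"` (0x0D) mid-value; the character class already excludes it, so a single data row would pin that. Both embedded MessageTrait hunks start inside their methods, whose signatures are outside the hunks.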