author | Carl Schwan <carl@carlschwan.eu> | 2022-06-24 16:41:41 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-06-24 16:41:41 +0300 |
commit | a5d796d02631b21546accdafc09021f96787bb8b (patch) | |
tree | c92a579ec6995ab7b56498e9c094b539f9683f16 | |
parent | 0bf50db5aad59205408a7486f4addca8698de741 (diff) | |
parent | 87fb7ed8acd5e8343e8e6abe7b3a896f2a535550 (diff) |
Merge pull request #1088 from nextcloud/dependabot/composer/guzzlehttp/guzzle-7.4.5
Bump guzzlehttp/guzzle from 7.4.4 to 7.4.5
-rw-r--r-- | composer.lock | 28 | ||||
-rw-r--r-- | composer/autoload_classmap.php | 1 | ||||
-rw-r--r-- | composer/autoload_static.php | 1 | ||||
-rw-r--r-- | composer/installed.json | 32 | ||||
-rw-r--r-- | composer/installed.php | 24 | ||||
-rw-r--r-- | guzzlehttp/guzzle/src/RedirectMiddleware.php | 33 | ||||
-rw-r--r-- | guzzlehttp/psr7/CHANGELOG.md | 10 | ||||
-rw-r--r-- | guzzlehttp/psr7/README.md | 24 | ||||
-rw-r--r-- | guzzlehttp/psr7/composer.json | 2 | ||||
-rw-r--r-- | guzzlehttp/psr7/src/UriComparator.php | 55 |
10 files changed, 134 insertions, 76 deletions
diff --git a/composer.lock b/composer.lock index 28a6b4bd..cf85f0da 100644 --- a/composer.lock +++ b/composer.lock @@ -1218,22 +1218,22 @@ }, { "name": "guzzlehttp/guzzle", - "version": "7.4.4", + "version": "7.4.5", "source": { "type": "git", "url": "https://github.com/guzzle/guzzle.git", - "reference": "e3ff079b22820c2029d4c2a87796b6a0b8716ad8" + "reference": "1dd98b0564cb3f6bd16ce683cb755f94c10fbd82" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/guzzle/guzzle/zipball/e3ff079b22820c2029d4c2a87796b6a0b8716ad8", - "reference": "e3ff079b22820c2029d4c2a87796b6a0b8716ad8", + "url": "https://api.github.com/repos/guzzle/guzzle/zipball/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82", + "reference": "1dd98b0564cb3f6bd16ce683cb755f94c10fbd82", "shasum": "" }, "require": { "ext-json": "*", "guzzlehttp/promises": "^1.5", - "guzzlehttp/psr7": "^1.8.3 || ^2.1", + "guzzlehttp/psr7": "^1.9 || ^2.4", "php": "^7.2.5 || ^8.0", "psr/http-client": "^1.0", "symfony/deprecation-contracts": "^2.2 || ^3.0" @@ -1322,7 +1322,7 @@ ], "support": { "issues": "https://github.com/guzzle/guzzle/issues", - "source": "https://github.com/guzzle/guzzle/tree/7.4.4" + "source": "https://github.com/guzzle/guzzle/tree/7.4.5" }, "funding": [ { @@ -1338,7 +1338,7 @@ "type": "tidelift" } ], - "time": "2022-06-09T21:39:15+00:00" + "time": "2022-06-20T22:16:13+00:00" }, { "name": "guzzlehttp/promises", 
@@ -1426,16 +1426,16 @@ }, { "name": "guzzlehttp/psr7", - "version": "1.8.5", + "version": "1.9.0", "source": { "type": "git", "url": "https://github.com/guzzle/psr7.git", - "reference": "337e3ad8e5716c15f9657bd214d16cc5e69df268" + "reference": "e98e3e6d4f86621a9b75f623996e6bbdeb4b9318" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/guzzle/psr7/zipball/337e3ad8e5716c15f9657bd214d16cc5e69df268", - "reference": "337e3ad8e5716c15f9657bd214d16cc5e69df268", + "url": "https://api.github.com/repos/guzzle/psr7/zipball/e98e3e6d4f86621a9b75f623996e6bbdeb4b9318", + "reference": "e98e3e6d4f86621a9b75f623996e6bbdeb4b9318", "shasum": "" }, "require": { @@ -1456,7 +1456,7 @@ "type": "library", "extra": { "branch-alias": { - "dev-master": "1.7-dev" + "dev-master": "1.9-dev" } }, "autoload": { @@ -1516,7 +1516,7 @@ ], "support": { "issues": "https://github.com/guzzle/psr7/issues", - "source": "https://github.com/guzzle/psr7/tree/1.8.5" + "source": "https://github.com/guzzle/psr7/tree/1.9.0" }, "funding": [ { @@ -1532,7 +1532,7 @@ "type": "tidelift" } ], - "time": "2022-03-20T21:51:18+00:00" + "time": "2022-06-20T21:43:03+00:00" }, { "name": "guzzlehttp/uri-template", diff --git a/composer/autoload_classmap.php b/composer/autoload_classmap.php index b5499d8c..d1c1cfda 100644 --- a/composer/autoload_classmap.php +++ b/composer/autoload_classmap.php 
@@ -1409,6 +1409,7 @@ return array( 'GuzzleHttp\\Psr7\\StreamWrapper' => $vendorDir . '/guzzlehttp/psr7/src/StreamWrapper.php', 'GuzzleHttp\\Psr7\\UploadedFile' => $vendorDir . '/guzzlehttp/psr7/src/UploadedFile.php', 'GuzzleHttp\\Psr7\\Uri' => $vendorDir . '/guzzlehttp/psr7/src/Uri.php', + 'GuzzleHttp\\Psr7\\UriComparator' => $vendorDir . '/guzzlehttp/psr7/src/UriComparator.php', 'GuzzleHttp\\Psr7\\UriNormalizer' => $vendorDir . '/guzzlehttp/psr7/src/UriNormalizer.php', 'GuzzleHttp\\Psr7\\UriResolver' => $vendorDir . '/guzzlehttp/psr7/src/UriResolver.php', 'GuzzleHttp\\Psr7\\Utils' => $vendorDir . '/guzzlehttp/psr7/src/Utils.php', diff --git a/composer/autoload_static.php b/composer/autoload_static.php index 43ff4254..d1087101 100644 --- a/composer/autoload_static.php +++ b/composer/autoload_static.php @@ -2045,6 +2045,7 @@ class ComposerStaticInit2f23f73bc0cc116b4b1eee1521aa8652 'GuzzleHttp\\Psr7\\StreamWrapper' => __DIR__ . '/..' . '/guzzlehttp/psr7/src/StreamWrapper.php', 'GuzzleHttp\\Psr7\\UploadedFile' => __DIR__ . '/..' . '/guzzlehttp/psr7/src/UploadedFile.php', 'GuzzleHttp\\Psr7\\Uri' => __DIR__ . '/..' . '/guzzlehttp/psr7/src/Uri.php', + 'GuzzleHttp\\Psr7\\UriComparator' => __DIR__ . '/..' . '/guzzlehttp/psr7/src/UriComparator.php', 'GuzzleHttp\\Psr7\\UriNormalizer' => __DIR__ . '/..' . '/guzzlehttp/psr7/src/UriNormalizer.php', 'GuzzleHttp\\Psr7\\UriResolver' => __DIR__ . '/..' . '/guzzlehttp/psr7/src/UriResolver.php', 'GuzzleHttp\\Psr7\\Utils' => __DIR__ . '/..' . '/guzzlehttp/psr7/src/Utils.php', diff --git a/composer/installed.json b/composer/installed.json index 767f9379..d6a64e89 100644 --- a/composer/installed.json +++ b/composer/installed.json 
@@ -1266,23 +1266,23 @@ }, { "name": "guzzlehttp/guzzle", - "version": "7.4.4", - "version_normalized": "7.4.4.0", + "version": "7.4.5", + "version_normalized": "7.4.5.0", "source": { "type": "git", "url": "https://github.com/guzzle/guzzle.git", - "reference": "e3ff079b22820c2029d4c2a87796b6a0b8716ad8" + "reference": "1dd98b0564cb3f6bd16ce683cb755f94c10fbd82" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/guzzle/guzzle/zipball/e3ff079b22820c2029d4c2a87796b6a0b8716ad8", - "reference": "e3ff079b22820c2029d4c2a87796b6a0b8716ad8", + "url": "https://api.github.com/repos/guzzle/guzzle/zipball/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82", + "reference": "1dd98b0564cb3f6bd16ce683cb755f94c10fbd82", "shasum": "" }, "require": { "ext-json": "*", "guzzlehttp/promises": "^1.5", - "guzzlehttp/psr7": "^1.8.3 || ^2.1", + "guzzlehttp/psr7": "^1.9 || ^2.4", "php": "^7.2.5 || ^8.0", "psr/http-client": "^1.0", "symfony/deprecation-contracts": "^2.2 || ^3.0" @@ -1302,7 +1302,7 @@ "ext-intl": "Required for Internationalized Domain Name (IDN) support", "psr/log": "Required for using the Log middleware" }, - "time": "2022-06-09T21:39:15+00:00", + "time": "2022-06-20T22:16:13+00:00", "type": "library", "extra": { "branch-alias": { @@ -1373,7 +1373,7 @@ ], "support": { "issues": "https://github.com/guzzle/guzzle/issues", - "source": "https://github.com/guzzle/guzzle/tree/7.4.4" + "source": "https://github.com/guzzle/guzzle/tree/7.4.5" }, "funding": [ { 
@@ -1480,17 +1480,17 @@ }, { "name": "guzzlehttp/psr7", - "version": "1.8.5", - "version_normalized": "1.8.5.0", + "version": "1.9.0", + "version_normalized": "1.9.0.0", "source": { "type": "git", "url": "https://github.com/guzzle/psr7.git", - "reference": "337e3ad8e5716c15f9657bd214d16cc5e69df268" + "reference": "e98e3e6d4f86621a9b75f623996e6bbdeb4b9318" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/guzzle/psr7/zipball/337e3ad8e5716c15f9657bd214d16cc5e69df268", - "reference": "337e3ad8e5716c15f9657bd214d16cc5e69df268", + "url": "https://api.github.com/repos/guzzle/psr7/zipball/e98e3e6d4f86621a9b75f623996e6bbdeb4b9318", + "reference": "e98e3e6d4f86621a9b75f623996e6bbdeb4b9318", "shasum": "" }, "require": { @@ -1508,11 +1508,11 @@ "suggest": { "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses" }, - "time": "2022-03-20T21:51:18+00:00", + "time": "2022-06-20T21:43:03+00:00", "type": "library", "extra": { "branch-alias": { - "dev-master": "1.7-dev" + "dev-master": "1.9-dev" } }, "installation-source": "dist", @@ -1573,7 +1573,7 @@ ], "support": { "issues": "https://github.com/guzzle/psr7/issues", - "source": "https://github.com/guzzle/psr7/tree/1.8.5" + "source": "https://github.com/guzzle/psr7/tree/1.9.0" }, "funding": [ { diff --git a/composer/installed.php b/composer/installed.php index 3de8328c..ba7cb887 100644 --- a/composer/installed.php +++ b/composer/installed.php @@ -1,9 +1,9 @@ <?php return array( 'root' => array( 'name' => 'nextcloud/3rdparty', - 'pretty_version' => '1.0.0+no-version-set', - 'version' => '1.0.0.0', - 'reference' => NULL, + 'pretty_version' => 'dev-master', + 'version' => 'dev-master', + 'reference' => 'e7734546c48c106a9d22730073024bad3de3a7b6', 'type' => 'library', 'install_path' => __DIR__ . '/../', 'aliases' => array(), 
@@ -173,9 +173,9 @@ 'dev_requirement' => false, ), 'guzzlehttp/guzzle' => array( - 'pretty_version' => '7.4.4', - 'version' => '7.4.4.0', - 'reference' => 'e3ff079b22820c2029d4c2a87796b6a0b8716ad8', + 'pretty_version' => '7.4.5', + 'version' => '7.4.5.0', + 'reference' => '1dd98b0564cb3f6bd16ce683cb755f94c10fbd82', 'type' => 'library', 'install_path' => __DIR__ . '/../guzzlehttp/guzzle', 'aliases' => array(), @@ -191,9 +191,9 @@ 'dev_requirement' => false, ), 'guzzlehttp/psr7' => array( - 'pretty_version' => '1.8.5', - 'version' => '1.8.5.0', - 'reference' => '337e3ad8e5716c15f9657bd214d16cc5e69df268', + 'pretty_version' => '1.9.0', + 'version' => '1.9.0.0', + 'reference' => 'e98e3e6d4f86621a9b75f623996e6bbdeb4b9318', 'type' => 'library', 'install_path' => __DIR__ . '/../guzzlehttp/psr7', 'aliases' => array(), @@ -299,9 +299,9 @@ 'dev_requirement' => false, ), 'nextcloud/3rdparty' => array( - 'pretty_version' => '1.0.0+no-version-set', - 'version' => '1.0.0.0', - 'reference' => NULL, + 'pretty_version' => 'dev-master', + 'version' => 'dev-master', + 'reference' => 'e7734546c48c106a9d22730073024bad3de3a7b6', 'type' => 'library', 'install_path' => __DIR__ . '/../', 'aliases' => array(), diff --git a/guzzlehttp/guzzle/src/RedirectMiddleware.php b/guzzlehttp/guzzle/src/RedirectMiddleware.php index cedad4e7..f67d448b 100644 --- a/guzzlehttp/guzzle/src/RedirectMiddleware.php +++ b/guzzlehttp/guzzle/src/RedirectMiddleware.php 
@@ -88,10 +88,8 @@ class RedirectMiddleware $this->guardMax($request, $response, $options); $nextRequest = $this->modifyRequest($request, $options, $response); - // If authorization is handled by curl, unset it if host is different. - if ($request->getUri()->getHost() !== $nextRequest->getUri()->getHost() - && defined('\CURLOPT_HTTPAUTH') - ) { + // If authorization is handled by curl, unset it if URI is cross-origin. + if (Psr7\UriComparator::isCrossOrigin($request->getUri(), $nextRequest->getUri()) && defined('\CURLOPT_HTTPAUTH')) { unset( $options['curl'][\CURLOPT_HTTPAUTH], $options['curl'][\CURLOPT_USERPWD] @@ -198,8 +196,8 @@ class RedirectMiddleware $modify['remove_headers'][] = 'Referer'; } - // Remove Authorization and Cookie headers if required. - if (self::shouldStripSensitiveHeaders($request->getUri(), $modify['uri'])) { + // Remove Authorization and Cookie headers if URI is cross-origin. + if (Psr7\UriComparator::isCrossOrigin($request->getUri(), $modify['uri'])) { $modify['remove_headers'][] = 'Authorization'; $modify['remove_headers'][] = 'Cookie'; } @@ -208,29 +206,6 @@ class RedirectMiddleware } /** - * Determine if we should strip sensitive headers from the request. - * - * We return true if either of the following conditions are true: - * - * 1. the host is different; - * 2. the scheme has changed, and now is non-https. - */ - private static function shouldStripSensitiveHeaders( - UriInterface $originalUri, - UriInterface $modifiedUri - ): bool { - if (\strcasecmp($originalUri->getHost(), $modifiedUri->getHost()) !== 0) { - return true; - } - - if ($originalUri->getScheme() !== $modifiedUri->getScheme() && 'https' !== $modifiedUri->getScheme()) { - return true; - } - - return false; - } - - /** * Set the appropriate URL on the request based on the location header. */ private static function redirectUri( diff --git a/guzzlehttp/psr7/CHANGELOG.md b/guzzlehttp/psr7/CHANGELOG.md index f177f583..b4fdf3c6 100644 --- a/guzzlehttp/psr7/CHANGELOG.md 
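Review bot: The new call-site comments in both hunks say only "if URI is cross-origin", while the removed `shouldStripSensitiveHeaders` docblock spelled out the rule; since `Psr7\UriComparator::isCrossOrigin` also treats a port change and any scheme change (including a same-host http→https upgrade) as cross-origin, this is stricter than the old "host differs, or scheme changed to non-https" test, and callers who relied on Authorization or the curl credentials surviving a same-host https upgrade will see them dropped now. Recording that at the second hunk would spare the next reader a trip into the psr7 package, e.g. `// Strip Authorization and Cookie whenever scheme, host or effective port differ (see Psr7\UriComparator::isCrossOrigin).` Both enclosing methods start outside their hunks.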
+++ b/guzzlehttp/psr7/CHANGELOG.md @@ -3,12 +3,18 @@ All notable changes to this project will be documented in this file. -The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) -and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## Unreleased +## 1.9.0 - 2022-06-20 + +### Added + +- Added `UriComparator::isCrossOrigin` method + ## 1.8.5 - 2022-03-20 ### Fixed diff --git a/guzzlehttp/psr7/README.md b/guzzlehttp/psr7/README.md index 464cae4f..64776cb6 100644 --- a/guzzlehttp/psr7/README.md +++ b/guzzlehttp/psr7/README.md @@ -1,6 +1,6 @@ # PSR-7 Message Implementation -This repository contains a full [PSR-7](http://www.php-fig.org/psr/psr-7/) +This repository contains a full [PSR-7](https://www.php-fig.org/psr/psr-7/) message implementation, several stream decorators, and some helpful functionality like query string parsing. @@ -659,7 +659,7 @@ manually but instead is used indirectly via `Psr\Http\Message\UriInterface::__to `public static function fromParts(array $parts): UriInterface` -Creates a URI from a hash of [`parse_url`](http://php.net/manual/en/function.parse-url.php) components. +Creates a URI from a hash of [`parse_url`](https://www.php.net/manual/en/function.parse-url.php) components. ### `GuzzleHttp\Psr7\Uri::withQueryValue` 
@@ -684,6 +684,16 @@ associative array of key => value. Creates a new URI with a specific query string value removed. Any existing query string values that exactly match the provided key are removed. +## Cross-Origin Detection + +`GuzzleHttp\Psr7\UriComparator` provides methods to determine if a modified URL should be considered cross-origin. + +### `GuzzleHttp\Psr7\UriComparator::isCrossOrigin` + +`public static function isCrossOrigin(UriInterface $original, UriInterface $modified): bool` + +Determines if a modified URL should be considered cross-origin with respect to an original URL. + ## Reference Resolution `GuzzleHttp\Psr7\UriResolver` provides methods to resolve a URI reference in the context of a base URI according @@ -809,14 +819,24 @@ This of course assumes they will be resolved against the same base URI. If this equivalence or difference of relative references does not mean anything. +## Version Guidance + +| Version | Status | PHP Version | +|---------|----------------|------------------| +| 1.x | Security fixes | >=5.4,<8.1 | +| 2.x | Latest | ^7.2.5 \|\| ^8.0 | + + ## Security If you discover a security vulnerability within this package, please send an email to security@tidelift.com. All security vulnerabilities will be promptly addressed. Please do not disclose security-related issues publicly until a fix has been announced. Please see [Security Policy](https://github.com/guzzle/psr7/security/policy) for more information. + ## License Guzzle is made available under the MIT License (MIT). Please see [License File](LICENSE) for more information. + ## For Enterprise Available as part of the Tidelift Subscription diff --git a/guzzlehttp/psr7/composer.json b/guzzlehttp/psr7/composer.json index 7ecdc8ba..0e36920d 100644 --- a/guzzlehttp/psr7/composer.json +++ b/guzzlehttp/psr7/composer.json @@ -63,7 +63,7 @@ }, "extra": { "branch-alias": { - "dev-master": "1.7-dev" + "dev-master": "1.9-dev" } }, "config": { 
diff --git a/guzzlehttp/psr7/src/UriComparator.php b/guzzlehttp/psr7/src/UriComparator.php
new file mode 100644
index 00000000..ccf51ffb
--- /dev/null
+++ b/guzzlehttp/psr7/src/UriComparator.php
@@ -0,0 +1,55 @@
+<?php
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\UriInterface;
+
+/**
+ * Provides methods to determine if a modified URL should be considered cross-origin.
+ *
+ * @author Graham Campbell
+ */
+final class UriComparator
+{
+ /**
+ * Determines if a modified URL should be considered cross-origin with
+ * respect to an original URL.
+ *
+ * @return bool
+ */
+ public static function isCrossOrigin(UriInterface $original, UriInterface $modified)
+ {
+ if (\strcasecmp($original->getHost(), $modified->getHost()) !== 0) {
+ return true;
+ }
+
+ if ($original->getScheme() !== $modified->getScheme()) {
+ return true;
+ }
+
+ if (self::computePort($original) !== self::computePort($modified)) {
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * @return int
+ */
+ private static function computePort(UriInterface $uri)
+ {
+ $port = $uri->getPort();
+
+ if (null !== $port) {
+ return $port;
+ }
+
+ return 'https' === $uri->getScheme() ? 443 : 80;
+ }
+
+ private function __construct()
+ {
+ // cannot be instantiated
+ }
+} |
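Review bot: The `isCrossOrigin` docblock never defines "origin", so a reader has to reverse-engineer the rule from the three checks in the body; a one-sentence definition would fix that, e.g. `Two URIs share an origin when their schemes are identical, their hosts match case-insensitively, and their effective ports (explicit, else 443 for https and 80 otherwise) are equal; anything else is cross-origin.` In `computePort` the `80` fallback is applied to every non-https scheme, which is only correct because the scheme comparison in `isCrossOrigin` returns before the port comparison runs; that coupling deserves a comment, e.g. `// Any non-https scheme defaults to 80; callers compare ports only after schemes are known to match.` The native `: bool` and `: int` return types are omitted, presumably because the 1.x branch still supports the older PHP versions listed in the README hunk, so the `@return` tags are carrying that information and should stay.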