🔒 Update guzzlehttp/guzzle

2026-04-24 02:58:43 +02:00 · 2022-06-28 15:13:04 +02:00
parent a0f28a9098
commit 2392f4a902
21 changed files with 194 additions and 119 deletions
--- a/lib/guzzlehttp/guzzle/CHANGELOG.md
+++ b/lib/guzzlehttp/guzzle/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Change Log

+## 6.5.8 - 2022-06-20
+
+* Fix change in port should be considered a change in origin
+* Fix `CURLOPT_HTTPAUTH` option not cleared on change of origin
+
 ## 6.5.7 - 2022-06-09

 * Fix failure to strip Authorization header on HTTP downgrade
--- a/lib/guzzlehttp/guzzle/README.md
+++ b/lib/guzzlehttp/guzzle/README.md
@@ -1,5 +1,6 @@
-Guzzle, PHP HTTP client
-=======================
+![Guzzle](.github/logo.png?raw=true)
+
+# Guzzle, PHP HTTP client

 [![Latest Version](https://img.shields.io/github/release/guzzle/guzzle.svg?style=flat-square)](https://github.com/guzzle/guzzle/releases)
 [![Build Status](https://img.shields.io/github/workflow/status/guzzle/guzzle/CI?label=ci%20build&style=flat-square)](https://github.com/guzzle/guzzle/actions?query=workflow%3ACI)
@@ -38,15 +39,18 @@ $promise->wait();

 ## Help and docs

- [Documentation](http://guzzlephp.org/)
- [Stack Overflow](http://stackoverflow.com/questions/tagged/guzzle)
+We use GitHub issues only to discuss bugs and new features. For support please refer to:
+
+- [Documentation](https://docs.guzzlephp.org)
+- [Stack Overflow](https://stackoverflow.com/questions/tagged/guzzle)
+- [#guzzle](https://app.slack.com/client/T0D2S9JCT/CE6UAAKL4) channel on [PHP-HTTP Slack](https://slack.httplug.io/)
 - [Gitter](https://gitter.im/guzzle/guzzle)


 ## Installing Guzzle

 The recommended way to install Guzzle is through
-[Composer](http://getcomposer.org).
+[Composer](https://getcomposer.org/).

 ```bash
 # Install Composer
@@ -87,7 +91,7 @@ composer update
 [guzzle-5-repo]: https://github.com/guzzle/guzzle/tree/5.3
 [guzzle-6-repo]: https://github.com/guzzle/guzzle/tree/6.5
 [guzzle-7-repo]: https://github.com/guzzle/guzzle
-[guzzle-3-docs]: http://guzzle3.readthedocs.org
-[guzzle-5-docs]: http://docs.guzzlephp.org/en/5.3/
-[guzzle-6-docs]: http://docs.guzzlephp.org/en/6.5/
-[guzzle-7-docs]: http://docs.guzzlephp.org/en/latest/
+[guzzle-3-docs]: https://guzzle3.readthedocs.io/
+[guzzle-5-docs]: https://docs.guzzlephp.org/en/5.3/
+[guzzle-6-docs]: https://docs.guzzlephp.org/en/6.5/
+[guzzle-7-docs]: https://docs.guzzlephp.org/en/latest/
--- a/lib/guzzlehttp/guzzle/composer.json
+++ b/lib/guzzlehttp/guzzle/composer.json
@@ -53,9 +53,9 @@
    "require": {
        "php": ">=5.5",
        "ext-json": "*",
-        "symfony/polyfill-intl-idn": "^1.17.0",
+        "symfony/polyfill-intl-idn": "^1.17",
        "guzzlehttp/promises": "^1.0",
-        "guzzlehttp/psr7": "^1.6.1"
+        "guzzlehttp/psr7": "^1.9"
    },
    "require-dev": {
        "ext-curl": "*",
@@ -66,7 +66,10 @@
        "psr/log": "Required for using the Log middleware"
    },
    "config": {
-        "sort-packages": true
+        "sort-packages": true,
+        "allow-plugins": {
+            "bamarni/composer-bin-plugin": true
+        }
    },
    "extra": {
        "branch-alias": {
--- a/lib/guzzlehttp/guzzle/src/RedirectMiddleware.php
+++ b/lib/guzzlehttp/guzzle/src/RedirectMiddleware.php
@@ -94,6 +94,14 @@ class RedirectMiddleware
        $this->guardMax($request, $options);
        $nextRequest = $this->modifyRequest($request, $options, $response);

+        // If authorization is handled by curl, unset it if URI is cross-origin.
+        if (Psr7\UriComparator::isCrossOrigin($request->getUri(), $nextRequest->getUri()) && defined('\CURLOPT_HTTPAUTH')) {
+            unset(
+                $options['curl'][\CURLOPT_HTTPAUTH],
+                $options['curl'][\CURLOPT_USERPWD]
+            );
+        }
+
        if (isset($options['allow_redirects']['on_redirect'])) {
            call_user_func(
                $options['allow_redirects']['on_redirect'],
@@ -210,8 +218,8 @@ class RedirectMiddleware
            $modify['remove_headers'][] = 'Referer';
        }

-        // Remove Authorization and Cookie headers if required.
-        if (self::shouldStripSensitiveHeaders($request->getUri(), $modify['uri'])) {
+        // Remove Authorization and Cookie headers if URI is cross-origin.
+        if (Psr7\UriComparator::isCrossOrigin($request->getUri(), $modify['uri'])) {
            $modify['remove_headers'][] = 'Authorization';
            $modify['remove_headers'][] = 'Cookie';
        }
@@ -219,31 +227,6 @@ class RedirectMiddleware
        return Psr7\modify_request($request, $modify);
    }

-    /**
-     * Determine if we should strip sensitive headers from the request.
-     *
-     * We return true if either of the following conditions are true:
-     *
-     * 1. the host is different;
-     * 2. the scheme has changed, and now is non-https.
-     *
-     * @return bool
-     */
-    private static function shouldStripSensitiveHeaders(
-        UriInterface $originalUri,
-        UriInterface $modifiedUri
-    ) {
-        if (strcasecmp($originalUri->getHost(), $modifiedUri->getHost()) !== 0) {
-            return true;
-        }
-
-        if ($originalUri->getScheme() !== $modifiedUri->getScheme() && 'https' !== $modifiedUri->getScheme()) {
-            return true;
-        }
-
-        return false;
-    }
-
    /**
     * Set the appropriate URL on the request based on the location header.
     *
--- a/lib/guzzlehttp/psr7/CHANGELOG.md
+++ b/lib/guzzlehttp/psr7/CHANGELOG.md
@@ -3,12 +3,18 @@

 All notable changes to this project will be documented in this file.

-The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
-and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).


 ## Unreleased

+## 1.9.0 - 2022-06-20
+
+### Added
+
+- Added `UriComparator::isCrossOrigin` method
+
 ## 1.8.5 - 2022-03-20

 ### Fixed
--- a/lib/guzzlehttp/psr7/README.md
+++ b/lib/guzzlehttp/psr7/README.md
@@ -1,6 +1,6 @@
 # PSR-7 Message Implementation

-This repository contains a full [PSR-7](http://www.php-fig.org/psr/psr-7/)
+This repository contains a full [PSR-7](https://www.php-fig.org/psr/psr-7/)
 message implementation, several stream decorators, and some helpful
 functionality like query string parsing.

@@ -659,7 +659,7 @@ manually but instead is used indirectly via `Psr\Http\Message\UriInterface::__to

 `public static function fromParts(array $parts): UriInterface`

-Creates a URI from a hash of [`parse_url`](http://php.net/manual/en/function.parse-url.php) components.
+Creates a URI from a hash of [`parse_url`](https://www.php.net/manual/en/function.parse-url.php) components.


 ### `GuzzleHttp\Psr7\Uri::withQueryValue`
@@ -684,6 +684,16 @@ associative array of key => value.
 Creates a new URI with a specific query string value removed. Any existing query string values that exactly match the
 provided key are removed.

+## Cross-Origin Detection
+
+`GuzzleHttp\Psr7\UriComparator` provides methods to determine if a modified URL should be considered cross-origin.
+
+### `GuzzleHttp\Psr7\UriComparator::isCrossOrigin`
+
+`public static function isCrossOrigin(UriInterface $original, UriInterface $modified): bool`
+
+Determines if a modified URL should be considered cross-origin with respect to an original URL.
+
 ## Reference Resolution

 `GuzzleHttp\Psr7\UriResolver` provides methods to resolve a URI reference in the context of a base URI according
@@ -809,14 +819,24 @@ This of course assumes they will be resolved against the same base URI. If this
 equivalence or difference of relative references does not mean anything.


+## Version Guidance
+
+| Version | Status         | PHP Version      |
+|---------|----------------|------------------|
+| 1.x     | Security fixes | >=5.4,<8.1       |
+| 2.x     | Latest         | ^7.2.5 \|\| ^8.0 |
+
+
 ## Security

 If you discover a security vulnerability within this package, please send an email to security@tidelift.com. All security vulnerabilities will be promptly addressed. Please do not disclose security-related issues publicly until a fix has been announced. Please see [Security Policy](https://github.com/guzzle/psr7/security/policy) for more information.

+
 ## License

 Guzzle is made available under the MIT License (MIT). Please see [License File](LICENSE) for more information.

+
 ## For Enterprise

 Available as part of the Tidelift Subscription
--- a/lib/guzzlehttp/psr7/composer.json
+++ b/lib/guzzlehttp/psr7/composer.json
@@ -63,7 +63,7 @@
    },
    "extra": {
        "branch-alias": {
-            "dev-master": "1.7-dev"
+            "dev-master": "1.9-dev"
        }
    },
    "config": {
--- a/lib/guzzlehttp/psr7/src/UriComparator.php
+++ b/lib/guzzlehttp/psr7/src/UriComparator.php
@@ -0,0 +1,55 @@
+<?php
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\UriInterface;
+
+/**
+ * Provides methods to determine if a modified URL should be considered cross-origin.
+ *
+ * @author Graham Campbell
+ */
+final class UriComparator
+{
+    /**
+     * Determines if a modified URL should be considered cross-origin with
+     * respect to an original URL.
+     *
+     * @return bool
+     */
+    public static function isCrossOrigin(UriInterface $original, UriInterface $modified)
+    {
+        if (\strcasecmp($original->getHost(), $modified->getHost()) !== 0) {
+            return true;
+        }
+
+        if ($original->getScheme() !== $modified->getScheme()) {
+            return true;
+        }
+
+        if (self::computePort($original) !== self::computePort($modified)) {
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * @return int
+     */
+    private static function computePort(UriInterface $uri)
+    {
+        $port = $uri->getPort();
+
+        if (null !== $port) {
+            return $port;
+        }
+
+        return 'https' === $uri->getScheme() ? 443 : 80;
+    }
+
+    private function __construct()
+    {
+        // cannot be instantiated
+    }
+}