🔒 Update guzzlehttp/guzzle

2026-05-19 15:22:17 +02:00 · 2022-06-28 15:13:04 +02:00
parent a0f28a9098
commit 2392f4a902
21 changed files with 194 additions and 119 deletions
--- a/lib/guzzlehttp/guzzle/src/RedirectMiddleware.php
+++ b/lib/guzzlehttp/guzzle/src/RedirectMiddleware.php
@@ -94,6 +94,14 @@ class RedirectMiddleware
        $this->guardMax($request, $options);
        $nextRequest = $this->modifyRequest($request, $options, $response);

+        // If authorization is handled by curl, unset it if URI is cross-origin.
+        if (Psr7\UriComparator::isCrossOrigin($request->getUri(), $nextRequest->getUri()) && defined('\CURLOPT_HTTPAUTH')) {
+            unset(
+                $options['curl'][\CURLOPT_HTTPAUTH],
+                $options['curl'][\CURLOPT_USERPWD]
+            );
+        }
+
        if (isset($options['allow_redirects']['on_redirect'])) {
            call_user_func(
                $options['allow_redirects']['on_redirect'],
@@ -210,8 +218,8 @@ class RedirectMiddleware
            $modify['remove_headers'][] = 'Referer';
        }

-        // Remove Authorization and Cookie headers if required.
-        if (self::shouldStripSensitiveHeaders($request->getUri(), $modify['uri'])) {
+        // Remove Authorization and Cookie headers if URI is cross-origin.
+        if (Psr7\UriComparator::isCrossOrigin($request->getUri(), $modify['uri'])) {
            $modify['remove_headers'][] = 'Authorization';
            $modify['remove_headers'][] = 'Cookie';
        }
@@ -219,31 +227,6 @@ class RedirectMiddleware
        return Psr7\modify_request($request, $modify);
    }

-    /**
-     * Determine if we should strip sensitive headers from the request.
-     *
-     * We return true if either of the following conditions are true:
-     *
-     * 1. the host is different;
-     * 2. the scheme has changed, and now is non-https.
-     *
-     * @return bool
-     */
-    private static function shouldStripSensitiveHeaders(
-        UriInterface $originalUri,
-        UriInterface $modifiedUri
-    ) {
-        if (strcasecmp($originalUri->getHost(), $modifiedUri->getHost()) !== 0) {
-            return true;
-        }
-
-        if ($originalUri->getScheme() !== $modifiedUri->getScheme() && 'https' !== $modifiedUri->getScheme()) {
-            return true;
-        }
-
-        return false;
-    }
-
    /**
     * Set the appropriate URL on the request based on the location header.
     *