
PSR-7 Integration Tests Failing #74

Closed
l0gicgate opened this issue Sep 23, 2021 · 2 comments · Fixed by php-http/psr7-integration-tests#54 or #128
Assignees: weierophinney
Labels: Bug (Something isn't working)
Milestone: 2.23.0

Comments

@l0gicgate opened this issue Sep 23, 2021

Bug Report

The library is currently failing a UriIntegrationTest
https://github.com/php-http/psr7-integration-tests

Version(s): 2.8

Summary

[screenshot of the failing UriIntegrationTest run]

Current behavior

Fails the tests

How to reproduce

Run PSR-7 Integration Tests against this library

Expected behavior

Pass the tests

@l0gicgate l0gicgate added the Bug Something isn't working label Sep 23, 2021
@boesing (Member) commented Sep 23, 2021

weierophinney added a commit to weierophinney/psr7-integration-tests that referenced this issue Jul 28, 2022
Per an [issue created for Diactoros](laminas/laminas-diactoros#74), its [related pull request](laminas/laminas-diactoros#77), and the discussion on that pull request, this patch does the following:

- It modifies `testPathWithMultipleSlashes()` to only validate that multiple slashes _not at the beginning_ of a path are retained intact.
- It adds `testProperlyTrimsLeadingSlashesToPreventXSS()`, which validates that when multiple leading slashes are present in a path, they are reduced to a single slash.

This approach is done to mitigate [ZF2015-05](https://framework.zend.com/security/advisory/ZF2015-05.html) which was also reported as [CVE-2015-3257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3257).
While RFC 3986 allows for multiple slashes anywhere in the path, when security conflicts with a specification, security concerns win.
Without the mitigation, an implementation is vulnerable to XSS and open redirects if only the path portion of a URI is used within HTML content (common!) or within headers (also common).

Signed-off-by: Matthew Weier O'Phinney <matthew@weierophinney.net>
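The mitigation the commit message describes, as an added example that is not part of psr7-integration-tests or Diactoros. It is written in JavaScript rather than PHP because Node's `URL` class implements the same WHATWG URL parser browsers use, so it shows exactly where a browser goes when a path that begins with `//` is emitted in an href or a `Location` header. The sample paths and the origin `https://app.example/` are constructed for the demonstration, and `collapseLeadingSlashes` is a hypothetical normalizer that does what `testProperlyTrimsLeadingSlashesToPreventXSS()` expects, not Diactoros's own implementation.

```javascript
// Constructed sample paths. The first two have the shape behind
// ZF2015-05 / CVE-2015-3257: a path that begins with "//" reads as a
// protocol-relative URL once it lands in an href or a Location header.
// The third has a run of slashes in the interior, which RFC 3986 permits
// and which the amended testPathWithMultipleSlashes() expects to survive.
const SAMPLE_PATHS = [
  "//evil.example/login",
  "///evil.example/login",
  "/foo//bar",
];

// Hypothetical normalizer (not Diactoros's code): reduce a run of leading
// slashes to exactly one and leave interior runs untouched, which is the
// behaviour testProperlyTrimsLeadingSlashesToPreventXSS() checks for.
function collapseLeadingSlashes(path) {
  return path.replace(/^\/{2,}/, "/");
}

// Host a browser would contact if `path` were emitted as an href on a page
// served from `base`, or as a Location header on a response to `base`.
// Node's URL class implements the WHATWG URL parser browsers use: "//" starts
// an authority, and any extra leading slashes before it are ignored, so
// "///evil.example/login" resolves to evil.example as well.
function resolvedHost(base, path) {
  return new URL(path, base).host;
}

// Compare where an attacker-controlled path sends the browser before and
// after normalization.
function compare(base, path) {
  const normalizedPath = collapseLeadingSlashes(path);
  return {
    raw: resolvedHost(base, path),
    normalizedPath,
    normalized: resolvedHost(base, normalizedPath),
  };
}

const BASE = "https://app.example/"; // constructed origin for the demo
for (const path of SAMPLE_PATHS) {
  const r = compare(BASE, path);
  console.log(
    `${path.padEnd(22)} raw -> ${r.raw.padEnd(13)} ` +
      `normalized ${r.normalizedPath.padEnd(20)} -> ${r.normalized}`,
  );
}
```

Run it with `node`. The raw column shows both `//evil.example/login` and `///evil.example/login` leaving the origin, which is the open redirect / XSS vector when only the path is reflected; after normalization both stay on `app.example`, while `/foo//bar` is passed through unchanged, which is the RFC 3986 behaviour the amended `testPathWithMultipleSlashes()` still asserts.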
@weierophinney weierophinney self-assigned this Dec 14, 2022
@weierophinney weierophinney added this to the 2.23.0 milestone Dec 14, 2022
@weierophinney (Member) commented

See #128 for a fix.

@weierophinney weierophinney linked a pull request Dec 14, 2022 that will close this issue