.github/workflows/ci.yml

@@ -6,7 +6,7 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       max-parallel: 10
       matrix:
@@ -21,11 +21,7 @@ jobs:
           extensions: mbstring
 
       - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Mimic PHP 8.0
-        run: composer config platform.php 8.0.999
-        if: matrix.php > 8
+        uses: actions/checkout@v3
 
       - name: Install dependencies
         run: composer update --no-interaction --no-progress

.github/workflows/integration.yml

@@ -4,14 +4,13 @@ on:
   pull_request:
 
 jobs:
-
   build:
     name: Test
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       max-parallel: 10
       matrix:
-        php: ['7.2', '7.3', '7.4', '8.0']
+        php: ['7.2', '7.3', '7.4', '8.0', '8.1']
 
     steps:
       - name: Set up PHP
@@ -21,7 +20,7 @@ jobs:
           coverage: none
 
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Download dependencies
         uses: ramsey/composer-install@v1

.github/workflows/static.yml

@@ -6,11 +6,11 @@ on:
 jobs:
   php-cs-fixer:
     name: PHP-CS-Fixer
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Setup PHP
         uses: shivammathur/setup-php@v2

CHANGELOG.md

@@ -3,12 +3,36 @@
 
 All notable changes to this project will be documented in this file.
 
-The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
-and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
 ## Unreleased
 
+## 1.9.1 - 2023-04-17
+
+### Fixed
+
+- Fixed header validation issue
+
+## 1.9.0 - 2022-06-20
+
+### Added
+
+- Added `UriComparator::isCrossOrigin` method
+
+## 1.8.5 - 2022-03-20
+
+### Fixed
+
+- Correct header value validation
+
+## 1.8.4 - 2022-03-20
+
+### Fixed
+
+- Validate header values properly
+
 ## 1.8.3 - 2021-10-05
 
 ### Fixed

README.md

@@ -1,6 +1,6 @@
 # PSR-7 Message Implementation
 
-This repository contains a full [PSR-7](http://www.php-fig.org/psr/psr-7/)
+This repository contains a full [PSR-7](https://www.php-fig.org/psr/psr-7/)
 message implementation, several stream decorators, and some helpful
 functionality like query string parsing.
 
@@ -659,7 +659,7 @@ manually but instead is used indirectly via `Psr\Http\Message\UriInterface::__to
 
 `public static function fromParts(array $parts): UriInterface`
 
-Creates a URI from a hash of [`parse_url`](http://php.net/manual/en/function.parse-url.php) components.
+Creates a URI from a hash of [`parse_url`](https://www.php.net/manual/en/function.parse-url.php) components.
 
 
 ### `GuzzleHttp\Psr7\Uri::withQueryValue`
@@ -684,6 +684,16 @@ associative array of key => value.
 Creates a new URI with a specific query string value removed. Any existing query string values that exactly match the
 provided key are removed.
 
+## Cross-Origin Detection
+
+`GuzzleHttp\Psr7\UriComparator` provides methods to determine if a modified URL should be considered cross-origin.
+
+### `GuzzleHttp\Psr7\UriComparator::isCrossOrigin`
+
+`public static function isCrossOrigin(UriInterface $original, UriInterface $modified): bool`
+
+Determines if a modified URL should be considered cross-origin with respect to an original URL.
+
 ## Reference Resolution
 
 `GuzzleHttp\Psr7\UriResolver` provides methods to resolve a URI reference in the context of a base URI according
@@ -809,14 +819,24 @@ This of course assumes they will be resolved against the same base URI. If this
 equivalence or difference of relative references does not mean anything.
 
 
+## Version Guidance
+
+| Version | Status         | PHP Version      |
+|---------|----------------|------------------|
+| 1.x     | Security fixes | >=5.4,<8.1       |
+| 2.x     | Latest         | ^7.2.5 \|\| ^8.0 |
+
+
 ## Security
 
 If you discover a security vulnerability within this package, please send an email to security@tidelift.com. All security vulnerabilities will be promptly addressed. Please do not disclose security-related issues publicly until a fix has been announced. Please see [Security Policy](https://github.com/guzzle/psr7/security/policy) for more information.
 
+
 ## License
 
 Guzzle is made available under the MIT License (MIT). Please see [License File](LICENSE) for more information.
 
+
 ## For Enterprise
 
 Available as part of the Tidelift Subscription

composer.json

@@ -61,13 +61,11 @@
             "GuzzleHttp\\Tests\\Psr7\\": "tests/"
         }
     },
-    "extra": {
-        "branch-alias": {
-            "dev-master": "1.7-dev"
-        }
-    },
     "config": {
         "preferred-install": "dist",
-        "sort-packages": true
+        "sort-packages": true,
+        "allow-plugins": {
+            "bamarni/composer-bin-plugin": true
+        }
     }
 }

src/MessageTrait.php

@@ -157,17 +157,22 @@ private function setHeaders(array $headers)
         }
     }
 
+    /**
+     * @param mixed $value
+     *
+     * @return string[]
+     */
     private function normalizeHeaderValue($value)
     {
         if (!is_array($value)) {
-            return $this->trimHeaderValues([$value]);
+            return $this->trimAndValidateHeaderValues([$value]);
         }
 
         if (count($value) === 0) {
             throw new \InvalidArgumentException('Header value can not be an empty array.');
         }
 
-        return $this->trimHeaderValues($value);
+        return $this->trimAndValidateHeaderValues($value);
     }
 
     /**
@@ -178,13 +183,13 @@ private function normalizeHeaderValue($value)
      * header-field = field-name ":" OWS field-value OWS
      * OWS          = *( SP / HTAB )
      *
-     * @param string[] $values Header values
+     * @param mixed[] $values Header values
      *
      * @return string[] Trimmed header values
      *
      * @see https://tools.ietf.org/html/rfc7230#section-3.2.4
      */
-    private function trimHeaderValues(array $values)
+    private function trimAndValidateHeaderValues(array $values)
     {
         return array_map(function ($value) {
             if (!is_scalar($value) && null !== $value) {
@@ -194,10 +199,20 @@ private function trimHeaderValues(array $values)
                 ));
             }
 
-            return trim((string) $value, " \t");
+            $trimmed = trim((string) $value, " \t");
+            $this->assertValue($trimmed);
+
+            return $trimmed;
         }, array_values($values));
     }
 
+    /**
+     * @see https://tools.ietf.org/html/rfc7230#section-3.2
+     *
+     * @param mixed $header
+     *
+     * @return void
+     */
     private function assertHeader($header)
     {
         if (!is_string($header)) {
@@ -210,5 +225,45 @@ private function assertHeader($header)
         if ($header === '') {
             throw new \InvalidArgumentException('Header name can not be empty.');
         }
+
+        if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/D', $header)) {
+            throw new \InvalidArgumentException(
+                sprintf('"%s" is not valid header name.', $header)
+            );
+        }
+    }
+
+    /**
+     * @param string $value
+     *
+     * @return void
+     *
+     * @see https://tools.ietf.org/html/rfc7230#section-3.2
+     *
+     * field-value    = *( field-content / obs-fold )
+     * field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+     * field-vchar    = VCHAR / obs-text
+     * VCHAR          = %x21-7E
+     * obs-text       = %x80-FF
+     * obs-fold       = CRLF 1*( SP / HTAB )
+     */
+    private function assertValue($value)
+    {
+        // The regular expression intentionally does not support the obs-fold production, because as
+        // per RFC 7230#3.2.4:
+        //
+        // A sender MUST NOT generate a message that includes
+        // line folding (i.e., that has any field-value that contains a match to
+        // the obs-fold rule) unless the message is intended for packaging
+        // within the message/http media type.
+        //
+        // Clients must not send a request with line folding and a server sending folded headers is
+        // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
+        // folding is not likely to break any legitimate use case.
+        if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value)) {
+            throw new \InvalidArgumentException(
+                sprintf('"%s" is not valid header value.', $value)
+            );
+        }
     }
 }

src/UriComparator.php

@@ -0,0 +1,55 @@
+<?php
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\UriInterface;
+
+/**
+ * Provides methods to determine if a modified URL should be considered cross-origin.
+ *
+ * @author Graham Campbell
+ */
+final class UriComparator
+{
+    /**
+     * Determines if a modified URL should be considered cross-origin with
+     * respect to an original URL.
+     *
+     * @return bool
+     */
+    public static function isCrossOrigin(UriInterface $original, UriInterface $modified)
+    {
+        if (\strcasecmp($original->getHost(), $modified->getHost()) !== 0) {
+            return true;
+        }
+
+        if ($original->getScheme() !== $modified->getScheme()) {
+            return true;
+        }
+
+        if (self::computePort($original) !== self::computePort($modified)) {
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * @return int
+     */
+    private static function computePort(UriInterface $uri)
+    {
+        $port = $uri->getPort();
+
+        if (null !== $port) {
+            return $port;
+        }
+
+        return 'https' === $uri->getScheme() ? 443 : 80;
+    }
+
+    private function __construct()
+    {
+        // cannot be instantiated
+    }
+}