psr7: Urgent - v2.1.1 - MessageTrait assertValue broken
PHP version: 7.4.27 (hint: php --version)
Description I updated my dependencies, and guzzlehttp/psr7 was updated to v2.1.1. This broke an integration with a third party API that I’m working with. (Largest credit card payment processor in Scandinavia).
I have traced it down to the changes introduced in MessageTrait for the method assertValue.
When the response (which I am not in control over), contains the following header, I get an InvalidArgumentException XXX is not a valid header value.
X-Iinfo: 12-34567890-123456789 AAAA BC(12 34 5) DE(1234567890123 123) a(1 2 3 4) b(1 2) A1
I have changed the actual values from the header, as I’m not sure if it contains confidential information. The relevant part here is the whitespaces, which fails the parsing introduced in 2.1.1.
How to reproduce Add the above header to a response.
Possible Solution Revert the changes done in 2.1.1 back to the behavior in 2.1.0
About this issue
- State: closed
- Created 2 years ago
- Reactions: 7
- Comments: 16 (7 by maintainers)
Hi folks. Sorry for breaking this. When creating the validation regex I’ve faithfully transcribed the ABNF given in RFC 7230#3.2. Double checking the ABNF it looks like the validation in guzzle/psr7 was technically correct and the header values are indeed not valid with the current spec. But of course this is not useful to you.
I’ve checked with the experts in #curl on libera.chat and it appears the error in the specification is already fixed in the latest draft: https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values
I have prepared a fix. Please can you try this out @thomas-alrek @mbabker @kissifrot @it-can @holtkamp.
I am getting
InvalidArgumentException: "___utmvayaufcDoB=TphsWoW; path=/; Max-Age=900; Secure; SameSite=None" is not valid header value
now inwith
To reproduce, tested on php 8.1 and guzzle 7.4
This will throw an error:
"Linux f0f489981e90 5.10.104-linuxkit #1 SMP Wed Mar 9 19:05:23 UTC 2022 x86_64" is not valid header value
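Why values like the ones in this thread fail, shown as an added example (not guzzlehttp/psr7 code and not written by anyone in the thread): a literal transcription of the RFC 7230 section 3.2 field-content rule next to the revised rule from the linked draft. The function names, the obs-fold omission and the samples marked as constructed are assumptions of this example.

```php
<?php
// Added example; not guzzlehttp/psr7 code. Function names are hypothetical.

const VCHAR = '\x21-\x7E\x80-\xFF'; // field-vchar = VCHAR / obs-text
const WS    = '\x20\x09';           // SP / HTAB

// RFC 7230 section 3.2, transcribed literally (obs-fold left out):
//   field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
// Each whitespace run needs its own pair of visible characters, so a single
// visible character with whitespace on both sides cannot be matched.
// The D modifier stops "$" from matching before a trailing newline.
function validRfc7230(string $value): bool
{
    $re = '/^(?:[' . VCHAR . '](?:[' . WS . ']+[' . VCHAR . '])?)*$/D';
    return preg_match($re, $value) === 1;
}

// Revised grammar in the linked draft:
//   field-content = field-vchar [ 1*( SP / HTAB / field-vchar ) field-vchar ]
// Empty, or starts and ends with a visible character, any mix in between.
function validRevised(string $value): bool
{
    $re = '/^(?:[' . VCHAR . '](?:[' . WS . VCHAR . ']*[' . VCHAR . '])?)?$/D';
    return preg_match($re, $value) === 1;
}

// Run both grammars over a labelled set of already-trimmed header values.
function compare(array $values): array
{
    $out = [];
    foreach ($values as $label => $v) {
        $out[$label] = ['rfc7230' => validRfc7230($v), 'revised' => validRevised($v)];
    }
    return $out;
}

$samples = [
    'issue header' => '12-34567890-123456789 AAAA BC(12 34 5) DE(1234567890123 123) a(1 2 3 4) b(1 2) A1',
    'uname string' => 'Linux f0f489981e90 5.10.104-linuxkit #1 SMP Wed Mar 9 19:05:23 UTC 2022 x86_64',
    'minimal'      => 'a b c',                    // constructed
    'content type' => 'text/html; charset=utf-8', // constructed
    'line break'   => "ok\r\nX-Other: 1",         // constructed
];

foreach (compare($samples) as $label => $r) {
    printf("%-13s rfc7230=%-5s revised=%s\n", $label,
        var_export($r['rfc7230'], true), var_export($r['revised'], true));
}
```

The two values taken from the thread and `a b c` are rejected by the RFC 7230 transcription and accepted by the revised grammar, while the constructed value containing a line break is rejected by both.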