
[ticket/17036] Fix failure to strip Authorization header on HTTP downgrade #6414

Merged: 1 commit into phpbb:3.3.x, Sep 30, 2022

Conversation

imhunterand
Contributor

@imhunterand imhunterand commented Aug 31, 2022

Describe the bugs: 🐛

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Guzzle is an open source PHP HTTP client. In affected versions Authorization headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, we should not forward the Authorization header on. This is much the same as how we don't forward on the header if the host changes. Prior to this fix, https to http downgrades did not result in the Authorization header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach, which would be to use their own redirect middleware. Alternatively, users may simply disable redirects altogether if redirects are not expected or required.

Fix failure to strip Authorization header on HTTP downgrade
CVE-2022-31043
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
GHSA-w248-ffj2-4v5q

Checklist:

  • Correct branch: master for new features; 3.3.x for fixes
  • Tests pass
  • Code follows coding guidelines: master and 3.3.x
  • Commit follows commit message format

Tracker ticket (set the ticket ID to your ticket ID):

https://tracker.phpbb.com/browse/PHPBB3-17036
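The redirect policy the advisory above describes, as an added example in plain PHP that is not phpBB's or Guzzle's own code: a decision function that reproduces both the pre-fix rule (strip Authorization only when the host changes) and the fixed rule (strip on host change or on an https to http downgrade), driven by a small simulated redirect follower instead of Guzzle's RedirectMiddleware. The host forum.example, the bearer token and the redirect chain are constructed for the demonstration, and headers are assumed to be keyed with the canonical name Authorization.

```php
<?php
declare(strict_types=1);

// Added example, not phpBB or Guzzle code. Requests are modelled as
// ['uri' => string, 'headers' => array]; no network access is made.

/**
 * Decide whether the Authorization header must be dropped when a redirect
 * moves the request from $from to $to.
 *
 * $stripOnDowngrade = false reproduces the pre-fix behaviour (host change only).
 * $stripOnDowngrade = true reproduces the fixed behaviour (host change, or
 * https -> http on the same host).
 */
function shouldStripAuthorization(string $from, string $to, bool $stripOnDowngrade): bool
{
    $a = parse_url($from);
    $b = parse_url($to);
    if ($a === false || $b === false || empty($a['host']) || empty($b['host'])) {
        // Unparseable or host-less target: fail closed and strip the credential.
        return true;
    }
    if (strcasecmp($a['host'], $b['host']) !== 0) {
        return true; // host changed: both old and new behaviour strip
    }
    $fromScheme = strtolower($a['scheme'] ?? '');
    $toScheme   = strtolower($b['scheme'] ?? '');
    return $stripOnDowngrade && $fromScheme === 'https' && $toScheme === 'http';
}

/**
 * Follow a constructed chain of redirects and return every request that
 * would be sent, with the headers it carries. $responses maps a request URI
 * to the Location it redirects to; a URI with no entry is the final hop.
 */
function followRedirects(string $startUri, array $headers, array $responses, bool $stripOnDowngrade, int $max = 5): array
{
    $sent = [];
    $uri = $startUri;
    for ($hop = 0; $hop <= $max; $hop++) {
        $sent[] = ['uri' => $uri, 'headers' => $headers];
        if (!isset($responses[$uri])) {
            return $sent;
        }
        $next = $responses[$uri];
        if (shouldStripAuthorization($uri, $next, $stripOnDowngrade)) {
            unset($headers['Authorization']);
        }
        $uri = $next;
    }
    throw new RuntimeException('Too many redirects');
}

// Constructed chain: same host, but the server bounces https -> http.
$chain = [
    'https://forum.example/api/me' => 'http://forum.example/api/me',
];
$headers = ['Authorization' => 'Bearer s3cret', 'Accept' => 'application/json'];

$modes = [
    ['label' => 'pre-fix (host check only)',    'strip' => false],
    ['label' => 'fixed (host or https->http)',  'strip' => true],
];
foreach ($modes as $mode) {
    echo $mode['label'], PHP_EOL;
    foreach (followRedirects('https://forum.example/api/me', $headers, $chain, $mode['strip']) as $req) {
        $auth = $req['headers']['Authorization'] ?? '(stripped)';
        printf("  %-32s Authorization: %s\n", $req['uri'], $auth);
    }
}
```

Under the pre-fix rule the second hop is sent in cleartext to http://forum.example with the bearer token still attached, which is the leak the CVE describes; under the fixed rule the token is dropped before the downgraded request is made. A cross-host redirect strips the header in both modes, and an http to https upgrade on the same host strips it in neither.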

@private-packagist

private-packagist bot commented Aug 31, 2022

phpBB/composer.lock

Package changes

Package               Operation   From        To         Changes
guzzlehttp/guzzle     upgrade     6.5.6 ⚠️    6.5.8 ✅   diff
guzzlehttp/promises   upgrade     1.5.1       1.5.2      diff
guzzlehttp/psr7       upgrade     1.8.5       1.9.0      diff


@marc1706 marc1706 changed the title Fix failure to strip Authorization header on HTTP downgrade [ticket/17036] Fix failure to strip Authorization header on HTTP downgrade Sep 25, 2022
@marc1706 marc1706 added this to the 3.3.9 milestone Sep 25, 2022
@marc1706
Member

Hi @imhunterand and thanks for your PR. I've taken the liberty to adjust your commit message to our commit message format and created a fitting ticket in our tracker for you. 😎

@private-packagist

The composer.lock diff comment has been updated to reflect new changes in this PR.

@marc1706 marc1706 changed the base branch from master to 3.3.x September 25, 2022 20:03
@private-packagist

The composer.lock diff comment has been updated to reflect new changes in this PR.

@marc1706 marc1706 closed this Sep 25, 2022
@marc1706
Member

Closed and reopened to trigger a fresh build with 3.3.x as base.

@marc1706 marc1706 reopened this Sep 25, 2022
@marc1706 marc1706 merged commit 64717d0 into phpbb:3.3.x Sep 30, 2022