Hi,
Le 22/04/2023 à 12:59, David Prévot a écrit :
[…]
[x] attach debdiff against the package in stable
For real now.
diff --git a/debian/changelog b/debian/changelog
index bd0b1d7..a0c6ab8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-nyholm-psr7 (1.3.2-2+deb11u1) bullseye; urgency=medium
+
+ * Fix improper input validation [CVE-2023-29197] (Closes: #1034597)
+ * Use debian/bullseye branch
+
+ -- David Prévot <taf...@debian.org> Sat, 22 Apr 2023 12:22:36 +0200
+
php-nyholm-psr7 (1.3.2-2) unstable; urgency=medium
* Fix d/clean
diff --git a/debian/control b/debian/control
index 263202a..79c9ad0 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Build-Depends: debhelper-compat (= 13),
pkg-php-tools
Standards-Version: 4.5.1
Homepage: https://github.com/Nyholm/psr7
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-nyholm-psr7.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-nyholm-psr7.git -b debian/bullseye
Vcs-Browser: https://salsa.debian.org/php-team/pear/php-nyholm-psr7
Rules-Requires-Root: no
diff --git a/debian/gbp.conf b/debian/gbp.conf
index eb7a2c8..bd2dada 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,5 @@
[DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
pristine-tar = True
pristine-tar-commit = True
diff --git a/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch b/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch
new file mode 100644
index 0000000..85e246f
--- /dev/null
+++ b/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch
@@ -0,0 +1,131 @@
+From: Tobias Nyholm <tobias.nyh...@gmail.com>
+Date: Mon, 17 Apr 2023 18:00:04 +0200
+Subject: Merge pull request from GHSA-wjfc-pgfp-pv9c
+
+Improper Input Validation in headers
+
+Origin: backport, https://github.com/Nyholm/psr7/commit/1029a2671cbdd3e075a21952082c2be7c8018426
+Bug-Debian: https://bugs.debian.org/1034597 https://security-tracker.debian.org/tracker/CVE-2023-29197
+---
+ src/MessageTrait.php | 4 ++--
+ tests/RequestTest.php | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ tests/ResponseTest.php | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 79 insertions(+), 2 deletions(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 2da949d..4977583 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -177,7 +177,7 @@ trait MessageTrait
+ */
+ private function validateAndTrimHeader($header, $values): array
+ {
+- if (!\is_string($header) || 1 !== \preg_match("@^[!#$%&'*+.^_`|~0-9A-Za-z-]+$@", $header)) {
++ if (!\is_string($header) || 1 !== \preg_match("@^[!#$%&'*+.^_`|~0-9A-Za-z-]+$@D", $header)) {
+ throw new \InvalidArgumentException('Header name must be an RFC 7230 compatible string.');
+ }
+
+@@ -197,7 +197,7 @@ trait MessageTrait
+ // Assert Non empty array
+ $returnValues = [];
+ foreach ($values as $v) {
+- if ((!\is_numeric($v) && !\is_string($v)) || 1 !== \preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@", (string) $v)) {
++ if ((!\is_numeric($v) && !\is_string($v)) || 1 !== \preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@D", (string) $v)) {
+ throw new \InvalidArgumentException('Header values must be RFC 7230 compatible strings.');
+ }
+
+diff --git a/tests/RequestTest.php b/tests/RequestTest.php
+index ddac6d2..8d5d53e 100644
+--- a/tests/RequestTest.php
++++ b/tests/RequestTest.php
+@@ -294,4 +294,50 @@ class RequestTest extends TestCase
+ $request = $request->withUri(new Uri('https://nyholm.tech:443'));
+ $this->assertEquals('nyholm.tech', $request->getHeaderLine('Host'));
+ }
++
++ /**
++ * @dataProvider provideHeaderValuesContainingNotAllowedChars
++ */
++ public function testCannotHaveHeaderWithInvalidValue(string $name)
++ {
++ $this->expectException(\InvalidArgumentException::class);
++ $this->expectExceptionMessage('Header name must be an RFC 7230 compatible string');
++ $r = new Request('GET', 'https://example.com/');
++ $r->withHeader($name, 'Bar');
++ }
++
++ public static function provideHeaderValuesContainingNotAllowedChars(): array
++ {
++ // Explicit tests for newlines as the most common exploit vector.
++ $tests = [
++ ["new\nline"],
++ ["new\r\nline"],
++ ["new\rline"],
++ ["new\r\n line"],
++ ["newline\n"],
++ ["\nnewline"],
++ ["newline\r\n"],
++ ["\n\rnewline"],
++ ];
++
++ for ($i = 0; $i <= 0xFF; ++$i) {
++ if ("\t" == \chr($i)) {
++ continue;
++ }
++ if (' ' == \chr($i)) {
++ continue;
++ }
++ if ($i >= 0x21 && $i <= 0x7E) {
++ continue;
++ }
++ if ($i >= 0x80) {
++ continue;
++ }
++
++ $tests[] = ['foo' . \chr($i) . 'bar'];
++ $tests[] = ['foo' . \chr($i)];
++ }
++
++ return $tests;
++ }
+ }
+diff --git a/tests/ResponseTest.php b/tests/ResponseTest.php
+index e6e109e..effc81d 100644
+--- a/tests/ResponseTest.php
++++ b/tests/ResponseTest.php
+@@ -266,4 +266,35 @@ class ResponseTest extends TestCase
+ $this->assertSame('Foo', $r->getHeaderLine('OWS'));
+ $this->assertSame(['Foo'], $r->getHeader('OWS'));
+ }
++
++ /**
++ * @dataProvider invalidWithHeaderProvider
++ */
++ public function testWithInvalidHeader($header, $headerValue, $expectedMessage): void
++ {
++ $r = new Response();
++ $this->expectException(\InvalidArgumentException::class);
++ $this->expectExceptionMessage($expectedMessage);
++ $r->withHeader($header, $headerValue);
++ }
++
++ public function invalidWithHeaderProvider(): iterable
++ {
++ return [
++ ['foo', [], 'Header values must be a string or an array of strings, empty array given'],
++ ['foo', new \stdClass(), 'Header values must be RFC 7230 compatible strings'],
++ [[], 'foo', 'Header name must be an RFC 7230 compatible string'],
++ [false, 'foo', 'Header name must be an RFC 7230 compatible string'],
++ [new \stdClass(), 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ['', 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["Content-Type\r\n\r\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["Content-Type\r\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["Content-Type\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["\r\nContent-Type", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["\nContent-Type", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["\r\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ["\t", 'foo', 'Header name must be an RFC 7230 compatible string'],
++ ];
++ }
+ }
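Review bot: The `D` modifier added to the header-value regex on the `+` line of the second MessageTrait hunk is not exercised by any new test: the RequestTest provider only feeds control characters into the header *name*, and the ResponseTest provider's value cases are `[]` and `new \stdClass()`, so a value such as `"bar\n"` (which the old `$` anchor accepted) is never asserted to throw. Unless the existing suite already covers it elsewhere (not visible in this patch), add value-side cases to `invalidWithHeaderProvider`, e.g. `['foo', "bar\n", 'Header values must be RFC 7230 compatible strings'],` and `['foo', "bar\r\n", 'Header values must be RFC 7230 compatible strings'],`, since a trailing CR/LF in a value is the response-splitting case this CVE is about. As a point of style, `testCannotHaveHeaderWithInvalidValue(string $name)` and `provideHeaderValuesContainingNotAllowedChars` both say "value" while the test passes the data as the header name and expects the "Header name" message; since this is a backport, keep the upstream names but a one-line comment like `// Despite the name, these cases exercise header *names*, not values.` would help the next reader. The DEP-3 header could also carry the advisory as `Bug: https://github.com/Nyholm/psr7/security/advisories/GHSA-wjfc-pgfp-pv9c` alongside the existing Bug-Debian line.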
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..f797cf4
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch