Conversation

@renovate renovate bot commented Nov 9, 2023

This PR contains the following updates:

Package: react/http
Change: 1.3.0 -> 1.9.0

GitHub Vulnerability Alerts

CVE-2022-36032

Impact

In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host- and __Secure- being confused with cookies whose names decode to such a prefix, thus allowing an attacker to forge a cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information.
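To make the prefix confusion concrete, here is an added example (constructed for this page, not ReactPHP's own parser): the first function url-decodes cookie names the way the advisory describes for versions below v1.7.0, the second keeps names literal. The Cookie header value and the function names are hypothetical, and the exact decoding call used by ReactPHP is assumed.

```php
<?php
// Constructed Cookie header. A browser only sets a genuine "__Host-" cookie
// from a Secure context, but it will happily store and send a cookie whose
// literal name is "%5F%5FHost-session", which url-decodes to "__Host-session".
$cookieHeader = 'theme=dark; __Host-session=legit; %5F%5FHost-session=forged';

/**
 * Behaviour as described for versions < v1.7.0 (assumed): names and values
 * are both url-decoded, so the look-alike collides with the real prefixed
 * cookie. In this parser a later duplicate overwrites an earlier one.
 */
function parseCookiesDecodingNames(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $parts = explode('=', trim($pair), 2);
        if (count($parts) !== 2) {
            continue; // skip malformed pairs without "="
        }
        $cookies[rawurldecode($parts[0])] = rawurldecode($parts[1]);
    }
    return $cookies;
}

/**
 * Hardened behaviour: the cookie name is taken literally (RFC 6265 allows no
 * percent-encoding in names), only the value is decoded, so an encoded
 * look-alike can never shadow a genuine __Host-/__Secure- cookie.
 */
function parseCookiesLiteralNames(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $parts = explode('=', trim($pair), 2);
        if (count($parts) !== 2) {
            continue;
        }
        $cookies[$parts[0]] = rawurldecode($parts[1]);
    }
    return $cookies;
}

$vulnerable = parseCookiesDecodingNames($cookieHeader);
$hardened   = parseCookiesLiteralNames($cookieHeader);

// The decoding parser lets the forged value win for the "secure" name.
assert($vulnerable['__Host-session'] === 'forged');
// The literal parser keeps the genuine cookie and isolates the look-alike.
assert($hardened['__Host-session'] === 'legit');
assert($hardened['%5F%5FHost-session'] === 'forged');
```

The same check applies to application code that reads cookies through `$request->getCookieParams()`: a name that only matches `__Host-` after decoding should be treated as untrusted.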

Patches

Workarounds

Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected Cookie request headers.

References

Credits

  • Thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this security advisory

For more information

If you have any questions or comments about this advisory:

CVE-2023-26044

Summary

Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the RequestBodyBufferMiddleware with very large settings. This might lead to consuming large amounts of CPU time for processing requests and significantly delay or slow down the processing of legitimate user requests.

Patches

The supplied patch resolves this vulnerability for ReactPHP.

Workarounds

  • Keeping the request body limit configured via RequestBodyBufferMiddleware at a sensible value will mitigate it.

  • Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any excessive HTTP request bodies.

References

A similar vulnerability was discovered in PHP recently, see also PHP's security advisory (CVE-2023-0662). The fix is based on the PHP-FPM fix.


Release Notes

reactphp/http (react/http)

v1.9.0

Compare Source

This is a SECURITY and feature release for the 1.x series of ReactPHP's HTTP component.

  • Security fix: This release fixes a medium severity security issue in ReactPHP's HTTP server component
    that affects all versions between v0.8.0 and v1.8.0. All users are encouraged to upgrade immediately.
    (CVE-2023-26044 reported and fixed by @​WyriHaximus)

  • Feature: Support HTTP keep-alive for HTTP client (reusing persistent connections).
    (#​481, #​484, #​486 and #​495 by @​clue)

    This feature offers significant performance improvements when sending many
    requests to the same host as it avoids recreating the underlying TCP/IP
    connection and repeating the TLS handshake for secure HTTPS requests.

    $browser = new React\Http\Browser();
    
    // Up to 300% faster! HTTP keep-alive is enabled by default
    $response = React\Async\await($browser->get('https://httpbingo.org/redirect/6'));
    assert($response instanceof Psr\Http\Message\ResponseInterface);
  • Feature: Add Request class to represent outgoing HTTP request message.
    (#​480 by @​clue)

  • Feature: Preserve request method and body for 307 Temporary Redirect and 308 Permanent Redirect.
    (#​442 by @​dinooo13)

  • Feature: Include buffer logic to avoid dependency on reactphp/promise-stream.
    (#​482 by @​clue)

  • Improve test suite and project setup and report failed assertions.
    (#​478 by @​clue, #​487 and #​491 by @​WyriHaximus and #​475 and #​479 by @​SimonFrings)

v1.8.0

Compare Source

  • Feature: Support for default request headers.
    (#​461 by @​51imyy)

    $browser = new React\Http\Browser();
    $browser = $browser->withHeader('User-Agent', 'ACME');
    
    $browser->get($url)->then(…);
  • Feature: Forward compatibility with upcoming Promise v3.
    (#​460 by @​clue)

v1.7.0

Compare Source

This is a SECURITY and feature release for the 1.x series of ReactPHP's HTTP component.

  • Security fix: This release fixes a medium severity security issue in ReactPHP's HTTP server component
    that affects all versions between v0.7.0 and v1.6.0. All users are encouraged to upgrade immediately.
    Special thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this release.
    (CVE-2022-36032 reported by @​lavish and fixed by @​clue)

  • Feature: Improve HTTP server performance by ~20%, reuse syscall values for clock time and socket addresses.
    (#​457 and #​467 by @​clue)

  • Feature: Full PHP 8.2+ compatibility, refactor internal Transaction to avoid assigning dynamic properties.
    (#​459 by @​clue and #​466 by @​WyriHaximus)

  • Feature / Fix: Allow explicit Content-Length response header on HEAD requests.
    (#​444 by @​mrsimonbennett)

  • Minor documentation improvements.
    (#​452 by @​clue, #​458 by @​nhedger, #​448 by @​jorrit and #​446 by @​SimonFrings)

  • Improve test suite, update to use new reactphp/async package instead of clue/reactphp-block,
    skip memory tests when lowering memory limit fails and fix legacy HHVM build.
    (#​464 and #​440 by @​clue and #​450 by @​SimonFrings)

v1.6.0

Compare Source

  • Feature: Add factory methods for common HTML/JSON/plaintext/XML response types.
    (#​439 by @​clue)

    $response = React\Http\Response\html("<h1>Hello wörld!</h1>\n");
    $response = React\Http\Response\json(['message' => 'Hello wörld!']);
    $response = React\Http\Response\plaintext("Hello wörld!\n");
    $response = React\Http\Response\xml("<message>Hello wörld!</message>\n");
  • Feature: Expose all status code constants via Response class.
    (#​432 by @​clue)

    $response = new React\Http\Message\Response(
        React\Http\Message\Response::STATUS_OK, // 200 OK
        …
    );
    $response = new React\Http\Message\Response(
        React\Http\Message\Response::STATUS_NOT_FOUND, // 404 Not Found
        …
    );
  • Feature: Full support for PHP 8.1 release.
    (#​433 by @​SimonFrings and #​434 by @​clue)

  • Feature / Fix: Improve protocol handling for HTTP responses with no body.
    (#​429 and #​430 by @​clue)

  • Internal refactoring and internal improvements for handling requests and responses.
    (#​422 by @​WyriHaximus and #​431 by @​clue)

  • Improve documentation, update proxy examples, include error reporting in examples.
    (#​420, #​424, #​426, and #​427 by @​clue)

  • Update test suite to use default loop.
    (#​438 by @​clue)

v1.5.0

Compare Source

  • Feature: Update Browser signature to take optional $connector as first argument and
    to match new Socket API without nullable loop arguments.
    (#​418 and #​419 by @​clue)

    // unchanged
    $browser = new React\Http\Browser();
    
    // deprecated
    $browser = new React\Http\Browser(null, $connector);
    $browser = new React\Http\Browser($loop, $connector);
    
    // new
    $browser = new React\Http\Browser($connector);
    $browser = new React\Http\Browser($connector, $loop);
  • Feature: Rename Server to HttpServer to avoid class name collisions and
    to avoid any ambiguities with regards to the new SocketServer API.
    (#​417 and #​419 by @​clue)

    // deprecated
    $server = new React\Http\Server($handler);
    $server->listen(new React\Socket\Server(8080));
    
    // new
    $http = new React\Http\HttpServer($handler);
    $http->listen(new React\Socket\SocketServer('127.0.0.1:8080'));

v1.4.0

Compare Source

A major new feature release, see release announcement.

  • Feature: Simplify usage by supporting new default loop.
    (#​410 by @​clue)

    // old (still supported)
    $browser = new React\Http\Browser($loop);
    $server = new React\Http\Server($loop, $handler);
    
    // new (using default loop)
    $browser = new React\Http\Browser();
    $server = new React\Http\Server($handler);

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from WyriHaximus as a code owner November 9, 2023 12:47
@boring-cyborg boring-cyborg bot added Dependencies 📦 Pull requests that update a dependency file PHP 🐘 Hypertext Pre Processor labels Nov 9, 2023
@github-actions github-actions bot added this to the 1.1.0 milestone Nov 9, 2023
@renovate renovate bot changed the title Update dependency react/http to v1.9.0 [SECURITY] Update dependency react/http to v1.9.0 [SECURITY] - autoclosed Nov 10, 2023
@renovate renovate bot closed this Nov 10, 2023
@renovate renovate bot deleted the renovate/packagist-react/http-vulnerability branch November 10, 2023 05:00