
Update dependency react/http to v1.9.0 [SECURITY] #145

Merged: 1 commit, Aug 30, 2024

Conversation

renovate[bot] (Contributor) commented Aug 30, 2024

This PR contains the following updates:

Package: react/http
Change: 1.4.0 -> 1.9.0

GitHub Vulnerability Alerts

CVE-2022-36032

Impact

In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are URL-decoded. This may lead to cookies with prefixes like __Host- and __Secure- being confused with cookies that decode to such a prefix, thus leading to an attacker being able to forge a cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information.

Patches

Workarounds

Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected Cookie request headers.

References

Credits

  • Thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this security advisory

For more information

If you have any questions or comments about this advisory:

CVE-2023-26044

Summary

Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the RequestBodyBufferMiddleware with very large settings. This might lead to consuming large amounts of CPU time for processing requests and significantly delay or slow down the processing of legitimate user requests.

Patches

The supplied patch resolves this vulnerability for ReactPHP.

Workarounds

  • Keeping the request body limit using RequestBodyBufferMiddleware sensible will mitigate it.

  • Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any excessive HTTP request bodies.

References

A similar vulnerability was discovered in PHP recently, see also PHP's security advisory (CVE-2023-0662). The fix is based on the PHP-FPM fix.


ReactPHP's HTTP server parses encoded cookie names so malicious __Host- and __Secure- cookies can be sent

CVE-2022-36032 / GHSA-w3w9-vrf5-8mx8

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


ReactPHP's HTTP server continues parsing unused multipart parts after reaching input field and file upload limits

CVE-2023-26044 / GHSA-95x4-j7vc-h8mf

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

reactphp/http (react/http)

v1.9.0

Compare Source

This is a SECURITY and feature release for the 1.x series of ReactPHP's HTTP component.

  • Security fix: This release fixes a medium severity security issue in ReactPHP's HTTP server component
    that affects all versions between v0.8.0 and v1.8.0. All users are encouraged to upgrade immediately.
    (CVE-2023-26044 reported and fixed by @WyriHaximus)

  • Feature: Support HTTP keep-alive for HTTP client (reusing persistent connections).
    (#481, #484, #486 and #495 by @clue)

    This feature offers significant performance improvements when sending many
    requests to the same host as it avoids recreating the underlying TCP/IP
    connection and repeating the TLS handshake for secure HTTPS requests.

    $browser = new React\Http\Browser();
    
    // Up to 300% faster! HTTP keep-alive is enabled by default
    $response = React\Async\await($browser->get('https://httpbingo.org/redirect/6'));
    assert($response instanceof Psr\Http\Message\ResponseInterface);
  • Feature: Add Request class to represent outgoing HTTP request message.
    (#480 by @clue)

  • Feature: Preserve request method and body for 307 Temporary Redirect and 308 Permanent Redirect.
    (#442 by @dinooo13)

  • Feature: Include buffer logic to avoid dependency on reactphp/promise-stream.
    (#482 by @clue)

  • Improve test suite and project setup and report failed assertions.
    (#478 by @clue, #487 and #491 by @WyriHaximus and #475 and #479 by @SimonFrings)

v1.8.0

Compare Source

  • Feature: Support for default request headers.
    (#461 by @51imyy)

    $browser = new React\Http\Browser();
    $browser = $browser->withHeader('User-Agent', 'ACME');
    
    $browser->get($url)->then(…);
  • Feature: Forward compatibility with upcoming Promise v3.
    (#460 by @clue)

v1.7.0

Compare Source

This is a SECURITY and feature release for the 1.x series of ReactPHP's HTTP component.

  • Security fix: This release fixes a medium severity security issue in ReactPHP's HTTP server component
    that affects all versions between v0.7.0 and v1.6.0. All users are encouraged to upgrade immediately.
    Special thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this release.
    (CVE-2022-36032 reported by @lavish and fixed by @clue)

  • Feature: Improve HTTP server performance by ~20%, reuse syscall values for clock time and socket addresses.
    (#457 and #467 by @clue)

  • Feature: Full PHP 8.2+ compatibility, refactor internal Transaction to avoid assigning dynamic properties.
    (#459 by @clue and #466 by @WyriHaximus)

  • Feature / Fix: Allow explicit Content-Length response header on HEAD requests.
    (#444 by @mrsimonbennett)

  • Minor documentation improvements.
    (#452 by @clue, #458 by @nhedger, #448 by @jorrit and #446 by @SimonFrings)

  • Improve test suite, update to use new reactphp/async package instead of clue/reactphp-block,
    skip memory tests when lowering memory limit fails and fix legacy HHVM build.
    (#464 and #440 by @clue and #450 by @SimonFrings)

v1.6.0

Compare Source

  • Feature: Add factory methods for common HTML/JSON/plaintext/XML response types.
    (#439 by @clue)

    $response = React\Http\Response\html("<h1>Hello wörld!</h1>\n");
    $response = React\Http\Response\json(['message' => 'Hello wörld!']);
    $response = React\Http\Response\plaintext("Hello wörld!\n");
    $response = React\Http\Response\xml("<message>Hello wörld!</message>\n");
  • Feature: Expose all status code constants via Response class.
    (#432 by @clue)

    $response = new React\Http\Message\Response(
        React\Http\Message\Response::STATUS_OK, // 200 OK
        …
    );
    $response = new React\Http\Message\Response(
        React\Http\Message\Response::STATUS_NOT_FOUND, // 404 Not Found
        …
    );
  • Feature: Full support for PHP 8.1 release.
    (#433 by @SimonFrings and #434 by @clue)

  • Feature / Fix: Improve protocol handling for HTTP responses with no body.
    (#429 and #430 by @clue)

  • Internal refactoring and internal improvements for handling requests and responses.
    (#422 by @WyriHaximus and #431 by @clue)

  • Improve documentation, update proxy examples, include error reporting in examples.
    (#420, #424, #426, and #427 by @clue)

  • Update test suite to use default loop.
    (#438 by @clue)

v1.5.0

Compare Source

  • Feature: Update Browser signature to take optional $connector as first argument and
    to match new Socket API without nullable loop arguments.
    (#418 and #419 by @clue)

    // unchanged
    $browser = new React\Http\Browser();
    
    // deprecated
    $browser = new React\Http\Browser(null, $connector);
    $browser = new React\Http\Browser($loop, $connector);
    
    // new
    $browser = new React\Http\Browser($connector);
    $browser = new React\Http\Browser($connector, $loop);
  • Feature: Rename Server to HttpServer to avoid class name collisions and
    to avoid any ambiguities with regards to the new SocketServer API.
    (#417 and #419 by @clue)

    // deprecated
    $server = new React\Http\Server($handler);
    $server->listen(new React\Socket\Server(8080));
    
    // new
    $http = new React\Http\HttpServer($handler);
    $http->listen(new React\Socket\SocketServer('127.0.0.1:8080'));

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
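
The cookie-name issue behind CVE-2022-36032 (advisory text above), modelled as an added example in Python; this is not ReactPHP's parser and the Cookie header, function names and the last-wins overwrite rule are constructed for illustration. It contrasts a parser that URL-decodes names with one that keeps them verbatim, and adds a check a reverse proxy could apply to drop names that only decode to a reserved prefix.

```python
from urllib.parse import unquote

RESERVED_PREFIXES = ("__Host-", "__Secure-")

# Constructed Cookie header: a genuine __Host- cookie followed by a cookie whose
# name is percent-encoded so that it only *decodes* to the __Host- prefix.
SAMPLE_COOKIE_HEADER = "__Host-session=abc123; %5F%5FHost-session=forged"


def parse_cookies_decoding_names(header):
    """Models the pre-v1.7.0 behaviour the advisory describes: names are
    URL-decoded, so '%5F%5FHost-session' collapses into '__Host-session' and
    the later pair overwrites the genuine one (last-wins is this model's
    choice, not a claim about ReactPHP's ordering)."""
    cookies = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[unquote(name)] = unquote(value)
    return cookies


def parse_cookies_verbatim_names(header):
    """Hardened form: a cookie name is an RFC 6265 token that a browser never
    percent-encodes, so it is kept verbatim and only the value is decoded.
    The two names stay distinct and the __Host- cookie keeps its value."""
    cookies = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = unquote(value)
    return cookies


def suspicious_cookie_names(header):
    """Detection helper for the reverse-proxy workaround in the advisory:
    returns raw names that are not literally prefixed but would gain a
    reserved prefix after decoding, i.e. candidates to drop or log."""
    flagged = []
    for pair in header.split(";"):
        name = pair.strip().partition("=")[0]
        if (name and not name.startswith(RESERVED_PREFIXES)
                and unquote(name).startswith(RESERVED_PREFIXES)):
            flagged.append(name)
    return flagged
```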

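The CPU-exhaustion pattern behind CVE-2023-26044 (advisory text above), as an added Python example that is not ReactPHP's MultipartParser: a simplified multipart/form-data splitter with a field limit, run once in the "keep parsing after the limit" mode the advisory describes and once stopping as soon as the limit is reached. The boundary, body builder and function names are constructed for illustration.

```python
import re

BOUNDARY = "----constructedBoundary"


def build_form_body(n_fields):
    """Builds a constructed multipart/form-data body with n_fields text fields."""
    parts = [
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="field{i}"\r\n\r\n'
        f"value{i}\r\n"
        for i in range(n_fields)
    ]
    return "".join(parts) + f"--{BOUNDARY}--\r\n"


def parse_form_fields(body, max_fields, stop_at_limit):
    """Splits the body on its boundary and collects at most max_fields fields.
    Returns (fields, parts_examined). With stop_at_limit=False it models the
    pre-fix behaviour in the advisory: every remaining part is still parsed
    although its result can never be used. With True, parsing ends as soon as
    the limit is reached, so extra parts in a large body cost no further CPU."""
    fields = {}
    examined = 0
    for raw in body.split(f"--{BOUNDARY}"):
        part = raw.strip("\r\n")
        if not part or part == "--":  # preamble / closing delimiter
            continue
        if stop_at_limit and len(fields) >= max_fields:
            break
        examined += 1
        headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]*)"', headers)
        if match and len(fields) < max_fields:
            fields[match.group(1)] = value
    return fields, examined
```

The parts_examined count is the quantity to watch: with a body of thousands of parts and a small limit, the first mode scales with the body while the second stays bounded by the limit.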
renovate bot force-pushed the renovate/packagist-react-http-vulnerability branch from ac7f382 to b42247b on August 30, 2024 19:11
@WyriHaximus WyriHaximus merged commit 3b8e93b into master Aug 30, 2024
11 of 14 checks passed
@WyriHaximus WyriHaximus deleted the renovate/packagist-react-http-vulnerability branch August 30, 2024 19:13