From 6c91232ad2cbc335dc2b299f828a8406fc74d25e Mon Sep 17 00:00:00 2001 From: Nate Good Date: Tue, 30 Apr 2024 22:12:55 -0400 Subject: [PATCH] Fix security issue with defaulting to skipping certificate validation --- README.md | 172 ++++++++++++++++++++-------------------- src/Httpful/Httpful.php | 2 +- src/Httpful/Request.php | 8 +- 3 files changed, 93 insertions(+), 89 deletions(-) diff --git a/README.md b/README.md index b3620b3..1139f3d 100644 --- a/README.md +++ b/README.md @@ -1,21 +1,20 @@ # Httpful - -Httpful is a simple Http Client library for PHP 8.0+. There is an emphasis of readability, simplicity, and flexibility – basically provide the features and flexibility to get the job done and make those features really easy to use. +Httpful is a simple Http Client library for PHP 8.0+. There is an emphasis of readability, simplicity, and flexibility – basically provide the features and flexibility to get the job done and make those features really easy to use. Features - - Readable HTTP Method Support (GET, PUT, POST, DELETE, HEAD, PATCH and OPTIONS) - - Custom Headers - - Automatic "Smart" Parsing - - Automatic Payload Serialization - - Basic Auth - - Client Side Certificate Auth - - Request "Templates" +- Readable HTTP Method Support (GET, PUT, POST, DELETE, HEAD, PATCH and OPTIONS) +- Custom Headers +- Automatic "Smart" Parsing +- Automatic Payload Serialization +- Basic Auth +- Client Side Certificate Auth +- Request "Templates" # Sneak Peak -Here's something to whet your appetite. Search the twitter API for tweets containing "#PHP". Include a trivial header for the heck of it. Notice that the library automatically interprets the response as JSON (can override this if desired) and parses it as an array of objects. +Here's something to whet your appetite. Search the twitter API for tweets containing "#PHP". Include a trivial header for the heck of it. Notice that the library automatically interprets the response as JSON (can override this if desired) and parses it as an array of objects. ```php @@ -35,7 +34,7 @@ echo "{$response->body->name} joined GitHub on " . ## Composer -Httpful is PSR-0 compliant and can be installed using [composer](http://getcomposer.org/). Simply add `nategood/httpful` to your composer.json file. _Composer is the sane alternative to PEAR. It is excellent for managing dependencies in larger projects_. +Httpful is PSR-0 compliant and can be installed using [composer](http://getcomposer.org/). Simply add `nategood/httpful` to your composer.json file. _Composer is the sane alternative to PEAR. It is excellent for managing dependencies in larger projects_. { "require": { @@ -50,176 +49,181 @@ Because Httpful is PSR-0 compliant, you can also just clone the Httpful reposito ## Build your Phar If you want the build your own [Phar Archive](http://php.net/manual/en/book.phar.php) you can use the `build` script included. -Make sure that your `php.ini` has the *Off* or 0 value for the `phar.readonly` setting. +Make sure that your `php.ini` has the _Off_ or 0 value for the `phar.readonly` setting. Also you need to create an empty `downloads` directory in the project root. # Contributing -Httpful highly encourages sending in pull requests. When submitting a pull request please: +Httpful highly encourages sending in pull requests. When submitting a pull request please: - - All pull requests should target the `dev` branch (not `master`) - - Make sure your code follows the [coding conventions](http://pear.php.net/manual/en/standards.php) - - Please use soft tabs (four spaces) instead of hard tabs - - Make sure you add appropriate test coverage for your changes - - Run all unit tests in the test directory via `phpunit ./tests` - - Include commenting where appropriate and add a descriptive pull request message +- All pull requests should target the `dev` branch (not `master`) +- Make sure your code follows the [coding conventions](http://pear.php.net/manual/en/standards.php) +- Please use soft tabs (four spaces) instead of hard tabs +- Make sure you add appropriate test coverage for your changes +- Run all unit tests in the test directory via `phpunit ./tests` +- Include commenting where appropriate and add a descriptive pull request message # Changelog +## 1.0.0 + +- SECURITY Make certificate validation the default. This is a potentially breaking, but important security change. Validation can still be skipped but must be explicitly skipped via withoutStrictSSL. +- REFACTOR [PR #305] Remove deprecated functionality pre PHP 8.0 +- REFACTOR Partially from [PR #282] Add CI support for running tests now that Travis is gone. + ## 0.3.2 - - REFACTOR [PR #276](https://github.com/nategood/httpful/pull/276) Add properly subclassed, more descriptive Exceptions for JSON parse errors +- REFACTOR [PR #276](https://github.com/nategood/httpful/pull/276) Add properly subclassed, more descriptive Exceptions for JSON parse errors ## 0.3.1 - - FIX [PR #286](https://github.com/nategood/httpful/pull/286) Fixed header case sensitivity +- FIX [PR #286](https://github.com/nategood/httpful/pull/286) Fixed header case sensitivity ## 0.3.0 - - REFACTOR Dropped support for dead versions of PHP. Updated the PHPUnit tests. +- REFACTOR Dropped support for dead versions of PHP. Updated the PHPUnit tests. ## 0.2.20 - - MINOR Move Response building logic into separate function [PR #193](https://github.com/nategood/httpful/pull/193) +- MINOR Move Response building logic into separate function [PR #193](https://github.com/nategood/httpful/pull/193) ## 0.2.19 - - FEATURE Before send hook [PR #164](https://github.com/nategood/httpful/pull/164) - - MINOR More descriptive connection exceptions [PR #166](https://github.com/nategood/httpful/pull/166) +- FEATURE Before send hook [PR #164](https://github.com/nategood/httpful/pull/164) +- MINOR More descriptive connection exceptions [PR #166](https://github.com/nategood/httpful/pull/166) ## 0.2.18 - - FIX [PR #149](https://github.com/nategood/httpful/pull/149) - - FIX [PR #150](https://github.com/nategood/httpful/pull/150) - - FIX [PR #156](https://github.com/nategood/httpful/pull/156) +- FIX [PR #149](https://github.com/nategood/httpful/pull/149) +- FIX [PR #150](https://github.com/nategood/httpful/pull/150) +- FIX [PR #156](https://github.com/nategood/httpful/pull/156) ## 0.2.17 - - FEATURE [PR #144](https://github.com/nategood/httpful/pull/144) Adds additional parameter to the Response class to specify additional meta data about the request/response (e.g. number of redirect). +- FEATURE [PR #144](https://github.com/nategood/httpful/pull/144) Adds additional parameter to the Response class to specify additional meta data about the request/response (e.g. number of redirect). ## 0.2.16 - - FEATURE Added support for whenError to define a custom callback to be fired upon error. Useful for logging or overriding the default error_log behavior. +- FEATURE Added support for whenError to define a custom callback to be fired upon error. Useful for logging or overriding the default error_log behavior. ## 0.2.15 - - FEATURE [I #131](https://github.com/nategood/httpful/pull/131) Support for SOCKS proxy +- FEATURE [I #131](https://github.com/nategood/httpful/pull/131) Support for SOCKS proxy ## 0.2.14 - - FEATURE [I #138](https://github.com/nategood/httpful/pull/138) Added alternative option for XML request construction. In the next major release this will likely supplant the older version. +- FEATURE [I #138](https://github.com/nategood/httpful/pull/138) Added alternative option for XML request construction. In the next major release this will likely supplant the older version. ## 0.2.13 - - REFACTOR [I #121](https://github.com/nategood/httpful/pull/121) Throw more descriptive exception on curl errors - - REFACTOR [I #122](https://github.com/nategood/httpful/issues/122) Better proxy scrubbing in Request - - REFACTOR [I #119](https://github.com/nategood/httpful/issues/119) Better document the mimeType param on Request::body - - Misc code and test cleanup +- REFACTOR [I #121](https://github.com/nategood/httpful/pull/121) Throw more descriptive exception on curl errors +- REFACTOR [I #122](https://github.com/nategood/httpful/issues/122) Better proxy scrubbing in Request +- REFACTOR [I #119](https://github.com/nategood/httpful/issues/119) Better document the mimeType param on Request::body +- Misc code and test cleanup ## 0.2.12 - - REFACTOR [I #123](https://github.com/nategood/httpful/pull/123) Support new curl file upload method - - FEATURE [I #118](https://github.com/nategood/httpful/pull/118) 5.4 HTTP Test Server - - FIX [I #109](https://github.com/nategood/httpful/pull/109) Typo - - FIX [I #103](https://github.com/nategood/httpful/pull/103) Handle also CURLOPT_SSL_VERIFYHOST for strictSsl mode +- REFACTOR [I #123](https://github.com/nategood/httpful/pull/123) Support new curl file upload method +- FEATURE [I #118](https://github.com/nategood/httpful/pull/118) 5.4 HTTP Test Server +- FIX [I #109](https://github.com/nategood/httpful/pull/109) Typo +- FIX [I #103](https://github.com/nategood/httpful/pull/103) Handle also CURLOPT_SSL_VERIFYHOST for strictSsl mode ## 0.2.11 - - FIX [I #99](https://github.com/nategood/httpful/pull/99) Prevent hanging on HEAD requests +- FIX [I #99](https://github.com/nategood/httpful/pull/99) Prevent hanging on HEAD requests ## 0.2.10 - - FIX [I #93](https://github.com/nategood/httpful/pull/86) Fixes edge case where content-length would be set incorrectly +- FIX [I #93](https://github.com/nategood/httpful/pull/86) Fixes edge case where content-length would be set incorrectly ## 0.2.9 - - FEATURE [I #89](https://github.com/nategood/httpful/pull/89) multipart/form-data support (a.k.a. file uploads)! Thanks @dtelaroli! +- FEATURE [I #89](https://github.com/nategood/httpful/pull/89) multipart/form-data support (a.k.a. file uploads)! Thanks @dtelaroli! ## 0.2.8 - - FIX Notice fix for Pull Request 86 +- FIX Notice fix for Pull Request 86 ## 0.2.7 - - FIX [I #86](https://github.com/nategood/httpful/pull/86) Remove Connection Established header when using a proxy +- FIX [I #86](https://github.com/nategood/httpful/pull/86) Remove Connection Established header when using a proxy ## 0.2.6 - - FIX [I #85](https://github.com/nategood/httpful/issues/85) Empty Content Length issue resolved +- FIX [I #85](https://github.com/nategood/httpful/issues/85) Empty Content Length issue resolved ## 0.2.5 - - FEATURE [I #80](https://github.com/nategood/httpful/issues/80) [I #81](https://github.com/nategood/httpful/issues/81) Proxy support added with `useProxy` method. +- FEATURE [I #80](https://github.com/nategood/httpful/issues/80) [I #81](https://github.com/nategood/httpful/issues/81) Proxy support added with `useProxy` method. ## 0.2.4 - - FEATURE [I #77](https://github.com/nategood/httpful/issues/77) Convenience method for setting a timeout (seconds) `$req->timeoutIn(10);` - - FIX [I #75](https://github.com/nategood/httpful/issues/75) [I #78](https://github.com/nategood/httpful/issues/78) Bug with checking if digest auth is being used. +- FEATURE [I #77](https://github.com/nategood/httpful/issues/77) Convenience method for setting a timeout (seconds) `$req->timeoutIn(10);` +- FIX [I #75](https://github.com/nategood/httpful/issues/75) [I #78](https://github.com/nategood/httpful/issues/78) Bug with checking if digest auth is being used. ## 0.2.3 - - FIX Overriding default Mime Handlers - - FIX [PR #73](https://github.com/nategood/httpful/pull/73) Parsing http status codes +- FIX Overriding default Mime Handlers +- FIX [PR #73](https://github.com/nategood/httpful/pull/73) Parsing http status codes ## 0.2.2 - - FEATURE Add support for parsing JSON responses as associative arrays instead of objects - - FEATURE Better support for setting constructor arguments on Mime Handlers +- FEATURE Add support for parsing JSON responses as associative arrays instead of objects +- FEATURE Better support for setting constructor arguments on Mime Handlers ## 0.2.1 - - FEATURE [PR #72](https://github.com/nategood/httpful/pull/72) Allow support for custom Accept header +- FEATURE [PR #72](https://github.com/nategood/httpful/pull/72) Allow support for custom Accept header ## 0.2.0 - - REFACTOR [PR #49](https://github.com/nategood/httpful/pull/49) Broke headers out into their own class - - REFACTOR [PR #54](https://github.com/nategood/httpful/pull/54) Added more specific Exceptions - - FIX [PR #58](https://github.com/nategood/httpful/pull/58) Fixes throwing an error on an empty xml response - - FEATURE [PR #57](https://github.com/nategood/httpful/pull/57) Adds support for digest authentication +- REFACTOR [PR #49](https://github.com/nategood/httpful/pull/49) Broke headers out into their own class +- REFACTOR [PR #54](https://github.com/nategood/httpful/pull/54) Added more specific Exceptions +- FIX [PR #58](https://github.com/nategood/httpful/pull/58) Fixes throwing an error on an empty xml response +- FEATURE [PR #57](https://github.com/nategood/httpful/pull/57) Adds support for digest authentication ## 0.1.6 - - Ability to set the number of max redirects via overloading `followRedirects(int max_redirects)` - - Standards Compliant fix to `Accepts` header - - Bug fix for bootstrap process when installed via Composer +- Ability to set the number of max redirects via overloading `followRedirects(int max_redirects)` +- Standards Compliant fix to `Accepts` header +- Bug fix for bootstrap process when installed via Composer ## 0.1.5 - - Use `DIRECTORY_SEPARATOR` constant [PR #33](https://github.com/nategood/httpful/pull/32) - - [PR #35](https://github.com/nategood/httpful/pull/35) - - Added the raw\_headers property reference to response. - - Compose request header and added raw\_header to Request object. - - Fixed response has errors and added more comments for clarity. - - Fixed header parsing to allow the minimum (status line only) and also cater for the actual CRLF ended headers as per RFC2616. - - Added the perfect test Accept: header for all Acceptable scenarios see @b78e9e82cd9614fbe137c01bde9439c4e16ca323 for details. - - Added default User-Agent header - - `User-Agent: Httpful/0.1.5` + curl version + server software + PHP version - - To bypass this "default" operation simply add a User-Agent to the request headers even a blank User-Agent is sufficient and more than simple enough to produce me thinks. - - Completed test units for additions. - - Added phpunit coverage reporting and helped phpunit auto locate the tests a bit easier. +- Use `DIRECTORY_SEPARATOR` constant [PR #33](https://github.com/nategood/httpful/pull/32) +- [PR #35](https://github.com/nategood/httpful/pull/35) +- Added the raw_headers property reference to response. +- Compose request header and added raw_header to Request object. +- Fixed response has errors and added more comments for clarity. +- Fixed header parsing to allow the minimum (status line only) and also cater for the actual CRLF ended headers as per RFC2616. +- Added the perfect test Accept: header for all Acceptable scenarios see @b78e9e82cd9614fbe137c01bde9439c4e16ca323 for details. +- Added default User-Agent header +- `User-Agent: Httpful/0.1.5` + curl version + server software + PHP version +- To bypass this "default" operation simply add a User-Agent to the request headers even a blank User-Agent is sufficient and more than simple enough to produce me thinks. +- Completed test units for additions. +- Added phpunit coverage reporting and helped phpunit auto locate the tests a bit easier. ## 0.1.4 - - Add support for CSV Handling [PR #32](https://github.com/nategood/httpful/pull/32) +- Add support for CSV Handling [PR #32](https://github.com/nategood/httpful/pull/32) ## 0.1.3 - - Handle empty responses in JsonParser and XmlParser +- Handle empty responses in JsonParser and XmlParser ## 0.1.2 - - Added support for setting XMLHandler configuration options - - Added examples for overriding XmlHandler and registering a custom parser - - Removed the httpful.php download (deprecated in favor of httpful.phar) +- Added support for setting XMLHandler configuration options +- Added examples for overriding XmlHandler and registering a custom parser +- Removed the httpful.php download (deprecated in favor of httpful.phar) ## 0.1.1 - - Bug fix serialization default case and phpunit tests +- Bug fix serialization default case and phpunit tests ## 0.1.0 - - Added Support for Registering Mime Handlers - - Created AbstractMimeHandler type that all Mime Handlers must extend - - Pulled out the parsing/serializing logic from the Request/Response classes into their own MimeHandler classes - - Added ability to register new mime handlers for mime types - +- Added Support for Registering Mime Handlers +- Created AbstractMimeHandler type that all Mime Handlers must extend +- Pulled out the parsing/serializing logic from the Request/Response classes into their own MimeHandler classes +- Added ability to register new mime handlers for mime types diff --git a/src/Httpful/Httpful.php b/src/Httpful/Httpful.php index 98d49b7..74468f7 100644 --- a/src/Httpful/Httpful.php +++ b/src/Httpful/Httpful.php @@ -3,7 +3,7 @@ namespace Httpful; class Httpful { - public const VERSION = '0.3.0'; + public const VERSION = '1.0.0'; private static $mimeRegistrar = []; private static $default = null; diff --git a/src/Httpful/Request.php b/src/Httpful/Request.php index e7b91c8..39c3882 100644 --- a/src/Httpful/Request.php +++ b/src/Httpful/Request.php @@ -16,7 +16,7 @@ * and "chainabilty" of the library. * * @author Nate Good - * + * * @method self sendsJson() * @method self sendsXml() * @method self sendsForm() @@ -56,7 +56,7 @@ class Request $method = Http::GET, $headers = [], $raw_headers = '', - $strict_ssl = false, + $strict_ssl = true, $content_type, $expected_type, $additional_curl_opts = [], @@ -520,7 +520,7 @@ public function useSocks5Proxy($proxy_host, $proxy_port = 80, $auth_type = null, public function hasProxy(): bool { /* We must be aware that proxy variables could come from environment also. - In curl extension, http proxy can be specified not only via CURLOPT_PROXY option, + In curl extension, http proxy can be specified not only via CURLOPT_PROXY option, but also by environment variable called http_proxy. */ return isset($this->additional_curl_opts[CURLOPT_PROXY]) && is_string($this->additional_curl_opts[CURLOPT_PROXY]) || @@ -1087,7 +1087,7 @@ public function buildResponse($result) { $body = array_pop($response); $headers = array_pop($response); - + return new Response($body, $headers, $this, $info); }