[pkg-php-pear] Bug#786778: zendframework: HTTP Client component doesn't work after security upgrade

Marc Falzon debian at happn.fr
Mon May 25 13:52:42 UTC 2015


Package: zendframework
Version: 1.12.9+dfsg-2+deb8u2
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

After upgrading to version 1.12.9+dfsg-2+deb8u2 following security issue
in CVE-2015-3154 (https://security-tracker.debian.org/tracker/CVE-2015-3154),
the HTTP Client component of the framework throws exceptions after
executing a request. These crashes didn't occur before the security
upgrade.

Code snippet to reproduce the issue:

<?php

// test.php: minimal reproducer. Assumes the framework's library/
// directory is on include_path (the trace below shows a checkout
// under /debian/zend/library).
require_once 'Zend/Http/Client.php';

$httpClient = new \Zend_Http_Client();
$httpClient->setUri('https://www.debian.org/Bugs/');
// A POST with no body makes _prepareBody() set Content-Length to the
// integer 0, which is the value the new header validation rejects.
$response = $httpClient->request('POST');
var_dump($response);

Results in:

Fatal error: Uncaught exception 'Zend_Http_Exception' with message
'Invalid header value detected' in
/debian/zend/library/Zend/Http/Client.php:1597
Stack trace:
#0 /debian/zend/library/Zend/Http/Client.php(467):
Zend_Http_Client->_validateHeaderValue(0)
#1 /debian/zend/library/Zend/Http/Client.php(1358):
Zend_Http_Client->setHeaders('Content-Length', 0)
#2 /debian/zend/library/Zend/Http/Client.php(1061):
Zend_Http_Client->_prepareBody()
#3 /debian/test.php(15): Zend_Http_Client->request('POST')
#4 {main}
  thrown in /debian/zend/library/Zend/Http/Client.php on line 1597


In the "_prepareBody" or "setRawData" method in Zend/Http/Client.php,
there are calls to "$this->setHeaders(self::CONTENT_LENGTH, strlen($this->raw_post_data))";
the length value is numeric, but the "_validateHeaderValue" method that you added in the
patch doesn't accept a numeric value as its argument.
This throws the Zend_Http_Exception('Invalid header value detected');
maybe you can cast the value before calling _validateHeaderValue.

Best regards,

m.

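The failure mode described in this report, shown as an added example (not Zend Framework's code and not the reporter's): a stand-in header-value check in the strict form the reporter observed, which only admits strings and so rejects the integer that strlen() produces for Content-Length, next to a corrected form that casts ints and floats to string first. Both variants keep the CR/LF check that a fix for header injection (the subject of CVE-2015-3154) must retain, because a Content-Length that is a string rather than an int is still just as subject to newline smuggling. The function names, the exception class, the regular expression and the sample values are assumptions made for illustration, and the code is written to run on PHP 5.x as well as PHP 7.

```php
<?php
// Added example, not Zend Framework code. validateHeaderValueStrict()
// mirrors the behaviour the report describes (only strings pass, so the
// int from strlen() is refused); validateHeaderValue() casts numerics
// first. Names and the regex are assumptions for illustration.

class HeaderValueException extends RuntimeException {}

// True if the value could smuggle a new header line or terminate the
// header block: a CR or LF followed by a non-space starts a new line,
// and a blank line ends the headers (allowing a second request/response).
function hasCrlfInjection($value)
{
    return (bool) preg_match(
        "/(?:(?:\r\n|\r|\n)\s*\S|\r\n\s*\r\n|\r\s*\r|\n\s*\n)/",
        $value
    );
}

// Strict variant: accepts only strings (or objects with __toString()).
// An int such as strlen('') === 0 is rejected before the CRLF check runs.
function validateHeaderValueStrict($value)
{
    if (!is_string($value)
        && (!is_object($value) || !method_exists($value, '__toString'))) {
        throw new HeaderValueException('Invalid header value detected');
    }
    $value = (string) $value;
    if (hasCrlfInjection($value)) {
        throw new HeaderValueException('Invalid header value detected');
    }
    return $value;
}

// Corrected variant: a Content-Length computed with strlen() is an int,
// so cast ints and floats to string before the type check. The CRLF
// check is unchanged, so the injection protection is not weakened.
function validateHeaderValue($value)
{
    if (is_int($value) || is_float($value)) {
        $value = (string) $value;
    }
    return validateHeaderValueStrict($value);
}

// Constructed sample values: the empty-POST case from the report, a
// non-zero body length, an ordinary string, and an injection attempt.
$cases = array(
    'int 0 (empty POST body)' => 0,
    'int strlen(body)'        => strlen('a=1&b=2'),
    'plain string'            => 'text/plain',
    'CRLF injection'          => "0\r\nSet-Cookie: session=attacker",
);

foreach ($cases as $label => $value) {
    foreach (array('validateHeaderValueStrict', 'validateHeaderValue') as $fn) {
        try {
            $result = $fn($value);
            printf("%-26s %-26s accepted: %s\n", $label, $fn, var_export($result, true));
        } catch (HeaderValueException $e) {
            printf("%-26s %-26s rejected: %s\n", $label, $fn, $e->getMessage());
        }
    }
}
```

Run with `php example.php`: the strict variant rejects both integer values and the corrected one accepts them as the strings '0' and '7', while the plain string passes both and the CR/LF value is refused by both. Casting at the validator rather than at every call site is the safer fix, since any other caller that passes a number (a Retry-After, a Max-Forwards) would otherwise hit the same exception.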

