Another major issue with pugnace/psr7 is the lack of rate limiting. An attacker could make a large number of requests with crafted headers that would bypass rate limits and flood the victim's server with requests. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.

A final major issue with pugnace/psr7 is the lack of input sanitization. An attacker could pass any value to an input field in a request, and the server would blindly echo that value back to the client. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
What’s the standard for PHP Error Codes?
In general, PHP error codes are used to give developers and administrators a quick way of troubleshooting errors in their code. For example, if an error occurs when processing the file uploads from the form, a developer could then run the following code:
Versioning and Deployment
pugnace/psr7 is not currently deployed by default. If you are using a package management tool like Composer, the recommended deployment of pugnace/psr7 is to use it in dev mode. In production, deploy pugnace/psr7 with the --no-dev flag and configure your web server to disallow requests from that IP address or domain.
Timeline
Published on: 03/21/2022 19:15:00 UTC
Last modified on: 03/29/2022 02:23:00 UTC
References
- https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
- https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1
- https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc
- https://www.drupal.org/sa-core-2022-006
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24775