Closed spaze closed 2 years ago
@katmsft @XiaoningLiu this is a pretty big blocker, any chance it could be looked at?
If anyone wants/needs to update their guzzlehttp/psr7 to fix the reported vulnerability, here's how you can do it immediately without waiting for a new Azure SDK release (which experience from previous releases tells me will not happen any time soon).

Get the patch from the PR with:

```sh
wget https://github.com/Azure/azure-storage-php/pull/328.diff
```

Add this to your composer.json:

```json
"extra": {
    "patches-file": "patches/composer.patches.json"
},
```

Add the composer.patches.json file:

```json
{
    "patches": {
        "microsoft/azure-storage-table": {
            "No EOLs in Content-Type headers": "patches/azure-328-no-eol-in-headers.diff"
        }
    }
}
```

And finally, install and use the cweagans/composer-patches Composer plugin to patch the file locally. Run `composer update microsoft/azure-storage-table` after installing the plugin.

Once, and if, the maintainers release the new version, you can simply remove the plugin and the composer.patches.json file (and PATCHES.txt from the vendor/microsoft/azure-storage-table dir).
Which service (blob, file, queue, table) does this issue concern?
Table
Which version of the SDK was used?
1.1.5
What's the PHP/OS version?
PHP 8+/Ubuntu
What problem was encountered?
After upgrading guzzlehttp/psr7 to 2.1.1+, batch requests fail.
Steps to reproduce the issue?
InvalidArgumentException is thrown with
This is because guzzlehttp/psr7 has fixed a security vulnerability (CVE-2022-24775) and the fix broke MimeReaderWriter::encodeMimeMultipart(): https://github.com/Azure/azure-storage-php/blob/0539ffb080779b29bc08c23caf24a19b77ad5e94/azure-storage-table/src/Table/Internal/MimeReaderWriter.php#L76
encodeMimeMultipart() is used in \MicrosoftAzure\Storage\Table\TableRestProxy::createBatchRequestBody, which in turn is used in \MicrosoftAzure\Storage\Table\TableRestProxy::batchAsync.
This is the guzzlehttp/psr7 fix: https://github.com/guzzle/psr7/pull/485 (relevant lines); it disallows newlines in header values. Please note the regex was updated in https://github.com/guzzle/psr7/pull/492, but that wasn't relevant to the reported issue.
Have you found a mitigation/solution?
Yes, #328, but you know me already 😅
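As an added illustration (this is not code from the SDK, from the issue or from #328), the following PHP script reproduces the behaviour the report describes: a header value that ends in CR/LF was accepted by guzzlehttp/psr7 before 2.1.1 and is rejected with `InvalidArgumentException` from 2.1.1 on, because the validator only trims spaces and tabs and then refuses any control character in the value. The shape of the Content-Type value (boundary followed by a trailing EOL) is an assumption modelled on the title of #328, "No EOLs in Content-Type headers", not a copy of `MimeReaderWriter::encodeMimeMultipart()`; the hostname, batch id and request body are made up. Run it with `composer require guzzlehttp/psr7:^2.1` in an empty directory.

```php
<?php
// Added example; not part of azure-storage-php. Shows why a Content-Type value
// carrying a trailing CR/LF is rejected by guzzlehttp/psr7 >= 2.1.1 and how a
// value without CR/LF passes. Requires guzzlehttp/psr7 ^2.1 via Composer.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Psr7\Request;

const EOL = "\r\n";

// Assumed shape of the pre-#328 header: the multipart Content-Type value ends
// with an EOL. Older psr7 (< 2.1.1) let this through; the batch code relied on it.
function batchContentTypeWithEol(string $batchId): string
{
    return 'multipart/mixed; boundary="' . $batchId . '"' . EOL;
}

// Hardened variant: the header value is built without CR/LF, and any CR/LF
// that could reach it (e.g. via the boundary) is stripped before the PSR-7
// layer sees it, so no header-injection vector is reintroduced.
function batchContentType(string $batchId): string
{
    $value = 'multipart/mixed; boundary="' . $batchId . '"';
    return preg_replace('/[\r\n]+/', '', $value);
}

// Builds the batch request the way a PSR-7 client would and reports whether
// psr7 accepted the header. Hostname and body are constructed for the demo.
function tryBuildRequest(string $contentType): string
{
    try {
        $request = new Request(
            'POST',
            'https://example.table.core.windows.net/$batch', // single quotes: no PHP interpolation
            ['Content-Type' => $contentType],
            '--batch_demo' . EOL . 'Content-Type: application/http' . EOL . EOL . '--batch_demo--' . EOL
        );
        return 'OK: ' . $request->getHeaderLine('Content-Type');
    } catch (\InvalidArgumentException $e) {
        // psr7 >= 2.1.1: '"..." is not valid header value'
        return 'REJECTED: ' . $e->getMessage();
    }
}

$batchId = 'batch_' . bin2hex(random_bytes(8)); // stands in for the SDK's GUID

echo tryBuildRequest(batchContentTypeWithEol($batchId)), PHP_EOL; // rejected on psr7 >= 2.1.1
echo tryBuildRequest(batchContentType($batchId)), PHP_EOL;        // accepted on every psr7 2.x
```

The first call is the one the issue reports; pinning psr7 below 2.1.1 would make it pass again, but only by keeping the CVE-2022-24775 behaviour, which is why the right fix is on the SDK side (removing the EOL from the value) rather than on the psr7 side.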