codeigniter4 / CodeIgniter4

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

Bug: CURLRequest::request() cannot set int type header value #6842

Closed gentsir closed 2 years ago

gentsir commented 2 years ago

PHP Version

7.3

CodeIgniter4 Version

4.1.1

CodeIgniter4 Installation Method

Manual (zip or tar.gz)

Which operating systems have you tested for this bug?

Windows, Linux

Which server did you use?

fpm-fcgi

Database

MySQL 5.6

What happened?

When I set some header options to call the CURLRequest::request method, I found that the int type value is filtered. The last version also has this issue.

Steps to Reproduce

The headers option:

$url = 'https://192.168.8.119/api/v1/tenants';

$headers = [
    "Accept" => "application/json",
    "Accept-Language" => "zh-Hans",
    "Authorization" => "Bearer 6k8KGSDIGEz8y8QEftRIcCzqmUcjgc1WM2QfBHAesx",
    "Operator" => "Panda",
    "Tenat-Id" => 10001012,
];

$options = [
    'verify' => false,
    'http_errors' => false,
    'headers' => $headers,
];
$response = single_service('curlrequest', $options)->post($url);

The debug output:

[DEBUG] [2022-11-12 16:48:12.323709] [server:192.168.8.119] [client:192.168.0.123] -> CodeIgniter\HTTP\CURLRequest::sendRequest -> { "-1": true, "10002": "http://127.0.0.1:8890/api/v1/tenants/", "10015": "receivers=tenant%40gmail.com", "10023": [ "Accept: application/json", "Accept-Language: zh-Hans", "Authorization: Bearer 6k8KGSDIGEz8y8QEftRIcCzqmUcjgc1WM2QfBHAesx", "Operator: Panda", "Tenat-Id: " ], "10036": "POST", "155": 5000, "156": 150000, "19913": true, "42": true, "45": false, "64": false, "74": true }

Expected Output

The second parameter $value can be set to int type in the CodeIgniter\HTTP\Header constructor.

Anything else?

No response

kenjis commented 2 years ago

Thank you for reporting.

> the second parameter $value can set to int type in the CodeIgniter\HTTP\Header constructor.

Why? HTTP header values are all strings.

kenjis commented 2 years ago

This is off topic, but v4.1.1 has serious security bugs. We recommend upgrading. See https://github.com/codeigniter4/CodeIgniter4/security/advisories

kenjis commented 2 years ago

@gentsir It seems your sample code does not work. Do you mean the headers element in the third parameter $options of CURLRequest::request()?

$client->request('get', '/', [
    'headers' => [
        'User-Agent' => 'testing/1.0',
        'Accept'     => 'application/json',
        'X-Foo'      => ['Bar', 'Baz'],
    ],
]);

https://codeigniter4.github.io/CodeIgniter4/libraries/curlrequest.html#headers

gentsir commented 2 years ago

@kenjis

Sorry, I have edited the sample code again.

I checked and found that the CodeIgniter\HTTP\Header::getValueLine method was causing the problem by converting the int header value to an empty string.

michalsn commented 2 years ago

Adding an additional is_numeric check to the above method should fix the issue, but the problem is more complicated.

In general, the Header class accepts only array|string|null: https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/HTTP/Header.php#L81

So the question is:

kenjis commented 2 years ago

The property $value in Header is array|string. Having int is a bug.

  1. cast to string
  2. throws an exception
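
The two options listed above, set beside the behaviour reported in this issue. This is an added example, not part of the thread and not CodeIgniter's code: `lenientValueLine()` and `strictValueLine()` are hypothetical stand-ins for `Header::getValueLine()`, written on the assumption that non-string, non-array values are turned into an empty string as the report describes, and the header values are the ones from the report.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the reported behaviour: a value that is neither
// a string nor an array is silently replaced by an empty string.
function lenientValueLine($value): string
{
    if (is_string($value)) {
        return $value;
    }
    if (! is_array($value)) {
        return ''; // an int such as 10001012 is lost here, with no error
    }
    return implode(', ', $value);
}

// Hypothetical stand-in combining both options from the thread:
// option 1 casts numeric scalars to string, option 2 throws on anything
// else, so a request never goes out with a silently emptied header.
function strictValueLine($value): string
{
    if ($value === null) {
        return '';
    }
    if (is_array($value)) {
        return implode(', ', array_map('strictValueLine', $value));
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    if (! is_string($value)) {
        throw new InvalidArgumentException(
            'Header value must be string, int, float, array or null, got ' . gettype($value)
        );
    }
    return $value;
}

// Header values taken from the report in this issue.
$headers = ['Operator' => 'Panda', 'Tenat-Id' => 10001012, 'X-Foo' => ['Bar', 'Baz']];
foreach ($headers as $name => $value) {
    printf("%-9s lenient=[%s] strict=[%s]\n", $name, lenientValueLine($value), strictValueLine($value));
}

try {
    strictValueLine(true); // constructed input: a type neither option should pass through
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```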