laminas / laminas-feed

Consume and generate Atom and RSS feeds, and interact with Pubsubhubbub.
https://docs.laminas.dev/laminas-feed/
BSD 3-Clause "New" or "Revised" License
147 stars 26 forks source link

Laminas-http mishandles multiple headers causing failure #43

Open crscheid opened 3 years ago

crscheid commented 3 years ago

Bug Report

Q A
Version(s) 2.15.0

Summary

Header handling in the dependency for laminas/laminas-http has an error when it receives a header that it treats as a single string first followed by an array type header with the same data. Because the header has already been set like a string, the call to set it as an array fails.

I am fully aware that laminas/laminas-http is in security only support now which is why I'm posting the bug report to laminas-feed where the issue is manifesting. Laminas-Feed should be updated to use PSR-7 or the bug should be fixed.

Current behavior

When sending a request to an RSS feed that delivers the header twice, first as a string, then as an array, Laminas reports

PHP Error: [] operator not supported for strings in /var/www/vendor/laminas/laminas-http/src/Headers.php on line 454

How to reproduce

This occurs specifically when utilizing Google's news search to RSS feed approach. It returns two sets of Content-Security-Policy headers.

When set in the order of

require-trusted-types-for 'script';report-uri /_/DotsSplashUi/cspreport

followed by

script-src 'report-sample' 'nonce-e2kBBs8/LEHElepgO1hnkA' 'unsafe-inline'; object-src 'none'; base-uri 'self'; report-uri /_/DotsSplashUi/cspreport; worker-src 'self';

Laminas-http fails.

However, it does so inconsisently because the responding server does not always send the headers back in the same order. If the headers are sent back in the reverse order, the process succeeds, but actually overwrites the array header with the string header.

To reproduce, run this multiple times.

$url = 'https://news.google.com/rss/search?q=%22ecommerce%22+when%3A7d&hl=en-US&gl=US&ceid=US%3Aen';
$feed_result = \Laminas\Feed\Reader\Reader::import($feed_url);

Expected behavior

We should expect the headers to be assembled even if an array type is passed to the client after a string type.

froschdesign commented 3 years ago

@crscheid

Laminas-Feed should be updated to use PSR-7…

You can already use a PSR-7 client. Example:

Laminas\Feed\Reader\Reader::setHttpClient(
    new class implements Laminas\Feed\Reader\Http\ClientInterface {
        public function get($uri)
        {
            return new Laminas\Feed\Reader\Http\Psr7ResponseDecorator(
                (new GuzzleHttp\Client())->request('GET', $uri)
            );
        }
    }
);

$url  = 'https://news.google.com/rss/search?q=%22ecommerce%22+when%3A7d&hl=en-US&gl=US&ceid=US%3Aen';
$feed = Laminas\Feed\Reader\Reader::import($url);

echo $feed->getDescription(); // Google News

https://docs.laminas.dev/laminas-feed/psr7-clients/

When sending a request to an RSS feed that delivers the header twice, first as a string, then as an array, Laminas reports

PHP Error: [] operator not supported for strings in /var/www/vendor/laminas/laminas-http/src/Headers.php on line 454

Can you create a test and send it as a pull request? It seems that not all PHP versions are affected. Thanks in advance! 👍

crscheid commented 3 years ago

@froschdesign: Thanks for the feedback, I will check using PSR-7 ... more than happy to move beyond the deprecated dependency. Once I do so, let me see if this occurs further. If not, I will close this issue. Thank you.