zendframework / zend-http

Http component from Zend Framework
BSD 3-Clause "New" or "Revised" License

Undefined offset: 1 in Zend\Http\Header\ContentSecurityPolicy #201

Closed jryd closed 4 years ago

jryd commented 4 years ago

Provide a narrative description of what you are trying to accomplish.

We are using the Zend Feed Reader, which uses Zend HTTP under the hood. This morning we upgraded from 2.10.0 to 2.10.1 and found that we began getting 500 errors with the following trace:

ErrorException Undefined offset: 1 .../vendor/zendframework/zend-http/src/Header/ContentSecurityPolicy.php:115

Looking at the response we received back from the API we called, the Content-Security-Policy header is set to:

Content-Security-Policy: upgrade-insecure-requests

It would appear that in ContentSecurityPolicy.php we are trying to destructure index 1 from the directive name and value; however, the above example has no value.

Code to reproduce the issue

This is highly dependent on the feed host supplying the above CSP header. But we are doing this:

...
use Zend\Feed\Reader\Reader;
...
Reader::import($uri);

Where $uri is the host that returns the aforementioned header.

Expected results

I would expect the request to still be successful and for the headers to be parsed correctly.

Actual results

We got a 500 error with the following trace:

ErrorException Undefined offset: 1 
    /var/task/vendor/zendframework/zend-http/src/Header/ContentSecurityPolicy.php:115 Illuminate\Foundation\Bootstrap\HandleExceptions::handleError
    /var/task/vendor/zendframework/zend-http/src/Header/ContentSecurityPolicy.php:115 Zend\Http\Header\ContentSecurityPolicy::fromString
    /var/task/vendor/zendframework/zend-http/src/Headers.php:471 Zend\Http\Headers::lazyLoadHeader
    /var/task/vendor/zendframework/zend-http/src/Headers.php:425 Zend\Http\Headers::toArray
    /var/task/vendor/zendframework/zend-feed/src/Reader/Http/ZendHttpClientDecorator.php:113 Zend\Feed\Reader\Http\ZendHttpClientDecorator::prepareResponseHeaders
    /var/task/vendor/zendframework/zend-feed/src/Reader/Http/ZendHttpClientDecorator.php:56 Zend\Feed\Reader\Http\ZendHttpClientDecorator::get
    /var/task/vendor/zendframework/zend-feed/src/Reader/Reader.php:260 Zend\Feed\Reader\Reader::import

These were all the headers in the response:

Date: Tue, 03 Dec 2019 00:19:56 GMT
Content-Type: text/xml;charset=utf-8
Transfer-Encoding: chunked
Connection: close
CF-Ray: 53f15f2c68a7e9b3-BNE
CF-Cache-Status: EXPIRED
Cache-Control: s-maxage=120,max-age=5
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=0
Vary: Accept-Encoding
Access-Control-Allow-Credentials: false
Content-Security-Policy: upgrade-insecure-requests
Edge-Cache-Tag: CG-3473494,P-3473494,PGS-ALL,SW-4,SD-44,B-5912369537
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
X-HS-Cache-Config: BrowserCache-5s-EdgeCache-120s
X-HS-Content-Group-Id: 5912369537
X-Powered-By: HubSpot
X-Trace: 2B0C868264222FA72179C499350F47CB6F0DF66429000000000000000000
Server: cloudflare

Our temporary solution has been to lock zend-http at version 2.10.0.
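For reference, here is a small standalone CSP parser that tolerates a value-less directive such as `upgrade-insecure-requests`. It is an added illustration written for this thread, not zend-http's own code; the function name `parseCsp` and the sample header values are constructed for the example.

```php
<?php
// Added example (not zend-http code): parse a Content-Security-Policy header
// value into [directive-name => [source, ...]]. A directive may carry no
// value at all, so index 1 of the split must not be read unconditionally,
// which is the "Undefined offset: 1" failure described in the report.
declare(strict_types=1);

function parseCsp(string $headerValue): array
{
    $policy = [];
    foreach (explode(';', $headerValue) as $rawDirective) {
        $rawDirective = trim($rawDirective);
        if ($rawDirective === '') {
            continue; // tolerate a trailing ";" or empty segments
        }
        // Split on the first run of whitespace; limit 2 keeps the value intact.
        $parts = preg_split('/\s+/', $rawDirective, 2);
        // Directive names are case-insensitive.
        $name = strtolower($parts[0]);
        // Value-less directive: default to an empty source list rather than
        // touching $parts[1] when it does not exist.
        $value = $parts[1] ?? '';
        $policy[$name] = $value === '' ? [] : preg_split('/\s+/', $value);
    }
    return $policy;
}

// Constructed sample header values covering the case from the report.
$samples = [
    'upgrade-insecure-requests',
    "default-src 'self'; script-src 'self' https://cdn.example; upgrade-insecure-requests;",
];
foreach ($samples as $sample) {
    var_export(parseCsp($sample));
    echo PHP_EOL;
}
```

The first sample yields a single `upgrade-insecure-requests` key with an empty source list instead of a notice, which is the behaviour the feed import needs in order to succeed.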

jryd commented 4 years ago

Looks like #200 has already been submitted to address this.

michalbundyra commented 4 years ago

@jryd Please update to 2.11.0 and let me know if the problem is now solved. Thanks!