Error since 2.2.1 with multiple Vary headers Google API #494

Closed
pimjansen opened this issue Mar 22, 2022 · 8 comments

pimjansen commented Mar 22, 2022

PHP version: 8.1.4

Description

Since the update of 2.2.1 I noticed that my calls to the Google API are failing. To be more precise, https://gmail.googleapis.com/batch. In the header there are multiple Vary headers available:

Vary: Origin
Vary: X-Origin
Vary: Referer

From Guzzle's point of view they are grouped as a header:

Array
(
    [Content-Type] => Array
        (
            [0] => multipart/mixed; boundary=batch_f3PDDHHnndFr-No5pVc9MW25FTec2yCf
        )

    [Vary] => Array
        (
            [0] => X-Origin
            [1] => Referer
            [2] => Origin,Accept-Encoding
        )

    [Date] => Array
        (
            [0] => Tue, 22 Mar 2022 16:35:33 GMT
        )

    [Server] => Array
        (
            [0] => ESF
        )

    [Cache-Control] => Array
        (
            [0] => private
        )

    [X-XSS-Protection] => Array
        (
            [0] => 0
        )

    [X-Frame-Options] => Array
        (
            [0] => SAMEORIGIN
        )

    [X-Content-Type-Options] => Array
        (
            [0] => nosniff
        )

    [Alt-Svc] => Array
        (
            [0] => h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
        )

    [Accept-Ranges] => Array
        (
            [0] => none
        )

    [Transfer-Encoding] => Array
        (
            [0] => chunked
        )

)

The new validation however groups this as 1 header and throws an error.

InvalidArgumentException: \u0022Origin\nX-Origin\nReferer\u0022 is not valid header value

How to reproduce

Hard to say, I guess, but make a call to the Google API with this and ensure multiple of the same header keys are available. I am also still diving into the issue to see if I notice anything odd, though.

Trace

InvalidArgumentException: \"Origin\nX-Origin\nReferer\" is not valid header value in /app/vendor/guzzlehttp/psr7/src/MessageTrait.php:263

Stack trace:\n
#0 /app/vendor/guzzlehttp/psr7/src/MessageTrait.php(209): GuzzleHttp\\Psr7\\Response->assertValue()\n
#1 [internal function]: GuzzleHttp\\Psr7\\Response->GuzzleHttp\\Psr7\\{closure}()\n
#2 /app/vendor/guzzlehttp/psr7/src/MessageTrait.php(212): array_map()\n
#3 /app/vendor/guzzlehttp/psr7/src/MessageTrait.php(174): GuzzleHttp\\Psr7\\Response->trimAndValidateHeaderValues()\n
#4 /app/vendor/guzzlehttp/psr7/src/MessageTrait.php(154): GuzzleHttp\\Psr7\\Response->normalizeHeaderValue()\n
#5 /app/vendor/guzzlehttp/psr7/src/Response.php(109): GuzzleHttp\\Psr7\\Response->setHeaders()\n
#6 /app/vendor/google/apiclient/src/Http/Batch.php(177): GuzzleHttp\\Psr7\\Response->__construct()\n
#7 /app/vendor/google/apiclient/src/Http/Batch.php(141): Google\\Http\\Batch->parseResponse()\n
#8 /app/module/SenetGoogle/src/Service/Gmail/MessageRequestService.php(158): Google\\Http\\Batch->execute()\n

wlodekj commented Mar 22, 2022

Hey,

The same happens when making a call to the Azure OAuth service (server also running on PHP 8.1); we get an error:

"2.1.12559.10 - SCUS ProdSlices" is not valid header value

Looks like the validation is too strict.

@TimWolla

Can you provide a stack trace, please?

@pimjansen (Author)

> Can you provide a stack trace, please?

@TimWolla added it in the start post. As far as I can see it goes "wrong" in asserting the response.

@TimWolla

This is a bug in google/apiclient. The header value they provide actually is invalid, because it contains newlines:

https://github.com/googleapis/google-api-php-client/blob/c0ae314e055219978e6cd419087523fefc5c759f/src/Http/Batch.php#L210

The standards-compliant way to provide the values is either:

  1. By passing an array with each header (recommended), or
  2. By concatenating all values, separated with a comma (not recommended, as this will break set-cookie).


wlodekj commented Mar 23, 2022

Hi @TimWolla,

Looks like that change in 2.2.1:

if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {
    throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
}

Solved my problem.

Thanks!
Jakub

@TimWolla

> Looks like that change in 2.2.1:

@wlodekj That's what I suspected seeing your example header. See my comment over here for details: #489 (comment)

@GrahamCampbell (Member)

Closing since this new behaviour is an important security fix. Do not try to bypass this, and do send multiple headers with the same key to us as an array. Google need to fix their API client to do that.
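
Added example, not part of the thread and not code from guzzlehttp/psr7 or google/apiclient: a stand-alone PHP sketch of why the array form passes the check quoted above while the newline-joined form is rejected. The function names `assertHeaderValues` and `parseHeaderBlock` and the sample header block are assumptions made for illustration; only the pattern is taken from the thread.

```php
<?php
declare(strict_types=1);

// Pattern quoted in the thread from the 2.2.1 change. The character class
// allows SP, HTAB, visible ASCII and bytes 0x80-0xFF; it excludes CR and LF,
// so a value with embedded line breaks fails the match.
const HEADER_VALUE_PATTERN = '/^[\x20\x09\x21-\x7E\x80-\xFF]*$/';

/** Hypothetical helper: validate every value of one header field. */
function assertHeaderValues(string $name, array $values): void
{
    foreach ($values as $value) {
        if (!preg_match(HEADER_VALUE_PATTERN, $value)) {
            throw new InvalidArgumentException(
                sprintf('%s: %s is not valid header value', $name, json_encode($value))
            );
        }
    }
}

/**
 * Hypothetical parser for a raw header block. Repeated field names are
 * collected into an array, one entry per line, instead of being joined
 * with "\n" into a single string.
 */
function parseHeaderBlock(string $raw): array
{
    $headers = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        if (!str_contains($line, ':')) {
            continue; // not a "Name: value" line
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[trim($name)][] = trim($value, " \t");
    }
    return $headers;
}

// Constructed sample mirroring the three Vary lines from the report.
$raw = "Content-Type: application/json\r\nVary: Origin\r\nVary: X-Origin\r\nVary: Referer\r\n";

$parsed = parseHeaderBlock($raw);
assertHeaderValues('Vary', $parsed['Vary']); // one array entry per header line
echo 'array form accepted: ', implode(' | ', $parsed['Vary']), PHP_EOL;

try {
    // The shape from the stack trace: all values joined with "\n" into one string.
    assertHeaderValues('Vary', [implode("\n", $parsed['Vary'])]);
} catch (InvalidArgumentException $e) {
    echo 'joined form rejected: ', $e->getMessage(), PHP_EOL;
}
```

Rejecting line breaks inside a value matters because a header value that carries CR or LF can be written to the wire as additional header lines; passing each value as its own array entry keeps the field boundaries under the library's control.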
