Guzzle is a widely used open-source PHP HTTP client that allows developers to send HTTP requests and manage responses. It was recently discovered that certain versions of Guzzle are affected by a security vulnerability (CVE-2022-31043), which involves the forwarding of sensitive Authorization header information during HTTP redirects.

Details

The vulnerability is present in Guzzle versions prior to 7.4.4 when redirecting from an https to an http URL. In such cases, Guzzle should not forward the Authorization header, as this can lead to sensitive information leakage. However, the affected versions do not remove the header during https to http redirects, making it possible for an attacker to obtain sensitive data. Users are advised to upgrade to Guzzle 7.4.4 immediately to mitigate the risk.

Here's an example of how Guzzle's default behavior might expose an Authorization header:

// $accessToken holds the caller's bearer token (obtained elsewhere in the application)
$client = new GuzzleHttp\Client(['base_uri' => 'https://example.com']);
$headers = ['Authorization' => 'Bearer ' . $accessToken];
$response = $client->get('/redirect', ['headers' => $headers]);

In this code snippet, if https://example.com/redirect answers with a redirect to an http:// URL, affected versions forward the Authorization header on the follow-up request, so the bearer token travels over plaintext and leaks to anyone able to observe the connection.
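As an added example (not part of the advisory), the following script uses Guzzle's MockHandler and history middleware to check offline whether the installed Guzzle version forwards the Authorization header across an https to http redirect; the function name, the mocked responses and the token value are constructed for this check.

```php
<?php
// Added check, not from the advisory: does the installed Guzzle forward
// Authorization when an https:// URL redirects to an http:// URL?
// MockHandler supplies canned responses, so no network access is needed.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Middleware;
use GuzzleHttp\Psr7\Response;

function authorizationLeaksOnDowngrade(): bool
{
    // Constructed responses: a 302 pointing from https to plain http,
    // followed by the 200 the redirect target would return.
    $mock = new MockHandler([
        new Response(302, ['Location' => 'http://example.com/after']),
        new Response(200, [], 'ok'),
    ]);

    // The history middleware records every request Guzzle actually issues,
    // including the one generated internally to follow the redirect.
    $history = [];
    $stack = HandlerStack::create($mock);
    $stack->push(Middleware::history($history));

    $client = new Client(['handler' => $stack]);
    $client->get('https://example.com/redirect', [
        'headers' => ['Authorization' => 'Bearer constructed-test-token'],
    ]);

    // $history[0] is the original request, $history[1] the redirected one.
    $followUp = $history[1]['request'];

    return $followUp->getUri()->getScheme() === 'http'
        && $followUp->hasHeader('Authorization');
}

echo authorizationLeaksOnDowngrade()
    ? "VULNERABLE: Authorization was forwarded to an http:// URL\n"
    : "OK: Authorization was dropped on the https -> http redirect\n";
```

Run it against the Guzzle version in your vendor directory; a patched release (7.4.4 or 6.5.7) prints the OK line.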

Original references

- Guzzle GitHub repository
- Guzzle Security Advisory

Solution

Affected users should upgrade to Guzzle 7.4.4 as soon as possible. Users who are on an earlier Guzzle series can upgrade to either Guzzle 6.5.7 or 7.4.4. In case upgrading is not an option, users can implement an alternative solution, like using their own redirect middleware or disabling redirects entirely.

Using your own redirect middleware

use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Middleware;
use Psr\Http\Message\RequestInterface;

// Middleware pushed after HandlerStack::create() runs inside Guzzle's
// redirect middleware, so it also sees every request Guzzle issues to
// follow a redirect. Stripping the Authorization header from any request
// that would leave over plain http covers the https -> http downgrade
// case without relying on the fixed RedirectMiddleware.
$stripAuthorizationOnPlainHttp = Middleware::mapRequest(
    function (RequestInterface $request): RequestInterface {
        if ($request->getUri()->getScheme() === 'http'
            && $request->hasHeader('Authorization')) {
            return $request->withoutHeader('Authorization');
        }
        return $request;
    }
);

$handlerStack = HandlerStack::create();
$handlerStack->push($stripAuthorizationOnPlainHttp, 'strip_authorization_on_plain_http');

$client = new Client(['handler' => $handlerStack]);

If your application does not expect or require redirects, you may disable them as follows:

$client = new GuzzleHttp\Client(['allow_redirects' => false]);

Conclusion

The security issue with the Guzzle PHP HTTP client's forwarding of the Authorization header during https to http redirects can expose sensitive information. To protect against this vulnerability, users are strongly advised to update to Guzzle 7.4.4 or 6.5.7, or to implement an alternative solution if upgrading is not an option.

Timeline

Published on: 06/10/2022 00:15:00 UTC
Last modified on: 06/17/2022 15:22:00 UTC