Reject non-HTTP schemes in StreamHandler

Non-HTTP schemes are effectively not supported, because the HTTP response headers will only be filled for the `http` and `https` stream wrappers. Also Guzzle is an HTTP client after all. Reject non-HTTP schemes early on to improve error messages and to prevent possible exploits using odd stream wrappers in case an non-fully-trusted URL is passed to Guzzle.
guzzle · Feb 24, 2022 · d198940 · d198940
1 parent 5172455
commit d198940
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/src/Handler/StreamHandler.php b/src/Handler/StreamHandler.php
@@ -266,6 +266,10 @@ private function createStream(RequestInterface $request, array $options)
             $methods = \array_flip(\get_class_methods(__CLASS__));
         }
 
+        if (!\in_array($request->getUri()->getScheme(), ['http', 'https'])) {
+            throw new RequestException(\sprintf("The scheme '%s' is not supported.", $request->getUri()->getScheme()), $request);
+        }
+
         // HTTP/1.1 streams using the PHP stream wrapper require a
         // Connection: close header
         if ($request->getProtocolVersion() == '1.1'

diff --git a/tests/Handler/StreamHandlerTest.php b/tests/Handler/StreamHandlerTest.php
@@ -739,12 +739,12 @@ public function testHandlesInvalidStatusCodeGracefully()
         )->wait();
     }
 
-    public function testHandlesNonHttpSchemesGracefully()
+    public function testRejectsNonHttpSchemes()
     {
         $handler = new StreamHandler();
 
         $this->expectException(RequestException::class);
-        $this->expectExceptionMessage('An error was encountered while creating the response');
+        $this->expectExceptionMessage("The scheme 'file' is not supported.");
 
         $handler(
             new Request('GET', 'file:///etc/passwd'),