Currently there is a lack of HTTP header builder / parser in the PHP community ecosystem.

I suggest move Zend\Http\Header namespace to an standalone component for better reusability.

Actually zendframework/zend-http installs 6 packages, 4 direct dependencies + 2 indirect dependencies.

The proposed roadmap is move the subcomponent files to the new repository under the Composer's name of zendframework/zend-http-headers and make it a requirement of zendframework/zend-http

The following files are excluded from these movement and should be keep in this repo.

• HeaderLoader A Zend\Loader plugin loader of header files.
• Headers A headers collection which is not reusable for PSR-7 interfaces

BC Breaks: Generally speaking there is no BC Breaks but Header exceptions won't inherit from Zend\Header\Exception anymore

Originally posted by @Maks3w at https://github.com/zendframework/zend-http/issues/43

Bug Report

| Q | A |------------ | ------ | Version(s) | ^2.7

Summary

Laminas\Uri\Exception\InvalidUriPartException: Host "[IP ADDRESS]" is not valid or is not accepted by Laminas\Uri\Http

Current behavior

When certain requests are made a 500 server error is produced.

This appears to be happening on AWS servers hosting zend framework see:

https://magento.stackexchange.com/questions/299596/getting-error-php-fatal-error-uncaught-zend-uri-exception-invaliduripartexcept

https://serverfault.com/questions/996647/getting-error-php-fatal-error-uncaught-zend-uri-exception-invaliduripartexcept

We are also experiencing the error on our Zend Framework site when a set of requests are being sent from an AWS Security Scanner:

44.225.84.206 - - [10/Mar/2020:13:27:06 +0000] "GET http://[::ffff:a9fe:a9fe]/ HTTP/1.1" 500 - "-" "AWS Security Scanner"

The problem is with these lines of code starting on line 298 in /src/PhpEnvironment/Request.php

            // Check for missinterpreted IPv6-Address
            // Reported at least for Safari on Windows
            if (isset($this->serverParams['SERVER_ADDR']) && preg_match('/^\[[0-9a-fA-F\:]+\]$/', $host)) {
                $host = '[' . $this->serverParams['SERVER_ADDR'] . ']';
                if ($port . ']' == substr($host, strrpos($host, ':') + 1)) {
                    // The last digit of the IPv6-Address has been taken as port
                    // Unset the port so the default port can be used
                    $port = null;
                }
            }

How to reproduce

<?php

use PHPUnit\Framework\TestCase;
//use Zend\Http\PhpEnvironment\Request;
use \Laminas\Http\PhpEnvironment\Request;

class Test extends TestCase
{
    public function testInvalidHost()
    {
        $_SERVER = [
            'SCRIPT_NAME'           => '',
            'SERVER_ADDR'           => '10.0.33.135',
            'SERVER_NAME'           => '[::ffff:a9fe:a9fe]',
       ];
        $request = new Request();

    }

}

Expected behavior

The host should be null, 10.0.33.135, or [::ffff:a9fe:a9fe] not [10.0.33.135]

Zend\Http\Response::decodeChunkedBody fail with exception when curl adapter decode body itself , BUT it still has "Transfer-Encoding: encoded" header

$client = new \Zend\Http\Client();
$client->setOptions(array( 
   'sslverifypeer' => false,
   'adapter'         => 'Zend\Http\Client\Adapter\Curl',
));
$client->setUri('https://www.truesocialmetrics.com/');
$response = $client->send(); // Error parsing body - doesn't seem to be a chunked message

php: 5.5 , 5.6, 7

Originally posted by @necromant2005 at https://github.com/zendframework/zend-http/issues/19

Hi ZF team! Just a little thing:

How can I check if the request scheme is https? Regardless the getScheme() method, does the Request class has a method for that? I can get the scheme:

$request = $this->request->getUri();
return ($request->getScheme() === 'https');

So, where should I add this validation for make it available for all controllers? Anyways, would be great add this method on the Request object.

$this->request->isSecure() 
// or maybe
$this->request->isHttps()

Thanks! great project :1st_place_medal:

Originally posted by @diemax at https://github.com/zendframework/zend-http/issues/123

| Q | A |-------------- | ------ | Bugfix | yes | BC Break | no

Description

Some response coming from IIS are using gzuncompress instead of gzinflate.

Note: This fix was already fixed 10 years ago on ZF1 https://github.com/zendframework/zf1/commit/1e158aa35ff672564a74636c140ebc8309d6ed07 but this this was not ported in ZF2. See: https://framework.zend.com/issues/browse/ZF-12457.html

To reproduce:

use Laminas\Http\Client;
$client = new Client('https://www.vnews.com/With-Federal-Money-Running-Out-Lebanon-Starts-to-Pick-Up-Motel-Tabs-for-Homeless-48667855');
echo $client->send()->getBody();

Current result:

PHP Warning: gzuncompress(): data error in vendor/laminas/laminas-http/src/Response.php on line 653

BC Break Report

| Q | A |------------ | ------ | Version | 2.15.0

Summary

After upgrading from Verion 2.14.3 to Version 2.15.0 I could record that requests are sent with HTTP 1.0 instead of HTTP 1.1.

The default HTTP version is set to the const value of \Laminas\Http\Request::VERSION_11 wich is the string '1.1'. see \Laminas\Http\Client::$config

     'httpversion'     => Request::VERSION_11,

The Curl Adapter compares this string to the float value 1.1 in a typesafe way and will switch the HTTP version to 1.0. see \Laminas\Http\Client\Adapter\Curl line 445

$curlHttp = $httpVersion === 1.1 ? CURL_HTTP_VERSION_1_1 : CURL_HTTP_VERSION_1_0;

Previous behavior

Requests sended by default with HTTP version 1.1 with the Curl adapter

Current behavior

Requests sended by default with HTTP version 1.0 with the Curl adapter

How to reproduce

Some Code:

<?php

require_once 'vendor/autoload.php';

class CurlWrapper extends \Laminas\Http\Client\Adapter\Curl
{
    public function write($method, $uri, $httpVersion = 1.1, $headers = [], $body = '')
    {
        $result = parent::write($method, $uri, $httpVersion, $headers, $body);

        preg_match(
            '/^.*HTTP\/(.*)\s$/m',
            $result,
            $matches
        );

        // Should be by default 1.1
        $realHttpVersion = $matches[1];

        // $httpVersion is actually a mixed type
        if ($httpVersion == 1.1 && $realHttpVersion != $httpVersion) {
            throw new \LogicException('Unexpected HTTP version sent');
        }

        return $result;
    }

}

$clientDefault = new \Laminas\Http\Client(
    'http://jsonplaceholder.typicode.com/todos/1',
    [
        'adapter' => CurlWrapper::class,
    ]
);
$clientDefault->send(); // throws the "Unexpected HTTP version sent" exception

$clientOverwrittenByConst = new \Laminas\Http\Client(
    'http://jsonplaceholder.typicode.com/todos/1',
    [
        'adapter' => CurlWrapper::class,
        'httpversion' => \Laminas\Http\Request::VERSION_11
    ]
);
$clientOverwrittenByConst->send(); // throws the "Unexpected HTTP version sent" exception

$clientOverwrittenByFloat = new \Laminas\Http\Client(
    'http://jsonplaceholder.typicode.com/todos/1',
    [
        'adapter' => CurlWrapper::class,
        'httpversion' => 1.1
    ]
);
$clientOverwrittenByFloat->send(); // correct behaviour

Shouldn't that be catched?

[Zend\Http\Header\Exception\InvalidArgumentException]
Invalid date passed as string (0)

[Exception]
DateTime::__construct(): Failed to parse time string(0) at position 0 (0): Unexcepted character

Originally posted by @aight8 at https://github.com/zendframework/zend-http/issues/9

| Q | A |-------------- | ------ | Bugfix | yes | BC Break | no

Description

When headers contain require-trusted-types-for CSP directive, Headers::toArray ends with a PHP Fatal Error.

To reproduce:

use Laminas\Http\Client;
$client = new Client('http://news.google.com/news?ned=us&topic=t&output=atom');
$client->send()->getHeaders()->toArray();

Current result:

PHP Fatal error: Uncaught Error: [] operator not supported for strings in vendor/laminas/laminas-http/src/Headers.php:456

Signed-off-by: Abdul Malik Ikhsan [email protected]

| Q | A |-------------- | ------ | BC Break | yes

Description

Fixes https://github.com/laminas/laminas-http/issues/5 Handle Response::sendHeaders() to not silently returns when header already sent

In http client zendframework/zend-http/src/Client.php:1231 $body request is created using http_build_query function.

$body = http_build_query($this->getRequest()->getPost()->toArray());

Problem is that separator can be changed via ini_set('arg_separator.output', 'some other'); and this will break http client. Since "x-www-form-urlencoded" accepts only "&" as a separator, suggest to hardcode it there.

See similar issue: https://www.drupal.org/node/2372211

Originally posted by @ameoba32 at https://github.com/zendframework/zend-http/issues/33

We currently accept these values for the ssltransport option of the Socket client:

• ssl ⇒ STREAM_CRYPTO_METHOD_SSLv23_CLIENT
• sslv2 ⇒ STREAM_CRYPTO_METHOD_SSLv2_CLIENT
• sslv3 ⇒ STREAM_CRYPTO_METHOD_SSLv3_CLIENT
• tls ⇒ STREAM_CRYPTO_METHOD_TLS_CLIENT

In particular:

• STREAM_CRYPTO_METHOD_SSLv23_CLIENT
  • evaluates to SSLv2 / SSLv3 for 5.5.0 ≤ PHP ≤ 5.6.6 (reference)
  • evaluates to TLSv1.0 / TLSv1.1 / TLSv1.2 for 5.6.7 ≤ PHP ≤ 7.1.0 (reference)
• STREAM_CRYPTO_METHOD_TLS_CLIENT
  • evaluates to TLSv1.0 / TLSv1.1 / TLSv1.2 for 5.6.0 ≤ PHP ≤ 5.6.6
  • evaluates to TLSv1.0 for 5.6.7 ≤ PHP ≤ 7.1.0

There are some problems with the current implementation:

• the constant values change between different PHP versions, and that leads to portability problems
• we allow specifying the version of SSL, but not the version of TLS
• we don't have a way to allow any protocol (aka the STREAM_CRYPTO_METHOD_ANY_CLIENT option introduced in PHP 5.6.0, which evaluates to SSLv2 / SSLv3 / TLSv1.0 / TLSv1.1 / TLSv1.2)

So, what about defining the following transports?

• ssl to enable sslv2 and sslv3
• sslv2 to enable only sslv2
• sslv3 to enable only sslv3
• tls to enable tlsv1.0 and tlsv1.1 and tlsv1.2
• tlsv1.0 to enable only tlsv1.0
• tlsv1.1 to enable only tlsv1.1
• tlsv1.2 to enable only tlsv1.2
• * to enable any kind of connections

Furthermore, because of security issues, more and more websites disable SSL (both SSLv2 and SSLv3), keeping only TLS connections (see for instance what's doing Google).

So, what about switching from ssl to tls as the default transport?

Originally posted by @mlocati at https://github.com/zendframework/zend-http/issues/105