Bug #91767
Closed
ServerResponseCheck doesn't use TYPO3 HTTP config for GuzzleHttp Client
Description
The class sysext/install/Classes/SystemEnvironment/ServerResponse/ServerResponseCheck.php creates a plain GuzzleHttp\Client class without taking $GLOBALS['TYPO3_CONF_VARS']['HTTP'] into account.
When, e.g., a proxy server for requests is defined, this one isn't used.
Affected versions: current 9.5 and 10.4
The crucial code lines are:
$client = new Client(['base_uri' => $this->baseUrl]);
foreach ($this->fileDeclarations as $fileDeclaration) {
    $promises[] = $client->requestAsync('GET', $fileDeclaration->getFileName());
}
https://github.com/TYPO3/TYPO3.CMS/blob/dcac1c70440ed1ac1dd95cfc37b25589979d2c64/typo3/sysext/install/Classes/SystemEnvironment/ServerResponse/ServerResponseCheck.php#L177-L180
A possible fix (inspired by sysext/core/Classes/Http/RequestFactory.php), which worked for me:
$httpOptions = $GLOBALS['TYPO3_CONF_VARS']['HTTP'];
$httpOptions['verify'] = filter_var($httpOptions['verify'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? $httpOptions['verify'];
$httpOptions['base_uri'] = $this->baseUrl;
$client = GeneralUtility::makeInstance(Client::class, $httpOptions);
foreach ($this->fileDeclarations as $fileDeclaration) {
    $promises[] = $client->requestAsync('GET', $fileDeclaration->getFileName());
}
ServerResponseCheck was introduced in #91354
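An added example, not code from the report or from TYPO3: it shows how the `verify` normalization in the proposed fix behaves for the value shapes the HTTP settings can hold, and that proxy settings are carried over to the client options. The helper name `buildClientOptions` and all sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not TYPO3 API): derive Guzzle client options from the
 * global HTTP settings so proxy and TLS settings also apply to the check.
 */
function buildClientOptions(array $httpConfig, string $baseUrl): array
{
    $options = $httpConfig;
    if (array_key_exists('verify', $options)) {
        // "1"/"0"/"true"/"false" become real booleans; anything else
        // (e.g. a CA bundle path) yields null and is kept unchanged.
        $options['verify'] = filter_var(
            $options['verify'],
            FILTER_VALIDATE_BOOLEAN,
            FILTER_NULL_ON_FAILURE
        ) ?? $options['verify'];
    }
    $options['base_uri'] = $baseUrl;
    return $options;
}

// Constructed samples standing in for $GLOBALS['TYPO3_CONF_VARS']['HTTP'].
$samples = [
    'proxy set, verify "1"'    => ['proxy' => 'http://proxy.example.org:3128', 'verify' => '1'],
    'verify "0"'               => ['verify' => '0'],
    'verify is CA bundle path' => ['verify' => '/etc/ssl/certs/ca-bundle.pem'],
    'verify not set'           => ['timeout' => 5],
];

foreach ($samples as $label => $config) {
    $options = buildClientOptions($config, 'https://example.org/');
    printf(
        "%s\n  verify: %s\n  proxy:  %s\n",
        $label,
        var_export($options['verify'] ?? null, true),
        var_export($options['proxy'] ?? null, true)
    );
    // A literal false switches off certificate verification for every request.
    if (($options['verify'] ?? true) === false) {
        echo "  note: TLS certificate verification is disabled for this client\n";
    }
}
```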
Updated by Oliver Hader almost 4 years ago
- Due date set to 2020-05-11
- Start date changed from 2020-07-08 to 2020-05-11
- Follows Task #91354: Integrate server response security checks added
Updated by Oliver Hader almost 4 years ago
- Due date deleted (2020-05-11)
- Category set to Reports
- Start date deleted (2020-05-11)
- Complexity set to easy
Updated by David Gurk over 3 years ago
Hi Oliver,
it seems that with the update of TYPO3 to v9.5.23, our specific issue doesn't appear anymore.
I saw you committed something to https://github.com/TYPO3/TYPO3.CMS/blob/9.5/typo3/sysext/install/Classes/SystemEnvironment/ServerResponse/ServerResponseCheck.php#L211-L214
It helped, we could remove our temp-patch. Thank you. =)
I would consider this issue fixed.
Updated by Simon Schaufelberger almost 2 years ago
- Status changed from New to Closed