== How to fix it in Guzzle

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,php,diff-id=11,diff-type=noncompliant]
----
use GuzzleHttp\Client;

$client = new Client();

$host = $_GET['host'];
$url = "https://$host/.well-known/openid-configuration";

$client->request('GET', $url); // Noncompliant
----

==== Compliant solution

[source,php,diff-id=11,diff-type=compliant]
----
use GuzzleHttp\Client;

$client = new Client();

$allowedHosts = ["trusted1" => "trusted1.example.com", "trusted2" => "trusted2.example.com"];
$host = $allowedHosts[$_GET['host']];
$url = "https://$host/.well-known/openid-configuration";

$client->request('GET', $url);
----

=== How does this work?

include::../../common/fix/pre-approved-list.adoc[]

The compliant code example uses such an approach.
The `requests` library implicitly validates the scheme as it only allows `http` and `https` by default.

include::../../common/fix/blacklist.adoc[]

=== Pitfalls

include::../../common/pitfalls/starts-with.adoc[]

include::../../common/pitfalls/blacklist-toctou.adoc[]