|
Chris@0
|
1 <?php
|
|
Chris@0
|
2 /**
|
|
Chris@0
|
3 * Zend Framework (http://framework.zend.com/)
|
|
Chris@0
|
4 *
|
|
Chris@0
|
5 * @see http://github.com/zendframework/zend-diactoros for the canonical source repository
|
|
Chris@0
|
6 * @copyright Copyright (c) 2015-2016 Zend Technologies USA Inc. (http://www.zend.com)
|
|
Chris@0
|
7 * @license https://github.com/zendframework/zend-diactoros/blob/master/LICENSE.md New BSD License
|
|
Chris@0
|
8 */
|
|
Chris@0
|
9
|
|
Chris@0
|
10 namespace Zend\Diactoros;
|
|
Chris@0
|
11
|
|
Chris@0
|
12 use InvalidArgumentException;
|
|
Chris@0
|
13
|
|
Chris@0
|
14 /**
|
|
Chris@0
|
15 * Provide security tools around HTTP headers to prevent common injection vectors.
|
|
Chris@0
|
16 *
|
|
Chris@0
|
17 * Code is largely lifted from the Zend\Http\Header\HeaderValue implementation in
|
|
Chris@0
|
18 * Zend Framework, released with the copyright and license below.
|
|
Chris@0
|
19 *
|
|
Chris@0
|
20 * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
|
|
Chris@0
|
21 * @license http://framework.zend.com/license/new-bsd New BSD License
|
|
Chris@0
|
22 */
|
|
Chris@0
|
23 final class HeaderSecurity
|
|
Chris@0
|
24 {
|
|
Chris@0
|
25 /**
|
|
Chris@0
|
26 * Private constructor; non-instantiable.
|
|
Chris@0
|
27 * @codeCoverageIgnore
|
|
Chris@0
|
28 */
|
|
Chris@0
|
29 private function __construct()
|
|
Chris@0
|
30 {
|
|
Chris@0
|
31 }
|
|
Chris@0
|
32
|
|
Chris@0
|
33 /**
|
|
Chris@0
|
34 * Filter a header value
|
|
Chris@0
|
35 *
|
|
Chris@0
|
36 * Ensures CRLF header injection vectors are filtered.
|
|
Chris@0
|
37 *
|
|
Chris@0
|
38 * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
|
|
Chris@0
|
39 * tabs are allowed in values; header continuations MUST consist of
|
|
Chris@0
|
40 * a single CRLF sequence followed by a space or horizontal tab.
|
|
Chris@0
|
41 *
|
|
Chris@0
|
42 * This method filters any values not allowed from the string, and is
|
|
Chris@0
|
43 * lossy.
|
|
Chris@0
|
44 *
|
|
Chris@0
|
45 * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
|
|
Chris@0
|
46 * @param string $value
|
|
Chris@0
|
47 * @return string
|
|
Chris@0
|
48 */
|
|
Chris@0
|
49 public static function filter($value)
|
|
Chris@0
|
50 {
|
|
Chris@0
|
51 $value = (string) $value;
|
|
Chris@0
|
52 $length = strlen($value);
|
|
Chris@0
|
53 $string = '';
|
|
Chris@0
|
54 for ($i = 0; $i < $length; $i += 1) {
|
|
Chris@0
|
55 $ascii = ord($value[$i]);
|
|
Chris@0
|
56
|
|
Chris@0
|
57 // Detect continuation sequences
|
|
Chris@0
|
58 if ($ascii === 13) {
|
|
Chris@0
|
59 $lf = ord($value[$i + 1]);
|
|
Chris@0
|
60 $ws = ord($value[$i + 2]);
|
|
Chris@0
|
61 if ($lf === 10 && in_array($ws, [9, 32], true)) {
|
|
Chris@0
|
62 $string .= $value[$i] . $value[$i + 1];
|
|
Chris@0
|
63 $i += 1;
|
|
Chris@0
|
64 }
|
|
Chris@0
|
65
|
|
Chris@0
|
66 continue;
|
|
Chris@0
|
67 }
|
|
Chris@0
|
68
|
|
Chris@0
|
69 // Non-visible, non-whitespace characters
|
|
Chris@0
|
70 // 9 === horizontal tab
|
|
Chris@0
|
71 // 32-126, 128-254 === visible
|
|
Chris@0
|
72 // 127 === DEL
|
|
Chris@0
|
73 // 255 === null byte
|
|
Chris@0
|
74 if (($ascii < 32 && $ascii !== 9)
|
|
Chris@0
|
75 || $ascii === 127
|
|
Chris@0
|
76 || $ascii > 254
|
|
Chris@0
|
77 ) {
|
|
Chris@0
|
78 continue;
|
|
Chris@0
|
79 }
|
|
Chris@0
|
80
|
|
Chris@0
|
81 $string .= $value[$i];
|
|
Chris@0
|
82 }
|
|
Chris@0
|
83
|
|
Chris@0
|
84 return $string;
|
|
Chris@0
|
85 }
|
|
Chris@0
|
86
|
|
Chris@0
|
87 /**
|
|
Chris@0
|
88 * Validate a header value.
|
|
Chris@0
|
89 *
|
|
Chris@0
|
90 * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
|
|
Chris@0
|
91 * tabs are allowed in values; header continuations MUST consist of
|
|
Chris@0
|
92 * a single CRLF sequence followed by a space or horizontal tab.
|
|
Chris@0
|
93 *
|
|
Chris@0
|
94 * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
|
|
Chris@0
|
95 * @param string $value
|
|
Chris@0
|
96 * @return bool
|
|
Chris@0
|
97 */
|
|
Chris@0
|
98 public static function isValid($value)
|
|
Chris@0
|
99 {
|
|
Chris@0
|
100 $value = (string) $value;
|
|
Chris@0
|
101
|
|
Chris@0
|
102 // Look for:
|
|
Chris@0
|
103 // \n not preceded by \r, OR
|
|
Chris@0
|
104 // \r not followed by \n, OR
|
|
Chris@0
|
105 // \r\n not followed by space or horizontal tab; these are all CRLF attacks
|
|
Chris@0
|
106 if (preg_match("#(?:(?:(?<!\r)\n)|(?:\r(?!\n))|(?:\r\n(?![ \t])))#", $value)) {
|
|
Chris@0
|
107 return false;
|
|
Chris@0
|
108 }
|
|
Chris@0
|
109
|
|
Chris@0
|
110 // Non-visible, non-whitespace characters
|
|
Chris@0
|
111 // 9 === horizontal tab
|
|
Chris@0
|
112 // 10 === line feed
|
|
Chris@0
|
113 // 13 === carriage return
|
|
Chris@0
|
114 // 32-126, 128-254 === visible
|
|
Chris@0
|
115 // 127 === DEL (disallowed)
|
|
Chris@0
|
116 // 255 === null byte (disallowed)
|
|
Chris@0
|
117 if (preg_match('/[^\x09\x0a\x0d\x20-\x7E\x80-\xFE]/', $value)) {
|
|
Chris@0
|
118 return false;
|
|
Chris@0
|
119 }
|
|
Chris@0
|
120
|
|
Chris@0
|
121 return true;
|
|
Chris@0
|
122 }
|
|
Chris@0
|
123
|
|
Chris@0
|
124 /**
|
|
Chris@0
|
125 * Assert a header value is valid.
|
|
Chris@0
|
126 *
|
|
Chris@0
|
127 * @param string $value
|
|
Chris@0
|
128 * @throws InvalidArgumentException for invalid values
|
|
Chris@0
|
129 */
|
|
Chris@0
|
130 public static function assertValid($value)
|
|
Chris@0
|
131 {
|
|
Chris@0
|
132 if (! is_string($value) && ! is_numeric($value)) {
|
|
Chris@0
|
133 throw new InvalidArgumentException(sprintf(
|
|
Chris@0
|
134 'Invalid header value type; must be a string or numeric; received %s',
|
|
Chris@0
|
135 (is_object($value) ? get_class($value) : gettype($value))
|
|
Chris@0
|
136 ));
|
|
Chris@0
|
137 }
|
|
Chris@0
|
138 if (! self::isValid($value)) {
|
|
Chris@0
|
139 throw new InvalidArgumentException(sprintf(
|
|
Chris@0
|
140 '"%s" is not valid header value',
|
|
Chris@0
|
141 $value
|
|
Chris@0
|
142 ));
|
|
Chris@0
|
143 }
|
|
Chris@0
|
144 }
|
|
Chris@0
|
145
|
|
Chris@0
|
146 /**
|
|
Chris@0
|
147 * Assert whether or not a header name is valid.
|
|
Chris@0
|
148 *
|
|
Chris@0
|
149 * @see http://tools.ietf.org/html/rfc7230#section-3.2
|
|
Chris@0
|
150 * @param mixed $name
|
|
Chris@0
|
151 * @throws InvalidArgumentException
|
|
Chris@0
|
152 */
|
|
Chris@0
|
153 public static function assertValidName($name)
|
|
Chris@0
|
154 {
|
|
Chris@0
|
155 if (! is_string($name)) {
|
|
Chris@0
|
156 throw new InvalidArgumentException(sprintf(
|
|
Chris@0
|
157 'Invalid header name type; expected string; received %s',
|
|
Chris@0
|
158 (is_object($name) ? get_class($name) : gettype($name))
|
|
Chris@0
|
159 ));
|
|
Chris@0
|
160 }
|
|
Chris@0
|
161 if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $name)) {
|
|
Chris@0
|
162 throw new InvalidArgumentException(sprintf(
|
|
Chris@0
|
163 '"%s" is not valid header name',
|
|
Chris@0
|
164 $name
|
|
Chris@0
|
165 ));
|
|
Chris@0
|
166 }
|
|
Chris@0
|
167 }
|
|
Chris@0
|
168 }
|
