|
Chris@0
|
1 <?php
|
|
Chris@0
|
2 /**
|
|
Chris@12
|
3 * @see https://github.com/zendframework/zend-diactoros for the canonical source repository
|
|
Chris@12
|
4 * @copyright Copyright (c) 2015-2017 Zend Technologies USA Inc. (http://www.zend.com)
|
|
Chris@0
|
5 * @license https://github.com/zendframework/zend-diactoros/blob/master/LICENSE.md New BSD License
|
|
Chris@0
|
6 */
|
|
Chris@0
|
7
|
|
Chris@0
|
8 namespace Zend\Diactoros;
|
|
Chris@0
|
9
|
|
Chris@0
|
10 use InvalidArgumentException;
|
|
Chris@0
|
11
|
|
Chris@0
|
12 /**
|
|
Chris@0
|
13 * Provide security tools around HTTP headers to prevent common injection vectors.
|
|
Chris@0
|
14 *
|
|
Chris@0
|
15 * Code is largely lifted from the Zend\Http\Header\HeaderValue implementation in
|
|
Chris@0
|
16 * Zend Framework, released with the copyright and license below.
|
|
Chris@0
|
17 *
|
|
Chris@0
|
18 * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
|
|
Chris@0
|
19 * @license http://framework.zend.com/license/new-bsd New BSD License
|
|
Chris@0
|
20 */
|
|
Chris@0
|
21 final class HeaderSecurity
|
|
Chris@0
|
22 {
|
|
Chris@0
|
23 /**
|
|
Chris@0
|
24 * Private constructor; non-instantiable.
|
|
Chris@0
|
25 * @codeCoverageIgnore
|
|
Chris@0
|
26 */
|
|
Chris@0
|
27 private function __construct()
|
|
Chris@0
|
28 {
|
|
Chris@0
|
29 }
|
|
Chris@0
|
30
|
|
Chris@0
|
31 /**
|
|
Chris@0
|
32 * Filter a header value
|
|
Chris@0
|
33 *
|
|
Chris@0
|
34 * Ensures CRLF header injection vectors are filtered.
|
|
Chris@0
|
35 *
|
|
Chris@0
|
36 * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
|
|
Chris@0
|
37 * tabs are allowed in values; header continuations MUST consist of
|
|
Chris@0
|
38 * a single CRLF sequence followed by a space or horizontal tab.
|
|
Chris@0
|
39 *
|
|
Chris@0
|
40 * This method filters any values not allowed from the string, and is
|
|
Chris@0
|
41 * lossy.
|
|
Chris@0
|
42 *
|
|
Chris@0
|
43 * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
|
|
Chris@0
|
44 * @param string $value
|
|
Chris@0
|
45 * @return string
|
|
Chris@0
|
46 */
|
|
Chris@0
|
47 public static function filter($value)
|
|
Chris@0
|
48 {
|
|
Chris@0
|
49 $value = (string) $value;
|
|
Chris@0
|
50 $length = strlen($value);
|
|
Chris@0
|
51 $string = '';
|
|
Chris@0
|
52 for ($i = 0; $i < $length; $i += 1) {
|
|
Chris@0
|
53 $ascii = ord($value[$i]);
|
|
Chris@0
|
54
|
|
Chris@0
|
55 // Detect continuation sequences
|
|
Chris@0
|
56 if ($ascii === 13) {
|
|
Chris@0
|
57 $lf = ord($value[$i + 1]);
|
|
Chris@0
|
58 $ws = ord($value[$i + 2]);
|
|
Chris@0
|
59 if ($lf === 10 && in_array($ws, [9, 32], true)) {
|
|
Chris@0
|
60 $string .= $value[$i] . $value[$i + 1];
|
|
Chris@0
|
61 $i += 1;
|
|
Chris@0
|
62 }
|
|
Chris@0
|
63
|
|
Chris@0
|
64 continue;
|
|
Chris@0
|
65 }
|
|
Chris@0
|
66
|
|
Chris@0
|
67 // Non-visible, non-whitespace characters
|
|
Chris@0
|
68 // 9 === horizontal tab
|
|
Chris@0
|
69 // 32-126, 128-254 === visible
|
|
Chris@0
|
70 // 127 === DEL
|
|
Chris@0
|
71 // 255 === null byte
|
|
Chris@0
|
72 if (($ascii < 32 && $ascii !== 9)
|
|
Chris@0
|
73 || $ascii === 127
|
|
Chris@0
|
74 || $ascii > 254
|
|
Chris@0
|
75 ) {
|
|
Chris@0
|
76 continue;
|
|
Chris@0
|
77 }
|
|
Chris@0
|
78
|
|
Chris@0
|
79 $string .= $value[$i];
|
|
Chris@0
|
80 }
|
|
Chris@0
|
81
|
|
Chris@0
|
82 return $string;
|
|
Chris@0
|
83 }
|
|
Chris@0
|
84
|
|
Chris@0
|
85 /**
|
|
Chris@0
|
86 * Validate a header value.
|
|
Chris@0
|
87 *
|
|
Chris@0
|
88 * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
|
|
Chris@0
|
89 * tabs are allowed in values; header continuations MUST consist of
|
|
Chris@0
|
90 * a single CRLF sequence followed by a space or horizontal tab.
|
|
Chris@0
|
91 *
|
|
Chris@0
|
92 * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
|
|
Chris@0
|
93 * @param string $value
|
|
Chris@0
|
94 * @return bool
|
|
Chris@0
|
95 */
|
|
Chris@0
|
96 public static function isValid($value)
|
|
Chris@0
|
97 {
|
|
Chris@0
|
98 $value = (string) $value;
|
|
Chris@0
|
99
|
|
Chris@0
|
100 // Look for:
|
|
Chris@0
|
101 // \n not preceded by \r, OR
|
|
Chris@0
|
102 // \r not followed by \n, OR
|
|
Chris@0
|
103 // \r\n not followed by space or horizontal tab; these are all CRLF attacks
|
|
Chris@0
|
104 if (preg_match("#(?:(?:(?<!\r)\n)|(?:\r(?!\n))|(?:\r\n(?![ \t])))#", $value)) {
|
|
Chris@0
|
105 return false;
|
|
Chris@0
|
106 }
|
|
Chris@0
|
107
|
|
Chris@0
|
108 // Non-visible, non-whitespace characters
|
|
Chris@0
|
109 // 9 === horizontal tab
|
|
Chris@0
|
110 // 10 === line feed
|
|
Chris@0
|
111 // 13 === carriage return
|
|
Chris@0
|
112 // 32-126, 128-254 === visible
|
|
Chris@0
|
113 // 127 === DEL (disallowed)
|
|
Chris@0
|
114 // 255 === null byte (disallowed)
|
|
Chris@0
|
115 if (preg_match('/[^\x09\x0a\x0d\x20-\x7E\x80-\xFE]/', $value)) {
|
|
Chris@0
|
116 return false;
|
|
Chris@0
|
117 }
|
|
Chris@0
|
118
|
|
Chris@0
|
119 return true;
|
|
Chris@0
|
120 }
|
|
Chris@0
|
121
|
|
Chris@0
|
122 /**
|
|
Chris@0
|
123 * Assert a header value is valid.
|
|
Chris@0
|
124 *
|
|
Chris@0
|
125 * @param string $value
|
|
Chris@0
|
126 * @throws InvalidArgumentException for invalid values
|
|
Chris@0
|
127 */
|
|
Chris@0
|
128 public static function assertValid($value)
|
|
Chris@0
|
129 {
|
|
Chris@0
|
130 if (! is_string($value) && ! is_numeric($value)) {
|
|
Chris@0
|
131 throw new InvalidArgumentException(sprintf(
|
|
Chris@0
|
132 'Invalid header value type; must be a string or numeric; received %s',
|
|
Chris@0
|
133 (is_object($value) ? get_class($value) : gettype($value))
|
|
Chris@0
|
134 ));
|
|
Chris@0
|
135 }
|
|
Chris@0
|
136 if (! self::isValid($value)) {
|
|
Chris@0
|
137 throw new InvalidArgumentException(sprintf(
|
|
Chris@0
|
138 '"%s" is not valid header value',
|
|
Chris@0
|
139 $value
|
|
Chris@0
|
140 ));
|
|
Chris@0
|
141 }
|
|
Chris@0
|
142 }
|
|
Chris@0
|
143
|
|
Chris@0
|
144 /**
|
|
Chris@0
|
145 * Assert whether or not a header name is valid.
|
|
Chris@0
|
146 *
|
|
Chris@0
|
147 * @see http://tools.ietf.org/html/rfc7230#section-3.2
|
|
Chris@0
|
148 * @param mixed $name
|
|
Chris@0
|
149 * @throws InvalidArgumentException
|
|
Chris@0
|
150 */
|
|
Chris@0
|
151 public static function assertValidName($name)
|
|
Chris@0
|
152 {
|
|
Chris@0
|
153 if (! is_string($name)) {
|
|
Chris@0
|
154 throw new InvalidArgumentException(sprintf(
|
|
Chris@0
|
155 'Invalid header name type; expected string; received %s',
|
|
Chris@0
|
156 (is_object($name) ? get_class($name) : gettype($name))
|
|
Chris@0
|
157 ));
|
|
Chris@0
|
158 }
|
|
Chris@0
|
159 if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $name)) {
|
|
Chris@0
|
160 throw new InvalidArgumentException(sprintf(
|
|
Chris@0
|
161 '"%s" is not valid header name',
|
|
Chris@0
|
162 $name
|
|
Chris@0
|
163 ));
|
|
Chris@0
|
164 }
|
|
Chris@0
|
165 }
|
|
Chris@0
|
166 }
|
