Chris@0: <?php
Chris@0: /**
Chris@12:  * @see       https://github.com/zendframework/zend-diactoros for the canonical source repository
Chris@12:  * @copyright Copyright (c) 2015-2017 Zend Technologies USA Inc. (http://www.zend.com)
Chris@0:  * @license   https://github.com/zendframework/zend-diactoros/blob/master/LICENSE.md New BSD License
Chris@0:  */
Chris@0: 
Chris@0: namespace Zend\Diactoros;
Chris@0: 
Chris@0: use InvalidArgumentException;
Chris@0: 
Chris@16: use function get_class;
Chris@16: use function gettype;
Chris@16: use function in_array;
Chris@16: use function is_numeric;
Chris@16: use function is_object;
Chris@16: use function is_string;
Chris@16: use function ord;
Chris@16: use function preg_match;
Chris@16: use function sprintf;
Chris@16: use function strlen;
Chris@16: 
Chris@0: /**
Chris@0:  * Provide security tools around HTTP headers to prevent common injection vectors.
Chris@0:  *
Chris@0:  * Code is largely lifted from the Zend\Http\Header\HeaderValue implementation in
Chris@0:  * Zend Framework, released with the copyright and license below.
Chris@0:  *
Chris@0:  * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
Chris@0:  * @license   http://framework.zend.com/license/new-bsd New BSD License
Chris@0:  */
Chris@0: final class HeaderSecurity
Chris@0: {
Chris@0:     /**
Chris@0:      * Private constructor; non-instantiable.
Chris@0:      * @codeCoverageIgnore
Chris@0:      */
Chris@0:     private function __construct()
Chris@0:     {
Chris@0:     }
Chris@0: 
Chris@0:     /**
Chris@0:      * Filter a header value
Chris@0:      *
Chris@0:      * Ensures CRLF header injection vectors are filtered.
Chris@0:      *
Chris@0:      * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
Chris@0:      * tabs are allowed in values; header continuations MUST consist of
Chris@0:      * a single CRLF sequence followed by a space or horizontal tab.
Chris@0:      *
Chris@0:      * This method filters any values not allowed from the string, and is
Chris@0:      * lossy.
Chris@0:      *
Chris@0:      * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
Chris@0:      * @param string $value
Chris@0:      * @return string
Chris@0:      */
Chris@0:     public static function filter($value)
Chris@0:     {
Chris@0:         $value  = (string) $value;
Chris@0:         $length = strlen($value);
Chris@0:         $string = '';
Chris@0:         for ($i = 0; $i < $length; $i += 1) {
Chris@0:             $ascii = ord($value[$i]);
Chris@0: 
Chris@0:             // Detect continuation sequences
Chris@0:             if ($ascii === 13) {
Chris@0:                 $lf = ord($value[$i + 1]);
Chris@0:                 $ws = ord($value[$i + 2]);
Chris@0:                 if ($lf === 10 && in_array($ws, [9, 32], true)) {
Chris@0:                     $string .= $value[$i] . $value[$i + 1];
Chris@0:                     $i += 1;
Chris@0:                 }
Chris@0: 
Chris@0:                 continue;
Chris@0:             }
Chris@0: 
Chris@0:             // Non-visible, non-whitespace characters
Chris@0:             // 9 === horizontal tab
Chris@0:             // 32-126, 128-254 === visible
Chris@0:             // 127 === DEL
Chris@0:             // 255 === null byte
Chris@0:             if (($ascii < 32 && $ascii !== 9)
Chris@0:                 || $ascii === 127
Chris@0:                 || $ascii > 254
Chris@0:             ) {
Chris@0:                 continue;
Chris@0:             }
Chris@0: 
Chris@0:             $string .= $value[$i];
Chris@0:         }
Chris@0: 
Chris@0:         return $string;
Chris@0:     }
Chris@0: 
Chris@0:     /**
Chris@0:      * Validate a header value.
Chris@0:      *
Chris@0:      * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
Chris@0:      * tabs are allowed in values; header continuations MUST consist of
Chris@0:      * a single CRLF sequence followed by a space or horizontal tab.
Chris@0:      *
Chris@0:      * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
Chris@0:      * @param string $value
Chris@0:      * @return bool
Chris@0:      */
Chris@0:     public static function isValid($value)
Chris@0:     {
Chris@0:         $value  = (string) $value;
Chris@0: 
Chris@0:         // Look for:
Chris@0:         // \n not preceded by \r, OR
Chris@0:         // \r not followed by \n, OR
Chris@0:         // \r\n not followed by space or horizontal tab; these are all CRLF attacks
Chris@0:         if (preg_match("#(?:(?:(?<!\r)\n)|(?:\r(?!\n))|(?:\r\n(?![ \t])))#", $value)) {
Chris@0:             return false;
Chris@0:         }
Chris@0: 
Chris@0:         // Non-visible, non-whitespace characters
Chris@0:         // 9 === horizontal tab
Chris@0:         // 10 === line feed
Chris@0:         // 13 === carriage return
Chris@0:         // 32-126, 128-254 === visible
Chris@0:         // 127 === DEL (disallowed)
Chris@0:         // 255 === null byte (disallowed)
Chris@0:         if (preg_match('/[^\x09\x0a\x0d\x20-\x7E\x80-\xFE]/', $value)) {
Chris@0:             return false;
Chris@0:         }
Chris@0: 
Chris@0:         return true;
Chris@0:     }
Chris@0: 
Chris@0:     /**
Chris@0:      * Assert a header value is valid.
Chris@0:      *
Chris@0:      * @param string $value
Chris@0:      * @throws InvalidArgumentException for invalid values
Chris@0:      */
Chris@0:     public static function assertValid($value)
Chris@0:     {
Chris@0:         if (! is_string($value) && ! is_numeric($value)) {
Chris@0:             throw new InvalidArgumentException(sprintf(
Chris@0:                 'Invalid header value type; must be a string or numeric; received %s',
Chris@0:                 (is_object($value) ? get_class($value) : gettype($value))
Chris@0:             ));
Chris@0:         }
Chris@0:         if (! self::isValid($value)) {
Chris@0:             throw new InvalidArgumentException(sprintf(
Chris@0:                 '"%s" is not valid header value',
Chris@0:                 $value
Chris@0:             ));
Chris@0:         }
Chris@0:     }
Chris@0: 
Chris@0:     /**
Chris@0:      * Assert whether or not a header name is valid.
Chris@0:      *
Chris@0:      * @see http://tools.ietf.org/html/rfc7230#section-3.2
Chris@0:      * @param mixed $name
Chris@0:      * @throws InvalidArgumentException
Chris@0:      */
Chris@0:     public static function assertValidName($name)
Chris@0:     {
Chris@0:         if (! is_string($name)) {
Chris@0:             throw new InvalidArgumentException(sprintf(
Chris@0:                 'Invalid header name type; expected string; received %s',
Chris@0:                 (is_object($name) ? get_class($name) : gettype($name))
Chris@0:             ));
Chris@0:         }
Chris@0:         if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $name)) {
Chris@0:             throw new InvalidArgumentException(sprintf(
Chris@0:                 '"%s" is not valid header name',
Chris@0:                 $name
Chris@0:             ));
Chris@0:         }
Chris@0:     }
Chris@0: }