Merge pull request from GHSA-wjfc-pgfp-pv9c

Nyholm · web-flow · commit 1029a2671cbd · 2023-04-17T18:00:04.000+02:00
Improper Input Validation in headers
diff --git a/src/MessageTrait.php b/src/MessageTrait.php
@@ -187,7 +187,7 @@ private function setHeaders(array $headers): void
      */
     private function validateAndTrimHeader($header, $values): array
     {
-        if (!\is_string($header) || 1 !== \preg_match("@^[!#$%&'*+.^_`|~0-9A-Za-z-]+$@", $header)) {
+        if (!\is_string($header) || 1 !== \preg_match("@^[!#$%&'*+.^_`|~0-9A-Za-z-]+$@D", $header)) {
             throw new \InvalidArgumentException('Header name must be an RFC 7230 compatible string');
         }
 
@@ -207,7 +207,7 @@ private function validateAndTrimHeader($header, $values): array
         // Assert Non empty array
         $returnValues = [];
         foreach ($values as $v) {
-            if ((!\is_numeric($v) && !\is_string($v)) || 1 !== \preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@", (string) $v)) {
+            if ((!\is_numeric($v) && !\is_string($v)) || 1 !== \preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@D", (string) $v)) {
                 throw new \InvalidArgumentException('Header values must be RFC 7230 compatible strings');
             }
 
diff --git a/tests/RequestTest.php b/tests/RequestTest.php
@@ -294,4 +294,50 @@ public function testUpdateHostFromUri()
         $request = $request->withUri(new Uri('https://nyholm.tech:443'));
         $this->assertEquals('nyholm.tech', $request->getHeaderLine('Host'));
     }
+
+    /**
+     * @dataProvider provideHeaderValuesContainingNotAllowedChars
+     */
+    public function testCannotHaveHeaderWithInvalidValue(string $name)
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        $this->expectExceptionMessage('Header name must be an RFC 7230 compatible string');
+        $r = new Request('GET', 'https://example.com/');
+        $r->withHeader($name, 'Bar');
+    }
+
+    public static function provideHeaderValuesContainingNotAllowedChars(): array
+    {
+        // Explicit tests for newlines as the most common exploit vector.
+        $tests = [
+            ["new\nline"],
+            ["new\r\nline"],
+            ["new\rline"],
+            ["new\r\n line"],
+            ["newline\n"],
+            ["\nnewline"],
+            ["newline\r\n"],
+            ["\n\rnewline"],
+        ];
+
+        for ($i = 0; $i <= 0xFF; ++$i) {
+            if ("\t" == \chr($i)) {
+                continue;
+            }
+            if (' ' == \chr($i)) {
+                continue;
+            }
+            if ($i >= 0x21 && $i <= 0x7E) {
+                continue;
+            }
+            if ($i >= 0x80) {
+                continue;
+            }
+
+            $tests[] = ['foo' . \chr($i) . 'bar'];
+            $tests[] = ['foo' . \chr($i)];
+        }
+
+        return $tests;
+    }
 }
diff --git a/tests/ResponseTest.php b/tests/ResponseTest.php
@@ -274,4 +274,35 @@ public function testHeaderValuesAreTrimmed($r)
         $this->assertSame('Foo', $r->getHeaderLine('OWS'));
         $this->assertSame(['Foo'], $r->getHeader('OWS'));
     }
+
+    /**
+     * @dataProvider invalidWithHeaderProvider
+     */
+    public function testWithInvalidHeader($header, $headerValue, $expectedMessage): void
+    {
+        $r = new Response();
+        $this->expectException(\InvalidArgumentException::class);
+        $this->expectExceptionMessage($expectedMessage);
+        $r->withHeader($header, $headerValue);
+    }
+
+    public function invalidWithHeaderProvider(): iterable
+    {
+        return [
+            ['foo', [], 'Header values must be a string or an array of strings, empty array given'],
+            ['foo', new \stdClass(),  'Header values must be RFC 7230 compatible strings'],
+            [[], 'foo', 'Header name must be an RFC 7230 compatible string'],
+            [false, 'foo', 'Header name must be an RFC 7230 compatible string'],
+            [new \stdClass(), 'foo', 'Header name must be an RFC 7230 compatible string'],
+            ['', 'foo', 'Header name must be an RFC 7230 compatible string'],
+            ["Content-Type\r\n\r\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
+            ["Content-Type\r\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
+            ["Content-Type\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
+            ["\r\nContent-Type", 'foo', 'Header name must be an RFC 7230 compatible string'],
+            ["\nContent-Type", 'foo', 'Header name must be an RFC 7230 compatible string'],
+            ["\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
+            ["\r\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
+            ["\t", 'foo', 'Header name must be an RFC 7230 compatible string'],
+        ];
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -187,7 +187,7 @@ private function setHeaders(array $headers): void`
`187`	`187`	`*/`
`188`	`188`	`private function validateAndTrimHeader($header, $values): array`
`189`	`189`	`{`
`190`		- if (!\is_string($header) \|\| 1 !== \preg_match("@^[!#$%&'*+.^_`\|~0-9A-Za-z-]+$@", $header)) {
	`190`	+ if (!\is_string($header) \|\| 1 !== \preg_match("@^[!#$%&'*+.^_`\|~0-9A-Za-z-]+$@D", $header)) {
`191`	`191`	`throw new \InvalidArgumentException('Header name must be an RFC 7230 compatible string');`
`192`	`192`	`}`
`193`	`193`
`@@ -207,7 +207,7 @@ private function validateAndTrimHeader($header, $values): array`
`207`	`207`	`// Assert Non empty array`
`208`	`208`	`$returnValues = [];`
`209`	`209`	`foreach ($values as $v) {`
`210`		`- if ((!\is_numeric($v) && !\is_string($v)) \|\| 1 !== \preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@", (string) $v)) {`
	`210`	`+ if ((!\is_numeric($v) && !\is_string($v)) \|\| 1 !== \preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@D", (string) $v)) {`
`211`	`211`	`throw new \InvalidArgumentException('Header values must be RFC 7230 compatible strings');`
`212`	`212`	`}`
`213`	`213`