Merge commit from fork

Co-authored-by: neznaika0 <ozornick.ks@gmail.com>
Co-authored-by: John Paul E. Balandan, CPA <paulbalandan@gmail.com>
Michal Sniatala 2025-01-18 11:54:38 +01:00 committed by GitHub
parent 119330c56f
commit 5f8aa24280
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 159 additions and 2 deletions


@ -13,6 +13,7 @@ declare(strict_types=1);
namespace CodeIgniter\HTTP;
use InvalidArgumentException;
use Stringable;
/**
@ -54,7 +55,7 @@ class Header implements Stringable
*/
public function __construct(string $name, $value = null)
{
$this->name = $name;
$this->setName($name);
$this->setValue($value);
}
@ -81,9 +82,12 @@ class Header implements Stringable
* Sets the name of the header, overwriting any previous value.
*
* @return $this
*
* @throws InvalidArgumentException
*/
public function setName(string $name)
{
$this->validateName($name);
$this->name = $name;
return $this;
@ -95,10 +99,16 @@ class Header implements Stringable
* @param array<int|string, array<string, string>|string>|string|null $value
*
* @return $this
*
* @throws InvalidArgumentException
*/
public function setValue($value = null)
{
$this->value = is_array($value) ? $value : (string) $value;
$value = is_array($value) ? $value : (string) $value;
$this->validateValue($value);
$this->value = $value;
return $this;
}
@ -110,6 +120,8 @@ class Header implements Stringable
* @param array<string, string>|string|null $value
*
* @return $this
*
* @throws InvalidArgumentException
*/
public function appendValue($value = null)
{
@ -117,6 +129,8 @@ class Header implements Stringable
return $this;
}
$this->validateValue($value);
if (! is_array($this->value)) {
$this->value = [$this->value];
}
@ -135,6 +149,8 @@ class Header implements Stringable
* @param array<string, string>|string|null $value
*
* @return $this
*
* @throws InvalidArgumentException
*/
public function prependValue($value = null)
{
@ -142,6 +158,8 @@ class Header implements Stringable
return $this;
}
$this->validateValue($value);
if (! is_array($this->value)) {
$this->value = [$this->value];
}
@ -193,4 +211,54 @@ class Header implements Stringable
{
return $this->name . ': ' . $this->getValueLine();
}
/**
* Validate header name.
*
* Regex is based on code from a guzzlehttp/psr7 library.
*
* @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2
*
* @throws InvalidArgumentException
*/
private function validateName(string $name): void
{
if (preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/D', $name) !== 1) {
throw new InvalidArgumentException('The header name is not valid as per RFC 7230.');
}
}
/**
* Validate header value.
*
* Regex is based on code from a guzzlehttp/psr7 library.
*
* @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2
*
* @param array<int|string, array<string, string>|string>|int|string $value
*
* @throws InvalidArgumentException
*/
private function validateValue(array|int|string $value): void
{
if (is_int($value)) {
return;
}
if (is_array($value)) {
foreach ($value as $key => $val) {
$this->validateValue($key);
$this->validateValue($val);
}
return;
}
// The regular expression excludes obs-fold per RFC 7230#3.2.4, as sending folded lines
// is deprecated and rare. This obscure HTTP/1.1 feature is unlikely to impact legitimate
// use cases. Libraries like Guzzle and AMPHP follow the same principle.
if (preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value) !== 1) {
throw new InvalidArgumentException('The header value is not valid as per RFC 7230.');
}
}
}
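Review bot: In validateValue, the array branch recurses with the raw `$key` and `$val` from the foreach, but only the top-level non-array value is cast to string in setValue, so a nested element that is null, bool or float reaches the `array|int|string` parameter under the file's `declare(strict_types=1)` and fails with a TypeError instead of the InvalidArgumentException that the `@throws` tags on setValue, appendValue and prependValue promise. A caller that catches InvalidArgumentException to reject bad input would let that case escape as an uncaught engine error, and the object may already be partially built when it happens in __construct. If such elements are meant to go through the same check, normalise them before recursing the way setValue already does for the top level, e.g. `$this->validateValue(is_array($val) ? $val : (string) $val);`, or throw the same InvalidArgumentException explicitly for non-string, non-array elements — whichever matches how getValueLine (outside this hunk) renders them. As a documentation nit, the `@see` links cite RFC 7230, which has since been obsoleted by RFC 9110/9112; the tchar and field-value grammars did not change, so a pointer to the current text would help the next reader.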


@ -15,6 +15,8 @@ namespace CodeIgniter\HTTP;
use CodeIgniter\Test\CIUnitTestCase;
use Error;
use InvalidArgumentException;
use PHPUnit\Framework\Attributes\DataProvider;
use PHPUnit\Framework\Attributes\Group;
use stdClass;
@ -234,4 +236,83 @@ final class HeaderTest extends CIUnitTestCase
$this->assertSame($expected, (string) $header);
}
/**
* @param string $name
*/
#[DataProvider('invalidNamesProvider')]
public function testInvalidHeaderNames($name): void
{
$this->expectException(InvalidArgumentException::class);
new Header($name, 'text/html');
}
/**
* @return list<list<string>>
*/
public static function invalidNamesProvider(): array
{
return [
["Content-Type\r\n\r\n"],
["Content-Type\r\n"],
["Content-Type\n"],
["\tContent-Type\t"],
["\n\nContent-Type\n\n"],
["\r\nContent-Type"],
["\nContent-Type"],
["Content\r\n-Type"],
["\n"],
["\r\n"],
["\t"],
[' Content-Type '],
['Content - Type'],
["Content\x00Type"],
[':Content-Type'],
['Content-Type:'],
[''],
];
}
/**
* @param array<int|string, array<string, string>|string>|string|null $value
*/
#[DataProvider('invalidValuesProvider')]
public function testInvalidHeaderValues($value): void
{
$this->expectException(InvalidArgumentException::class);
new Header('X-Test-Header', $value);
}
/**
* @return list<list<array<(int|string), string>|string>>
*/
public static function invalidValuesProvider(): array
{
return [
["Header\n Value"],
["Header\r\n Value"],
["Header\r Value"],
["Header Value\n"],
["\nHeader Value"],
["Header Value\r\n"],
["\n\rHeader Value"],
["\n\nHeader Value\n\n"],
[
["Header\n Value"],
["Header\r\n Value"],
],
[
[
"Header\n" => 'Value',
],
],
[
[
'Header' => "Value\r\n",
],
],
];
}
}
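Review bot: The new negative tests only drive validation through the constructor (`new Header($name, 'text/html')` and `new Header('X-Test-Header', $value)`), so the validateValue calls this commit adds to appendValue and prependValue have no coverage and a regression in either would go unnoticed. A pair of cases along the lines of `$this->expectException(InvalidArgumentException::class); (new Header('X-Test-Header', 'ok'))->appendValue("bad\r\n");` and the same call for prependValue would close that gap, and invalidValuesProvider can be reused for both via the DataProvider attribute. A positive case asserting that a value containing a tab or obs-text bytes (`\x80`-`\xFF`) is still accepted would also pin the intended width of the RFC 7230 regex so a later over-tightening is caught. Style: `testInvalidHeaderNames($name)` and `testInvalidHeaderValues($value)` carry their types only in PHPDoc; `string $name` can be declared natively and the value parameter typed as `array|string|null`, which lets the docblocks on both methods go.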


@ -10,6 +10,14 @@ Release Date: Unreleased
:local:
:depth: 3
********
SECURITY
********
- **Header:** *Validation of header name and value* was fixed.
See the `Security advisory GHSA-x5mq-jjr3-vmx6 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-x5mq-jjr3-vmx6>`_
for more information.
********
BREAKING
********