minor #30561 [HttpClient] strengthen bearer validation (nicolas-grekas)
This PR was merged into the 4.3-dev branch.

Discussion
----------

[HttpClient] strengthen bearer validation

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Better be sure CR/LF/etc cannot be passed inside raw header values, opening potential security risks.
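To make the risk in the description concrete, here is an added example, not part of Symfony's HttpClient code, that reuses the exact pattern this commit introduces and contrasts a naive raw header builder with a checked one. The function names `isValidBearer`, `buildRawHeaderUnchecked` and `buildRawHeaderChecked` and the sample tokens are constructed for illustration.

```php
<?php
// Added example (not Symfony code). It shows why a bearer value must be
// validated before being interpolated into a raw header line.

// The same pattern the commit adds: one or more characters from the base64
// alphabet (standard and URL-safe variants, plus '.', '~'), then optional '='
// padding. This is the b64token syntax of RFC 6750 section 2.1.
const BEARER_PATTERN = '{^[-._~+/0-9a-zA-Z]++=*+$}';

function isValidBearer(string $token): bool
{
    return 1 === preg_match(BEARER_PATTERN, $token);
}

/**
 * Naive builder (constructed for illustration): no validation at all.
 * A CR/LF inside $token terminates the Authorization line early and
 * whatever follows becomes an additional header line.
 */
function buildRawHeaderUnchecked(string $token): string
{
    return "Authorization: Bearer $token\r\n";
}

/**
 * Hardened builder: refuses anything outside the allowed alphabet before the
 * value ever reaches the wire, with the same message the commit uses.
 */
function buildRawHeaderChecked(string $token): string
{
    if (!isValidBearer($token)) {
        throw new InvalidArgumentException('Option "auth_bearer" must be a string containing only characters from the base 64 alphabet, invalid string given.');
    }

    return "Authorization: Bearer $token\r\n";
}

// Constructed sample values and the verdict the pattern should give.
$samples = [
    'eyJhbGciOiJIUzI1NiJ9.e30.abc-_~+/==' => true,  // JWT-like token with padding
    'abc'                                  => true,
    ''                                     => false, // '++' requires at least one character
    "a\nb"                                 => false, // the case the new test covers
    "abc\r\nX-Injected: 1"                 => false, // would split into a second header line
    'abc def'                              => false, // space is not in the alphabet
];

foreach ($samples as $token => $expected) {
    assert(isValidBearer($token) === $expected, sprintf('unexpected verdict for %s', json_encode($token)));
}

// Make the control characters visible so the header split is obvious.
$raw = buildRawHeaderUnchecked("abc\r\nX-Injected: 1");
echo str_replace(["\r", "\n"], ['\r', '\n'], $raw), PHP_EOL;

try {
    buildRawHeaderChecked("abc\r\nX-Injected: 1");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`; the first line of output shows the unchecked builder emitting two header lines from a single option value, the second shows the checked builder refusing the same input. An allow-list on the token alphabet is preferable to stripping CR/LF, because it also rejects the other characters (spaces, quotes, non-ASCII) that have no place in a bearer token.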

Commits
-------

e6e1620 [HttpClient] strengthen bearer validation
nicolas-grekas committed Mar 15, 2019
2 parents 59e6380 + e6e1620 commit 9ee5ff7
Showing 2 changed files with 12 additions and 3 deletions.
4 changes: 2 additions & 2 deletions src/Symfony/Component/HttpClient/HttpClientTrait.php
Expand Up @@ -84,8 +84,8 @@ private static function prepareRequest(?string $method, ?string $url, array $opt
throw new InvalidArgumentException(sprintf('Option "auth_basic" must be string or an array, %s given.', \gettype($options['auth_basic'])));
}

if (!\is_string($options['auth_bearer'] ?? '')) {
throw new InvalidArgumentException(sprintf('Option "auth_bearer" must be string, %s given.', \gettype($options['auth_bearer'])));
if (isset($options['auth_bearer']) && (!\is_string($options['auth_bearer']) || !preg_match('{^[-._~+/0-9a-zA-Z]++=*+$}', $options['auth_bearer']))) {
throw new InvalidArgumentException(sprintf('Option "auth_bearer" must be a string containing only characters from the base 64 alphabet, %s given.', \is_string($options['auth_bearer']) ? 'invalid string' : \gettype($options['auth_bearer'])));
}

if (isset($options['auth_basic'], $options['auth_bearer'])) {
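Review bot: the new pattern `{^[-._~+/0-9a-zA-Z]++=*+$}` rejects the empty string (the possessive `++` needs at least one character), whereas the previous check `!\is_string($options['auth_bearer'] ?? '')` accepted `''`; if that tightening is intended, a test for the empty value would document it. The pattern itself matches the b64token grammar of RFC 6750, so legitimate tokens with `=` padding, `-`, `_`, `.`, `~`, `+` and `/` still pass, and because `isset()` is false for `null`, a `null` value keeps skipping validation exactly as before, so there is no behaviour change on that path.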
11 changes: 10 additions & 1 deletion src/Symfony/Component/HttpClient/Tests/HttpClientTraitTest.php
Expand Up @@ -174,13 +174,22 @@ public function testAuthBearerOption()

/**
* @expectedException \Symfony\Component\HttpClient\Exception\InvalidArgumentException
* @expectedExceptionMessage Option "auth_bearer" must be string, object given.
* @expectedExceptionMessage Option "auth_bearer" must be a string containing only characters from the base 64 alphabet, object given.
*/
public function testInvalidAuthBearerOption()
{
self::prepareRequest('POST', 'http://example.com', ['auth_bearer' => new \stdClass()], HttpClientInterface::OPTIONS_DEFAULTS);
}

/**
* @expectedException \Symfony\Component\HttpClient\Exception\InvalidArgumentException
* @expectedExceptionMessage Option "auth_bearer" must be a string containing only characters from the base 64 alphabet, invalid string given.
*/
public function testInvalidAuthBearerValue()
{
self::prepareRequest('POST', 'http://example.com', ['auth_bearer' => "a\nb"], HttpClientInterface::OPTIONS_DEFAULTS);
}

/**
* @expectedException \Symfony\Component\HttpClient\Exception\InvalidArgumentException
* @expectedExceptionMessage Define either the "auth_basic" or the "auth_bearer" option, setting both is not supported.
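Review bot: the new `testInvalidAuthBearerValue` only exercises a bare `\n`; since the motivation is CR/LF injection into raw header values, a `"a\r\nb"` case (and a space or quote, which the old check also let through) would pin the rejection more directly, and a positive case with a padded token such as `abc==` would guard against a future regex change silently rejecting valid bearer values.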