[http] Adapt header field name validation to RFC definition #5301

Closed
wants to merge 1 commit into from

3 participants

@Maks3w
Collaborator

No description provided.

@Maks3w Maks3w commented on the diff
library/Zend/Http/Header/GenericHeader.php
@@ -69,13 +69,17 @@ public function setFieldName($fieldName)
throw new Exception\InvalidArgumentException('Header name must be a string');
}
- // Pre-filter to normalize valid characters, change underscore to dash
- $fieldName = str_replace(' ', '-', ucwords(str_replace(array('_', '-'), ' ', $fieldName)));
@Maks3w Collaborator
Maks3w added a note

@ralphschindler @weierophinney Why was this needed?

@weierophinney Owner

Apache, basically. The PhpEnvironment-specific request object may pull the headers from get_headers(), and those often substitute underscores for dashes.

@weierophinney weierophinney referenced this pull request from a commit
@weierophinney weierophinney [#5301] re-add normalization
- s/_/-/ in header field names
0d675a6
@fuashley

Causes a BC break in code being used against OAuth2 spec servers. Should be a configurable option (default off).

@Maks3w
Collaborator

@fuashley Please open a new issue with your problem. This thread is closed

@weierophinney weierophinney referenced this pull request from a commit
Commit has since been removed from the repository and is no longer available.
@weierophinney weierophinney referenced this pull request from a commit
Commit has since been removed from the repository and is no longer available.
@weierophinney weierophinney referenced this pull request from a commit
Commit has since been removed from the repository and is no longer available.
@weierophinney weierophinney referenced this pull request from a commit
Commit has since been removed from the repository and is no longer available.
@weierophinney weierophinney referenced this pull request from a commit in zendframework/zend-http
@weierophinney weierophinney Merge pull request zendframework/zf2#5301 from Maks3w/hotfix/http-fie…
…ldname-check

[http] Adapt header field name validation to RFC definition
fb43d3c
@weierophinney weierophinney referenced this pull request from a commit in zendframework/zend-http
@weierophinney weierophinney [zendframework/zf2#5301] re-add normalization
- s/_/-/ in header field names
682c863
@weierophinney weierophinney referenced this pull request from a commit in zendframework/zend-http
@weierophinney weierophinney Merge branch 'hotfix/5301' 03dc917
@weierophinney weierophinney referenced this pull request from a commit in zendframework/zend-http
@weierophinney weierophinney Merge branch 'hotfix/5301' into develop a78d295
18 library/Zend/Http/Header/GenericHeader.php
@@ -61,7 +61,7 @@ public function __construct($fieldName = null, $fieldValue = null)
*
* @param string $fieldName
* @return GenericHeader
- * @throws Exception\InvalidArgumentException(
+ * @throws Exception\InvalidArgumentException If the name does not match with RFC 2616 format.
*/
public function setFieldName($fieldName)
{
@@ -69,13 +69,17 @@ public function setFieldName($fieldName)
throw new Exception\InvalidArgumentException('Header name must be a string');
}
- // Pre-filter to normalize valid characters, change underscore to dash
- $fieldName = str_replace(' ', '-', ucwords(str_replace(array('_', '-'), ' ', $fieldName)));
@Maks3w Collaborator
Maks3w added a note

@ralphschindler @weierophinney Why was this needed?

@weierophinney Owner

Apache, basically. The PhpEnvironment-specific request object may pull the headers from get_headers(), and those often substitute underscores for dashes.

-
- // Validate what we have
- if (!preg_match('/^[a-z][a-z0-9-]*$/i', $fieldName)) {
+ /*
+ * Following RFC 2616 section 4.2
+ *
+ * message-header = field-name ":" [ field-value ]
+ * field-name = token
+ *
+ * @see http://tools.ietf.org/html/rfc2616#section-2.2 for token definition.
+ */
+ if (!preg_match('/^[!#-\'*+\-\.0-9A-Z\^-z|~]+$/', $fieldName)) {
throw new Exception\InvalidArgumentException(
- 'Header name must start with a letter, and consist of only letters, numbers, and dashes'
+ 'Header name must be a valid RFC 2616 (section 4.2) field-name.'
);
}
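Review bot: The new `preg_match` pattern still accepts a field name that ends in a newline, because `$` in PCRE also matches just before a final "\n" unless the `D` (dollar-end-only) modifier is set — `"Host\n"` passes validation even though "\n" is a CTL the RFC excludes. A name that reaches this setter from caller-supplied data is presumably emitted later as part of the header line, so the end anchor should be strict: `if (!preg_match('/^[!#-\'*+\-\.0-9A-Z\^-z|~]+$/D', $fieldName)) {`. The character class itself is correct for RFC 2616 token (CHAR minus CTLs and separators), so only the modifier needs to change. setFieldName's body continues past the end of the hunk.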
116 tests/ZendTest/Http/Header/GenericHeaderTest.php
@@ -0,0 +1,116 @@
+<?php
+/**
+ * Zend Framework (http://framework.zend.com/)
+ *
+ * @link http://github.com/zendframework/zf2 for the canonical source repository
+ * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license http://framework.zend.com/license/new-bsd New BSD License
+ */
+
+namespace ZendTest\Http\Header;
+
+use Zend\Http\Header\Exception\InvalidArgumentException;
+use Zend\Http\Header\GenericHeader;
+use PHPUnit_Framework_TestCase as TestCase;
+
+class GenericHeaderTest extends TestCase
+{
+ /**
+ * @param string $name
+ * @dataProvider validFieldNameChars
+ */
+ public function testValidFieldName($name)
+ {
+ try {
+ new GenericHeader($name);
+ } catch (InvalidArgumentException $e) {
+ $this->assertEquals(
+ $e->getMessage(),
+ 'Header name must be a valid RFC 2616 (section 4.2) field-name.'
+ );
+ $this->fail('Allowed char rejected: ' . ord($name)); // For easy debug
+ }
+ }
+
+ /**
+ * @param string $name
+ * @dataProvider invalidFieldNameChars
+ */
+ public function testInvalidFieldName($name)
+ {
+ try {
+ new GenericHeader($name);
+ $this->fail('Invalid char allowed: ' . ord($name)); // For easy debug
+ } catch (InvalidArgumentException $e) {
+ $this->assertEquals(
+ $e->getMessage(),
+ 'Header name must be a valid RFC 2616 (section 4.2) field-name.'
+ );
+ }
+ }
+
+ /**
+ * Valid field name characters.
+ *
+ * @return string[]
+ */
+ public function validFieldNameChars()
+ {
+ return array(
+ array('!'),
+ array('#'),
+ array('$'),
+ array('%'),
+ array('&'),
+ array("'"),
+ array('*'),
+ array('+'),
+ array('-'),
+ array('.'),
+ array('0'), // Begin numeric range
+ array('9'), // End numeric range
+ array('A'), // Begin upper range
+ array('Z'), // End upper range
+ array('^'),
+ array('_'),
+ array('`'),
+ array('a'), // Begin lower range
+ array('z'), // End lower range
+ array('|'),
+ array('~'),
+ );
+ }
+
+ /**
+ * Invalid field name characters.
+ *
+ * @return string[]
+ */
+ public function invalidFieldNameChars()
+ {
+ return array(
+ array("\x00"), // Min CTL invalid character range.
+ array("\x1F"), // Max CTL invalid character range.
+ array('('),
+ array(')'),
+ array('<'),
+ array('>'),
+ array('@'),
+ array(','),
+ array(';'),
+ array(':'),
+ array('\\'),
+ array('"'),
+ array('/'),
+ array('['),
+ array(']'),
+ array('?'),
+ array('='),
+ array('{'),
+ array('}'),
+ array(' '),
+ array("\t"),
+ array("\x7F"), // DEL CTL invalid character.
+ );
+ }
+}
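Review bot: The `assertEquals` calls in testValidFieldName and testInvalidFieldName pass the actual message first and the expected string second, so a mismatch would report them swapped; PHPUnit's order is (expected, actual): `$this->assertEquals('Header name must be a valid RFC 2616 (section 4.2) field-name.', $e->getMessage());`. Both data providers only exercise single-octet names, so nothing checks the pattern's end anchor against a longer name with a trailing control character; adding `array("Host\n")` and `array("Host\r")` to invalidFieldNameChars, and a multi-character valid name such as `array('Content-Type')` to validFieldNameChars, would cover that. With multi-character datasets the `ord($name)` in the fail messages reports only the first byte, so printing `$name` itself (or `bin2hex($name)`) would be more useful there.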