Merge commit from fork

Co-authored-by: neznaika0 <[email protected]> Co-authored-by: John Paul E. Balandan, CPA <[email protected]>
codeigniter4 · Jan 18, 2025 · 5f8aa24 · 5f8aa24
1 parent 119330c
commit 5f8aa24
Show file tree

Hide file tree

Showing 3 changed files with 159 additions and 2 deletions.
diff --git a/system/HTTP/Header.php b/system/HTTP/Header.php
@@ -13,6 +13,7 @@
 
 namespace CodeIgniter\HTTP;
 
+use InvalidArgumentException;
 use Stringable;
 
 /**
@@ -54,7 +55,7 @@ class Header implements Stringable
      */
     public function __construct(string $name, $value = null)
     {
-        $this->name = $name;
+        $this->setName($name);
         $this->setValue($value);
     }
 
@@ -81,9 +82,12 @@ public function getValue()
      * Sets the name of the header, overwriting any previous value.
      *
      * @return $this
+     *
+     * @throws InvalidArgumentException
      */
     public function setName(string $name)
     {
+        $this->validateName($name);
         $this->name = $name;
 
         return $this;
@@ -95,10 +99,16 @@ public function setName(string $name)
      * @param array<int|string, array<string, string>|string>|string|null $value
      *
      * @return $this
+     *
+     * @throws InvalidArgumentException
      */
     public function setValue($value = null)
     {
-        $this->value = is_array($value) ? $value : (string) $value;
+        $value = is_array($value) ? $value : (string) $value;
+
+        $this->validateValue($value);
+
+        $this->value = $value;
 
         return $this;
     }
@@ -110,13 +120,17 @@ public function setValue($value = null)
      * @param array<string, string>|string|null $value
      *
      * @return $this
+     *
+     * @throws InvalidArgumentException
      */
     public function appendValue($value = null)
     {
         if ($value === null) {
             return $this;
         }
 
+        $this->validateValue($value);
+
         if (! is_array($this->value)) {
             $this->value = [$this->value];
         }
@@ -135,13 +149,17 @@ public function appendValue($value = null)
      * @param array<string, string>|string|null $value
      *
      * @return $this
+     *
+     * @throws InvalidArgumentException
      */
     public function prependValue($value = null)
     {
         if ($value === null) {
             return $this;
         }
 
+        $this->validateValue($value);
+
         if (! is_array($this->value)) {
             $this->value = [$this->value];
         }
@@ -193,4 +211,54 @@ public function __toString(): string
     {
         return $this->name . ': ' . $this->getValueLine();
     }
+
+    /**
+     * Validate header name.
+     *
+     * Regex is based on code from a guzzlehttp/psr7 library.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2
+     *
+     * @throws InvalidArgumentException
+     */
+    private function validateName(string $name): void
+    {
+        if (preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/D', $name) !== 1) {
+            throw new InvalidArgumentException('The header name is not valid as per RFC 7230.');
+        }
+    }
+
+    /**
+     * Validate header value.
+     *
+     * Regex is based on code from a guzzlehttp/psr7 library.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2
+     *
+     * @param array<int|string, array<string, string>|string>|int|string $value
+     *
+     * @throws InvalidArgumentException
+     */
+    private function validateValue(array|int|string $value): void
+    {
+        if (is_int($value)) {
+            return;
+        }
+
+        if (is_array($value)) {
+            foreach ($value as $key => $val) {
+                $this->validateValue($key);
+                $this->validateValue($val);
+            }
+
+            return;
+        }
+
+        // The regular expression excludes obs-fold per RFC 7230#3.2.4, as sending folded lines
+        // is deprecated and rare. This obscure HTTP/1.1 feature is unlikely to impact legitimate
+        // use cases. Libraries like Guzzle and AMPHP follow the same principle.
+        if (preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value) !== 1) {
+            throw new InvalidArgumentException('The header value is not valid as per RFC 7230.');
+        }
+    }
 }
diff --git a/tests/system/HTTP/HeaderTest.php b/tests/system/HTTP/HeaderTest.php
@@ -15,6 +15,8 @@
 
 use CodeIgniter\Test\CIUnitTestCase;
 use Error;
+use InvalidArgumentException;
+use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Group;
 use stdClass;
 
@@ -234,4 +236,83 @@ public function testHeaderToStringShowsEntireHeader(): void
 
         $this->assertSame($expected, (string) $header);
     }
+
+    /**
+     * @param string $name
+     */
+    #[DataProvider('invalidNamesProvider')]
+    public function testInvalidHeaderNames($name): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+
+        new Header($name, 'text/html');
+    }
+
+    /**
+     * @return list<list<string>>
+     */
+    public static function invalidNamesProvider(): array
+    {
+        return [
+            ["Content-Type\r\n\r\n"],
+            ["Content-Type\r\n"],
+            ["Content-Type\n"],
+            ["\tContent-Type\t"],
+            ["\n\nContent-Type\n\n"],
+            ["\r\nContent-Type"],
+            ["\nContent-Type"],
+            ["Content\r\n-Type"],
+            ["\n"],
+            ["\r\n"],
+            ["\t"],
+            ['   Content-Type   '],
+            ['Content - Type'],
+            ["Content\x00Type"],
+            [':Content-Type'],
+            ['Content-Type:'],
+            [''],
+        ];
+    }
+
+    /**
+     * @param array<int|string, array<string, string>|string>|string|null $value
+     */
+    #[DataProvider('invalidValuesProvider')]
+    public function testInvalidHeaderValues($value): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+
+        new Header('X-Test-Header', $value);
+    }
+
+    /**
+     * @return list<list<array<(int|string), string>|string>>
+     */
+    public static function invalidValuesProvider(): array
+    {
+        return [
+            ["Header\n Value"],
+            ["Header\r\n Value"],
+            ["Header\r Value"],
+            ["Header Value\n"],
+            ["\nHeader Value"],
+            ["Header Value\r\n"],
+            ["\n\rHeader Value"],
+            ["\n\nHeader Value\n\n"],
+            [
+                ["Header\n Value"],
+                ["Header\r\n Value"],
+            ],
+            [
+                [
+                    "Header\n" => 'Value',
+                ],
+            ],
+            [
+                [
+                    'Header' => "Value\r\n",
+                ],
+            ],
+        ];
+    }
 }
diff --git a/user_guide_src/source/changelogs/v4.5.8.rst b/user_guide_src/source/changelogs/v4.5.8.rst
@@ -10,6 +10,14 @@ Release Date: Unreleased
     :local:
     :depth: 3
 
+********
+SECURITY
+********
+
+- **Header:** *Validation of header name and value* was fixed.
+  See the `Security advisory GHSA-x5mq-jjr3-vmx6 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-x5mq-jjr3-vmx6>`_
+  for more information.
+
 ********
 BREAKING
 ********