3 * @see https://github.com/zendframework/zend-diactoros for the canonical source repository
4 * @copyright Copyright (c) 2015-2017 Zend Technologies USA Inc. (http://www.zend.com)
5 * @license https://github.com/zendframework/zend-diactoros/blob/master/LICENSE.md New BSD License
8 namespace Zend\Diactoros;
10 use InvalidArgumentException;
13 * Provide security tools around HTTP headers to prevent common injection vectors.
15 * Code is largely lifted from the Zend\Http\Header\HeaderValue implementation in
16 * Zend Framework, released with the copyright and license below.
18 * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
19 * @license http://framework.zend.com/license/new-bsd New BSD License
21 final class HeaderSecurity
24 * Private constructor; non-instantiable.
27 private function __construct()
32 * Filter a header value
34 * Ensures CRLF header injection vectors are filtered.
36 * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
37 * tabs are allowed in values; header continuations MUST consist of
38 * a single CRLF sequence followed by a space or horizontal tab.
40 * This method filters any values not allowed from the string, and is
43 * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
44 * @param string $value
47 public static function filter($value)
49 $value = (string) $value;
50 $length = strlen($value);
52 for ($i = 0; $i < $length; $i += 1) {
53 $ascii = ord($value[$i]);
55 // Detect continuation sequences
57 $lf = ord($value[$i + 1]);
58 $ws = ord($value[$i + 2]);
59 if ($lf === 10 && in_array($ws, [9, 32], true)) {
60 $string .= $value[$i] . $value[$i + 1];
67 // Non-visible, non-whitespace characters
68 // 9 === horizontal tab
69 // 32-126, 128-254 === visible
72 if (($ascii < 32 && $ascii !== 9)
79 $string .= $value[$i];
86 * Validate a header value.
88 * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
89 * tabs are allowed in values; header continuations MUST consist of
90 * a single CRLF sequence followed by a space or horizontal tab.
92 * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
93 * @param string $value
96 public static function isValid($value)
98 $value = (string) $value;
101 // \n not preceded by \r, OR
102 // \r not followed by \n, OR
103 // \r\n not followed by space or horizontal tab; these are all CRLF attacks
104 if (preg_match("#(?:(?:(?<!\r)\n)|(?:\r(?!\n))|(?:\r\n(?![ \t])))#", $value)) {
108 // Non-visible, non-whitespace characters
109 // 9 === horizontal tab
111 // 13 === carriage return
112 // 32-126, 128-254 === visible
113 // 127 === DEL (disallowed)
114 // 255 === null byte (disallowed)
115 if (preg_match('/[^\x09\x0a\x0d\x20-\x7E\x80-\xFE]/', $value)) {
123 * Assert a header value is valid.
125 * @param string $value
126 * @throws InvalidArgumentException for invalid values
128 public static function assertValid($value)
130 if (! is_string($value) && ! is_numeric($value)) {
131 throw new InvalidArgumentException(sprintf(
132 'Invalid header value type; must be a string or numeric; received %s',
133 (is_object($value) ? get_class($value) : gettype($value))
136 if (! self::isValid($value)) {
137 throw new InvalidArgumentException(sprintf(
138 '"%s" is not valid header value',
145 * Assert whether or not a header name is valid.
147 * @see http://tools.ietf.org/html/rfc7230#section-3.2
149 * @throws InvalidArgumentException
151 public static function assertValidName($name)
153 if (! is_string($name)) {
154 throw new InvalidArgumentException(sprintf(
155 'Invalid header name type; expected string; received %s',
156 (is_object($name) ? get_class($name) : gettype($name))
159 if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $name)) {
160 throw new InvalidArgumentException(sprintf(
161 '"%s" is not valid header name',