3 * Zend Framework (http://framework.zend.com/)
5 * @see http://github.com/zendframework/zend-diactoros for the canonical source repository
6 * @copyright Copyright (c) 2015-2016 Zend Technologies USA Inc. (http://www.zend.com)
7 * @license https://github.com/zendframework/zend-diactoros/blob/master/LICENSE.md New BSD License
10 namespace Zend\Diactoros;
12 use InvalidArgumentException;
15 * Provide security tools around HTTP headers to prevent common injection vectors.
17 * Code is largely lifted from the Zend\Http\Header\HeaderValue implementation in
18 * Zend Framework, released with the copyright and license below.
20 * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
21 * @license http://framework.zend.com/license/new-bsd New BSD License
23 final class HeaderSecurity
26 * Private constructor; non-instantiable.
29 private function __construct()
34 * Filter a header value
36 * Ensures CRLF header injection vectors are filtered.
38 * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
39 * tabs are allowed in values; header continuations MUST consist of
40 * a single CRLF sequence followed by a space or horizontal tab.
42 * This method filters any values not allowed from the string, and is
45 * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
46 * @param string $value
49 public static function filter($value)
51 $value = (string) $value;
52 $length = strlen($value);
54 for ($i = 0; $i < $length; $i += 1) {
55 $ascii = ord($value[$i]);
57 // Detect continuation sequences
59 $lf = ord($value[$i + 1]);
60 $ws = ord($value[$i + 2]);
61 if ($lf === 10 && in_array($ws, [9, 32], true)) {
62 $string .= $value[$i] . $value[$i + 1];
69 // Non-visible, non-whitespace characters
70 // 9 === horizontal tab
71 // 32-126, 128-254 === visible
74 if (($ascii < 32 && $ascii !== 9)
81 $string .= $value[$i];
88 * Validate a header value.
90 * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
91 * tabs are allowed in values; header continuations MUST consist of
92 * a single CRLF sequence followed by a space or horizontal tab.
94 * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
95 * @param string $value
98 public static function isValid($value)
100 $value = (string) $value;
103 // \n not preceded by \r, OR
104 // \r not followed by \n, OR
105 // \r\n not followed by space or horizontal tab; these are all CRLF attacks
106 if (preg_match("#(?:(?:(?<!\r)\n)|(?:\r(?!\n))|(?:\r\n(?![ \t])))#", $value)) {
110 // Non-visible, non-whitespace characters
111 // 9 === horizontal tab
113 // 13 === carriage return
114 // 32-126, 128-254 === visible
115 // 127 === DEL (disallowed)
116 // 255 === null byte (disallowed)
117 if (preg_match('/[^\x09\x0a\x0d\x20-\x7E\x80-\xFE]/', $value)) {
125 * Assert a header value is valid.
127 * @param string $value
128 * @throws InvalidArgumentException for invalid values
130 public static function assertValid($value)
132 if (! is_string($value) && ! is_numeric($value)) {
133 throw new InvalidArgumentException(sprintf(
134 'Invalid header value type; must be a string or numeric; received %s',
135 (is_object($value) ? get_class($value) : gettype($value))
138 if (! self::isValid($value)) {
139 throw new InvalidArgumentException(sprintf(
140 '"%s" is not valid header value',
147 * Assert whether or not a header name is valid.
149 * @see http://tools.ietf.org/html/rfc7230#section-3.2
151 * @throws InvalidArgumentException
153 public static function assertValidName($name)
155 if (! is_string($name)) {
156 throw new InvalidArgumentException(sprintf(
157 'Invalid header name type; expected string; received %s',
158 (is_object($name) ? get_class($name) : gettype($name))
161 if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $name)) {
162 throw new InvalidArgumentException(sprintf(
163 '"%s" is not valid header name',