fix: Add validation in CodeIgniter\HTTP\Header

neznaika0 · neznaika0 · commit 85fe2310cbdf · 2025-01-14T11:03:01.000+03:00
diff --git a/system/HTTP/Header.php b/system/HTTP/Header.php
@@ -13,6 +13,7 @@
 
 namespace CodeIgniter\HTTP;
 
+use InvalidArgumentException;
 use Stringable;
 
 /**
@@ -54,7 +55,7 @@ class Header implements Stringable
      */
     public function __construct(string $name, $value = null)
     {
-        $this->name = $name;
+        $this->setName($name);
         $this->setValue($value);
     }
 
@@ -81,9 +82,13 @@ public function getValue()
      * Sets the name of the header, overwriting any previous value.
      *
      * @return $this
+     *
+     * @throws InvalidArgumentException
      */
     public function setName(string $name)
     {
+        $this->validateName($name);
+
         $this->name = $name;
 
         return $this;
@@ -95,11 +100,15 @@ public function setName(string $name)
      * @param array<int|string, array<string, string>|string>|string|null $value
      *
      * @return $this
+     *
+     * @throws InvalidArgumentException
      */
     public function setValue($value = null)
     {
         $this->value = is_array($value) ? $value : (string) $value;
 
+        $this->validateValue($value);
+
         return $this;
     }
 
@@ -110,13 +119,17 @@ public function setValue($value = null)
      * @param array<string, string>|string|null $value
      *
      * @return $this
+     *
+     * @throws InvalidArgumentException
      */
     public function appendValue($value = null)
     {
         if ($value === null) {
             return $this;
         }
 
+        $this->validateValue($value);
+
         if (! is_array($this->value)) {
             $this->value = [$this->value];
         }
@@ -135,9 +148,13 @@ public function appendValue($value = null)
      * @param array<string, string>|string|null $value
      *
      * @return $this
+     *
+     * @throws InvalidArgumentException
      */
     public function prependValue($value = null)
     {
+        $this->validateValue($value);
+
         if ($value === null) {
             return $this;
         }
@@ -193,4 +210,34 @@ public function __toString(): string
     {
         return $this->name . ': ' . $this->getValueLine();
     }
+
+    /**
+     * @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2
+     *
+     * @throws InvalidArgumentException
+     */
+    private function validateName(string $name): void
+    {
+        if (preg_match("@^[!#$%&'*+.^_`|~0-9A-Za-z-]+$@D", $name) !== 1) {
+            throw new InvalidArgumentException('Header name must be an RFC 7230 compatible string.');
+        }
+    }
+
+    /**
+     * @param array<string, string>|string|null $value
+     *
+     * @throws InvalidArgumentException
+     */
+    private function validateValue($value): void
+    {
+        if (is_string($value) && preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@D", $value) !== 1) {
+            throw new InvalidArgumentException('Header values must be RFC 7230 compatible strings.');
+        }
+
+        if (is_array($value)) {
+            array_map(function ($v): void {
+                $this->validateValue($v);
+            }, $value);
+        }
+    }
 }
diff --git a/tests/system/HTTP/HeaderTest.php b/tests/system/HTTP/HeaderTest.php
@@ -15,6 +15,8 @@
 
 use CodeIgniter\Test\CIUnitTestCase;
 use Error;
+use InvalidArgumentException;
+use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Group;
 use stdClass;
 
@@ -234,4 +236,70 @@ public function testHeaderToStringShowsEntireHeader(): void
 
         $this->assertSame($expected, (string) $header);
     }
+
+    /**
+     * @param string $name
+     */
+    #[DataProvider('invalidNamesProvider')]
+    public function testInvalidHeaderNames($name): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+
+        new Header($name, 'text/html');
+    }
+
+    /**
+     * @return list<list<string>>
+     */
+    public static function invalidNamesProvider(): array
+    {
+        return [
+            ["Content-Type\r\n\r\n"],
+            ["Content-Type\r\n"],
+            ["Content-Type\n"],
+            ["\tContent-Type\t"],
+            ["\n\nContent-Type\n\n"],
+            ["\r\nContent-Type"],
+            ["\nContent-Type"],
+            ["Content\r\n-Type"],
+            ["\n"],
+            ["\r\n"],
+            ["\t"],
+            ['   Content-Type   '],
+            ['Content - Type'],
+            [''],
+        ];
+    }
+
+    /**
+     * @param array<int|string, array<string, string>|string>|string|null $value
+     */
+    #[DataProvider('invalidValuesProvider')]
+    public function testInvalidHeaderValues($value): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+
+        new Header('X-Test-Header', $value);
+    }
+
+    /**
+     * @return list<list<list<string>|string>>
+     */
+    public static function invalidValuesProvider(): array
+    {
+        return [
+            ["Header\n Value"],
+            ["Header\r\n Value"],
+            ["Header\r Value"],
+            ["Header Value\n"],
+            ["\nHeader Value"],
+            ["Header Value\r\n"],
+            ["\n\rHeader Value"],
+            ["\n\nHeader Value\n\n"],
+            [
+                ["Header\n Value"],
+                ["Header\r\n Value"],
+            ],
+        ];
+    }
 }
