Merge branch 'security/zf2015-04'

ZF2015-04 patch

Author: weierophinney

README.md

@@ -13,6 +13,17 @@ Released on MMMMMMMM DD, YYYY.
 IMPORTANT FIXES FOR 1.12.12
 ---------------------------
 
+**This release contains security updates:**
+
+- **ZF2015-04:** `Zend_Mail` and `Zend_Http` were both susceptible to CRLF Injection
+  Attack vectors (for HTTP, this is often referred to as HTTP Response
+  Splitting). Both components were updated to perform header value validations
+  to ensure no values contain characters not detailed in their corresponding
+  specifications, and will raise exceptions on detection. Each also provides new
+  facilities for both validating and filtering header values prior to injecting
+  them into header classes. If you use either `Zend_Mail` or `Zend_Http`,
+  we recommend upgrading immediately.
+
 See http://framework.zend.com/changelog for full details.
 
 NEW FEATURES

library/Zend/Http/Client.php

@@ -39,6 +39,12 @@
 require_once 'Zend/Http/Client/Adapter/Interface.php';
 
 
+/**
+ * @see Zend_Http_Header_HeaderValue
+ */
+require_once 'Zend/Http/Header/HeaderValue.php';
+
+
 /**
  * @see Zend_Http_Response
  */
@@ -431,38 +437,40 @@ public function setHeaders($name, $value = null)
             foreach ($name as $k => $v) {
                 if (is_string($k)) {
                     $this->setHeaders($k, $v);
-                } else {
-                    $this->setHeaders($v, null);
+                    continue;
                 }
+                $this->setHeaders($v, null);
             }
-        } else {
-            // Check if $name needs to be split
-            if ($value === null && (strpos($name, ':') > 0)) {
-                list($name, $value) = explode(':', $name, 2);
-            }
+            return $this;
+        }
 
-            // Make sure the name is valid if we are in strict mode
-            if ($this->config['strict'] && (! preg_match('/^[a-zA-Z0-9-]+$/', $name))) {
-                /** @see Zend_Http_Client_Exception */
-                require_once 'Zend/Http/Client/Exception.php';
-                throw new Zend_Http_Client_Exception("{$name} is not a valid HTTP header name");
-            }
+        // Check if $name needs to be split
+        if ($value === null && (strpos($name, ':') > 0)) {
+            list($name, $value) = explode(':', $name, 2);
+        }
 
-            $normalized_name = strtolower($name);
+        // Make sure the name is valid if we are in strict mode
+        if ($this->config['strict'] && (! preg_match('/^[a-zA-Z0-9-]+$/', $name))) {
+            require_once 'Zend/Http/Client/Exception.php';
+            throw new Zend_Http_Client_Exception("{$name} is not a valid HTTP header name");
+        }
 
-            // If $value is null or false, unset the header
-            if ($value === null || $value === false) {
-                unset($this->headers[$normalized_name]);
+        $normalized_name = strtolower($name);
 
-            // Else, set the header
-            } else {
-                // Header names are stored lowercase internally.
-                if (is_string($value)) {
-                    $value = trim($value);
-                }
-                $this->headers[$normalized_name] = array($name, $value);
-            }
+        // If $value is null or false, unset the header
+        if ($value === null || $value === false) {
+            unset($this->headers[$normalized_name]);
+            return $this;
+        }
+
+        // Validate value
+        $this->_validateHeaderValue($value);
+
+        // Header names are stored lowercase internally.
+        if (is_string($value)) {
+            $value = trim($value);
         }
+        $this->headers[$normalized_name] = array($name, $value);
 
         return $this;
     }
@@ -1568,4 +1576,27 @@ protected static function _flattenParametersArray($parray, $prefix = null)
         return $parameters;
     }
 
+    /**
+     * Ensure a header value is valid per RFC 7230.
+     *
+     * @see http://tools.ietf.org/html/rfc7230#section-3.2
+     * @param string|object|array $value
+     * @param bool $recurse
+     */
+    protected function _validateHeaderValue($value, $recurse = true)
+    {
+        if (is_array($value) && $recurse) {
+            foreach ($value as $v) {
+                $this->_validateHeaderValue($v, false);
+            }
+            return;
+        }
+
+        if (! is_string($value) && (! is_object($value) || ! method_exists($value, '__toString'))) {
+            require_once 'Zend/Http/Exception.php';
+            throw new Zend_Http_Exception('Invalid header value detected');
+        }
+
+        Zend_Http_Header_HeaderValue::assertValid($value);
+    }
 }

library/Zend/Http/Header/HeaderValue.php

@@ -0,0 +1,127 @@
+<?php
+/**
+ * Zend Framework
+ *
+ * LICENSE
+ *
+ * This source file is subject to the new BSD license that is bundled
+ * with this package in the file LICENSE.txt.
+ * It is also available through the world-wide-web at this URL:
+ * http://framework.zend.com/license/new-bsd
+ * If you did not receive a copy of the license and are unable to
+ * obtain it through the world-wide-web, please send an email
+ * to [email protected] so we can send you a copy immediately.
+ *
+ * @category   Zend
+ * @package    Zend_Http
+ * @subpackage Header
+ * @version    $Id$
+ * @copyright  Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license    http://framework.zend.com/license/new-bsd     New BSD License
+ */
+
+
+/**
+ * @category   Zend
+ * @package    Zend_Http
+ * @subpackage Header
+ * @copyright  Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license    http://framework.zend.com/license/new-bsd     New BSD License
+ */
+final class Zend_Http_Header_HeaderValue
+{
+    /**
+     * Private constructor; non-instantiable.
+     */
+    private function __construct()
+    {
+    }
+
+    /**
+     * Filter a header value
+     *
+     * Ensures CRLF header injection vectors are filtered.
+     *
+     * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
+     * tabs are allowed in values; only one whitespace character is allowed
+     * between visible characters.
+     *
+     * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
+     * @param string $value
+     * @return string
+     */
+    public static function filter($value)
+    {
+        $value  = (string) $value;
+        $length = strlen($value);
+        $string = '';
+        for ($i = 0; $i < $length; $i += 1) {
+            $ascii = ord($value[$i]);
+
+            // Non-visible, non-whitespace characters
+            // 9 === horizontal tab
+            // 32-126, 128-254 === visible
+            // 127 === DEL
+            // 255 === null byte
+            if (($ascii < 32 && $ascii !== 9)
+                || $ascii === 127
+                || $ascii > 254
+            ) {
+                continue;
+            }
+
+            $string .= $value[$i];
+        }
+
+        return $string;
+    }
+
+    /**
+     * Validate a header value.
+     *
+     * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
+     * tabs are allowed in values; only one whitespace character is allowed
+     * between visible characters.
+     *
+     * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
+     * @param string $value
+     * @return bool
+     */
+    public static function isValid($value)
+    {
+        $value  = (string) $value;
+        $length = strlen($value);
+        for ($i = 0; $i < $length; $i += 1) {
+            $ascii = ord($value[$i]);
+
+            // Non-visible, non-whitespace characters
+            // 9 === horizontal tab
+            // 32-126, 128-254 === visible
+            // 127 === DEL
+            // 255 === null byte
+            if (($ascii < 32 && $ascii !== 9)
+                || $ascii === 127
+                || $ascii > 254
+            ) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Assert a header value is valid.
+     *
+     * @param string $value
+     * @throws Exception\RuntimeException for invalid values
+     * @return void
+     */
+    public static function assertValid($value)
+    {
+        if (! self::isValid($value)) {
+            require_once 'Zend/Http/Header/Exception/InvalidArgumentException.php';
+            throw new Zend_Http_Header_Exception_InvalidArgumentException('Invalid header value');
+        }
+    }
+}

library/Zend/Http/Header/SetCookie.php

@@ -31,6 +31,11 @@
  */
 require_once "Zend/Http/Header/Exception/RuntimeException.php";
 
+/**
+ * @see Zend_Http_Header_HeaderValue
+ */
+require_once "Zend/Http/Header/HeaderValue.php";
+
 /**
  * Zend_Http_Client is an implementation of an HTTP client in PHP. The client
  * supports basic features like sending different HTTP requests and handling
@@ -311,6 +316,7 @@ public function getName()
      */
     public function setValue($value)
     {
+        Zend_Http_Header_HeaderValue::assertValid($value);
         $this->value = $value;
         return $this;
     }
@@ -405,6 +411,7 @@ public function getExpires($inSeconds = false)
      */
     public function setDomain($domain)
     {
+        Zend_Http_Header_HeaderValue::assertValid($domain);
         $this->domain = $domain;
         return $this;
     }
@@ -422,6 +429,7 @@ public function getDomain()
      */
     public function setPath($path)
     {
+        Zend_Http_Header_HeaderValue::assertValid($path);
         $this->path = $path;
         return $this;
     }