[ZF2015-04] Fix CRLF injections in HTTP and Mail

This patch mirrors that made in ZF2 to address ZF2015-04. It adds the following
classes:

- `Zend_Http_Header_HeaderValue`, which provides functionality for validating,
  filtering, and asserting that header values follow RFC 2822.
- `Zend_Mail_Header_HeaderName`, which provides functionality for validating,
  filtering, and asserting that header names follow RFC 2822.
- `Zend_Mail_Header_HeaderValue`, which provides functionality for validating,
  filtering, and asserting that header values follow RFC 7230.

The following specific changes were made to existing functionality:

- `Zend_Mail_Part::__construct()` was modified in order to validate mail headers
  provided to it.
- `Zend_Http_Header_SetCookie`'s `setName()`, `setValue()`, `setDomain()`, and
  `setPath()` methods were modified to validate incoming values.
- `Zend_Http_Response::extractHeaders()` was modified to follow RFC 7230 and
  only split on `\r\n` sequences when splitting header lines. Each value
  extracted is tested for validity.
- `Zend_Http_Response::extractBody()` was modified to follow RFC 7230 and
  only split on `\r\n` sequences when splitting the message from the headers.
- `Zend_Http_Client::setHeaders()` was modified to validate incoming header
  values.

Author: weierophinney

library/Zend/Http/Client.php

@@ -39,6 +39,12 @@
 require_once 'Zend/Http/Client/Adapter/Interface.php';
 
 
+/**
+ * @see Zend_Http_Header_HeaderValue
+ */
+require_once 'Zend/Http/Header/HeaderValue.php';
+
+
 /**
  * @see Zend_Http_Response
  */
@@ -431,38 +437,40 @@ public function setHeaders($name, $value = null)
             foreach ($name as $k => $v) {
                 if (is_string($k)) {
                     $this->setHeaders($k, $v);
-                } else {
-                    $this->setHeaders($v, null);
+                    continue;
                 }
+                $this->setHeaders($v, null);
             }
-        } else {
-            // Check if $name needs to be split
-            if ($value === null && (strpos($name, ':') > 0)) {
-                list($name, $value) = explode(':', $name, 2);
-            }
+            return $this;
+        }
 
-            // Make sure the name is valid if we are in strict mode
-            if ($this->config['strict'] && (! preg_match('/^[a-zA-Z0-9-]+$/', $name))) {
-                /** @see Zend_Http_Client_Exception */
-                require_once 'Zend/Http/Client/Exception.php';
-                throw new Zend_Http_Client_Exception("{$name} is not a valid HTTP header name");
-            }
+        // Check if $name needs to be split
+        if ($value === null && (strpos($name, ':') > 0)) {
+            list($name, $value) = explode(':', $name, 2);
+        }
 
-            $normalized_name = strtolower($name);
+        // Make sure the name is valid if we are in strict mode
+        if ($this->config['strict'] && (! preg_match('/^[a-zA-Z0-9-]+$/', $name))) {
+            require_once 'Zend/Http/Client/Exception.php';
+            throw new Zend_Http_Client_Exception("{$name} is not a valid HTTP header name");
+        }
 
-            // If $value is null or false, unset the header
-            if ($value === null || $value === false) {
-                unset($this->headers[$normalized_name]);
+        $normalized_name = strtolower($name);
 
-            // Else, set the header
-            } else {
-                // Header names are stored lowercase internally.
-                if (is_string($value)) {
-                    $value = trim($value);
-                }
-                $this->headers[$normalized_name] = array($name, $value);
-            }
+        // If $value is null or false, unset the header
+        if ($value === null || $value === false) {
+            unset($this->headers[$normalized_name]);
+            return $this;
+        }
+
+        // Validate value
+        $this->_validateHeaderValue($value);
+
+        // Header names are stored lowercase internally.
+        if (is_string($value)) {
+            $value = trim($value);
         }
+        $this->headers[$normalized_name] = array($name, $value);
 
         return $this;
     }
@@ -1568,4 +1576,27 @@ protected static function _flattenParametersArray($parray, $prefix = null)
         return $parameters;
     }
 
+    /**
+     * Ensure a header value is valid per RFC 7230.
+     *
+     * @see http://tools.ietf.org/html/rfc7230#section-3.2
+     * @param string|object|array $value
+     * @param bool $recurse
+     */
+    protected function _validateHeaderValue($value, $recurse = true)
+    {
+        if (is_array($value) && $recurse) {
+            foreach ($value as $v) {
+                $this->_validateHeaderValue($v, false);
+            }
+            return;
+        }
+
+        if (! is_string($value) && (! is_object($value) || ! method_exists($value, '__toString'))) {
+            require_once 'Zend/Http/Exception.php';
+            throw new Zend_Http_Exception('Invalid header value detected');
+        }
+
+        Zend_Http_Header_HeaderValue::assertValid($value);
+    }
 }

library/Zend/Http/Header/HeaderValue.php

@@ -0,0 +1,127 @@
+<?php
+/**
+ * Zend Framework
+ *
+ * LICENSE
+ *
+ * This source file is subject to the new BSD license that is bundled
+ * with this package in the file LICENSE.txt.
+ * It is also available through the world-wide-web at this URL:
+ * http://framework.zend.com/license/new-bsd
+ * If you did not receive a copy of the license and are unable to
+ * obtain it through the world-wide-web, please send an email
+ * to [email protected] so we can send you a copy immediately.
+ *
+ * @category   Zend
+ * @package    Zend_Http
+ * @subpackage Header
+ * @version    $Id$
+ * @copyright  Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license    http://framework.zend.com/license/new-bsd     New BSD License
+ */
+
+
+/**
+ * @category   Zend
+ * @package    Zend_Http
+ * @subpackage Header
+ * @copyright  Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license    http://framework.zend.com/license/new-bsd     New BSD License
+ */
+final class Zend_Http_Header_HeaderValue
+{
+    /**
+     * Private constructor; non-instantiable.
+     */
+    private function __construct()
+    {
+    }
+
+    /**
+     * Filter a header value
+     *
+     * Ensures CRLF header injection vectors are filtered.
+     *
+     * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
+     * tabs are allowed in values; only one whitespace character is allowed
+     * between visible characters.
+     *
+     * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
+     * @param string $value
+     * @return string
+     */
+    public static function filter($value)
+    {
+        $value  = (string) $value;
+        $length = strlen($value);
+        $string = '';
+        for ($i = 0; $i < $length; $i += 1) {
+            $ascii = ord($value[$i]);
+
+            // Non-visible, non-whitespace characters
+            // 9 === horizontal tab
+            // 32-126, 128-254 === visible
+            // 127 === DEL
+            // 255 === null byte
+            if (($ascii < 32 && $ascii !== 9)
+                || $ascii === 127
+                || $ascii > 254
+            ) {
+                continue;
+            }
+
+            $string .= $value[$i];
+        }
+
+        return $string;
+    }
+
+    /**
+     * Validate a header value.
+     *
+     * Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal
+     * tabs are allowed in values; only one whitespace character is allowed
+     * between visible characters.
+     *
+     * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
+     * @param string $value
+     * @return bool
+     */
+    public static function isValid($value)
+    {
+        $value  = (string) $value;
+        $length = strlen($value);
+        for ($i = 0; $i < $length; $i += 1) {
+            $ascii = ord($value[$i]);
+
+            // Non-visible, non-whitespace characters
+            // 9 === horizontal tab
+            // 32-126, 128-254 === visible
+            // 127 === DEL
+            // 255 === null byte
+            if (($ascii < 32 && $ascii !== 9)
+                || $ascii === 127
+                || $ascii > 254
+            ) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Assert a header value is valid.
+     *
+     * @param string $value
+     * @throws Exception\RuntimeException for invalid values
+     * @return void
+     */
+    public static function assertValid($value)
+    {
+        if (! self::isValid($value)) {
+            require_once 'Zend/Http/Header/Exception/InvalidArgumentException.php';
+            throw new Zend_Http_Header_Exception_InvalidArgumentException('Invalid header value');
+        }
+    }
+}

library/Zend/Http/Header/SetCookie.php

@@ -31,6 +31,11 @@
  */
 require_once "Zend/Http/Header/Exception/RuntimeException.php";
 
+/**
+ * @see Zend_Http_Header_HeaderValue
+ */
+require_once "Zend/Http/Header/HeaderValue.php";
+
 /**
  * Zend_Http_Client is an implementation of an HTTP client in PHP. The client
  * supports basic features like sending different HTTP requests and handling
@@ -311,6 +316,7 @@ public function getName()
      */
     public function setValue($value)
     {
+        Zend_Http_Header_HeaderValue::assertValid($value);
         $this->value = $value;
         return $this;
     }
@@ -405,6 +411,7 @@ public function getExpires($inSeconds = false)
      */
     public function setDomain($domain)
     {
+        Zend_Http_Header_HeaderValue::assertValid($domain);
         $this->domain = $domain;
         return $this;
     }
@@ -422,6 +429,7 @@ public function getDomain()
      */
     public function setPath($path)
     {
+        Zend_Http_Header_HeaderValue::assertValid($path);
         $this->path = $path;
         return $this;
     }

library/Zend/Http/Response.php

@@ -21,6 +21,11 @@
  * @license    http://framework.zend.com/license/new-bsd     New BSD License
  */
 
+/**
+ * @see Zend_Http_Header_HeaderValue
+ */
+require_once 'Zend/Http/Header/HeaderValue.php';
+
 /**
  * Zend_Http_Response represents an HTTP 1.0 / 1.1 response message. It
  * includes easy access to all the response's different elemts, as well as some
@@ -394,7 +399,7 @@ public function getHeadersAsString($status_line = true, $br = "\n")
      * @param string $br Line breaks (eg. "\n", "\r\n", "<br />")
      * @return string
      */
-    public function asString($br = "\n")
+    public function asString($br = "\r\n")
     {
         return $this->getHeadersAsString(true, $br) . $br . $this->getRawBody();
     }
@@ -496,44 +501,75 @@ public static function extractHeaders($response_str)
     {
         $headers = array();
 
-        // First, split body and headers
-        $parts = preg_split('|(?:\r?\n){2}|m', $response_str, 2);
-        if (! $parts[0]) return $headers;
+        // First, split body and headers. Headers are separated from the
+        // message at exactly the sequence "\r\n\r\n"
+        $parts = preg_split('|(?:\r\n){2}|m', $response_str, 2);
+        if (! $parts[0]) {
+            return $headers;
+        }
 
-        // Split headers part to lines
-        $lines = explode("\n", $parts[0]);
+        // Split headers part to lines; "\r\n" is the only valid line separator.
+        $lines = explode("\r\n", $parts[0]);
         unset($parts);
         $last_header = null;
 
-        foreach($lines as $line) {
-            $line = trim($line, "\r\n");
-            if ($line == "") break;
+        foreach($lines as $index => $line) {
+            if ($index === 0 && preg_match('#^HTTP/\d+(?:\.\d+) [1-5]\d+#', $line)) {
+                // Status line; ignore
+                continue;
+            }
+
+            if ($line == "") {
+                // Done processing headers
+                break;
+            }
 
             // Locate headers like 'Location: ...' and 'Location:...' (note the missing space)
-            if (preg_match("|^([\w-]+):\s*(.+)|", $line, $m)) {
+            if (preg_match("|^([\w-]+):\s*(.+)|s", $line, $m)) {
                 unset($last_header);
-                $h_name = strtolower($m[1]);
+                $h_name  = strtolower($m[1]);
                 $h_value = $m[2];
+                Zend_Http_Header_HeaderValue::assertValid($h_value);
 
                 if (isset($headers[$h_name])) {
                     if (! is_array($headers[$h_name])) {
                         $headers[$h_name] = array($headers[$h_name]);
                     }
 
                     $headers[$h_name][] = $h_value;
-                } else {
-                    $headers[$h_name] = $h_value;
+                    $last_header = $h_name;
+                    continue;
                 }
+
+                $headers[$h_name] = $h_value;
                 $last_header = $h_name;
-            } elseif (preg_match("|^\s+(.+)$|", $line, $m) && $last_header !== null) {
+                continue;
+            }
+
+            // Identify header continuations
+            if (preg_match("|^[ \t](.+)$|s", $line, $m) && $last_header !== null) {
+                $h_value = trim($m[1]);
                 if (is_array($headers[$last_header])) {
                     end($headers[$last_header]);
                     $last_header_key = key($headers[$last_header]);
-                    $headers[$last_header][$last_header_key] .= $m[1];
-                } else {
-                    $headers[$last_header] .= $m[1];
+
+                    $h_value = $headers[$last_header][$last_header_key] . $h_value;
+                    Zend_Http_Header_HeaderValue::assertValid($h_value);
+
+                    $headers[$last_header][$last_header_key] = $h_value;
+                    continue;
                 }
+
+                $h_value = $headers[$last_header] . $h_value;
+                Zend_Http_Header_HeaderValue::assertValid($h_value);
+
+                $headers[$last_header] = $h_value;
+                continue;
             }
+
+            // Anything else is an error condition
+            require_once 'Zend/Http/Exception.php';
+            throw new Zend_Http_Exception('Invalid header line detected');
         }
 
         return $headers;
@@ -547,7 +583,7 @@ public static function extractHeaders($response_str)
      */
     public static function extractBody($response_str)
     {
-        $parts = preg_split('|(?:\r?\n){2}|m', $response_str, 2);
+        $parts = preg_split('|(?:\r\n){2}|m', $response_str, 2);
         if (isset($parts[1])) {
             return $parts[1];
         }