Added CRLF filter

riverside · riverside · commit 51420f03610d · 2023-07-03T17:23:28.000+03:00
diff --git a/src/Filter/CRLF.php b/src/Filter/CRLF.php
@@ -0,0 +1,43 @@
+<?php
+namespace PhpWaf\Filter;
+
+use PhpWaf\BaseFilter;
+
+/**
+ * Class CRLF
+ *
+ * @package PhpWaf\Filter
+ */
+class CRLF extends BaseFilter
+{
+    /**
+     * @var string
+     */
+    protected $payloads_file = "crlf.txt";
+
+    /**
+     * Check given string
+     *
+     * @param string $value
+     * @return bool
+     */
+    public function safe(string $value): bool
+    {
+        foreach ($this->payloads as $payload)
+        {
+            $payload = trim($payload);
+
+            if (empty($payload) || strpos($payload, '#') === 0)
+            {
+                continue;
+            }
+
+            if ($payload == $value || stripos($value, $payload) !== false)
+            {
+                return false;
+            }
+        }
+
+        return true;
+    }
+}
diff --git a/src/payloads/crlf.txt b/src/payloads/crlf.txt
@@ -0,0 +1,11 @@
+# Add cookie
+%0D%0ASet-Cookie:mycookie=myvalue
+
+# CRLF - Add a cookie - XSS Bypass
+%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e
+
+# CRLF - Write HTML
+%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
+
+# CRLF - Filter Bypass
+%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
