Diffstat (limited to 'guzzlehttp/psr7/src/MessageTrait.php')
-rw-r--r--guzzlehttp/psr7/src/MessageTrait.php66
1 files changed, 61 insertions, 5 deletions
diff --git a/guzzlehttp/psr7/src/MessageTrait.php b/guzzlehttp/psr7/src/MessageTrait.php
index 99203bb4..0ac8663d 100644
--- a/guzzlehttp/psr7/src/MessageTrait.php
+++ b/guzzlehttp/psr7/src/MessageTrait.php
@@ -157,17 +157,22 @@ trait MessageTrait
}
}
+ /**
+ * @param mixed $value
+ *
+ * @return string[]
+ */
private function normalizeHeaderValue($value)
{
if (!is_array($value)) {
- return $this->trimHeaderValues([$value]);
+ return $this->trimAndValidateHeaderValues([$value]);
}
if (count($value) === 0) {
throw new \InvalidArgumentException('Header value can not be an empty array.');
}
- return $this->trimHeaderValues($value);
+ return $this->trimAndValidateHeaderValues($value);
}
/**
@@ -178,13 +183,13 @@ trait MessageTrait
* header-field = field-name ":" OWS field-value OWS
* OWS = *( SP / HTAB )
*
- * @param string[] $values Header values
+ * @param mixed[] $values Header values
*
* @return string[] Trimmed header values
*
* @see https://tools.ietf.org/html/rfc7230#section-3.2.4
*/
- private function trimHeaderValues(array $values)
+ private function trimAndValidateHeaderValues(array $values)
{
return array_map(function ($value) {
if (!is_scalar($value) && null !== $value) {
@@ -194,10 +199,20 @@ trait MessageTrait
));
}
- return trim((string) $value, " \t");
+ $trimmed = trim((string) $value, " \t");
+ $this->assertValue($trimmed);
+
+ return $trimmed;
}, array_values($values));
}
+ /**
+ * @see https://tools.ietf.org/html/rfc7230#section-3.2
+ *
+ * @param mixed $header
+ *
+ * @return void
+ */
private function assertHeader($header)
{
if (!is_string($header)) {
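Review bot: The new docblocks do not record that these helpers now throw on invalid input. The closure calls `$this->assertValue($trimmed)`, so trimAndValidateHeaderValues can raise for a string containing a disallowed byte, yet the docblock visible in the previous hunk still lists only `@return string[] Trimmed header values`. The docblock added above assertHeader has the same gap. I would add `@throws \InvalidArgumentException if a value contains characters outside the RFC 7230 field-value grammar` to the former and a matching `@throws` line to the latter. Both function bodies extend outside this hunk, so an existing `@throws` elsewhere cannot be ruled out from here.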
@@ -210,5 +225,46 @@ trait MessageTrait
if ($header === '') {
throw new \InvalidArgumentException('Header name can not be empty.');
}
+
+ if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $header)) {
+ throw new \InvalidArgumentException(
+ sprintf(
+ '"%s" is not valid header name',
+ $header
+ )
+ );
+ }
+ }
+
+ /**
+ * @param string $value
+ *
+ * @return void
+ *
+ * @see https://tools.ietf.org/html/rfc7230#section-3.2
+ *
+ * field-value = *( field-content / obs-fold )
+ * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+ * field-vchar = VCHAR / obs-text
+ * VCHAR = %x21-7E
+ * obs-text = %x80-FF
+ * obs-fold = CRLF 1*( SP / HTAB )
+ */
+ private function assertValue($value)
+ {
+ // The regular expression intentionally does not support the obs-fold production, because as
+ // per RFC 7230#3.2.4:
+ //
+ // A sender MUST NOT generate a message that includes
+ // line folding (i.e., that has any field-value that contains a match to
+ // the obs-fold rule) unless the message is intended for packaging
+ // within the message/http media type.
+ //
+ // Clients must not send a request with line folding and a server sending folded headers is
+ // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
+ // folding is not likely to break any legitimate use case.
+ if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {
+ throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
+ }
}
}
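Review bot: Both new patterns end in `$` without the `D` modifier, and in PCRE that anchor also matches immediately before a final newline, so a header name or value whose last byte is `\n` still passes assertHeader and assertValue. The earlier `trim((string) $value, " \t")` strips only space and tab, so a trailing LF reaches the check unchanged. That leaves open the line-break case this validation appears intended to close. Anchor at the true end of the subject, for example `preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value)` with the same `D` flag on the name pattern (or `\z` in place of `$`), and add test cases for a name and a value that end in `"\n"`. assertHeader begins outside this hunk.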