[CVE-2022-38462] Don't allow CRLF in header values

This commit is contained in:
Guy Sartorelli 2022-09-06 15:06:35 +12:00
parent a7c8ce8d0c
commit d3c28579b7
No known key found for this signature in database
GPG Key ID: F313E3B9504D496A
2 changed files with 29 additions and 1 deletions


@ -267,7 +267,7 @@ class HTTPResponse
public function addHeader($header, $value)
{
$header = strtolower($header ?? '');
$this->headers[$header] = $value;
$this->headers[$header] = $this->sanitiseHeader($value);
return $this;
}
@ -310,6 +310,14 @@ class HTTPResponse
return $this;
}
/**
* Sanitise header values to avoid possible XSS vectors
*/
private function sanitiseHeader(string $value): string
{
return preg_replace('/\v/', '', $value);
}
/**
* @param string $dest
* @param int $code
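Review bot: Without the `u` modifier, `\v` in sanitiseHeader also matches the single byte 0x85 (NEL), so a UTF-8 value whose encoding contains that byte (for example `Å`, bytes C3 85, in a Content-Disposition filename) is corrupted rather than passed through; an explicit byte class keeps the CR/LF stripping without that side effect: `return preg_replace('/[\r\n\x0B\x0C]/', '', $value);`. The docblock names XSS, but the defence here is against header injection / HTTP response splitting, which is what the commit title describes; suggest `* Strip line terminators (CR, LF, VT, FF) so a value cannot end the header line and inject further headers or a body (HTTP response splitting).` addHeader still declares `$value` untyped while sanitiseHeader requires a string, so a caller that previously passed null now gets a TypeError from this call instead of storing the raw value; if that was ever supported, cast before the call (`$this->headers[$header] = $this->sanitiseHeader((string) $value);`) or document the precondition on addHeader. preg_replace returns null on a PCRE error, which the `string` return type turns into a TypeError; that is acceptable for this pattern, but worth a one-line comment.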


@ -45,6 +45,26 @@ class HTTPResponseTest extends SapphireTest
$this->assertEmpty($response->getHeader('X-Animal'));
}
public function providerSanitiseHeaders()
{
return [
'plain text is retained' => ['some arbitrary value1', 'some arbitrary value1'],
'special chars are retained' => ['`~!@#$%^&*()_+-=,./<>?;\':"[]{}\\|', '`~!@#$%^&*()_+-=,./<>?;\':"[]{}\\|'],
'line breaks are removed' => ['no line breaks', "n\ro line \nbreaks\r\n"],
];
}
/**
* @dataProvider providerSanitiseHeaders
*/
public function testSanitiseHeaders(string $expected, string $value)
{
$response = new HTTPResponse();
$response->addHeader('X-Sanitised', $value);
$this->assertSame($expected, $response->getHeader('X-Sanitised'));
}
public function providerTestValidStatusCodes()
{
return [