[CVE-2022-38462] Don't allow CRLF in header values

2024-10-22 14:05:37 +02:00 · 2022-09-06 15:06:35 +12:00 · 2022-09-06 15:06:35 +12:00 · d3c28579b7
commit d3c28579b7
parent a7c8ce8d0c
2 changed files with 29 additions and 1 deletions
--- a/src/Control/HTTPResponse.php
+++ b/src/Control/HTTPResponse.php
@ -267,7 +267,7 @@ class HTTPResponse
    public function addHeader($header, $value)
    {
        $header = strtolower($header ?? '');
-        $this->headers[$header] = $value;
+        $this->headers[$header] = $this->sanitiseHeader($value);
        return $this;
    }

@ -310,6 +310,14 @@ class HTTPResponse
        return $this;
    }

+    /**
+     * Sanitise header values to avoid possible XSS vectors
+     */
+    private function sanitiseHeader(string $value): string
+    {
+        return preg_replace('/\v/', '', $value);
+    }
+
    /**
     * @param string $dest
     * @param int $code
--- a/tests/php/Control/HTTPResponseTest.php
+++ b/tests/php/Control/HTTPResponseTest.php
@ -45,6 +45,26 @@ class HTTPResponseTest extends SapphireTest
        $this->assertEmpty($response->getHeader('X-Animal'));
    }

+    public function providerSanitiseHeaders()
+    {
+        return [
+            'plain text is retained' => ['some arbitrary value1', 'some arbitrary value1'],
+            'special chars are retained' => ['`~!@#$%^&*()_+-=,./<>?;\':"[]{}\\|', '`~!@#$%^&*()_+-=,./<>?;\':"[]{}\\|'],
+            'line breaks are removed' => ['no line breaks', "n\ro line \nbreaks\r\n"],
+        ];
+    }
+
+    /**
+     * @dataProvider providerSanitiseHeaders
+     */
+    public function testSanitiseHeaders(string $expected, string $value)
+    {
+        $response = new HTTPResponse();
+
+        $response->addHeader('X-Sanitised', $value);
+        $this->assertSame($expected, $response->getHeader('X-Sanitised'));
+    }
+
    public function providerTestValidStatusCodes()
    {
        return [