Merge pull request #10584 from creative-commoners/pulls/4.11/cve-2022-38462

Don't allow CRLF in header values

src/Control/HTTPResponse.php

@@ -267,7 +267,7 @@ class HTTPResponse
     public function addHeader($header, $value)
     {
         $header = strtolower($header ?? '');
-        $this->headers[$header] = $value;
+        $this->headers[$header] = $this->sanitiseHeader($value);
         return $this;
     }
 
@@ -310,6 +310,14 @@ class HTTPResponse
         return $this;
     }
 
+    /**
+     * Sanitise header values to avoid possible XSS vectors
+     */
+    private function sanitiseHeader(string $value): string
+    {
+        return preg_replace('/\v/', '', $value);
+    }
+
     /**
      * @param string $dest
      * @param int $code

tests/php/Control/HTTPResponseTest.php

@@ -45,6 +45,26 @@ class HTTPResponseTest extends SapphireTest
         $this->assertEmpty($response->getHeader('X-Animal'));
     }
 
+    public function providerSanitiseHeaders()
+    {
+        return [
+            'plain text is retained' => ['some arbitrary value1', 'some arbitrary value1'],
+            'special chars are retained' => ['`~!@#$%^&*()_+-=,./<>?;\':"[]{}\\|', '`~!@#$%^&*()_+-=,./<>?;\':"[]{}\\|'],
+            'line breaks are removed' => ['no line breaks', "n\ro line \nbreaks\r\n"],
+        ];
+    }
+
+    /**
+     * @dataProvider providerSanitiseHeaders
+     */
+    public function testSanitiseHeaders(string $expected, string $value)
+    {
+        $response = new HTTPResponse();
+
+        $response->addHeader('X-Sanitised', $value);
+        $this->assertSame($expected, $response->getHeader('X-Sanitised'));
+    }
+
     public function providerTestValidStatusCodes()
     {
         return [