Merge pull request #10584 from creative-commoners/pulls/4.11/cve-2022-38462

Don't allow CRLF in header values
This commit is contained in:
Guy Sartorelli 2022-11-21 13:02:25 +13:00 committed by GitHub
commit e5b81109de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 29 additions and 1 deletions


@ -267,7 +267,7 @@ class HTTPResponse
public function addHeader($header, $value) public function addHeader($header, $value)
{ {
$header = strtolower($header ?? ''); $header = strtolower($header ?? '');
$this->headers[$header] = $value; $this->headers[$header] = $this->sanitiseHeader($value);
return $this; return $this;
} }
@ -310,6 +310,14 @@ class HTTPResponse
return $this; return $this;
} }
/**
* Sanitise header values to avoid possible XSS vectors
*/
private function sanitiseHeader(string $value): string
{
return preg_replace('/\v/', '', $value);
}
/** /**
* @param string $dest * @param string $dest
* @param int $code * @param int $code
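Review bot: `sanitiseHeader(string $value): string` on line 26 is strictly typed while `addHeader($header, $value)` on line 14 leaves `$value` untyped, so the call added on line 17 turns a previously accepted `null` into a `TypeError` (and an int into one too if the file declares `strict_types`, which I cannot see from here); either coerce before the call, `$this->headers[$header] = $this->sanitiseHeader((string) $value);`, or document that non-string values are no longer accepted. The docblock on lines 23-25 names XSS, but what stripping `\v` prevents is header injection / response splitting; suggest `* Strip vertical whitespace (CR, LF, VT, FF, NEL) from header values so a value cannot inject additional header lines or a body.` Note also that `preg_replace()` returns `null` on a PCRE error, which the `string` return type would convert into a `TypeError` rather than a clear failure; a `?? ''` or an explicit `preg_last_error()` check makes that path deliberate. The header name on line 16 is only lowercased, not sanitised; if names can come from untrusted input that remains a separate vector, though `header()` itself rejects newlines. The rest of the `HTTPResponse` class is outside the hunk.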


@ -45,6 +45,26 @@ class HTTPResponseTest extends SapphireTest
$this->assertEmpty($response->getHeader('X-Animal')); $this->assertEmpty($response->getHeader('X-Animal'));
} }
public function providerSanitiseHeaders()
{
return [
'plain text is retained' => ['some arbitrary value1', 'some arbitrary value1'],
'special chars are retained' => ['`~!@#$%^&*()_+-=,./<>?;\':"[]{}\\|', '`~!@#$%^&*()_+-=,./<>?;\':"[]{}\\|'],
'line breaks are removed' => ['no line breaks', "n\ro line \nbreaks\r\n"],
];
}
/**
* @dataProvider providerSanitiseHeaders
*/
public function testSanitiseHeaders(string $expected, string $value)
{
$response = new HTTPResponse();
$response->addHeader('X-Sanitised', $value);
$this->assertSame($expected, $response->getHeader('X-Sanitised'));
}
public function providerTestValidStatusCodes() public function providerTestValidStatusCodes()
{ {
return [ return [
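Review bot: The provider on lines 39-46 only exercises CR, LF and CRLF, while the regex being tested also removes other vertical whitespace, so the test does not pin that part of the contract; add a dataset such as `'other vertical whitespace is removed' => ['abc', "a\x0Bb\x0Cc"],` to the returned array. Putting `$expected` before `$value` in `testSanitiseHeaders` on line 50 is the reverse of the usual input-then-expected order for data providers and makes the rows on lines 42-44 read backwards; swapping both the parameter order and the row order would be clearer. The hunk ends inside `providerTestValidStatusCodes()`, whose body continues outside the hunk.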