Merge pull request #10584 from creative-commoners/pulls/4.11/cve-2022-38462
Don't allow CRLF in header values
commit
e5b81109de
@ -267,7 +267,7 @@ class HTTPResponse
|
|||||||
public function addHeader($header, $value)
|
public function addHeader($header, $value)
|
||||||
{
|
{
|
||||||
$header = strtolower($header ?? '');
|
$header = strtolower($header ?? '');
|
||||||
$this->headers[$header] = $value;
|
$this->headers[$header] = $this->sanitiseHeader($value);
|
||||||
return $this;
|
return $this;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -310,6 +310,14 @@ class HTTPResponse
|
|||||||
return $this;
|
return $this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sanitise header values to avoid possible XSS vectors
|
||||||
|
*/
|
||||||
|
private function sanitiseHeader(string $value): string
|
||||||
|
{
|
||||||
|
return preg_replace('/\v/', '', $value);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param string $dest
|
* @param string $dest
|
||||||
* @param int $code
|
* @param int $code
|
||||||
|
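Review bot: `preg_replace('/\v/', '', $value)` in `sanitiseHeader` runs without the `u` modifier, so `\v` matches byte-wise and strips the single byte 0x85 (NEL) along with CR, LF, VT and FF; any UTF-8 header value whose encoding contains 0x85 — e.g. `Å` (`\xC3\x85`) or `ą` (`\xC4\x85`) — is silently corrupted into an invalid sequence. Only CR and LF enable response splitting, so an explicit byte class is both safer and more predictable: `return str_replace(["\r", "\n"], '', $value);`. The first hunk also shows that only the value is filtered — `$header` is lowercased and stored unchecked — so a caller-controlled header name containing CRLF would still be emitted if the headers are later written as `name: value`; either apply the same filter to the name or document the assumption that names are never attacker-controlled (the emitting code is outside this hunk). The docblock's "possible XSS vectors" understates what is being prevented; `Strip CR/LF so a caller-supplied value cannot inject further headers or a body (HTTP response splitting, CVE-2022-38462).` names the actual threat.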
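--- a/HTTPResponseTest.php
+++ b/HTTPResponseTest.php
@@ -45,6 +45,26 @@ class HTTPResponseTest extends SapphireTest
         $this->assertEmpty($response->getHeader('X-Animal'));
     }
 
+    public function providerSanitiseHeaders()
+    {
+        return [
+            'plain text is retained' => ['some arbitrary value1', 'some arbitrary value1'],
+            'special chars are retained' => ['`~!@#$%^&*()_+-=,./<>?;\':"[]{}\\|', '`~!@#$%^&*()_+-=,./<>?;\':"[]{}\\|'],
+            'line breaks are removed' => ['no line breaks', "n\ro line \nbreaks\r\n"],
+        ];
+    }
+
+    /**
+     * @dataProvider providerSanitiseHeaders
+     */
+    public function testSanitiseHeaders(string $expected, string $value)
+    {
+        $response = new HTTPResponse();
+
+        $response->addHeader('X-Sanitised', $value);
+        $this->assertSame($expected, $response->getHeader('X-Sanitised'));
+    }
+
     public function providerTestValidStatusCodes()
     {
         return [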
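Review bot: The provider only exercises ASCII and CR/LF, so it would not notice a sanitiser that damages multibyte text — with a byte-wise `\v` match, a value whose UTF-8 encoding contains the byte 0x85 comes back altered. Add a dataset that pins retention of non-ASCII content, `'multibyte utf-8 is retained' => ["caf\xC3\xA9 \xC3\x85", "caf\xC3\xA9 \xC3\x85"],`, and one showing that horizontal tab survives since it is legal in header values, `'tab is retained' => ["a\tb", "a\tb"],`. Coverage is also limited to `addHeader`; if HTTPResponse offers another way to set headers (constructor arguments or a bulk setter), a parallel case through that path would confirm the filter cannot be bypassed — I can't tell from this hunk whether such a path exists.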