Merge pull request #14 from mimmi20/updates

filter invalid headers
mimmi20 · Apr 26, 2018 · a5b5a63 · a5b5a63
2 parents 9fe2f0d + 2ac7d37
commit a5b5a63
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 4 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -32,7 +32,7 @@ before_install:
 
 install: travis_retry composer update --optimize-autoloader --prefer-dist --prefer-stable --no-progress --no-interaction --no-suggest $COMPOSER_FLAGS -vv
 
-script: vendor/bin/phpunit --colors --columns 121 --no-coverage
+script: vendor/bin/phpunit --colors --no-coverage
 
 jobs:
   allow_failures:
@@ -51,7 +51,7 @@ jobs:
         - echo 'opcache.enable=1' >> ~/.phpenv/versions/$(phpenv version-name)/etc/php.ini
         - echo 'opcache.enable_cli=1' >> ~/.phpenv/versions/$(phpenv version-name)/etc/php.ini
         - travis_retry composer self-update
-      script: vendor/bin/phpunit --colors --columns 121 --coverage-clover=clover.xml --coverage-text
+      script: vendor/bin/phpunit --colors --coverage-clover=clover.xml --coverage-text
       after_success:
         - wget https://github.com/php-coveralls/php-coveralls/releases/download/v2.0.0/php-coveralls.phar && php -n php-coveralls.phar --verbose --coverage_clover=clover.xml
         - bash <(curl -s https://codecov.io/bash) -f clover.xml -F phpunit

diff --git a/src/GenericRequestFactory.php b/src/GenericRequestFactory.php
@@ -12,6 +12,7 @@
 namespace UaRequest;
 
 use Psr\Http\Message\MessageInterface;
+use Zend\Diactoros\HeaderSecurity;
 use Zend\Diactoros\ServerRequestFactory;
 
 class GenericRequestFactory
@@ -34,12 +35,16 @@ public function createRequestFromArray(array $headers): GenericRequest
                 $upperCaseHeader = 'HTTP_' . $upperCaseHeader;
             }
 
+            if (!HeaderSecurity::isValid($value)) {
+                $value = $this->filterHeader($value);
+            }
+
             $upperCaseHeaders[$upperCaseHeader] = $value;
         }
 
         $message = ServerRequestFactory::fromGlobals($upperCaseHeaders);
 
-        return new GenericRequest($message);
+        return $this->createRequestFromPsr7Message($message);
     }
 
     /**
@@ -51,9 +56,13 @@ public function createRequestFromArray(array $headers): GenericRequest
      */
     public function createRequestFromString(string $userAgent): GenericRequest
     {
+        if (!HeaderSecurity::isValid($userAgent)) {
+            $userAgent = $this->filterHeader($userAgent);
+        }
+
         $message = ServerRequestFactory::fromGlobals([Constants::HEADER_HTTP_USERAGENT => $userAgent]);
 
-        return new GenericRequest($message);
+        return $this->createRequestFromPsr7Message($message);
     }
 
     /**
@@ -67,4 +76,20 @@ public function createRequestFromPsr7Message(MessageInterface $message): Generic
     {
         return new GenericRequest($message);
     }
+
+    /**
+     * @param string $userAgent
+     *
+     * @return string
+     */
+    private function filterHeader(string $userAgent): string
+    {
+        $userAgent = preg_replace(
+            "#(?:(?:(?<!\r)\n)|(?:\r(?!\n))|(?:\r\n(?![ \t])))#",
+            '-',
+            $userAgent
+        );
+
+        return preg_replace('/[^\x09\x0a\x0d\x20-\x7E\x80-\xFE]/', '-', $userAgent);
+    }
 }
diff --git a/tests/GenericRequestFactoryTest.php b/tests/GenericRequestFactoryTest.php
@@ -107,4 +107,48 @@ public function testCreateRequestFromPsr7Message(): void
         self::assertSame($userAgent, $result->getBrowserUserAgent());
         self::assertSame($deviceUa, $result->getDeviceUserAgent());
     }
+
+    /**
+     * @return void
+     */
+    public function testCreateRequestFromInvalidString(): void
+    {
+        $userAgent = "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; SQQ52974OEM044059604956O~{┬ªM~┬UZUY\nPM)";
+        $resultUa  = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; SQQ52974OEM044059604956O~{┬ªM~┬UZUY-PM)';
+        $headers   = [
+            Constants::HEADER_HTTP_USERAGENT => $resultUa,
+        ];
+
+        $expected = new GenericRequest(ServerRequestFactory::fromGlobals($headers));
+
+        $result = $this->object->createRequestFromString($userAgent);
+
+        self::assertInstanceOf(GenericRequest::class, $result);
+        self::assertEquals($expected, $result);
+        self::assertSame($resultUa, $result->getBrowserUserAgent());
+    }
+
+    /**
+     * @return void
+     */
+    public function testCreateRequestFromInvalidArray(): void
+    {
+        $userAgent = "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; SQQ52974OEM044059604956O~{┬ªM~┬UZUY\nPM)";
+        $headers   = [
+            Constants::HEADER_HTTP_USERAGENT => $userAgent,
+        ];
+
+        $resultUa        = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; SQQ52974OEM044059604956O~{┬ªM~┬UZUY-PM)';
+        $expectedHeaders = [
+            Constants::HEADER_HTTP_USERAGENT => $resultUa,
+        ];
+
+        $expected = new GenericRequest(ServerRequestFactory::fromGlobals($expectedHeaders));
+
+        $result = $this->object->createRequestFromArray($headers);
+
+        self::assertInstanceOf(GenericRequest::class, $result);
+        self::assertEquals($expected, $result);
+        self::assertSame($resultUa, $result->getBrowserUserAgent());
+    }
 }