
Validate outgoing HTTP message headers and reject invalid messages #523

Merged
merged 1 commit into from
Mar 27, 2024

Conversation

clue
Member

@clue clue commented Mar 27, 2024

This changeset ensures we validate all outgoing HTTP message headers and reject any invalid messages. In particular, this ensures outgoing HTTP messages do not contain any headers with newlines.

Note that this does not affect normal operation and would only affect you if you're using invalid HTTP header names or values (such as when using untrusted user input). Likewise, this has no effect on incoming HTTP message headers which already use similar validation logic anyway (see #520 and others). This change comes with 100% code coverage and does not otherwise affect the public API, so it should be safe to apply.

I had originally planned to integrate this into our PSR-7 implementation (#518 and #519), but decided against this to not introduce any potential BC breaks. The suggested change still allows you to construct messages that would contain potentially invalid HTTP message fields, but would only reject such messages when trying to send them over the wire.
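The kind of outgoing-header check described above, written as an added example for this page (it is not reactphp/http code; the function names and the sample headers are constructed). It rejects field names that are not RFC 7230 tokens and field values containing CR, LF or other control characters, so an untrusted value cannot split the message into extra header lines.

```php
<?php
// Added example (not the project's own code): validate outgoing HTTP
// message headers before they are serialized and sent over the wire.

/** RFC 7230 field-name: 1*tchar. \z (not $) so a trailing "\n" cannot slip past. */
function isValidHeaderName(string $name): bool
{
    return preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/', $name) === 1;
}

/** field-value: SP, HTAB, visible ASCII or obs-text; no CR, LF, NUL or other controls. */
function isValidHeaderValue(string $value): bool
{
    return preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*\z/', $value) === 1;
}

/**
 * Reject the whole message on the first invalid field.
 *
 * @param array<string, string|string[]> $headers  header name => value(s)
 * @throws InvalidArgumentException
 */
function assertValidHeaders(array $headers): void
{
    foreach ($headers as $name => $values) {
        if (!isValidHeaderName((string) $name)) {
            throw new InvalidArgumentException('Invalid header name: ' . addcslashes((string) $name, "\0..\37\177..\377"));
        }
        foreach ((array) $values as $value) {
            if (!isValidHeaderValue((string) $value)) {
                throw new InvalidArgumentException('Invalid value for header ' . $name . ': ' . addcslashes((string) $value, "\0..\37\177..\377"));
            }
        }
    }
}

// Constructed sample: a Location value built from untrusted input that carries a CRLF.
$untrusted = "/home\r\nX-Injected: 1";
$headers = ['Content-Type' => 'text/html', 'Location' => $untrusted];

try {
    assertValidHeaders($headers);
    echo "headers accepted\n";
} catch (InvalidArgumentException $e) {
    // Prints: rejected: Invalid value for header Location: /home\r\nX-Injected: 1
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Running the same check on `['Content-Type' => 'text/html', 'Location' => '/home']` accepts the message, which is why a check placed at send time, as the PR describes, does not affect normal operation.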

Member

@SimonFrings SimonFrings left a comment


Looks good, let's get this in 👍

Member

@WyriHaximus WyriHaximus left a comment


🚢 🇮🇹

@WyriHaximus WyriHaximus merged commit 04cb936 into reactphp:1.x Mar 27, 2024
14 checks passed
@clue clue deleted the http-validate branch March 27, 2024 15:07