Open barnabywalters opened 3 years ago
Hey. Thank you.
Sure, I agree with this. But I don't understand why headers on only underscores should be filtered. Could you elaborate?
The reason for filtering headers where the key only has underscores in (e.g. `HTTP_______`) is that the erroneous header value has both a key and value containing only whitespace, and when the header key is converted into a `$_SERVER['HTTP_*']` key, the whitespace is converted into underscores. There's some example data in the issue I linked.
As documented in this issue, `apache_request_headers()`/`getallheaders()` isn't guaranteed to return valid header data, even when the request made was valid. Specifically, in some server configurations, an `Expect: 100-continue` header (sent by e.g. cURL when making large file upload requests) is removed by converting each character in the key and value to a space, rather than just ignoring the header.

I propose that `ServerRequestCreator::fromGlobals()` should filter out the following invalid header data before creating a `ServerRequestInterface`:

- `getallheaders()` where both the key and value consist entirely of whitespace
- `$_SERVER['HTTP_*']` where the header key consists only of underscores, and the value only contains whitespace

I'd be happy to work on a PR for this if the maintainers agree that it's a necessary fix.
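The two filters proposed above, written out as an added PHP example (not code from the issue author or from the project): one pass over a `getallheaders()`-style array that drops entries whose name and value are both whitespace-only, and one pass over `$_SERVER` that drops `HTTP_*` keys made up only of underscores with a whitespace-only value. The function names and the sample arrays (a corrupted `Expect: 100-continue` header, six spaces for the name and twelve for the value) are constructed for illustration.

```php
<?php
// Added example, not the project's code. Filters for the two corrupted header
// shapes described in the issue. Function names are hypothetical.

/**
 * Drop entries from a getallheaders()-style array where BOTH the header name
 * and the value consist entirely of whitespace. Only the both-blank case is
 * removed, so a real header with an empty value is left alone.
 */
function filterHeaderArray(array $headers): array
{
    $clean = [];
    foreach ($headers as $name => $value) {
        $name  = (string) $name;
        $value = is_array($value) ? implode(', ', $value) : (string) $value;
        if (trim($name) === '' && trim($value) === '') {
            continue; // name and value both blank: corrupted entry, skip it
        }
        $clean[$name] = $value;
    }
    return $clean;
}

/**
 * Drop $_SERVER entries whose key is "HTTP" followed by nothing but
 * underscores (a whitespace-only name after PHP's space-to-underscore
 * conversion) and whose value is whitespace-only. Every other key,
 * including non-HTTP_ server variables, is passed through unchanged.
 */
function filterServerHeaders(array $server): array
{
    $clean = [];
    foreach ($server as $key => $value) {
        $isBlankName = preg_match('/^HTTP_+$/', (string) $key) === 1;
        $isBlankValue = !is_array($value) && trim((string) $value) === '';
        if ($isBlankName && $isBlankValue) {
            continue; // e.g. 'HTTP_______' => '            '
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed sample input: what a server might hand back after mangling an
// Expect: 100-continue header (6-char name, 12-char value) into spaces.
$sampleHeaders = [
    'Host'           => 'example.com',
    'Content-Length' => '1048576',
    '      '         => '            ',
];
$sampleServer = [
    'REQUEST_METHOD'      => 'POST',
    'HTTP_HOST'           => 'example.com',
    'HTTP_CONTENT_LENGTH' => '1048576',
    'HTTP_______'         => '            ',
];

print_r(filterHeaderArray($sampleHeaders));   // Host and Content-Length only
print_r(filterServerHeaders($sampleServer));  // HTTP_______ removed, rest kept
```

Both filters are deliberately narrow: they remove an entry only when the name is blank (or, for `$_SERVER`, reduced to underscores) *and* the value is blank, which matches the corruption described in the issue without discarding a legitimately empty header value.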