Nyholm / psr7-server

Helper classes to use any PSR7 implementation as your main request and response
MIT License
91 stars 21 forks source link

Filter headers consisting only of whitespace before creating a ServerRequest #47

Open barnabywalters opened 3 years ago

barnabywalters commented 3 years ago

As documented in this issue, apache_request_headers()/getallheaders() isn’t guaranteed to return valid header data, even when the request made was valid. Specifically, in some server configurations, an Expect: 100-continue header (sent by e.g. cURL when making large file upload requests) is removed by converting each character in the key and value to a space, rather than just ignoring the header.

I propose that ServerRequestCreator::fromGlobals() should filter out the following invalid header data before creating a ServerRequestInterface:

I’d be happy to work on a PR for this if the maintainers agree that it’s a necessary fix.

Nyholm commented 3 years ago

Hey. Thank you.

Sure, I agree with this. But I dont understand why headers on only underscores should be filtered. Could you elaborate?

barnabywalters commented 3 years ago

The reason for filtering headers where the key only has underscores in (e.g. HTTP_______) is that the erroneous header value has both a key and value containing only whitespace, and when the header key is converted into a $_SERVER['HTTP_*'] key, the whitespace is converted into underscores. There’s some example data in the issue I linked.