Nyholm / psr7-server

Helper classes to use any PSR7 implementation as your main request and response
MIT License

Filter headers consisting only of whitespace before creating a ServerRequest #47

Open barnabywalters opened 3 years ago

barnabywalters commented 3 years ago

As documented in this issue, apache_request_headers()/getallheaders() isn’t guaranteed to return valid header data, even when the request made was valid. Specifically, in some server configurations, an Expect: 100-continue header (sent by e.g. cURL when making large file upload requests) is removed by converting each character in the key and value to a space, rather than just ignoring the header.

I propose that ServerRequestCreator::fromGlobals() should filter out the following invalid header data before creating a ServerRequestInterface:

I’d be happy to work on a PR for this if the maintainers agree that it’s a necessary fix.

Nyholm commented 3 years ago

Hey. Thank you.

Sure, I agree with this. But I don't understand why headers on only underscores should be filtered. Could you elaborate?

barnabywalters commented 3 years ago

The reason for filtering headers where the key only has underscores in (e.g. HTTP_______) is that the erroneous header value has both a key and value containing only whitespace, and when the header key is converted into a $_SERVER['HTTP_*'] key, the whitespace is converted into underscores. There’s some example data in the issue I linked.
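One way to apply the filtering discussed in this thread before the globals reach a request factory. This is an added example, not code from the thread or from nyholm/psr7-server; the function names `filterBlankHeaders()` and `filterBlankServerHeaders()` are hypothetical and the sample arrays are constructed to match the blanked-out `Expect: 100-continue` case described above.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of nyholm/psr7-server): drop blanked-out
 * entries from a getallheaders()-style array.
 */
function filterBlankHeaders(array $headers): array
{
    $clean = [];
    foreach ($headers as $name => $value) {
        // A name that is empty or only whitespace is not a usable header
        // name, whatever its value is, so the entry is skipped.
        if (trim((string) $name) === '') {
            continue;
        }
        $clean[$name] = $value;
    }
    return $clean;
}

/**
 * Hypothetical helper: drop $_SERVER entries such as HTTP_______, where the
 * part after "HTTP_" is only underscores and the value is only whitespace.
 */
function filterBlankServerHeaders(array $server): array
{
    $clean = [];
    foreach ($server as $key => $value) {
        $blankName  = is_string($key) && preg_match('/^HTTP_+\z/', $key) === 1;
        $blankValue = is_string($value) && trim($value) === '';
        // Require both conditions so an unrelated key is never removed.
        if ($blankName && $blankValue) {
            continue;
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed sample data: "Expect" (6 chars) and "100-continue" (12 chars)
// replaced by spaces, and the matching underscore-only $_SERVER key.
$headers = ['Host' => 'example.test', '      ' => '            ', 'Content-Length' => '1048576'];
$server  = ['HTTP_HOST' => 'example.test', 'HTTP_______' => '            ', 'CONTENT_LENGTH' => '1048576'];

var_dump(array_keys(filterBlankHeaders($headers)));
var_dump(array_keys(filterBlankServerHeaders($server)));
```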