Commit 4c5ca4e

Merge pull request #1274 from TimWolla/psr-7-header-validation
Add PSR-7 erratum "Validation of Header Names and Values"
2 parents 958daa5 + 8bd62b2 commit 4c5ca4e

2 files changed

+46
-0
lines changed

accepted/PSR-7-http-message-meta.md

+44
@@ -647,3 +647,47 @@ used to populate the headers of an HTTP message.
647647
* Anton Serdyuk
648648
* Phil Sturgeon
649649
* Chris Wilkinson
650+
651+
## 7. Errata
652+
653+
### 7.1 Validation of Header Names and Values
654+
655+
Some special characters within the name or value of an HTTP header might affect
656+
the parsing of the serialized message in a way that the contents of unrelated
657+
headers are changed. This misparsing can open up an application to security
658+
vulnerabilities. A common type of vulnerability is CRLF injection, allowing
659+
an attacker to inject additional headers or to end the list of headers early.
660+
661+
For this reason classes implementing the `MessageInterface` SHOULD strictly
662+
validate the header names and contents according to the most recent HTTP
663+
specification ([RFC 7230#3.2][1] at the time of writing). The implementation
664+
SHOULD reject invalid values and SHOULD NOT make any attempt to automatically
665+
correct the provided values.
666+
667+
A minimally viable validator is expected to reject header names containing the
668+
following characters:
669+
670+
- NUL (0x00)
671+
- `\r` (0x0D)
672+
- `\n` (0x0A)
673+
- Any character less than or equal to 0x20.
674+
675+
Further characters or sequences in header names should be rejected according
676+
to the HTTP specification.
677+
678+
A minimally viable validator is expected to reject header values containing the
679+
following characters:
680+
681+
- NUL (0x00)
682+
- `\r` (0x0D)
683+
- `\n` (0x0A)
684+
685+
If compatibility with older systems is desired then the sequence `\r\n` (0x0D0A)
686+
within a header value MAY be accepted if and only if it is immediately followed
687+
by either SPACE (0x20) or `\t` (0x09). The full sequence SHOULD then internally
688+
be normalized to a single SPACE (0x20).
689+
690+
Further characters or sequences in header values should be rejected according
691+
to the HTTP specification.
692+
693+
[1]: https://datatracker.ietf.org/doc/html/rfc7230#section-3.2
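Review bot: the header-name list is partly redundant: "Any character less than or equal to 0x20" already covers NUL (0x00), `\r` (0x0D) and `\n` (0x0A), so either drop the three explicit bullets or state that they are repeated for emphasis; the header-value list has no such catch-all, so anything beyond the three listed bytes is left to the "Further characters or sequences in header values should be rejected" sentence, which is fine but worth making explicit. That sentence and its counterpart for names use lowercase "should" while the surrounding text uses RFC-style SHOULD/SHOULD NOT/MAY; use SHOULD if the requirement is meant to be normative. For the compatibility clause, the text should say that the `\r\n` + SPACE/`\t` check is applied before the generic rejection of `\r` and `\n`, otherwise an implementation that follows the bullets literally never reaches the MAY branch, and that a bare `\r` or `\n` not forming that sequence is still rejected. Minor: add a comma after "For this reason".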

accepted/PSR-7-http-message.md

+2
@@ -75,6 +75,8 @@ referring to these interfaces.
7575

7676
### 1.2 HTTP Headers
7777

78+
[cf. [errata](PSR-7-http-message-meta#71-validation-of-header-names-and-values)]
79+
7880
#### Case-insensitive header field names
7981

8082
HTTP messages include case-insensitive header field names. Headers are retrieved
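Review bot: the relative link target `PSR-7-http-message-meta#71-validation-of-header-names-and-values` has no `.md` extension while the file in this same commit is `accepted/PSR-7-http-message-meta.md`; confirm that the site rendering resolves extension-less links, or add `.md` so the cross-reference also works when viewed on GitHub. The fragment matches the GitHub-style slug of the new "### 7.1 Validation of Header Names and Values" heading, so only the path part needs checking. Consider also wording the pointer as a sentence (e.g. "See the errata on validation of header names and values.") rather than the bracketed "[cf. ...]" fragment, which is the only such construct in the section.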