
ZF-6333: Wrong header validation

Description

if (! preg_match('/^[a-zA-Z0-9-]+$/', $name)) { is plain wrong according to the RFC: a lot of characters are missing, e.g. _ is one of them...

RFC 2616: HTTP header fields, which include general-header (section 4.5), request-header (section 5.3), response-header (section 6.2), and entity-header (section 7.1) fields, follow the same generic format as that given in Section 3.1 of RFC 822 [9]. Each header field consists of a name followed by a colon (":") and the field value.

RFC 822:

       field          = field-name ":" [ field-body ] CRLF
       field-name     = 1*

Comments

Hi,

I can easily fix this of course, but just out of curiosity, have you encountered any problems or is this just for the sake of being RFC-like?

Thanks,

Shahar.

We might want to consider "reversing" the fix for ZF-2019 (rev. 6648) if we change this.

BTW it looks like there is some ambiguity - while Zend_Http_Client does wrong validation anyway, RFC 2616 states both that, as you mentioned, headers should follow the RFC 822 definition - but also at the same place defines:


       message-header = field-name ":" [ field-value ]
       field-name     = token

and:


       token          = 1*
       separators     = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

I would go with the RFC 2616 definition as it seems to make quite a lot of sense while still being pretty permissive.
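
An added example (not part of the original thread and not Zend Framework code): the check quoted in the description next to a validator built directly from the RFC 2616 token grammar discussed above. The function names and the sample header names are hypothetical.

```php
<?php
// Added example; function names are hypothetical, not Zend_Http_Client API.

// Separators from RFC 2616 section 2.2, as quoted in the thread (SP and HT last).
const HTTP_SEPARATORS = '()<>@,;:\\"/[]?={}' . " \t";

// The check quoted in the issue description: letters, digits and "-" only.
function isValidNameStrict(string $name): bool
{
    return preg_match('/^[a-zA-Z0-9-]+$/', $name) === 1;
}

// RFC 2616 token: one or more US-ASCII characters, excluding CTLs
// (0-31 and 127) and the separators above.
function isValidNameToken(string $name): bool
{
    if ($name === '') {
        return false;
    }
    foreach (str_split($name) as $ch) {
        $code = ord($ch);
        if ($code <= 31 || $code >= 127 || strpos(HTTP_SEPARATORS, $ch) !== false) {
            return false;
        }
    }
    return true;
}

// Constructed sample names, not taken from any real API.
$samples = [
    'Content-Type',       // letters and "-" only
    'X_Api_Key',          // "_" as word separator, the case raised in the issue
    'X-Trace.Id',         // "." is neither a CTL nor a separator
    'Bad Name',           // SP is a separator
    'Bad:Name',           // ":" terminates the field-name on the wire
    "X-Foo\r\nInjected",  // CR and LF are CTLs
    '',                   // the grammar requires at least one character
];

foreach ($samples as $name) {
    printf(
        "%-22s regex=%-5s token=%s\n",
        json_encode($name),
        var_export(isValidNameStrict($name), true),
        var_export(isValidNameToken($name), true)
    );
}
```

The token check is wider than the regex but still refuses CR, LF, SP and ":", so a caller-supplied name cannot terminate the header line or start a second one.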

Hi, sorry for the late response. Yes, I did. I have to connect to an outside API, which has some additional headers which use _ as a "separator" between words and not the more standard -.

Any movement on this?

Is this something we should fix for 1.12?