ZF-6333: Wrong header validation
Description
if (! preg_match('/^[a-zA-Z0-9-]+$/', $name)) { is plain wrong according to the RFC a lot of characters are missing e.g _ is one of them...
rfc2616 HTTP header fields, which include general-header (section 4.5), request-header (section 5.3), response-header (section 6.2), and entity-header (section 7.1) fields, follow the same generic format as that given in Section 3.1 of RFC 822 [9]. Each header field consists of a name followed by a colon (":") and the field value
rfc822 field = field-name ":" [ field-body ] CRLF field-name = 1*
Comments
Posted by Shahar Evron (shahar) on 2009-07-23T16:16:51.000+0000
Hi,
I can easily fix this of course but just out of curiosity, have you encountered any problems or is this just for being RFC-like sake?
Thanks,
Shahar.
Posted by Shahar Evron (shahar) on 2009-07-24T04:25:46.000+0000
We might want to consider "reversing" the fix for ZF-2019 (rev. 6648) if we change this
Posted by Shahar Evron (shahar) on 2009-07-24T04:36:28.000+0000
BTW it looks like there is some ambiguity - while Zend_Http_Client does wrong validation anyway, RFC 2616 states both that, as you mentioned, headers should follow the RFC 822 definition - but also at the same place defines:
and:
I would go with the RFC 2616 definition as it seems to make quite a lot of sense while still being pretty permissive.
Posted by Janez Novak (shadow80k) on 2009-08-25T03:59:34.000+0000
Hi, sorry for late response, yes i did. I have to connect to an outside API, which has some additional headers which use _ as a "separator" between words and not the more standard -.
Posted by Ralph Schindler (ralph) on 2011-02-18T09:45:06.000+0000
Any movement on this?
Posted by Adam Lundrigan (adamlundrigan) on 2012-05-29T18:57:05.000+0000
Is this something we should fix for 1.12?