Issues

ZF-6333: Wrong header validation

Issue Type: Bug Created: 2009-04-17T05:10:49.000+0000 Last Updated: 2012-05-29T18:57:05.000+0000 Status: Open Fix version(s): Reporter: Janez Novak (shadow80k) Assignee: Shahar Evron (shahar) Tags: - Zend_Http_Client

Related issues: - ZF-2019

Attachments:

Description

if (! preg_match('/^[a-zA-Z0-9-]+$/', $name)) { is plain wrong according to the RFC a lot of characters are missing e.g _ is one of them...

rfc2616 HTTP header fields, which include general-header (section 4.5), request-header (section 5.3), response-header (section 6.2), and entity-header (section 7.1) fields, follow the same generic format as that given in Section 3.1 of RFC 822 [9]. Each header field consists of a name followed by a colon (":") and the field value

rfc822 field = field-name ":" [ field-body ] CRLF field-name = 1*

Comments

Posted by Shahar Evron (shahar) on 2009-07-23T16:16:51.000+0000

Hi,

I can easily fix this of course but just out of curiosity, have you encountered any problems or is this just for being RFC-like sake?

Thanks,

Shahar.

Posted by Shahar Evron (shahar) on 2009-07-24T04:25:46.000+0000

We might want to consider "reversing" the fix for ZF-2019 (rev. 6648) if we change this

Posted by Shahar Evron (shahar) on 2009-07-24T04:36:28.000+0000

BTW it looks like there is some ambiguity - while Zend_Http_Client does wrong validation anyway, RFC 2616 states both that, as you mentioned, headers should follow the RFC 822 definition - but also at the same place defines:

<pre class="highlight">
       message-header = field-name ":" [ field-value ]
       field-name     = token

and:

<pre class="highlight">
       token          = 1*
       separators     = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

I would go with the RFC 2616 definition as it seems to make quite a lot of sense while still being pretty permissive.

Posted by Janez Novak (shadow80k) on 2009-08-25T03:59:34.000+0000

Hi, sorry for late response, yes i did. I have to connect to an outside API, which has some additional headers which use _ as a "separator" between words and not the more standard -.

Posted by Ralph Schindler (ralph) on 2011-02-18T09:45:06.000+0000

Any movement on this?

Posted by Adam Lundrigan (adamlundrigan) on 2012-05-29T18:57:05.000+0000

Is this something we should fix for 1.12?

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts