
0001 <?php
0002 /**
0003  * Zend Framework
0004  *
0005  * LICENSE
0006  *
0007  * This source file is subject to the new BSD license that is bundled
0008  * with this package in the file LICENSE.txt.
0009  * It is also available through the world-wide-web at this URL:
0010  * http://framework.zend.com/license/new-bsd
0011  * If you did not receive a copy of the license and are unable to
0012  * obtain it through the world-wide-web, please send an email
0013  * to license@zend.com so we can send you a copy immediately.
0014  *
0015  * @category   Zend
0016  * @package    Zend_Http
0017  * @subpackage Header
0018  * @version    $Id$
0019  * @copyright  Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
0020  * @license    http://framework.zend.com/license/new-bsd     New BSD License
0021  */
0022 
0023 
0024 /**
0025  * @category   Zend
0026  * @package    Zend_Http
0027  * @subpackage Header
0028  * @copyright  Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
0029  * @license    http://framework.zend.com/license/new-bsd     New BSD License
0030  */
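final class Zend_Http_Header_HeaderValue
{
    /**
     * Private constructor; the class is a non-instantiable holder of static helpers.
     */
    private function __construct()
    {
    }

    /**
     * Filter a header value by dropping every byte that is not allowed.
     *
     * Kept bytes are horizontal tab (9), 32-126 and 128-254. Everything else
     * is removed: the remaining control bytes below 32 (which includes NUL,
     * CR and LF, the bytes used for header injection / response splitting),
     * DEL (127) and 255.
     *
     * The check is byte-wise; no character-set decoding is performed. Runs of
     * whitespace are NOT collapsed or rejected here, so the RFC 7230 rule
     * about whitespace between visible characters is not enforced.
     *
     * NOTE(review): filtering is silent. Text that was separated by a removed
     * CR/LF ends up joined in the result, so a caller that needs to notice a
     * malformed value should use isValid() or assertValid() instead.
     *
     * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
     * @param string $value Cast to string before it is examined.
     * @return string The value with all disallowed bytes removed.
     */
    public static function filter($value)
    {
        $value  = (string) $value;
        $length = strlen($value);
        $string = '';
        for ($i = 0; $i < $length; $i += 1) {
            if (self::isAllowedByte(ord($value[$i]))) {
                $string .= $value[$i];
            }
        }

        return $string;
    }

    /**
     * Validate a header value.
     *
     * Applies the same byte rule as filter(): the value is valid when it holds
     * only horizontal tab (9) and bytes 32-126 or 128-254. Any other byte,
     * including CR, LF, NUL, DEL (127) and 255, makes it invalid. An empty
     * string is valid. Whitespace runs are not checked.
     *
     * @see http://en.wikipedia.org/wiki/HTTP_response_splitting
     * @param string $value Cast to string before it is examined.
     * @return bool True when no disallowed byte is present.
     */
    public static function isValid($value)
    {
        $value  = (string) $value;
        $length = strlen($value);
        for ($i = 0; $i < $length; $i += 1) {
            if (! self::isAllowedByte(ord($value[$i]))) {
                return false;
            }
        }

        return true;
    }

    /**
     * Assert a header value is valid.
     *
     * @param string $value
     * @throws Zend_Http_Header_Exception_InvalidArgumentException for invalid values
     * @return void
     */
    public static function assertValid($value)
    {
        if (! self::isValid($value)) {
            // The explicit include below is disabled in this copy, so the
            // exception class has to be loadable by other means (presumably
            // an autoloader).
            // require_once 'Zend/Http/Header/Exception/InvalidArgumentException.php';
            throw new Zend_Http_Header_Exception_InvalidArgumentException('Invalid header value');
        }
    }

    /**
     * Single definition of the byte rule shared by filter() and isValid().
     *
     *   9        horizontal tab        allowed
     *   0-8,
     *   10-31    control bytes         rejected (NUL, LF and CR are here)
     *   32-126   space and visible     allowed
     *   127      DEL                   rejected
     *   128-254  high bytes            allowed
     *   255                            rejected
     *
     * @param int $ascii Byte value as returned by ord().
     * @return bool True when the byte may appear in a header value.
     */
    private static function isAllowedByte($ascii)
    {
        return $ascii === 9
            || ($ascii >= 32 && $ascii !== 127 && $ascii <= 254);
    }
}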