Ignore obviously malformed host headers when constructing a ServerRequest #97
Signed-off-by: Tim Düsterhus <duesterhus@woltlab.com>
…equest I opted to ignore the `host` header instead of throwing an Exception to not introduce a remotely triggerable exception. Signed-off-by: Tim Düsterhus <duesterhus@woltlab.com>
Quick question: does the `Uri` class not already disallow these values? Or is the change here primarily to just reject the `Host` header as a source for creating a `Uri` instance if it is malformed?

In other words, I'm wondering if we don't already get an exception that occurs for malformed `Host` headers.
No, we don't (see lines 297 to 316 in c272a93). We likely should, but that would probably be a BC break. With this PR I wanted to add some minimally invasive checks to reject/ignore the most egregious violations that might actually cause harm, as the
```php
return [
    'comma' => ['example.com,example.net'],
    'space' => ['example com'],
    'tab' => ["example\tcom"],
```
Add another case here for entries containing newlines.
These are already rejected by `HeaderSecurity` and thus the request completely fails to construct. See: https://github.com/laminas/laminas-diactoros/runs/7151517319?check_suite_focus=true
Should the `usage.md` be updated to explain that `ServerRequestFactory` may throw based on user input and any exceptions need to be gracefully handled: https://github.com/laminas/laminas-diactoros/blob/2.12.x/docs/book/v2/usage.md#marshaling-an-incoming-request?
see WoltLab/WCF#4888
Not sure about it, but this discussion can be deferred to a different issue
Should this go against

This technically has a (tiny) chance for breakage and is intended as a defense in depth measure. The web server / load balancer in front should already prevent those requests from reaching Diactoros. IMO 2.12 is fine.
```diff
-     * @param mixed $default Default value to return if header not found
-     * @return mixed
+     * @param T $default Default value to return if header not found
+     * @return string|T
```
Nice improvement!
Description
The comment within the code should be self-explanatory. This adds some very basic checks to the host header as a hardening measure.
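As an added illustration (this is example code written for this page, not code from the PR or from laminas-diactoros), the following standalone PHP function shows the kind of "ignore rather than throw" check the description refers to: a `Host` value containing a comma, whitespace or a control character is treated as absent (`null`) instead of raising an exception while the request is built. The function name, the exact rules and the sample values are this example's own; the sample cases mirror the PR's test data provider (comma, space, tab) and add a newline case, which the thread notes is already rejected by `HeaderSecurity`.

```php
<?php
declare(strict_types=1);

// Added example, not laminas-diactoros code. A conservative sanity check for a
// Host header value: it only rejects what can never be a valid host, it does
// not fully validate one. Returning null (instead of throwing) keeps a crafted
// request from triggering an exception inside the request factory.

/**
 * Return the Host header value if it looks like a plausible host[:port],
 * or null if the value should be ignored by the caller.
 */
function plausibleHostOrNull(string $host): ?string
{
    if ($host === '') {
        return null;
    }
    // A comma means several Host values were folded into one header line.
    if (strpos($host, ',') !== false) {
        return null;
    }
    // Whitespace (space, tab) and control characters (CR, LF, NUL, ...) are
    // never valid in a host. CR/LF are already refused by HeaderSecurity in
    // the library; this check just keeps the rule local and explicit.
    if (preg_match('/[\s\x00-\x1F\x7F]/', $host) === 1) {
        return null;
    }
    return $host;
}

// Constructed sample values (not taken from real traffic): the PR's test cases,
// a header-injection style newline case, and a few values that must be kept.
$cases = [
    ['comma',   'example.com,example.net'],
    ['space',   'example com'],
    ['tab',     "example\tcom"],
    ['newline', "example.com\r\nX-Injected: 1"],
    ['valid',   'example.com'],
    ['port',    'example.com:8443'],
    ['ipv6',    '[2001:db8::1]:8080'],
];

foreach ($cases as [$label, $value]) {
    $result = plausibleHostOrNull($value);
    printf(
        "%-8s %-34s => %s\n",
        $label,
        json_encode($value),
        $result === null ? 'ignored' : 'kept: ' . $result
    );
}
```

In a request factory, a `null` result would be the cue to fall back to whatever the SAPI reports (`SERVER_NAME` / `SERVER_ADDR`), which is the assumption this example makes about how such a check is wired up rather than a description of Diactoros internals. The deliberately narrow rule set is what keeps the change a defense in depth measure with a tiny breakage risk, as discussed above: a reverse proxy in front should already refuse these requests, and anything this check does not catch still reaches the normal `Uri` handling.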