public static function HeaderSecurity::isValid in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 vendor/zendframework/zend-diactoros/src/HeaderSecurity.php \Zend\Diactoros\HeaderSecurity::isValid()

Validate a header value.

Per RFC 7230, only VISIBLE ASCII characters, spaces, and horizontal tabs are allowed in values; header continuations MUST consist of a single CRLF sequence followed by a space or horizontal tab.

Parameters

string $value:

Return value

bool

See also

http://en.wikipedia.org/wiki/HTTP_response_splitting

1 call to HeaderSecurity::isValid()
HeaderSecurity::assertValid in vendor/zendframework/zend-diactoros/src/HeaderSecurity.php
Assert a header value is valid.

File

vendor/zendframework/zend-diactoros/src/HeaderSecurity.php, line 97

Class

HeaderSecurity
Provide security tools around HTTP headers to prevent common injection vectors.

Namespace

Zend\Diactoros

Code

public static function isValid($value) {
  $value = (string) $value;

  // Look for:
  // \n not preceded by \r, OR
  // \r not followed by \n, OR
  // \r\n not followed by space or horizontal tab; these are all CRLF attacks
  if (preg_match("#(?:(?:(?<!\r)\n)|(?:\r(?!\n))|(?:\r\n(?![ \t])))#", $value)) {
    return false;
  }

  // Reject any byte outside the allowed set. Allowed:
  // 9   === horizontal tab
  // 10  === line feed (only valid as part of CRLF, enforced above)
  // 13  === carriage return (only valid as part of CRLF, enforced above)
  // 32-126   === visible ASCII and space
  // 128-254  === obs-text (high bytes; accepted)
  // Disallowed: 0-8, 11, 12, 14-31 (C0 controls, including NUL),
  // 127 (DEL) and 255 (0xFF), since none of them are in the class below
  if (preg_match('/[^\\x09\\x0a\\x0d\\x20-\\x7E\\x80-\\xFE]/', $value)) {
    return false;
  }
  return true;
}
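The following script is an added example and is not code from zend-diactoros or the Zircon profile. It exercises isValid() with constructed header values, one per rule the method enforces (bare CR or LF, CRLF not followed by space or tab, DEL, NUL, 0xFF, and the accepted obs-text byte 0x80), then shows the throwing wrapper assertValid() that the page lists as the caller of isValid(). It assumes Composer's autoloader is reachable at vendor/autoload.php; that path is an assumption.

```php
<?php
// Added example, not part of zend-diactoros: exercise HeaderSecurity::isValid()
// and assertValid() on constructed header values.
// Assumption: Composer autoloader at vendor/autoload.php.
require __DIR__ . '/vendor/autoload.php';

use Zend\Diactoros\HeaderSecurity;

// Constructed sample values paired with the verdict RFC 7230 requires.
$samples = [
    'plain value'           => ["text/html; charset=utf-8", true],
    'obs-fold continuation' => ["foo\r\n bar", true],   // CRLF followed by SP
    'tab continuation'      => ["foo\r\n\tbar", true],  // CRLF followed by HTAB
    'bare LF'               => ["foo\nbar", false],
    'bare CR'               => ["foo\rbar", false],
    'CRLF then new header'  => ["foo\r\nX-Injected: 1", false], // splitting shape
    'DEL byte (127)'        => ["foo\x7Fbar", false],
    'NUL byte (0)'          => ["foo\x00bar", false],
    'high byte 0x80'        => ["foo\x80bar", true],   // obs-text, accepted
    'byte 0xFF (255)'       => ["foo\xFFbar", false],
];

foreach ($samples as $label => $pair) {
    list($value, $expected) = $pair;
    $actual = HeaderSecurity::isValid($value);
    printf("%-22s isValid=%-5s %s\n",
        $label,
        $actual ? 'true' : 'false',
        $actual === $expected ? 'ok' : 'MISMATCH');
}

// assertValid() wraps isValid() and throws instead of returning false; this is
// the form a message object should use before storing a caller-supplied value.
try {
    HeaderSecurity::assertValid("foo\r\nX-Injected: 1");
    echo "unexpected: value was accepted\n";
} catch (\InvalidArgumentException $e) {
    echo "assertValid rejected the value: ", $e->getMessage(), "\n";
}
```

Every row prints "ok" against the current implementation. The two rows worth noting are the 0x80 and 0xFF cases: the second regex accepts the obs-text range 0x80-0xFE, so a validator that is meant to enforce plain ASCII needs its own additional check, while 0xFF and NUL are rejected here simply because they fall outside the character class.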