Deprecate parsing folded header lines as per RFC 7230

sagikazarmark · sagikazarmark · commit 67053b353c85 · 2018-03-16T13:14:24.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 * Fix `AppendStream::detach` to not close streams
 * Clarify exception message when stream is detached
 * Added a test for #129 behavior
+* Deprecated parsing folded header lines as per RFC 7230
 
 ## 1.4.2 - 2017-03-20
 
diff --git a/src/Rfc7230.php b/src/Rfc7230.php
@@ -12,4 +12,5 @@ final class Rfc7230
 	 * @license https://github.com/amphp/http/blob/16e465fa82555104d1cff98cb8e412295a380214/LICENSE
 	 */
 	const HEADER_REGEX = "(^([^()<>@,;:\\\"/[\]?={}\x01-\x20\x7F]++):[ \t]*+((?:[ \t]*+[\x21-\x7E\x80-\xFF]++)*+)[ \t]*+\r\n)m";
+	const HEADER_FOLD_REGEX = "(\r\n[ \t]++)";
 }
diff --git a/src/functions.php b/src/functions.php
@@ -771,7 +771,17 @@ function _parse_message($message)
 	$rawHeaders = substr($rawHeaders, $startLineEndPosition + 2);
 
 	/** @var array[] $headerLines */
-	preg_match_all(Rfc7230::HEADER_REGEX, $rawHeaders, $headerLines, PREG_SET_ORDER);
+	$count = preg_match_all(Rfc7230::HEADER_REGEX, $rawHeaders, $headerLines, PREG_SET_ORDER);
+
+	// If these aren't the same, then one line didn't match and there's an invalid header.
+	if ($count !== substr_count($rawHeaders, "\n")) {
+		// Folding is deprecated, see https://tools.ietf.org/html/rfc7230#section-3.2.4
+		if (preg_match(Rfc7230::HEADER_FOLD_REGEX, $rawHeaders)) {
+			throw new \InvalidArgumentException('Invalid header syntax: Obsolete line folding');
+		}
+
+		throw new \InvalidArgumentException('Invalid header syntax');
+	}
 
 	foreach ($headerLines as $headerLine) {
 		$result['headers'][strtolower($headerLine[1])][] = $headerLine[2];
diff --git a/tests/FunctionsTest.php b/tests/FunctionsTest.php
@@ -353,6 +353,15 @@ public function testParsesResponseWithoutReason()
         $this->assertSame('Test', (string) $response->getBody());
     }
 
+	/**
+	 * @expectedException \InvalidArgumentException
+	 * @expectedExceptionMessage Invalid header syntax: Obsolete line folding
+	 */
+	public function testParsingFailsWithFoldedHeaders()
+	{
+		Psr7\parse_response("HTTP/1.0 200\r\nFoo: Bar\r\n Baz: Bam\r\nBaz: Qux\r\n\r\nTest");
+	}
+
     /**
      * @expectedException \InvalidArgumentException
      */

Original file line number	Diff line number	Diff line change
`@@ -12,4 +12,5 @@ final class Rfc7230`
`12`	`12`	`* @license https://github.com/amphp/http/blob/16e465fa82555104d1cff98cb8e412295a380214/LICENSE`
`13`	`13`	`*/`
`14`	`14`	`const HEADER_REGEX = "(^([^()<>@,;:\\\"/[\]?={}\x01-\x20\x7F]++):[ \t]+((?:[ \t]+[\x21-\x7E\x80-\xFF]++)+)[ \t]+\r\n)m";`
	`15`	`+ const HEADER_FOLD_REGEX = "(\r\n[ \t]++)";`
`15`	`16`	`}`