-
-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle request headers with numeric keys #11
Comments
Note: technically, RFC7230 defines it as following:
Originally posted by @Xerkus at zendframework/zend-diactoros#286 (comment) |
@Xerkus in that case, do you think that I should update Originally posted by @jeshuaborges at zendframework/zend-diactoros#286 (comment) |
@jeshuaborges looks like there is a bug, this pattern should allow it Originally posted by @Xerkus at zendframework/zend-diactoros#286 (comment) |
Could you open a new PR with a test for all those allowed characters? Originally posted by @Xerkus at zendframework/zend-diactoros#286 (comment) |
@Xerkus Yes. Originally posted by @jeshuaborges at zendframework/zend-diactoros#286 (comment) |
Actually, what was exact error? Was it Originally posted by @Xerkus at zendframework/zend-diactoros#286 (comment) |
I bet header names are used as array keys and php converts them to integers if they are numeric, so it is not a pattern issue. It is actually more serious. @weierophinney you need to take a look at this. I do not think there is a practical use for numeric headers, so omitting them might be acceptable. Originally posted by @Xerkus at zendframework/zend-diactoros#286 (comment) |
It's not up to us to decide what's acceptable; RFC 7230 decides that, and numeric header names are clearly indicated as acceptable by that specification. We just need to fix the Originally posted by @weierophinney at zendframework/zend-diactoros#286 (comment) |
@weierophinney integer keys with strict types enabled would be a bad breaking surprise for consumers. For example: https://3v4l.org/XUj6h
In that case issue about possibility of integer keys have to be elevated to FIG, for the warning to be included in PSR-7 and interface typehints to be amended Originally posted by @Xerkus at zendframework/zend-diactoros#286 (comment) |
I was having trouble understanding your argument until I followed the 3v4l link; that was enlightening. So, what do you propose we do, @Xerkus ? Originally posted by @weierophinney at zendframework/zend-diactoros#286 (comment) |
I never found a workaround to force string numerics as keys, and it bit me a number of times in the past. My cases I solved by hacks: changed code to have all keys prefixed with a static string, it is not possible in his case Originally posted by @Xerkus at zendframework/zend-diactoros#286 (comment) |
@jeshuaborges For the interim, what I would suggest is doing some pre-processing of Originally posted by @weierophinney at zendframework/zend-diactoros#286 (comment) |
@weierophinney @Xerkus Thank you both for looking into this and circling back. Originally posted by @jeshuaborges at zendframework/zend-diactoros#286 (comment) |
Tentatively putting this on 3.0.0 milestone. Proposed partial mitigation for the behavior is to filter out integer numeric headers names in @weierophinney I would like to ask you to propose errata for PSR-7 outlining this quirk of PHP and its effect on headers. PHP bug tracker link for the behavior is https://bugs.php.net/bug.php?id=80309 |
If we want to do this based on PSR-7 errata, we should release 3 first, and not wait; errata takes months, minimum, to work through the process. More interesting... I'm not sure that we can do anything in What we could potentially do is modify I'm going to go with this approach, as it would solve the OP's issue, conforms to RFC-7230, and would not require any errata. |
In There is already partial fix that skips numeric keys but it does not account for keys converting to int after prefixes were stripped. laminas-diactoros/src/functions/marshal_headers_from_sapi.php Lines 33 to 35 in 6fce157
|
You're missing the order of operations. That function is looking at the |
RFC 7230 allows for numeric header names, both integers and floats, though the expectation is that they are provided as string values. Since PHP casts integer strings into integers for purposes of array keys, this can lead to a scenario where `HeaderSecurity` was then flagging the value as invalid - despite the fact that the regex used on strings clearly allows the value. This patch modifies `HeaderSecurity::assertValidName()` to allow for numeric names, and casts them to a string when performing validations. Fixes laminas#11 Signed-off-by: Matthew Weier O'Phinney <[email protected]>
You are correct. Sorry, I am too tired and distracted. What I had in mind is to filter out the array of headers produced from SAPI to prevent type errors that would prevent request instance creation. Once So in array of headers here we can filter out anything that turned into int:
If |
RFC 7230 allows for numeric header names, both integers and floats, though the expectation is that they are provided as string values. Since PHP casts integer strings into integers for purposes of array keys, this can lead to a scenario where `HeaderSecurity` was then flagging the value as invalid - despite the fact that the regex used on strings clearly allows the value. This patch modifies `HeaderSecurity::assertValidName()` to allow for numeric names, and casts them to a string when performing validations. Fixes laminas#11 Signed-off-by: Matthew Weier O'Phinney <[email protected]>
RFC 7230 allows for numeric header names, both integers and floats, though the expectation is that they are provided as string values. Since PHP casts integer strings into integers for purposes of array keys, this can lead to a scenario where `HeaderSecurity` was then flagging the value as invalid - despite the fact that the regex used on strings clearly allows the value. This patch modifies `HeaderSecurity::assertValidName()` to allow for numeric names, and casts them to a string when performing validations. Fixes laminas#11 Signed-off-by: Matthew Weier O'Phinney <[email protected]>
RFC 7230 allows for numeric header names, both integers and floats, though the expectation is that they are provided as string values. Since PHP casts integer strings into integers for purposes of array keys, this can lead to a scenario where `HeaderSecurity` was then flagging the value as invalid - despite the fact that the regex used on strings clearly allows the value. This patch modifies `HeaderSecurity::assertValidName()` to allow for numeric names, and casts them to a string when performing validations. Fixes laminas#11 Signed-off-by: Matthew Weier O'Phinney <[email protected]>
Here, at getpocket.com, we have had a client hit our servers with header keys as integers. In doing so
HeaderSecurity::assertValidName
is throwing an exception because! is_string(-1) === true
.I have been unable to identify any documentation which would suggest that these values could be valid. At this point I believe the best behavior is to ignore these keys.
Originally posted by @jeshuaborges at zendframework/zend-diactoros#286
The text was updated successfully, but these errors were encountered: