Add check for malformed headers (long strings) (#50)

* Check for malformed (long) headers all the time
Riverline · Mar 12, 2024 · 7a9f464 · 7a9f464
1 parent 2418bdf
commit 7a9f464
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/src/StreamedPart.php b/src/StreamedPart.php
@@ -92,6 +92,13 @@ public function __construct($stream)
 
         $this->headers = [];
         foreach ($headerLines as $line) {
+            // We don't allow malformed headers that could have a very long length.
+            // Indeed, in HTTP contexts these could be used for DoS/DoW attacks by slowing down the parsing.
+            // Most web server allow a maximum of 8192 characters for an header line, so we'll use that value.
+            if (strlen($line) > 8192) {
+                throw new \InvalidArgumentException('Malformed header: header value is too long');
+            }
+
             $lineSplit = explode(':', $line, 2);
 
             if (2 === count($lineSplit)) {

diff --git a/tests/StreamedPartTest.php b/tests/StreamedPartTest.php
@@ -231,6 +231,26 @@ public function testHeaderHelpers()
         self::assertEquals('foo', StreamedPart::getHeaderOption($header, 'name'));
     }
 
+    /**
+     * Test reading headers with very long values that could cause a DoS or DoW
+     */
+    public function testInvalidHeadersAreRejected()
+    {
+        $content = "Content-Type: multipart/form-data; boundary=a\n".
+            "\n" .
+            "--a\n" .
+            "Content-Disposition: form-data; name=\"0\";\n" .
+            "Content-Type: ; *=auto''" . str_repeat('a', 10000) .
+            "\r\n\r\n\r\n--a--\r\n";
+        $stream = fopen('php://temp', 'rw');
+        fwrite($stream, $content);
+        rewind($stream);
+
+        $this->expectException(\InvalidArgumentException::class);
+        $this->expectExceptionMessage('Malformed header: header value is too long');
+        new StreamedPart($stream);
+    }
+
     /**
      * Test file helper
      */