"relax" header value assertion / allow more than ascii

bkdotcom · bkdotcom · commit ef605f1a5959 · 2025-02-25T17:58:58.000-06:00
diff --git a/src/HttpMessage/AssertionTrait.php b/src/HttpMessage/AssertionTrait.php
@@ -109,7 +109,7 @@ private function assertHeaderName($name): void
             digit  => 0-9
             others => !#$%&\'*+-.^_`|~
         */
-        if (\preg_match('/^[a-zA-Z0-9!#$%&\'*+-.^_`|~]+$/', $name) !== 1) {
+        if (\preg_match('/^[a-zA-Z0-9!#$%&\'*+-.^_`|~]+$/D', $name) !== 1) {
             throw new InvalidArgumentException(\sprintf(
                 '"%s" is not valid header name, it must be an RFC 7230 compatible string.',
                 $name
@@ -151,10 +151,21 @@ private function assertHeaderValue($value): void
     /**
      * Validate header value
      *
+     * headers values should be ISO-8859-1 encoded by default
+     *
+     * field-value    = *( field-content / obs-fold )
+     * field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+     * field-vchar    = VCHAR / obs-text
+     * VCHAR          = %x21-7E
+     * obs-text       = %x80-FF
+     * obs-fold       = CRLF 1*( SP / HTAB )
+
      * @param mixed $value Header value to test
      *
      * @return void
      *
+     * @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2
+     *
      * @throws InvalidArgumentException
      *
      * @psalm-assert string $value
@@ -165,20 +176,21 @@ private function assertHeaderValueLine($value): void
             return;
         }
         $this->assertString($value, 'Header value', true);
-        /*
-            https://www.rfc-editor.org/rfc/rfc7230.txt (page.25)
-
-            field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
-            field-vchar   = VCHAR / obs-text
-            obs-text      = %x80-FF (character range outside ASCII.)
-                             NOT ALLOWED
-            SP            = space
-            HTAB          = horizontal tab
-            VCHAR         = any visible [USASCII] character. (x21-x7e)
-        */
-        if (\preg_match('/^[ \t\x21-\x7e]+$/', $value) !== 1) {
+        $value = \trim((string) $value, " \t");
+        // The regular expression intentionally does not support the obs-fold production, because as
+        // per RFC 7230#3.2.4:
+        //
+        // A sender MUST NOT generate a message that includes
+        // line folding (i.e., that has any field-value that contains a match to
+        // the obs-fold rule) unless the message is intended for packaging
+        // within the message/http media type.
+        //
+        // Clients must not send a request with line folding and a server sending folded headers is
+        // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
+        // folding is not likely to break any legitimate use case.
+        if (\preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value) !== 1) {
             throw new InvalidArgumentException(\sprintf(
-                '"%s" is not valid header value, it must contains visible ASCII characters only.',
+                '"%s" is not valid header value.',
                 $value
             ));
         }
diff --git a/src/HttpMessage/Utility/Uri.php b/src/HttpMessage/Utility/Uri.php
@@ -205,6 +205,7 @@ private static function computePort(UriInterface $uri): int
     private static function parsedPartsPrep(array $parsed): array
     {
         $map = array(
+            'passwd' => 'pass',
             'password' => 'pass',
             'username' => 'user',
         );
diff --git a/tests/HttpMessage/DataProviderTrait.php b/tests/HttpMessage/DataProviderTrait.php
@@ -261,13 +261,15 @@ public function headerValuesInvalid()
             'null' => [null],
             'object' => [new stdClass()],
             'true' => [true],
+            // 'invisible' => ['This string contains many invisible spaces.'],
         ];
     }
 
     public function headerValuesValid()
     {
         return [
             [1234],
+            ['⛄'], // "opaque data"
             ['text/plain'],
             ['PHP 9.1'],
             ['text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8'],
diff --git a/tests/HttpMessage/MessageTest.php b/tests/HttpMessage/MessageTest.php
@@ -120,13 +120,6 @@ public function testWithAddedHeaderArrayValueAndKeys()
         Exceptions
     */
 
-    public function testExceptionHeaderValueInvalidString()
-    {
-        $this->expectException('InvalidArgumentException');
-        $this->createMessage()
-            ->withHeader('hello-world', 'This string contains many invisible spaces.');
-    }
-
     public function testWithHeaderRejectsMultipleHostValues()
     {
         $this->expectException('InvalidArgumentException');

Original file line number	Diff line number	Diff line change
`@@ -205,6 +205,7 @@ private static function computePort(UriInterface $uri): int`
`205`	`205`	`private static function parsedPartsPrep(array $parsed): array`
`206`	`206`	`{`
`207`	`207`	`$map = array(`
	`208`	`+ 'passwd' => 'pass',`
`208`	`209`	`'password' => 'pass',`
`209`	`210`	`'username' => 'user',`
`210`	`211`	`);`