phorge-phorge/src/aphront/sink/AphrontHTTPSink.php

<?php

/**
 * Abstract class which wraps some sort of output mechanism for HTTP responses.
 * Normally this is just @{class:AphrontPHPHTTPSink}, which uses "echo" and
 * "header()" to emit responses.
 *
 * Mostly, this class allows us to do install security or metrics hooks in the
 * output pipeline.
 *
 * @task write  Writing Response Components
 * @task emit   Emitting the Response
 *
 * @group aphront
 */
abstract class AphrontHTTPSink {


/* -(  Writing Response Components  )---------------------------------------- */


  /**
   * Write an HTTP status code to the output.
   *
   * @param int Numeric HTTP status code.
   * @return void
   */
  final public function writeHTTPStatus($code) {
    if (!preg_match('/^\d{3}$/', $code)) {
      throw new Exception("Malformed HTTP status code '{$code}'!");
    }

    $code = (int)$code;
    $this->emitHTTPStatus($code);
  }


  /**
   * Write HTTP headers to the output.
   *
   * @param list<pair> List of <name, value> pairs.
   * @return void
   */
  final public function writeHeaders(array $headers) {
    foreach ($headers as $header) {
      if (!is_array($header) || count($header) !== 2) {
        throw new Exception('Malformed header.');
      }
      list($name, $value) = $header;

      if (strpos($name, ':') !== false) {
        throw new Exception(
          "Declining to emit response with malformed HTTP header name: ".
          $name);
      }

      // Attackers may perform an "HTTP response splitting" attack by making
      // the application emit certain types of headers containing newlines:
      //
      //   http://en.wikipedia.org/wiki/HTTP_response_splitting
      //
      // PHP has built-in protections against HTTP response-splitting, but they
      // are of dubious trustworthiness:
      //
      //   http://news.php.net/php.internals/57655

      if (preg_match('/[\r\n\0]/', $name.$value)) {
        throw new Exception(
          "Declining to emit response with unsafe HTTP header: ".
          "<'".$name."', '".$value."'>.");
      }
    }

    foreach ($headers as $header) {
      list($name, $value) = $header;
      $this->emitHeader($name, $value);
    }
  }


  /**
   * Write HTTP body data to the output.
   *
   * @param string Body data.
   * @return void
   */
  final public function writeData($data) {
    $this->emitData($data);
  }


  /**
   * Write an entire @{class:AphrontResponse} to the output.
   *
   * @param AphrontResponse The response object to write.
   * @return void
   */
  final public function writeResponse(AphrontResponse $response) {
    // Do this first, in case it throws.
    $response_string = $response->buildResponseString();

    $all_headers = array_merge(
      $response->getHeaders(),
      $response->getCacheHeaders());

    $this->writeHTTPStatus($response->getHTTPResponseCode());
    $this->writeHeaders($all_headers);
    $this->writeData($response_string);
  }


/* -(  Emitting the Response  )---------------------------------------------- */


  abstract protected function emitHTTPStatus($code);
  abstract protected function emitHeader($name, $value);
  abstract protected function emitData($data);
}
Provide software protections for HTTP response splitting Summary: This addresses a few things: - Provide a software HTTP response spliting guard as an extra layer of security, see http://news.php.net/php.internals/57655 and who knows what HPHP/i does. - Cleans up webroot/index.php a little bit, I want to get that file under control eventually. - Eventually I want to collect bytes in/out metrics and this allows us to do that easily. - We may eventually want to write to a socket or do something else like that, ala Litespawn. Test Plan: - Ran unit tests. - Browsed around, checked headers and HTTP status codes. Reviewers: btrahan, vrana Reviewed By: btrahan CC: aran, epriestley Differential Revision: https://secure.phabricator.com/D1564 2012-02-06 09:59:34 -08:00			`<?php`

			`/**`
			`* Abstract class which wraps some sort of output mechanism for HTTP responses.`
			`* Normally this is just @{class:AphrontPHPHTTPSink}, which uses "echo" and`
			`* "header()" to emit responses.`
			`*`
			`* Mostly, this class allows us to do install security or metrics hooks in the`
			`* output pipeline.`
			`*`
			`* @task write Writing Response Components`
			`* @task emit Emitting the Response`
			`*`
			`* @group aphront`
			`*/`
			`abstract class AphrontHTTPSink {`


			`/* -( Writing Response Components )---------------------------------------- */`


			`/**`
			`* Write an HTTP status code to the output.`
			`*`
			`* @param int Numeric HTTP status code.`
			`* @return void`
			`*/`
			`final public function writeHTTPStatus($code) {`
			`if (!preg_match('/^\d{3}$/', $code)) {`
			`throw new Exception("Malformed HTTP status code '{$code}'!");`
			`}`

			`$code = (int)$code;`
			`$this->emitHTTPStatus($code);`
			`}`


			`/**`
			`* Write HTTP headers to the output.`
			`*`
			`* @param list<pair> List of <name, value> pairs.`
			`* @return void`
			`*/`
			`final public function writeHeaders(array $headers) {`
			`foreach ($headers as $header) {`
			`if (!is_array($header) \|\| count($header) !== 2) {`
			`throw new Exception('Malformed header.');`
			`}`
			`list($name, $value) = $header;`

			`if (strpos($name, ':') !== false) {`
			`throw new Exception(`
			`"Declining to emit response with malformed HTTP header name: ".`
			`$name);`
			`}`

			`// Attackers may perform an "HTTP response splitting" attack by making`
			`// the application emit certain types of headers containing newlines:`
			`//`
			`// http://en.wikipedia.org/wiki/HTTP_response_splitting`
			`//`
			`// PHP has built-in protections against HTTP response-splitting, but they`
			`// are of dubious trustworthiness:`
			`//`
			`// http://news.php.net/php.internals/57655`

			`if (preg_match('/[\r\n\0]/', $name.$value)) {`
			`throw new Exception(`
			`"Declining to emit response with unsafe HTTP header: ".`
			`"<'".$name."', '".$value."'>.");`
			`}`
			`}`

			`foreach ($headers as $header) {`
Obvious: emit each header once, not the last header N times. 2012-02-06 13:14:17 -08:00			`list($name, $value) = $header;`
Provide software protections for HTTP response splitting Summary: This addresses a few things: - Provide a software HTTP response spliting guard as an extra layer of security, see http://news.php.net/php.internals/57655 and who knows what HPHP/i does. - Cleans up webroot/index.php a little bit, I want to get that file under control eventually. - Eventually I want to collect bytes in/out metrics and this allows us to do that easily. - We may eventually want to write to a socket or do something else like that, ala Litespawn. Test Plan: - Ran unit tests. - Browsed around, checked headers and HTTP status codes. Reviewers: btrahan, vrana Reviewed By: btrahan CC: aran, epriestley Differential Revision: https://secure.phabricator.com/D1564 2012-02-06 09:59:34 -08:00			`$this->emitHeader($name, $value);`
			`}`
			`}`


			`/**`
			`* Write HTTP body data to the output.`
			`*`
			`* @param string Body data.`
			`* @return void`
			`*/`
			`final public function writeData($data) {`
			`$this->emitData($data);`
			`}`


Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks Summary: Some browsers will still sniff content types even with "Content-Type" and "X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from sniffing the content as HTML. See T865. Also unified some of the code on this pathway. Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for the test case in T865. Unit tests pass. Reviewers: cbg, btrahan Reviewed By: cbg CC: aran, epriestley Maniphest Tasks: T139, T865 Differential Revision: https://secure.phabricator.com/D1606 2012-02-14 14:51:51 -08:00			`/**`
			`* Write an entire @{class:AphrontResponse} to the output.`
			`*`
			`* @param AphrontResponse The response object to write.`
			`* @return void`
			`*/`
			`final public function writeResponse(AphrontResponse $response) {`
Share more HTTPSink code Summary: In the past, we did some additional magic on `$response_string` (adding profiling headers? Or DarkConsole?), so we could not share the pathway with HTTPSink. We no longer do this; share the pathways. Also remove error handler initialization (duplicated in PhabricatorEnv), and move $sink initialization earlier. My general goal here is to allow PhabricatorSetup to emit a normal Response object and share as much code as possible with normal pages. Test Plan: Loaded page. Reviewers: btrahan, vrana Reviewed By: btrahan CC: aran Maniphest Tasks: T2228 Differential Revision: https://secure.phabricator.com/D4285 2012-12-25 06:17:45 -08:00			`// Do this first, in case it throws.`
			`$response_string = $response->buildResponseString();`

Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks Summary: Some browsers will still sniff content types even with "Content-Type" and "X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from sniffing the content as HTML. See T865. Also unified some of the code on this pathway. Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for the test case in T865. Unit tests pass. Reviewers: cbg, btrahan Reviewed By: cbg CC: aran, epriestley Maniphest Tasks: T139, T865 Differential Revision: https://secure.phabricator.com/D1606 2012-02-14 14:51:51 -08:00			`$all_headers = array_merge(`
			`$response->getHeaders(),`
			`$response->getCacheHeaders());`

			`$this->writeHTTPStatus($response->getHTTPResponseCode());`
			`$this->writeHeaders($all_headers);`
Share more HTTPSink code Summary: In the past, we did some additional magic on `$response_string` (adding profiling headers? Or DarkConsole?), so we could not share the pathway with HTTPSink. We no longer do this; share the pathways. Also remove error handler initialization (duplicated in PhabricatorEnv), and move $sink initialization earlier. My general goal here is to allow PhabricatorSetup to emit a normal Response object and share as much code as possible with normal pages. Test Plan: Loaded page. Reviewers: btrahan, vrana Reviewed By: btrahan CC: aran Maniphest Tasks: T2228 Differential Revision: https://secure.phabricator.com/D4285 2012-12-25 06:17:45 -08:00			`$this->writeData($response_string);`
Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks Summary: Some browsers will still sniff content types even with "Content-Type" and "X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from sniffing the content as HTML. See T865. Also unified some of the code on this pathway. Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for the test case in T865. Unit tests pass. Reviewers: cbg, btrahan Reviewed By: cbg CC: aran, epriestley Maniphest Tasks: T139, T865 Differential Revision: https://secure.phabricator.com/D1606 2012-02-14 14:51:51 -08:00			`}`


Provide software protections for HTTP response splitting Summary: This addresses a few things: - Provide a software HTTP response spliting guard as an extra layer of security, see http://news.php.net/php.internals/57655 and who knows what HPHP/i does. - Cleans up webroot/index.php a little bit, I want to get that file under control eventually. - Eventually I want to collect bytes in/out metrics and this allows us to do that easily. - We may eventually want to write to a socket or do something else like that, ala Litespawn. Test Plan: - Ran unit tests. - Browsed around, checked headers and HTTP status codes. Reviewers: btrahan, vrana Reviewed By: btrahan CC: aran, epriestley Differential Revision: https://secure.phabricator.com/D1564 2012-02-06 09:59:34 -08:00			`/* -( Emitting the Response )---------------------------------------------- */`


			`abstract protected function emitHTTPStatus($code);`
			`abstract protected function emitHeader($name, $value);`
			`abstract protected function emitData($data);`
			`}`