Skip to content

fix(security): Response header injection + open redirect + cache hardening (v2.3.4)#23

Merged
devsimsek merged 1 commit into
mainfrom
dev
Jul 5, 2026
Merged

fix(security): Response header injection + open redirect + cache hardening (v2.3.4)#23
devsimsek merged 1 commit into
mainfrom
dev

Conversation

@devsimsek

@devsimsek devsimsek commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Summary

Resolves 5 High severity findings from the security audit. Non-breaking patch release bumping 2.3.3 → 2.3.4.

Fixes

Batch A - Response hardening

ID Surface Fix
SDF-69 Response::setHeader() / addHeader() Reject CR/LF/NUL in header names and values; throw InvalidArgumentException. Defense-in-depth on top of PHP's native header() CRLF rejection.
SDF-70 Response::redirect() Validate URL via isSafeRedirectUrl() - blocks protocol-relative (//evil.com), javascript:, data:, vbscript:; allows relative paths + http(s)://.
SDF-71 Response::download() Sanitize filename per RFC 6266 - strip " \r \n \0, emit both filename="..." and filename*=UTF-8''... for cross-browser compatibility.

Batch C - Cache/Fuse hardening

ID Surface Fix
SDF-67 FileDriver::write() + saveTagIndex() + Core.php chmod 0600 always (removed SAPI guard); saveTagIndex() converted to atomic temp+rename+chmod; Core config cache legacy branch chmods.
SDF-68 Fuse::render() cache write Changed from unlocked file_put_contents to atomic temp+LOCK_EX+chmod+rename. Closes TOCTOU cache-poisoning RCE on shared hosting.

Tests

9 new security tests in tests/ResponseTest.php:

  • CRLF injection rejection (setHeader + addHeader)
  • LF injection rejection
  • Null byte rejection
  • Protocol-relative URL rejection
  • javascript: / data: scheme rejection
  • Relative path allowed
  • http(s):// allowed

Verification

  • PHPUnit: 456 tests, 795 assertions, 0 failures (9 new)
  • PHPStan level 5: No errors
  • PHP-CS-Fixer: 0 files need fixing

Wiki

  • wiki/libraries/response.md - setHeader/addHeader throws notes, redirect URL validation, download filename sanitization, error handling updates
  • wiki/libraries/caching.md - new "Atomic writes and file permissions (v2.3.4+)" section
  • wiki/libraries/fuse.md - new "Atomic cache writes (v2.3.4+)" section

…ening (SDF-69,70,71,67,68)

Batch A (Response):
- SDF-69: setHeader/addHeader reject CR/LF/NUL (response splitting)
- SDF-70: redirect() validates URL scheme (open redirect)
- SDF-71: download() sanitizes filename per RFC 6266

Batch C (Cache/Fuse):
- SDF-67: FileDriver chmod always (removed SAPI guard); saveTagIndex
  atomic; Core config cache legacy branch chmods
- SDF-68: Fuse cache write atomic (temp+LOCK_EX+rename+chmod)

9 new ResponseTest security tests. Bump 2.3.3 -> 2.3.4.
@devsimsek

Copy link
Copy Markdown
Owner Author

All checks have passed, ready for code review.

@devsimsek devsimsek left a comment

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@devsimsek devsimsek merged commit ad27970 into main Jul 5, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant