Skip to content

Tighten handshake validation and freeze trim characters#35

Merged
GrahamCampbell merged 1 commit into
1.9from
trim-and-pcre-1.9
Jul 6, 2026
Merged

Tighten handshake validation and freeze trim characters#35
GrahamCampbell merged 1 commit into
1.9from
trim-and-pcre-1.9

Conversation

@GrahamCampbell

Copy link
Copy Markdown
Member

Without the PCRE D modifier a trailing $ anchor also matches immediately before a final newline, and getRequestHeaders cuts the handshake request line at the first CRLF, so a client sending a bare line feed before its first CRLF produced a request line with a trailing newline that still validated. The request-line pattern also left both dots in HTTP/1.1 unescaped, so versions such as HTTP/1x1 were accepted. The pattern now escapes the dots and carries D, the server_ssl_ option-key pattern gains the same anchor, and a new test pins both rejections through validateRequestHandshake.

This also passes the pre-8.6 trim character set explicitly at the six calls that relied on the PHP default, in the handshake header parsing, key extraction, and failure diagnostics, since PHP 8.6 adds form feed to that default. This is the wrench counterpart of chrome-php/chrome#751.

@GrahamCampbell GrahamCampbell merged commit cfd5962 into 1.9 Jul 6, 2026
20 checks passed
@GrahamCampbell GrahamCampbell deleted the trim-and-pcre-1.9 branch July 6, 2026 19:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

1 participant