Simplify header validity check
See: nodejs/node@9f55eac346 See: nodejs/node@862389b0aa
This commit is contained in:
parent
c0950b7b9f
commit
a8f6d79c39
111
src/common.js
111
src/common.js
|
@ -1,111 +0,0 @@
|
|||
/**
|
||||
* A set of utilities borrowed from Node.js' _http_common.js
|
||||
*/
|
||||
|
||||
/**
|
||||
* Verifies that the given val is a valid HTTP token
|
||||
* per the rules defined in RFC 7230
|
||||
* See https://tools.ietf.org/html/rfc7230#section-3.2.6
|
||||
*
|
||||
* Allowed characters in an HTTP token:
|
||||
* ^_`a-z 94-122
|
||||
* A-Z 65-90
|
||||
* - 45
|
||||
* 0-9 48-57
|
||||
* ! 33
|
||||
* #$%&' 35-39
|
||||
* *+ 42-43
|
||||
* . 46
|
||||
* | 124
|
||||
* ~ 126
|
||||
*
|
||||
* This implementation of checkIsHttpToken() loops over the string instead of
|
||||
* using a regular expression since the former is up to 180% faster with v8 4.9
|
||||
* depending on the string length (the shorter the string, the larger the
|
||||
* performance difference)
|
||||
*
|
||||
* Additionally, checkIsHttpToken() is currently designed to be inlinable by v8,
|
||||
* so take care when making changes to the implementation so that the source
|
||||
* code size does not exceed v8's default max_inlined_source_size setting.
|
||||
**/
|
||||
/* istanbul ignore next */
|
||||
function isValidTokenChar(ch) {
|
||||
if (ch >= 94 && ch <= 122)
|
||||
return true;
|
||||
if (ch >= 65 && ch <= 90)
|
||||
return true;
|
||||
if (ch === 45)
|
||||
return true;
|
||||
if (ch >= 48 && ch <= 57)
|
||||
return true;
|
||||
if (ch === 34 || ch === 40 || ch === 41 || ch === 44)
|
||||
return false;
|
||||
if (ch >= 33 && ch <= 46)
|
||||
return true;
|
||||
if (ch === 124 || ch === 126)
|
||||
return true;
|
||||
return false;
|
||||
}
|
||||
/* istanbul ignore next */
|
||||
function checkIsHttpToken(val) {
|
||||
if (typeof val !== 'string' || val.length === 0)
|
||||
return false;
|
||||
if (!isValidTokenChar(val.charCodeAt(0)))
|
||||
return false;
|
||||
const len = val.length;
|
||||
if (len > 1) {
|
||||
if (!isValidTokenChar(val.charCodeAt(1)))
|
||||
return false;
|
||||
if (len > 2) {
|
||||
if (!isValidTokenChar(val.charCodeAt(2)))
|
||||
return false;
|
||||
if (len > 3) {
|
||||
if (!isValidTokenChar(val.charCodeAt(3)))
|
||||
return false;
|
||||
for (var i = 4; i < len; i++) {
|
||||
if (!isValidTokenChar(val.charCodeAt(i)))
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
export { checkIsHttpToken };
|
||||
|
||||
/**
|
||||
* True if val contains an invalid field-vchar
|
||||
* field-value = *( field-content / obs-fold )
|
||||
* field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
|
||||
* field-vchar = VCHAR / obs-text
|
||||
*
|
||||
* checkInvalidHeaderChar() is currently designed to be inlinable by v8,
|
||||
* so take care when making changes to the implementation so that the source
|
||||
* code size does not exceed v8's default max_inlined_source_size setting.
|
||||
**/
|
||||
/* istanbul ignore next */
|
||||
function checkInvalidHeaderChar(val) {
|
||||
val += '';
|
||||
if (val.length < 1)
|
||||
return false;
|
||||
var c = val.charCodeAt(0);
|
||||
if ((c <= 31 && c !== 9) || c > 255 || c === 127)
|
||||
return true;
|
||||
if (val.length < 2)
|
||||
return false;
|
||||
c = val.charCodeAt(1);
|
||||
if ((c <= 31 && c !== 9) || c > 255 || c === 127)
|
||||
return true;
|
||||
if (val.length < 3)
|
||||
return false;
|
||||
c = val.charCodeAt(2);
|
||||
if ((c <= 31 && c !== 9) || c > 255 || c === 127)
|
||||
return true;
|
||||
for (var i = 3; i < val.length; ++i) {
|
||||
c = val.charCodeAt(i);
|
||||
if ((c <= 31 && c !== 9) || c > 255 || c === 127)
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
export { checkInvalidHeaderChar };
|
|
@ -5,11 +5,12 @@
|
|||
* Headers class offers convenient helpers
|
||||
*/
|
||||
|
||||
import { checkInvalidHeaderChar, checkIsHttpToken } from './common.js';
|
||||
const invalidTokenRegex = /[^\^_`a-zA-Z\-0-9!#$%&'*+.|~]/;
|
||||
const invalidHeaderCharRegex = /[^\t\x20-\x7e\x80-\xff]/;
|
||||
|
||||
function sanitizeName(name) {
|
||||
name += '';
|
||||
if (!checkIsHttpToken(name)) {
|
||||
if (invalidTokenRegex.test(name)) {
|
||||
throw new TypeError(`${name} is not a legal HTTP header name`);
|
||||
}
|
||||
return name.toLowerCase();
|
||||
|
@ -17,7 +18,7 @@ function sanitizeName(name) {
|
|||
|
||||
function sanitizeValue(value) {
|
||||
value += '';
|
||||
if (checkInvalidHeaderChar(value)) {
|
||||
if (invalidHeaderCharRegex.test(value)) {
|
||||
throw new TypeError(`${value} is not a legal HTTP header value`);
|
||||
}
|
||||
return value;
|
||||
|
|
Loading…
Reference in New Issue