Malformed request causes 500 response

[pavattt]

Bug Report

Q	A
Version(s)	2.26

Summary

Malformed request causes 500 response when sending integers in header names.

Current behavior

Returns response with http code 500 for requests with invalid headers.

How to reproduce

Send random integer in header name in request.

Expected behavior

Returns response with http code 400 for requests with invalid headers.

If this exception code was set to 400 it would be used as http response code in ServerRequestErrorResponseGenerator.

https://github.com/laminas/laminas-diactoros/blob/2.26.x/src/HeaderSecurity.php#L152-L155

[gsteel]

It's pretty easy to trigger this exception, new Request('/foo', 'GET', 'php://temp', ['123' => 'Bar']); - PHP of course casts numeric keys to an integer, at which point HeaderSecurity::assertValidName() throws for the non-string header name.

From what I can tell, RFC 7230 does not prohibit numeric header names.

[Xerkus]

Duplicate of #11

[gsteel]

Further reference: #159

@Xerkus - has anything changed WRT PSR-7 at fig?

[Xerkus]

Not that I am aware of. I don't expect anything to change except some errata may be.

This really boils down to a php bug that php wont fix and it can only be mitigated by type casting each and every time array key is read. Not really feasible.

[gsteel]

Internally, headers could be list<array{name: non-empty-string, value: list<non-empty-string>}> - slower perhaps… at this point, users cannot expect an integer for a header name, so "fixing" the problem couldn't be considered a BC break right?

[Xerkus]

Please read original issue comments and look at closed PR attempting to solve it.

[Xerkus]

It is impossible to fix or work around:
public function getHeaders(): array;