[PHP-BUG] Bug #60227 [NEW]: header() cannot detect the multi-line header with CR(0x0D).

[rui_hirokawa at yahoo dot co dot jp]

From:             
Operating system: Ubuntu Linux 11.10
PHP version:      trunk-SVN-2011-11-06 (SVN)
Package:          HTTP related
Bug Type:         Bug
Bug description:header() cannot detect the multi-line header with CR(0x0D).

Description:
------------
As of PHP 5.1.2, header() can no longer be used to send multiple response
headers 
in a single call to prevent the HTTP Response Splitting Attack.
header() only checks the linefeed (LF, 0x0A) as line-end marker, it doesn't
check 
the carriage-return (CR, 0x0D).

However, some browsers including Google Chrome, IE also recognize CR as the
line-
end (it is reported by Mr. Tokumaru).

The current specification of header() still has the vulnerability against
the 
HTTP header splitting attack.




Test script:
---------------
<?php 
header('Location: '.$_GET['url']);
print_r($_COOKIE);
?>

accessed from the url like:
http://example.com/head1.php?url=http://example.com/head1.php%0DSet-Cookie:+NAME=foo

It should be executed with Google Chrome or IE.


Expected result:
----------------
Warning: Header may not contain more than a single header, new line
detected. in 
/xxxx/head1.php on line 2
Array ( )

Actual result:
--------------
Array (NAME=>'foo')


-- 
Edit bug report at https://bugs.php.net/bug.php?id=60227&edit=1
-- 
Try a snapshot (PHP 5.4):            
https://bugs.php.net/fix.php?id=60227&r=trysnapshot54
Try a snapshot (PHP 5.3):            
https://bugs.php.net/fix.php?id=60227&r=trysnapshot53
Try a snapshot (trunk):              
https://bugs.php.net/fix.php?id=60227&r=trysnapshottrunk
Fixed in SVN:                        
https://bugs.php.net/fix.php?id=60227&r=fixed
Fixed in SVN and need be documented: 
https://bugs.php.net/fix.php?id=60227&r=needdocs
Fixed in release:                    
https://bugs.php.net/fix.php?id=60227&r=alreadyfixed
Need backtrace:                      
https://bugs.php.net/fix.php?id=60227&r=needtrace
Need Reproduce Script:               
https://bugs.php.net/fix.php?id=60227&r=needscript
Try newer version:                   
https://bugs.php.net/fix.php?id=60227&r=oldversion
Not developer issue:                 
https://bugs.php.net/fix.php?id=60227&r=support
Expected behavior:                   
https://bugs.php.net/fix.php?id=60227&r=notwrong
Not enough info:                     
https://bugs.php.net/fix.php?id=60227&r=notenoughinfo
Submitted twice:                     
https://bugs.php.net/fix.php?id=60227&r=submittedtwice
register_globals:                    
https://bugs.php.net/fix.php?id=60227&r=globals
PHP 4 support discontinued:          
https://bugs.php.net/fix.php?id=60227&r=php4
Daylight Savings:                    https://bugs.php.net/fix.php?id=60227&r=dst
IIS Stability:                       
https://bugs.php.net/fix.php?id=60227&r=isapi
Install GNU Sed:                     
https://bugs.php.net/fix.php?id=60227&r=gnused
Floating point limitations:          
https://bugs.php.net/fix.php?id=60227&r=float
No Zend Extensions:                  
https://bugs.php.net/fix.php?id=60227&r=nozend
MySQL Configuration Error:           
https://bugs.php.net/fix.php?id=60227&r=mysqlcfg