From:
Operating system: Ubuntu Linux 11.10
PHP version:      trunk-SVN-2011-11-06 (SVN)
Package:          HTTP related
Bug Type:         Bug
Bug description:  header() cannot detect the multi-line header with CR(0x0D).

Description:
------------
As of PHP 5.1.2, header() can no longer be used to send multiple response headers in a single call to prevent the HTTP Response Splitting Attack. header() only checks the linefeed (LF, 0x0A) as line-end marker, it doesn't check the carriage-return (CR, 0x0D). However, some browsers including Google Chrome, IE also recognize CR as the line-end (it is reported by Mr. Tokumaru).

The current specification of header() still has the vulnerability against the HTTP header splitting attack.

Test script:
---------------
<?php
header('Location: '.$_GET['url']);
print_r($_COOKIE);
?>

accessed from the url like:
http://example.com/head1.php?url=http://example.com/head1.php%0DSet-Cookie:+NAME=foo
It should be executed with Google Chrome or IE.

Expected result:
----------------
Warning: Header may not contain more than a single header, new line detected. in /xxxx/head1.php on line 2
Array ( )

Actual result:
--------------
Array (NAME=>'foo')

--
Edit bug report at https://bugs.php.net/bug.php?id=60227&edit=1
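
The difference between the LF-only check described in the report and a check that also treats CR as a line end, as an added example (not part of the original report and not PHP's source code). The helper names are hypothetical, and the sample header lines are constructed from the report's test URL after URL-decoding.

```c
#include <stdio.h>
#include <string.h>

/* Model of the behaviour the report describes: only LF (0x0A) counts
 * as a line end. Hypothetical helper, not PHP's source. */
static int has_break_lf_only(const char *s, size_t len)
{
    return memchr(s, '\n', len) != NULL;
}

/* Stricter check: CR (0x0D) and LF (0x0A) both count as line ends. */
static int has_break_cr_or_lf(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] == '\r' || s[i] == '\n')
            return 1;
    return 0;
}

/* Constructed samples: the header line the test script would build
 * once %0D (or %0A) in the url parameter has been decoded. */
static const char sample_cr[] =
    "Location: http://example.com/head1.php\rSet-Cookie: NAME=foo";
static const char sample_lf[] =
    "Location: http://example.com/head1.php\nSet-Cookie: NAME=foo";
static const char sample_ok[] =
    "Location: http://example.com/head1.php";

/* Returns 1 if the header line would be sent, 0 if it is rejected.
 * strict = 0 uses the LF-only model, strict = 1 also rejects CR. */
int header_line_allowed(const char *s, size_t len, int strict)
{
    return strict ? !has_break_cr_or_lf(s, len)
                  : !has_break_lf_only(s, len);
}

int main(void)
{
    size_t n = sizeof(sample_cr) - 1;
    printf("CR sample, LF-only check: %s\n",
           header_line_allowed(sample_cr, n, 0) ? "sent" : "rejected");
    printf("CR sample, CR+LF check:   %s\n",
           header_line_allowed(sample_cr, n, 1) ? "sent" : "rejected");
    return 0;
}
```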