Edit report at https://bugs.php.net/bug.php?id=60227&edit=1
 ID:                 60227
 Updated by:         hirok...@php.net
 Reported by:        rui_hirokawa at yahoo dot co dot jp
 Summary:            header() cannot detect the multi-line header with CR(0x0D).
-Status:             Open
+Status:             Closed
 Type:               Bug
 Package:            HTTP related
 Operating System:   Ubuntu Linux 11.10
 PHP Version:        trunk-SVN-2011-11-06 (SVN)
-Assigned To:
+Assigned To:        hirokawa
 Block user comment: N
 Private report:     N

 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


Previous Comments:
------------------------------------------------------------------------
[2011-11-06 11:07:07] hirok...@php.net

Automatic comment from SVN on behalf of hirokawa
Revision: http://svn.php.net/viewvc/?view=revision&revision=318820
Log: fixed bug #60227: header() cannot detect the multi-line header with CR.

------------------------------------------------------------------------
[2011-11-06 07:04:50] rui_hirokawa at yahoo dot co dot jp

Description:
------------
As of PHP 5.1.2, header() can no longer be used to send multiple response
headers in a single call to prevent the HTTP Response Splitting Attack.
header() only checks the linefeed (LF, 0x0A) as line-end marker, it doesn't
check the carriage-return (CR, 0x0D).

However, some browsers including Google Chrome, IE also recognize CR as the
line-end (it is reported by Mr. Tokumaru).

The current specification of header() still has the vulnerability against the
HTTP header splitting attack.

Test script:
---------------
<?php
header('Location: '.$_GET['url']);
print_r($_COOKIE);
?>

accessed from the url like:
http://example.com/head1.php?url=http://example.com/head1.php%0DSet-Cookie:+NAME=foo

It should be executed with Google Chrome or IE.

Expected result:
----------------
Warning: Header may not contain more than a single header, new line detected.
in /xxxx/head1.php on line 2
Array ( )

Actual result:
--------------
Array (NAME=>'foo')


------------------------------------------------------------------------
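
Added example (not part of the bug report and not PHP's own source): the LF-only check the report describes, next to a check that also treats CR as a line end, run over constructed values that include the decoded `url` parameter from the test script. All function names are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, not PHP internals.

// Check as the report describes it: only LF (0x0A) counts as a line end.
function has_line_end_lf_only(string $value): bool
{
    return strpos($value, "\n") !== false;
}

// Check that treats both CR (0x0D) and LF (0x0A) as line ends.
function has_line_end_cr_or_lf(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Build a Location header line, or return null if the value must be refused.
function build_location_header(string $url): ?string
{
    return has_line_end_cr_or_lf($url) ? null : 'Location: ' . $url;
}

// Constructed samples. PHP has already URL-decoded $_GET values, so the
// report's %0D arrives as a raw CR byte; urldecode() reproduces that here.
$base = 'http://example.com/head1.php';
$samples = [
    'plain' => $base,
    'cr'    => urldecode($base . '%0DSet-Cookie:+NAME=foo'),
    'lf'    => urldecode($base . '%0ASet-Cookie:+NAME=foo'),
    'crlf'  => urldecode($base . '%0D%0ASet-Cookie:+NAME=foo'),
];

foreach ($samples as $name => $value) {
    printf(
        "%-5s lf_only_detects=%-3s cr_or_lf_detects=%-3s header=%s\n",
        $name,
        has_line_end_lf_only($value) ? 'yes' : 'no',
        has_line_end_cr_or_lf($value) ? 'yes' : 'no',
        build_location_header($value) === null ? 'refused' : 'sent'
    );
}
```

On PHP builds that predate the fix, an application-level check like `build_location_header()` covers the CR-only case before the value reaches header().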