Edit report at https://bugs.php.net/bug.php?id=60227&edit=1

 ID:                 60227
 Updated by:         hirok...@php.net
 Reported by:        rui_hirokawa at yahoo dot co dot jp
 Summary:            header() cannot detect the multi-line header with
                     CR(0x0D).
-Status:             Open
+Status:             Closed
 Type:               Bug
 Package:            HTTP related
 Operating System:   Ubuntu Linux 11.10
 PHP Version:        trunk-SVN-2011-11-06 (SVN)
-Assigned To:        
+Assigned To:        hirokawa
 Block user comment: N
 Private report:     N

 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.




Previous Comments:
------------------------------------------------------------------------
[2011-11-06 11:07:07] hirok...@php.net

Automatic comment from SVN on behalf of hirokawa
Revision: http://svn.php.net/viewvc/?view=revision&revision=318820
Log: fixed bug #60227: header() cannot detect the multi-line header with CR.

------------------------------------------------------------------------
[2011-11-06 07:04:50] rui_hirokawa at yahoo dot co dot jp

Description:
------------
As of PHP 5.1.2, header() can no longer be used to send multiple response
headers in a single call, to prevent the HTTP Response Splitting Attack.
header() only checks the linefeed (LF, 0x0A) as a line-end marker; it
doesn't check the carriage return (CR, 0x0D).

However, some browsers, including Google Chrome and IE, also recognize CR
as the line-end (it is reported by Mr. Tokumaru).

The current specification of header() still has the vulnerability against
the HTTP header splitting attack.




Test script:
---------------
<?php 
header('Location: '.$_GET['url']);
print_r($_COOKIE);
?>

Accessed from a URL like:
http://example.com/head1.php?url=http://example.com/head1.php%0DSet-Cookie:+NAME=foo

It should be executed with Google Chrome or IE.


Expected result:
----------------
Warning: Header may not contain more than a single header, new line detected. in /xxxx/head1.php on line 2
Array ( )

Actual result:
--------------
Array (NAME=>'foo')



------------------------------------------------------------------------
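
Added example (not part of the bug report and not PHP's own source): a C sketch that contrasts an LF-only line-break check, as the report describes header() doing, with a check that also treats CR as a line end, run over the url= value from the test request above. The function names and the small query-string decoder are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Check as the report describes it: only LF (0x0A) counts as a line end. */
static int lf_only_check(const char *s, size_t n)
{
    return memchr(s, '\n', n) != NULL;
}

/* Check that treats both CR (0x0D) and LF (0x0A) as a line end. */
static int cr_lf_check(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\r' || s[i] == '\n')
            return 1;
    return 0;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                          /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode a query-string value (%XX and '+') into out; returns its length. */
static size_t query_decode(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    for (; *in && n + 1 < cap; in++) {
        if (*in == '%' && hexval(in[1]) >= 0 && hexval(in[2]) >= 0) {
            out[n++] = (char)(hexval(in[1]) * 16 + hexval(in[2]));
            in += 2;
        } else {
            out[n++] = (*in == '+') ? ' ' : *in;
        }
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* url= value taken from the report's test request */
    const char *q = "http://example.com/head1.php%0DSet-Cookie:+NAME=foo";
    char v[256];
    size_t n = query_decode(q, v, sizeof v);
    printf("LF-only flags it: %d, CR+LF flags it: %d\n",
           lf_only_check(v, n), cr_lf_check(v, n));
    return 0;
}
```

The LF-only check passes the decoded value through, while the CR-aware check flags it, which is the gap the report describes.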


