Edit report at https://bugs.php.net/bug.php?id=60668&edit=1
ID: 60668
Comment by: me at ktamura dot com
Reported by: vr...@php.net
Summary: Setting user_agent can send other headers
Status: Open
Type: Bug
Package: HTTP related
Operating System: Irrelevant
PHP Version: 5.4.0RC5
Block user comment: N
Private report: N

New Comment:

vrana: I think this is a pretty bad security issue. Here is a proposed diff as a github gist: https://gist.github.com/1675788

Previous Comments:
------------------------------------------------------------------------
[2012-01-06 10:08:41] vr...@php.net

Description:
------------
Setting the 'user_agent' INI value to a string containing a newline causes a new header to be sent. This behavior is even documented: http://php.net/wrappers.http#wrappers.http.example.custom.headers

It is wrong for two reasons:
1. The 'user_agent' INI setting should be used only for setting a User-Agent header and not for anything else.
2. It is a potential security risk (header injection) similar to the one fixed in PHP 5.1.2 (but with low impact).

(See also bug #52979, but I believe that I am providing better reasoning.)

Test script:
---------------
<?php
$_POST['user_agent'] = "Robot\r\nX-Command: delete-all";
ini_set('user_agent', $_POST['user_agent']);
readfile('http://private/service.php');
?>

Expected result:
----------------
Sending just a User-Agent header, not an X-Command header.

Actual result:
--------------
Sending User-Agent and X-Command headers. If http://private/service.php accepts connections only from trusted sources and parses its commands from headers, then it will execute the malicious action.
------------------------------------------------------------------------
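Until the wrapper itself stops splitting on CR/LF, the caller has to refuse such values before they reach ini_set('user_agent', ...). The check below is an added example, not code from the report, the gist, or PHP itself; it assumes only that the value originates from an untrusted source (the report's $_POST['user_agent']) and treats any ASCII control character as a header-injection attempt. The two sample inputs are constructed: the first is the report's own test value, the second a benign User-Agent string. The code avoids scalar type declarations so it runs on the 5.x interpreters the report concerns.

```php
<?php
// Added example (not part of the bug report): validate an externally supplied
// User-Agent value before it is handed to ini_set('user_agent', ...).
// With the behaviour described in the report, any CR/LF in the value becomes
// an additional request header, so the value must be rejected, not "cleaned".

function assertSafeUserAgent($value)
{
    if (!is_string($value)) {
        throw new InvalidArgumentException('User-Agent must be a string');
    }
    // CR, LF and every other ASCII control character (including DEL) have no
    // legitimate place in a User-Agent token and are exactly what turns one
    // header line into two. Reject rather than strip: stripping silently hides
    // that someone tried to inject a header.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('User-Agent contains control characters');
    }
    return $value;
}

function userAgentIsSafe($value)
{
    try {
        assertSafeUserAgent($value);
        return true;
    } catch (InvalidArgumentException $e) {
        return false;
    }
}

// Constructed inputs for the demonstration.
$inputs = array(
    "Robot\r\nX-Command: delete-all",           // the report's test value
    "Robot/1.0 (+http://example.invalid/bot)",  // benign, constructed
);

foreach ($inputs as $ua) {
    if (userAgentIsSafe($ua)) {
        // Only a validated value reaches the INI setting; the wrapper will
        // now emit exactly one User-Agent header line for it.
        ini_set('user_agent', $ua);
        echo "accepted: ", $ua, "\n";
    } else {
        // json_encode makes the embedded CR/LF visible in the log line.
        echo "rejected: ", json_encode($ua), "\n";
    }
}
```

Run as a plain CLI script, the first input is rejected and the second is accepted and installed. The same check applies when a User-Agent is passed through a stream context 'header' option instead of the INI setting, since that path concatenates the string into the request in the same way.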