PHP :: Bug #79265 :: Improper injection of Host header when using fopen for http requests

Bug #79265	Improper injection of Host header when using fopen for http requests
Submitted:	2020-02-12 16:47 UTC	Modified:	2021-10-11 12:08 UTC
From:	miguelxpn2 at gmail dot com	Assigned:	cmb (profile)
Status:	Closed	Package:	HTTP related
PHP Version:	master-Git-2020-02-12 (Git)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2020-02-12 16:47 UTC] miguelxpn2 at gmail dot com

Description:
------------
If there is any header in the http request that contains the string 'host:' in their value before the actual host header the requests ends up being sent with two headers Host, the one specified by the user and the default one that's injected in case the header wasn't present.

Test script:
---------------
<?php
$opts = array(
  'http'=>array(
    'method'=>"GET",
    'header'=>"RandomHeader: localhost:8080\r\n" .
              "Cookie: foo=bar\r\n" .
              "Host: testcustomheader  \r\n"
  )
);
$context = stream_context_create($opts);
$fp = fopen('http://myserver.com', 'r', false, $context);
fpassthru($fp);

Expected result:
----------------
The raw headers should only contain the host header specified by the user that was sent in the context.

Actual result:
--------------
We get a faulty request with two Host headers instead:

GET / HTTP/1.0
Host: myserver.com
RandomHeader: localhost:8080
Cookie: foo=bar
Host: testcustomhostheader

Patches

Pull Requests

Pull requests:

Fixes #79265: Improper injection of Host header when using fopen for http requests (php-src/5201)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-02-12 16:50 UTC] miguelxpn2 at gmail dot com

I dug into the source code to find out why this happens. This seems to be caused by an improper search of the Host: header to find out whether we should inject it or not.

Inside http_fopen_wrapper.c we use strstr to search an occurrence of the string 'host:' in the headers, and if that occurrence is in the beginning of a line then we set the have_header variable with HTTP_HEADER_HOST flag. If you try to send the Host header after another header that contains the string host: in the value of the header that flag won't be set and the default header will be injected.

A fix would be to check for every occurence of the host: string instead of just getting the first one.

[2020-02-24 05:09 UTC] miguelxpn2 at gmail dot com

The following pull request has been associated:

Patch Name: Fixes #79265: Improper injection of Host header when using fopen for http requests
On GitHub:  https://github.com/php/php-src/pull/5201
Patch:      https://github.com/php/php-src/pull/5201.patch

[2021-10-11 12:08 UTC] cmb@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb

[2021-10-11 12:08 UTC] cmb@php.net

The PR has been applied[1], so this ticket can be closed.

[1] <https://github.com/php/php-src/commit/d0d60503b54b528d42546acf1ca34914fb8aea55>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Feb 22 16:01:29 2025 UTC