PHP :: Bug #52979 :: ini variable user_agent allows arbitrary injection

Bug #52979	ini variable user_agent allows arbitrary injection
Submitted:	2010-10-03 15:06 UTC	Modified:	2010-11-25 20:45 UTC
From:	marco at vmsoft-gbr dot de	Assigned:
Status:	Not a bug	Package:	Streams related
PHP Version:	5.3.3	OS:	all
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2010-10-03 15:06 UTC] marco at vmsoft-gbr dot de

Description:
------------
The php.ini variable user_agent is not properly sanitized. This allows arbitrary header injection for any HTTP(S) request made using the http stream wrapper (see code). This bug has grown a feature, but now using stream_context_set_option this behaviour should be deprecated.




Test script:
---------------
<?php
// before, insecure:
ini_set('user_agent', "PHP\r\nX-MyCustomHeader: Foo");
$f=file_get_contents('http://www.example.com/index.php');

// now, proper way of adding headers:
$s=stream_context_create();
stream_context_set_option($s,"http","header","X-MyCustomHeader: Foo");
ini_set('user_agent', "PHPX-MyCustomHeader: Foo");
$f=file_get_contents('http://www.example.com/index.php',false,$s);
?>

Patches

sanitize-ini-user_agent.patch (last revision 2010-10-03 13:07 UTC by marco at vmsoft-gbr dot de)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-10-03 15:08 UTC] marco at vmsoft-gbr dot de

Cut out the "ini_set('user_agent', "PHPX-MyCustomHeader: Foo");" in the testscript, this was a copy mistake

[2010-10-03 15:10 UTC] marco at vmsoft-gbr dot de

The patch sanitizes the user_agent ini variable, so that this can't be exploited any more. It also gives out a warning so people update their buggy scripts.

[2010-11-25 20:45 UTC] iliaa@php.net

-Status: Open +Status: Bogus

[2010-11-25 20:45 UTC] iliaa@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

It is a code bug, if injection occurs into your code the problem is with the code 
itself.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Wed Apr 24 06:01:29 2024 UTC