php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #52979 ini variable user_agent allows arbitrary injection
Submitted: 2010-10-03 15:06 UTC Modified: 2010-11-25 20:45 UTC
From: marco at vmsoft-gbr dot de Assigned:
Status: Not a bug Package: Streams related
PHP Version: 5.3.3 OS: all
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: marco at vmsoft-gbr dot de
New email:
PHP Version: OS:

 

 [2010-10-03 15:06 UTC] marco at vmsoft-gbr dot de 
Description:
------------
The php.ini variable user_agent is not properly sanitized. This allows arbitrary header injection for any HTTP(S) request made using the http stream wrapper (see code). This bug has grown a feature, but now using stream_context_set_option this behaviour should be deprecated.




Test script:
---------------
<?php
// before, insecure:
ini_set('user_agent', "PHP\r\nX-MyCustomHeader: Foo");
$f=file_get_contents('http://www.example.com/index.php');

// now, proper way of adding headers:
$s=stream_context_create();
stream_context_set_option($s,"http","header","X-MyCustomHeader: Foo");
ini_set('user_agent', "PHPX-MyCustomHeader: Foo");
$f=file_get_contents('http://www.example.com/index.php',false,$s);
?>

Patches

sanitize-ini-user_agent.patch (last revision 2010-10-03 13:07 UTC by marco at vmsoft-gbr dot de)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-10-03 15:08 UTC] marco at vmsoft-gbr dot de 
Cut out the "ini_set('user_agent', "PHPX-MyCustomHeader: Foo");" in the testscript, this was a copy mistake
 [2010-10-03 15:10 UTC] marco at vmsoft-gbr dot de 
The patch sanitizes the user_agent ini variable, so that this can't be exploited any more. It also gives out a warning so people update their buggy scripts.
 [2010-11-25 20:45 UTC] iliaa@php.net
-Status: Open +Status: Bogus
 [2010-11-25 20:45 UTC] iliaa@php.net 
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

It is a code bug, if injection occurs into your code the problem is with the code 
itself.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Oct 27 04:00:02 2025 UTC