php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52979 ini variable user_agent allows arbitrary injection
Submitted: 2010-10-03 15:06 UTC Modified: 2010-11-25 20:45 UTC
From: marco at vmsoft-gbr dot de Assigned:
Status: Not a bug Package: Streams related
PHP Version: 5.3.3 OS: all
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: marco at vmsoft-gbr dot de
New email:
PHP Version: OS:

 

 [2010-10-03 15:06 UTC] marco at vmsoft-gbr dot de
Description:
------------
The php.ini variable user_agent is not properly sanitized. This allows arbitrary header injection for any HTTP(S) request made using the http stream wrapper (see code). This bug has grown a feature, but now using stream_context_set_option this behaviour should be deprecated.




Test script:
---------------
<?php
// before, insecure:
ini_set('user_agent', "PHP\r\nX-MyCustomHeader: Foo");
$f=file_get_contents('http://www.example.com/index.php');

// now, proper way of adding headers:
$s=stream_context_create();
stream_context_set_option($s,"http","header","X-MyCustomHeader: Foo");
ini_set('user_agent', "PHPX-MyCustomHeader: Foo");
$f=file_get_contents('http://www.example.com/index.php',false,$s);
?>



Patches

sanitize-ini-user_agent.patch (last revision 2010-10-03 13:07 UTC by marco at vmsoft-gbr dot de)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-10-03 15:08 UTC] marco at vmsoft-gbr dot de
Cut out the "ini_set('user_agent', "PHPX-MyCustomHeader: Foo");" in the testscript, this was a copy mistake
 [2010-10-03 15:10 UTC] marco at vmsoft-gbr dot de
The patch sanitizes the user_agent ini variable, so that this can't be exploited any more. It also gives out a warning so people update their buggy scripts.
 [2010-11-25 20:45 UTC] iliaa@php.net
-Status: Open +Status: Bogus
 [2010-11-25 20:45 UTC] iliaa@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

It is a code bug, if injection occurs into your code the problem is with the code 
itself.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 16:01:29 2024 UTC