php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #66912 header() can send multiple headers
Submitted: 2014-03-16 02:11 UTC Modified: 2014-03-16 07:25 UTC
From: yusei1128 at gmail dot com Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: yusei1128 at gmail dot com
New email:
PHP Version: OS:

 

 [2014-03-16 02:11 UTC] yusei1128 at gmail dot com
Description:
------------
header() can send multiple headers.

Normally, header function verify not contains [CR] or [CR][LF].

But, most browsers, e.g. Chromium, can handle headers using [LF] separate even if it is not [CR][LF].

This problem be in danger of rewriting/adding headers from outsider when using value of input parameters to value of headers.

Relate RFC 2616#Sec19.3

Test script:
---------------
<?php

header("X-Foo: Bar\rX-Token: Bar");
var_dump(apache_response_headers());

Expected result:
----------------
Cause Fatal Error

Actual result:
--------------
header outputs(chromium developer tools):
X-Foo:Bar
X-Token:Bar

body outputs:
array(1) {
  ["X-Foo"]=>
  string(16) "Bar
X-Token: Bar"
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-03-16 02:24 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2014-03-16 02:24 UTC] stas@php.net
I can not reproduce it. Instead, I am getting: 

Warning: Header may not contain more than a single header, new line detected in /Applications/MAMP/htdocs/t.php on line 3
array(1) { ["X-Powered-By"]=> string(10) "PHP/5.4.25" }

Which PHP version/build did you use? Which SAPI?
 [2014-03-16 03:09 UTC] yusei1128 at gmail dot com
-Status: Feedback +Status: Open
 [2014-03-16 03:09 UTC] yusei1128 at gmail dot com
Umm.

I tried this problem on various environment, but I could not find a main factor.

---
Apache Mode PHP/5.2.5(on Apache 1.3) => This problem occurred.

CGI/FastCGI Mode PHP/5.3.27 => Cause Warning
Apache Mode PHP/5.3.3 => Cause Warning

Occurred by Apache 1.3?

How can i get a version of SAPI?
 [2014-03-16 03:36 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2014-03-16 03:36 UTC] stas@php.net
Thank you for taking the time to report a problem with PHP.
Unfortunately you are not using a current version of PHP -- 
the problem might already be fixed. Please download a new
PHP version from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.

Support for PHP 5.2 has been discontinued since 2011. Please upgrade to more recent version of PHP.
 [2014-03-16 07:25 UTC] pajoye@php.net
There is no SAPI version, they are bundled with PHP and this is the version you can rely on.

As Rasmus told you on the security list, 5.2 is discontinued and should not be used. Also this bug has been fixed years ago. Please consider an upgrade.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 11:01:30 2024 UTC