php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52979 ini variable user_agent allows arbitrary injection
Submitted: 2010-10-03 15:06 UTC Modified: 2010-11-25 20:45 UTC
From: marco at vmsoft-gbr dot de Assigned:
Status: Not a bug Package: Streams related
PHP Version: 5.3.3 OS: all
Private report: No CVE-ID:
 [2010-10-03 15:06 UTC] marco at vmsoft-gbr dot de
Description:
------------
The php.ini variable user_agent is not properly sanitized. This allows arbitrary header injection for any HTTP(S) request made using the http stream wrapper (see code). This bug has grown a feature, but now using stream_context_set_option this behaviour should be deprecated.




Test script:
---------------
<?php
// before, insecure:
ini_set('user_agent', "PHP\r\nX-MyCustomHeader: Foo");
$f=file_get_contents('http://www.example.com/index.php');

// now, proper way of adding headers:
$s=stream_context_create();
stream_context_set_option($s,"http","header","X-MyCustomHeader: Foo");
ini_set('user_agent', "PHPX-MyCustomHeader: Foo");
$f=file_get_contents('http://www.example.com/index.php',false,$s);
?>



Patches

sanitize-ini-user_agent.patch (last revision 2010-10-03 13:07 UTC) by marco at vmsoft-gbr dot de)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-10-03 15:08 UTC] marco at vmsoft-gbr dot de
Cut out the "ini_set('user_agent', "PHPX-MyCustomHeader: Foo");" in the testscript, this was a copy mistake
 [2010-10-03 15:10 UTC] marco at vmsoft-gbr dot de
The patch sanitizes the user_agent ini variable, so that this can't be exploited any more. It also gives out a warning so people update their buggy scripts.
 [2010-11-25 20:45 UTC] iliaa@php.net
-Status: Open +Status: Bogus
 [2010-11-25 20:45 UTC] iliaa@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

It is a code bug, if injection occurs into your code the problem is with the code 
itself.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 14:02:33 2014 UTC