Bug #52979 ini variable user_agent allows arbitrary injection
Submitted: 2010-10-03 15:06 UTC Modified: 2010-11-25 20:45 UTC
From: marco at vmsoft-gbr dot de Assigned:
Status: Not a bug Package: Streams related
PHP Version: 5.3.3 OS: all
Private report: No CVE-ID: None

 [2010-10-03 15:06 UTC] marco at vmsoft-gbr dot de
The php.ini variable user_agent is not properly sanitized. This allows arbitrary header injection for any HTTP(S) request made using the http stream wrapper (see code). This bug has grown a feature, but now using stream_context_set_option this behaviour should be deprecated.

Test script:
<?php
// before, insecure:
ini_set('user_agent', "PHP\r\nX-MyCustomHeader: Foo");

// now, proper way of adding headers:
// $s must be a stream context resource before options can be set on it
$s = stream_context_create();
stream_context_set_option($s,"http","header","X-MyCustomHeader: Foo");
ini_set('user_agent', "PHPX-MyCustomHeader: Foo");


sanitize-ini-user_agent.patch (last revision 2010-10-03 13:07 UTC by marco at vmsoft-gbr dot de)

 [2010-10-03 15:08 UTC] marco at vmsoft-gbr dot de
Cut out the "ini_set('user_agent', "PHPX-MyCustomHeader: Foo");" in the test script; this was a copy mistake.
 [2010-10-03 15:10 UTC] marco at vmsoft-gbr dot de
The patch sanitizes the user_agent ini variable, so that this can't be exploited any more. It also gives out a warning so people update their buggy scripts.
 [2010-11-25 20:45 UTC]
-Status: Open +Status: Bogus
 [2010-11-25 20:45 UTC]
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

It is a code bug, if injection occurs into your code the problem is with the code 
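
One way for calling code to keep CR/LF out of the User-Agent value and to pass extra headers through the stream context, as the report recommends. This is an added example, not the reporter's patch or PHP's own code; safe_header_value() and build_http_context() are hypothetical helper names, the sample values are constructed, and the type declarations assume PHP 7 or later.

```php
<?php
// Added example, not part of the bug report or of the attached patch.
// safe_header_value() and build_http_context() are hypothetical helper names.

/**
 * Reject any value that contains CR, LF or NUL, the characters that would let
 * a single header value end the current line and start a new header.
 */
function safe_header_value(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('header value contains CR, LF or NUL');
    }
    return $value;
}

/**
 * Build an http stream context: the User-Agent goes into the user_agent
 * context option, extra headers go into the header option, one per entry.
 */
function build_http_context(string $userAgent, array $extraHeaders = [])
{
    $lines = [];
    foreach ($extraHeaders as $name => $value) {
        // Header names are limited to HTTP token characters; \A and \z are
        // used because "$" would also match before a trailing newline.
        if (!preg_match('/\A[A-Za-z0-9!#$%&\'*+.^_`|~-]+\z/', (string) $name)) {
            throw new InvalidArgumentException('invalid header name');
        }
        $lines[] = $name . ': ' . safe_header_value((string) $value);
    }
    return stream_context_create(['http' => [
        'user_agent' => safe_header_value($userAgent),
        'header'     => $lines,
    ]]);
}

// Constructed sample input: accepted, options are set on the context.
$ctx = build_http_context('PHP', ['X-MyCustomHeader' => 'Foo']);
print_r(stream_context_get_options($ctx));

try {
    // The value from the report's "before" case is refused.
    build_http_context("PHP\r\nX-MyCustomHeader: Foo");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```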