Bug #60227 header() cannot detect the multi-line header with CR(0x0D).
Submitted: 2011-11-06 07:04 UTC Modified: 2011-11-06 11:19 UTC
From: rui_hirokawa at yahoo dot co dot jp Assigned: hirokawa
Status: Closed Package: HTTP related
PHP Version: trunk-SVN-2011-11-06 (SVN) OS: Ubuntu Linux 11.10
Private report: No CVE-ID:
 [2011-11-06 07:04 UTC] rui_hirokawa at yahoo dot co dot jp
Description:
------------
As of PHP 5.1.2, header() can no longer be used to send multiple response headers
in a single call, to prevent the HTTP Response Splitting Attack.
header() only checks the linefeed (LF, 0x0A) as the line-end marker; it doesn't check
the carriage-return (CR, 0x0D).

However, some browsers, including Google Chrome and IE, also recognize CR as the
line end (as reported by Mr. Tokumaru).

The current specification of header() is still vulnerable to the
HTTP header splitting attack.




Test script:
---------------
<?php
// Reproduction from the report: an unvalidated GET parameter is placed directly into a response header
header('Location: '.$_GET['url']);
print_r($_COOKIE);
?>

accessed from the url like:
http://example.com/head1.php?url=http://example.com/head1.php%0DSet-Cookie:+NAME=foo

It should be executed with Google Chrome or IE.


Expected result:
----------------
Warning: Header may not contain more than a single header, new line detected. in 
/xxxx/head1.php on line 2
Array ( )

Actual result:
--------------
Array (NAME=>'foo')


Patches

SAPI.diff (last revision 2011-11-06 07:05 UTC) by rui_hirokawa at yahoo dot co dot jp


History

 [2011-11-06 11:07 UTC] hirokawa@php.net
Automatic comment from SVN on behalf of hirokawa
Revision: http://svn.php.net/viewvc/?view=revision&revision=318820
Log: fixed bug #60227: header() cannot detect the multi-line header with CR.
 [2011-11-06 11:19 UTC] hirokawa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2011-11-06 11:19 UTC] hirokawa@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: hirokawa
 [2011-11-10 14:24 UTC] hirokawa@php.net
Automatic comment from SVN on behalf of hirokawa
Revision: http://svn.php.net/viewvc/?view=revision&revision=318997
Log: MFH: fixed bug #60227 (header() cannot detect the multi-line header with CR(0x0D).)
 [2012-01-14 07:40 UTC] hirokawa@php.net
Automatic comment from SVN on behalf of hirokawa
Revision: http://svn.php.net/viewvc/?view=revision&revision=322263
Log: MFH: fixed bug #60227: header() cannot detect the multi-line header with CR.
 [2012-02-02 18:24 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=323033
Log: - Hopefully correct fix for bug #60227.
#No commit for 5.4 for now
 [2012-02-03 08:48 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=323041
Log: - Merging r323033 into 5.3 (see bug #60227).
 [2012-02-03 13:56 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=323043
Log: - Headers: forbid \r and \n also after \0, allow CRLF followed by HT or SP and
  forbid \0. See bug #60227.
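The following is an added example, not the reporter's script and not php-src code: it models the LF-only check the report describes and the rule stated in the r323043 log above (reject \r and \n, allow CRLF followed by SP or HT, reject \0) as plain string validators, and runs both against the report's %0D payload. The function names and the exact boundary handling are assumptions paraphrasing that log line, not a transcription of the C implementation.

```python
from urllib.parse import unquote_plus

# Constructed from the URL in the report: %0D decodes to a bare CR, "+" to a space.
REPORT_QUERY = "http://example.com/head1.php%0DSet-Cookie:+NAME=foo"
SPLIT_PAYLOAD = unquote_plus(REPORT_QUERY)

CONTINUATION = frozenset((" ", "\t"))


def header_ok_lf_only(value: str) -> bool:
    """Pre-fix behaviour as the report describes it: only LF counts as a line end."""
    return "\n" not in value


def header_ok_fixed(value: str) -> bool:
    """Paraphrase of the r323043 rule (assumption, not the C code):
    NUL is rejected; CR/LF are rejected unless they form CRLF followed by SP/HT."""
    i, n = 0, len(value)
    while i < n:
        c = value[i]
        if c == "\0":
            return False
        if c in "\r\n":
            folded = (c == "\r" and i + 2 < n
                      and value[i + 1] == "\n" and value[i + 2] in CONTINUATION)
            if not folded:
                return False
            i += 3          # skip the tolerated "\r\n" + SP/HT continuation
            continue
        i += 1
    return True


def build_location_header(url: str) -> str:
    """Mirrors the report's header('Location: '.$_GET['url']) concatenation."""
    return "Location: " + url


def check_report_payload() -> dict:
    """Returns what each rule decides for the report's request."""
    header = build_location_header(SPLIT_PAYLOAD)
    return {
        "contains_bare_cr": "\r" in header and "\n" not in header,
        "lf_only_accepts": header_ok_lf_only(header),
        "fixed_accepts": header_ok_fixed(header),
    }


if __name__ == "__main__":
    print(check_report_payload())
```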
 [2012-03-07 07:49 UTC] stas@php.net
Automatic comment from SVN on behalf of stas
Revision: http://svn.php.net/viewvc/?view=revision&revision=323986
Log: MFH: Headers: forbid \r and \n also after \0, allow CRLF followed by HT or SP and forbid \0. See bug #60227.
 [2012-03-12 14:34 UTC] neweracracker at gmail dot com
Hello,

Isn't this commit supposed to be backported to PHP_5_3?

http://svn.php.net/viewvc/?view=revision&revision=323986

Thank you.
 [2012-04-18 09:47 UTC] laruence@php.net
Automatic comment on behalf of hirokawa
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d73b1a275d300ba8b30165dce16e273df57e3e08
Log: fixed bug #60227: header() cannot detect the multi-line header with CR.
 [2012-07-24 23:39 UTC] rasmus@php.net
Automatic comment on behalf of hirokawa
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d73b1a275d300ba8b30165dce16e273df57e3e08
Log: fixed bug #60227: header() cannot detect the multi-line header with CR.
 [2013-11-17 09:35 UTC] laruence@php.net
Automatic comment on behalf of hirokawa
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d73b1a275d300ba8b30165dce16e273df57e3e08
Log: fixed bug #60227: header() cannot detect the multi-line header with CR.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 12:02:07 2014 UTC