Even if this was not possible, userland code still could quite
easily send such requests by other means, so this doesn't qualify
as security issue.  Or, according to our security
classification[1] it is not a security issue, because it:

| requires invocation of specific code, which may be valid but is
| obviously malicious

I agree, though, that we better do not allow multiple consecutive
line breaks here.

[1] <https://wiki.php.net/security>

I understood this testing script seems too malicious, but how about the following code?


<?php

$ctx = stream_context_create(array(
        "http" => array(
                "header" => "User-Agent: ".$_GET["UA"],
                "content" => "q=".$_GET["q"]
        )));
?>

I know that many developers are using file_get_content to call simple API services instead of using curl, something like this really can be happened in the real world.

Also, it seems like we can inject multiple consequence cr-lf in content for the same reason, this is more likely to exist in the real world.

Well, if you are not validating/sanitizing user input, almost
anything can happen.  At least in the general case, PHP cannot
prevent exploits of such bad code, like

    include $_GET['filename']

And yes, this is a serious security issue, but not in php-src,
but rather in the userland code.

I understood it's usually a userland problem, but in my opinion, it's not only the userland's problem. Since the intended action for providing context manually to file_get_contents intends to let user/developer set the HTTP header, not to split/smuggle HTTP request. This may allow performing SSRF attacks in the wild.

In addition, everyone can agree/realize that include example you gave is malicious easily, however for this example, I'm not sure they really wrote the code with understood of danger.

Even this is not categorized as a security bug, I hope that this can be fixed, or the probability of SSRF should be mentioned in the document.

PS, I heard that this bug is actually used for CTF competition (ISITDTU CTF 2021 Finals), for triggering SSRF.

(https://www.linkedin.com/pulse/augusta-precious-metals-review-best-gold-ira-company-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/goldco-review-gold-ira-rollover-precious-metal-company-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/how-apply-employee-retention-credit-erc-complete-guide-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/best-gold-ira-companies-investment-retirement-accounts-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/ira-allowable-precious-metals-best-ira-approved-metal-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/roth-gold-ira-account-best-companies-how-works-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/what-employee-retention-tax-credit-ertc-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/best-precious-metals-ira-2023-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/best-silver-ira-companies-2023-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/how-protect-your-401k-from-market-crash-recession-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/goldco-vs-augusta-precious-metals-which-best-gold-ira-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/how-move-401k-gold-ira-without-penalty-jeffrey-keever/)github.com 
(https://www.linkedin.com/pulse/how-buy-physical-gold-your-401k-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/noble-gold-investments-review-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/best-paying-jobs-precious-metals-jeffrey-keever/)github.com
(https://www.linkedin.com/pulse/how-buy-gold-ira-jeffrey-keever-1e/)github.com