[PHP-BUG] Bug #52979 [NEW]: ini variable user_agent allows arbitrary injection

Sun, 03 Oct 2010 06:06:29 -0700 

From:             
Operating system: all
PHP version:      5.3.3
Package:          Streams related
Bug Type:         Bug
Bug description:ini variable user_agent allows arbitrary injection

Description:
------------
The php.ini variable user_agent is not properly sanitized. This allows
arbitrary header injection for any HTTP(S) request made using the http
stream wrapper (see code). This bug has grown a feature, but now using
stream_context_set_option this behaviour should be deprecated.







Test script:
---------------
<?php

// before, insecure:

ini_set('user_agent', "PHP\r\nX-MyCustomHeader: Foo");

$f=file_get_contents('http://www.example.com/index.php');



// now, proper way of adding headers:

$s=stream_context_create();

stream_context_set_option($s,"http","header","X-MyCustomHeader: Foo");

ini_set('user_agent', "PHPX-MyCustomHeader: Foo");

$f=file_get_contents('http://www.example.com/index.php',false,$s);

?>




-- 
Edit bug report at http://bugs.php.net/bug.php?id=52979&edit=1
-- 
Try a snapshot (PHP 5.2):            
http://bugs.php.net/fix.php?id=52979&r=trysnapshot52
Try a snapshot (PHP 5.3):            
http://bugs.php.net/fix.php?id=52979&r=trysnapshot53
Try a snapshot (trunk):              
http://bugs.php.net/fix.php?id=52979&r=trysnapshottrunk
Fixed in SVN:                        
http://bugs.php.net/fix.php?id=52979&r=fixed
Fixed in SVN and need be documented: 
http://bugs.php.net/fix.php?id=52979&r=needdocs
Fixed in release:                    
http://bugs.php.net/fix.php?id=52979&r=alreadyfixed
Need backtrace:                      
http://bugs.php.net/fix.php?id=52979&r=needtrace
Need Reproduce Script:               
http://bugs.php.net/fix.php?id=52979&r=needscript
Try newer version:                   
http://bugs.php.net/fix.php?id=52979&r=oldversion
Not developer issue:                 
http://bugs.php.net/fix.php?id=52979&r=support
Expected behavior:                   
http://bugs.php.net/fix.php?id=52979&r=notwrong
Not enough info:                     
http://bugs.php.net/fix.php?id=52979&r=notenoughinfo
Submitted twice:                     
http://bugs.php.net/fix.php?id=52979&r=submittedtwice
register_globals:                    
http://bugs.php.net/fix.php?id=52979&r=globals
PHP 4 support discontinued:          http://bugs.php.net/fix.php?id=52979&r=php4
Daylight Savings:                    http://bugs.php.net/fix.php?id=52979&r=dst
IIS Stability:                       
http://bugs.php.net/fix.php?id=52979&r=isapi
Install GNU Sed:                     
http://bugs.php.net/fix.php?id=52979&r=gnused
Floating point limitations:          
http://bugs.php.net/fix.php?id=52979&r=float
No Zend Extensions:                  
http://bugs.php.net/fix.php?id=52979&r=nozend
MySQL Configuration Error:           
http://bugs.php.net/fix.php?id=52979&r=mysqlcfg

Reply via email to