From: vrana Operating system: Irrelevant PHP version: 5.4.0RC5 Package: HTTP related Bug Type: Bug Bug description:Setting user_agent can send other headers
Description: ------------ Setting 'user_agent' INI value to a string containing a newline causes sending a new header. This behavior is even documented: http://php.net/wrappers.http#wrappers.http.example.custom.headers It is wrong for two reasons: 1. 'user_agent' INI setting should be used only for setting a User-Agent header and not for anything else. 2. It is a potential security risk (header injection) similar to the one fixed in PHP 5.1.2 (but with low impact). (See also bug #52979 but I believe that I am providing a better reasoning.) Test script: --------------- <?php $_POST['user_agent'] = "Robot\r\nX-Command: delete-all"; ini_set('user_agent', $_POST['user_agent']); readfile('http://private/service.php'); ?> Expected result: ---------------- Sending just a User-Agent header, not X-Command header. Actual result: -------------- Sending User-Agent and X-Command headers. If http://private/service.php accepts connections only from trusted sources and parses its commands from headers then it will execute the malicious action. -- Edit bug report at https://bugs.php.net/bug.php?id=60668&edit=1 -- Try a snapshot (PHP 5.4): https://bugs.php.net/fix.php?id=60668&r=trysnapshot54 Try a snapshot (PHP 5.3): https://bugs.php.net/fix.php?id=60668&r=trysnapshot53 Try a snapshot (trunk): https://bugs.php.net/fix.php?id=60668&r=trysnapshottrunk Fixed in SVN: https://bugs.php.net/fix.php?id=60668&r=fixed Fixed in SVN and need be documented: https://bugs.php.net/fix.php?id=60668&r=needdocs Fixed in release: https://bugs.php.net/fix.php?id=60668&r=alreadyfixed Need backtrace: https://bugs.php.net/fix.php?id=60668&r=needtrace Need Reproduce Script: https://bugs.php.net/fix.php?id=60668&r=needscript Try newer version: https://bugs.php.net/fix.php?id=60668&r=oldversion Not developer issue: https://bugs.php.net/fix.php?id=60668&r=support Expected behavior: https://bugs.php.net/fix.php?id=60668&r=notwrong Not enough info: https://bugs.php.net/fix.php?id=60668&r=notenoughinfo Submitted twice: https://bugs.php.net/fix.php?id=60668&r=submittedtwice register_globals: https://bugs.php.net/fix.php?id=60668&r=globals PHP 4 support discontinued: https://bugs.php.net/fix.php?id=60668&r=php4 Daylight Savings: https://bugs.php.net/fix.php?id=60668&r=dst IIS Stability: https://bugs.php.net/fix.php?id=60668&r=isapi Install GNU Sed: https://bugs.php.net/fix.php?id=60668&r=gnused Floating point limitations: https://bugs.php.net/fix.php?id=60668&r=float No Zend Extensions: https://bugs.php.net/fix.php?id=60668&r=nozend MySQL Configuration Error: https://bugs.php.net/fix.php?id=60668&r=mysqlcfg
