On Fri, Feb 3, 2012 at 7:01 AM, Gustavo Lopes <glo...@nebm.ist.utl.pt> wrote:

> On Fri, 03 Feb 2012 13:03:24 +0100, Gustavo Lopes <glo...@nebm.ist.utl.pt>
> wrote:
>
>> On Fri, 03 Feb 2012 12:06:26 +0100, Stefan Esser
>> <stefan.es...@sektioneins.de> wrote:
>>
>> [snip]
>>> obviously inside PHP no one cares about reviewing security patches.
>>
>> Perhaps then you'd want to comment on:
>> http://nebm.ist.utl.pt/~glopes/misc/bug60227.diff,
>> which addresses the NUL byte issue, although now I'm thinking that since
>> we're in the business of validating HTTP headers, we could also forbid the
>> other control characters that are forbidden by the spec (not just LF and
>> CR).
>
> I've committed a different version that also forbids \0 (since, as Stefan
> says, a NUL byte can result in the truncation of the rest of the header)
> and that accepts a CRLF:
>
> http://svn.php.net/viewvc/php/php-src/trunk/main/SAPI.c?r1=323043&r2=323042&pathrev=323043
>
> If you or anyone else find any problem, please report a bug; otherwise
> I'll merge to 5.3 and 5.4 once 5.4 is out of code freeze.
>
> Thanks
>
> --
> Gustavo Lopes
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

I could be wrong, but doesn't:

    (header_line[i+1] != ' ' && header_line[i+1] != '\t')

access an element past the end of the header_line array on the last
iteration of the for loop? Shouldn't the for loop go until
header_line_len - 1?

John
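
Added example, not part of the original thread and not PHP's SAPI.c code: a header check of the kind discussed above, written for a length-delimited buffer so that every look-ahead is bounds-checked. The names `check_header_line` and `hdr_check`, the sample inputs, and the exact rule (NUL rejected, CR/LF accepted only as CRLF followed by SP or HT) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical result codes for this example. */
enum hdr_check { HDR_OK, HDR_HAS_NUL, HDR_BAD_BREAK };

/* Constructed sample inputs (not taken from the thread). */
static const char folded[]   = "X-Test: a\r\n b";
static const char injected[] = "X-Test: a\r\nSet-Cookie: x=1";
static const char with_nul[] = "X-Test: a\0b";

/*
 * Validate a length-delimited header line; the buffer is NOT assumed to be
 * NUL-terminated, so every look-ahead is checked against len first.
 * Assumed rule: NUL is never allowed; CR and LF are allowed only as a CRLF
 * that is immediately followed by SP or HT (a folded line).
 */
static enum hdr_check check_header_line(const char *line, size_t len)
{
    size_t i = 0;
    while (i < len) {
        char c = line[i];
        if (c == '\0')
            return HDR_HAS_NUL;     /* would truncate the rest of the header */
        if (c == '\n')
            return HDR_BAD_BREAK;   /* the LF of a valid fold is skipped below */
        if (c == '\r') {
            /* A fold needs 3 bytes: CR, LF, SP|HT. Check the remaining
             * length before touching line[i + 1] or line[i + 2]. */
            if (len - i < 3 || line[i + 1] != '\n' ||
                (line[i + 2] != ' ' && line[i + 2] != '\t'))
                return HDR_BAD_BREAK;
            i += 3;
            continue;
        }
        i++;
    }
    return HDR_OK;
}

int main(void)
{
    printf("folded=%d injected=%d nul=%d\n",
           check_header_line(folded, sizeof folded - 1),
           check_header_line(injected, sizeof injected - 1),
           check_header_line(with_nul, sizeof with_nul - 1));
    return 0;
}
```

Passing a length that ends at the CR or the LF of `folded` returns `HDR_BAD_BREAK` even though the bytes after the cut would complete a valid fold, which shows the look-ahead never reads beyond `len`.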