Edit report at http://bugs.php.net/bug.php?id=52979&edit=1

 ID:                 52979
 User updated by:    marco at vmsoft-gbr dot de
 Reported by:        marco at vmsoft-gbr dot de
 Summary:            ini variable user_agent allows arbitrary injection
 Status:             Open
 Type:               Bug
 Package:            Streams related
 Operating System:   all
 PHP Version:        5.3.3
 Block user comment: N

 New Comment:

The patch sanitizes the user_agent ini variable, so that this can't be
exploited any more. It also gives out a warning so people update their
buggy scripts.

Previous Comments:
------------------------------------------------------------------------
[2010-10-03 15:08:01] marco at vmsoft-gbr dot de

Cut out the "ini_set('user_agent', "PHPX-MyCustomHeader: Foo");" in the
testscript, this was a copy mistake

------------------------------------------------------------------------
[2010-10-03 15:06:16] marco at vmsoft-gbr dot de

Description:
------------
The php.ini variable user_agent is not properly sanitized. This allows
arbitrary header injection for any HTTP(S) request made using the http
stream wrapper (see code). This bug has grown a feature, but now using
stream_context_set_option this behaviour should be deprecated.

Test script:
---------------
<?php
// before, insecure:
ini_set('user_agent', "PHP\r\nX-MyCustomHeader: Foo");
$f=file_get_contents('http://www.example.com/index.php');

// now, proper way of adding headers:
$s=stream_context_create();
stream_context_set_option($s,"http","header","X-MyCustomHeader: Foo");
ini_set('user_agent', "PHPX-MyCustomHeader: Foo");
$f=file_get_contents('http://www.example.com/index.php',false,$s);
?>

------------------------------------------------------------------------
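
Added example, not part of the report and not the patch it mentions: a userland version of the behaviour the new comment describes (cut the user_agent value at the first line break and warn), combined with the stream-context way of adding headers from the test script. The helper names sanitize_user_agent() and filter_header_lines() are hypothetical, the inputs are constructed, and the code assumes PHP 7 or later.

```php
<?php
// Added example (not the patch from this report). Both helper names are hypothetical.

// Cut the User-Agent value at the first CR or LF and warn, so nothing after a
// line break can reach the request as an extra header line.
function sanitize_user_agent(string $ua): string
{
    $len = strcspn($ua, "\r\n");
    if ($len !== strlen($ua)) {
        trigger_error('user_agent contains CR/LF; value truncated', E_USER_WARNING);
        $ua = substr($ua, 0, $len);
    }
    return $ua;
}

// Accept only single-line "Name: value" headers; reject anything carrying
// CR, LF or NUL instead of trying to repair it.
function filter_header_lines(array $headers): array
{
    $ok = [];
    foreach ($headers as $h) {
        if (preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n\0]*$/D', $h) === 1) {
            $ok[] = $h;
        } else {
            // Escape control characters so the warning itself stays on one line.
            trigger_error('header line rejected: ' . addcslashes($h, "\0..\37"), E_USER_WARNING);
        }
    }
    return $ok;
}

// Constructed inputs: the value from the test script above plus one bad header.
$ua      = sanitize_user_agent("PHP\r\nX-MyCustomHeader: Foo");
$headers = filter_header_lines([
    'X-MyCustomHeader: Foo',
    "X-Other: a\r\nX-Smuggled: b",
]);

// Extra headers go through the stream context, never through user_agent.
$ctx = stream_context_create(['http' => ['user_agent' => $ua, 'header' => $headers]]);

// No request is sent; inspect what the http wrapper would be given.
var_dump(stream_context_get_options($ctx)['http']);
```

Run from the CLI, this emits two warnings and dumps a context whose user_agent is "PHP" and whose header list holds only "X-MyCustomHeader: Foo".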