Edit report at http://bugs.php.net/bug.php?id=52979&edit=1
ID:                 52979
Updated by:         il...@php.net
Reported by:        marco at vmsoft-gbr dot de
Summary:            ini variable user_agent allows arbitrary injection
-Status:            Open
+Status:            Bogus
Type:               Bug
Package:            Streams related
Operating System:   all
PHP Version:        5.3.3
Block user comment: N
Private report:     N

New Comment:

Sorry, but your problem does not imply a bug in PHP itself. For a list of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php as this bug system is not the appropriate forum for asking support questions. Due to the volume of reports we cannot explain in detail here why your report is not a bug. The support channels will be able to provide an explanation for you.

Thank you for your interest in PHP.

It is a code bug: if injection occurs into your code, the problem is with the code itself.

Previous Comments:
------------------------------------------------------------------------
[2010-10-03 15:10:22] marco at vmsoft-gbr dot de

The patch sanitizes the user_agent ini variable, so that this can't be exploited any more. It also gives out a warning so people update their buggy scripts.

------------------------------------------------------------------------
[2010-10-03 15:08:01] marco at vmsoft-gbr dot de

Cut out the "ini_set('user_agent', "PHPX-MyCustomHeader: Foo");" in the test script, this was a copy mistake.

------------------------------------------------------------------------
[2010-10-03 15:06:16] marco at vmsoft-gbr dot de

Description:
------------
The php.ini variable user_agent is not properly sanitized. This allows arbitrary header injection for any HTTP(S) request made using the http stream wrapper (see code).

This bug has grown a feature, but now using stream_context_set_option this behaviour should be deprecated.
Test script:
---------------
<?php
// before, insecure: the CRLF inside user_agent terminates the User-Agent
// line and smuggles an extra header into every http-wrapper request
ini_set('user_agent', "PHP\r\nX-MyCustomHeader: Foo");
$f = file_get_contents('http://www.example.com/index.php');

// now, proper way of adding headers: pass them through the stream context
$s = stream_context_create();
stream_context_set_option($s, "http", "header", "X-MyCustomHeader: Foo");
// (a stray ini_set('user_agent', "PHPX-MyCustomHeader: Foo") that stood here
//  was a copy mistake, per the reporter's follow-up, and has been dropped)
$f = file_get_contents('http://www.example.com/index.php', false, $s);
?>

------------------------------------------------------------------------
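The defensive counterpart to the report above, as an added example that is not part of the bug report or of the PHP patch the reporter mentions: a wrapper that refuses a user_agent value containing CR/LF or other control bytes (and warns, as the reporter's patch is described as doing), next to a helper that sends extra headers the supported way through the http stream context. The function names set_user_agent_safe() and fetch_with_headers() are hypothetical.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Helper names are hypothetical.

/**
 * Set the user_agent ini value only if it cannot break out of the
 * User-Agent header line. Returns true if set, false if refused.
 */
function set_user_agent_safe($ua)
{
    // Any byte in 0x00-0x1F or 0x7F (CR, LF, NUL, ...) would let the
    // value end the User-Agent line and start a new header.
    if (preg_match('/[\x00-\x1F\x7F]/', $ua)) {
        trigger_error(
            'user_agent contains control characters; refusing to set it',
            E_USER_WARNING
        );
        return false;
    }
    return ini_set('user_agent', $ua) !== false;
}

/**
 * Fetch a URL with additional request headers passed through the
 * http stream context, the mechanism the reporter recommends instead
 * of smuggling them into user_agent.
 */
function fetch_with_headers($url, array $headers)
{
    // Apply the same CR/LF check to each caller-supplied header line.
    foreach ($headers as $h) {
        if (preg_match('/[\r\n]/', $h)) {
            throw new InvalidArgumentException("header contains CR/LF: $h");
        }
    }
    $ctx = stream_context_create(array(
        'http' => array('header' => implode("\r\n", $headers)),
    ));
    return file_get_contents($url, false, $ctx);
}

// Constructed inputs: the report's injected value is refused, a plain one is accepted.
var_dump(set_user_agent_safe("PHP\r\nX-MyCustomHeader: Foo")); // bool(false), warning emitted
var_dump(set_user_agent_safe("PHP/5.3 MyApp"));                   // bool(true)
$body = fetch_with_headers('http://www.example.com/index.php',
                           array('X-MyCustomHeader: Foo'));
```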