Edit report at https://bugs.php.net/bug.php?id=60668&edit=1
ID: 60668
Updated by: il...@php.net
Reported by: vr...@php.net
Summary: Setting user_agent can send other headers
-Status: Open
+Status: Not a bug
Type: Bug
Package: HTTP related
Operating System: Irrelevant
PHP Version: 5.4.0RC5
Block user comment: N
Private report: N

New Comment:

Sorry, but your problem does not imply a bug in PHP itself. For a list of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php as this bug system is not the appropriate forum for asking support questions. Due to the volume of reports we cannot explain in detail here why your report is not a bug. The support channels will be able to provide an explanation for you.

Thank you for your interest in PHP.

It is up to the developer to ensure that input supplied by the user is properly validated before being transmitted back to the user or to external services. In this particular case the issue is input validation. You can do the same operation with any stream operation by feeding it user data. For example:

    $fp = fsockopen($web_server, 80);
    fwrite($fp, $user_input);
    ...

Previous Comments:
------------------------------------------------------------------------
[2012-01-25 10:48:38] me at ktamura dot com

vrana: I think this is a pretty bad security issue. Here is a proposed diff as a github gist: https://gist.github.com/1675788
------------------------------------------------------------------------
[2012-01-06 10:08:41] vr...@php.net

Description:
------------
Setting the 'user_agent' INI value to a string containing a newline causes a new header to be sent. This behavior is even documented: http://php.net/wrappers.http#wrappers.http.example.custom.headers

It is wrong for two reasons:

1. The 'user_agent' INI setting should be used only for setting a User-Agent header and not for anything else.
2. It is a potential security risk (header injection) similar to the one fixed in PHP 5.1.2 (but with low impact).

(See also bug #52979 but I believe that I am providing a better reasoning.)

Test script:
---------------
    <?php
    $_POST['user_agent'] = "Robot\r\nX-Command: delete-all";
    ini_set('user_agent', $_POST['user_agent']);
    readfile('http://private/service.php');
    ?>

Expected result:
----------------
Sending just a User-Agent header, not an X-Command header.

Actual result:
--------------
Sending User-Agent and X-Command headers. If http://private/service.php accepts connections only from trusted sources and parses its commands from headers, then it will execute the malicious action.
------------------------------------------------------------------------
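The maintainer closes the report as an input-validation problem on the caller's side. The following is an added example, not code from the bug report, from the gist, or from PHP itself: it takes the reporter's exact payload ("Robot\r\nX-Command: delete-all") and the URL http://private/service.php from the report, shows the vulnerable ini_set() pattern only as a comment for contrast, and replaces it with a fail-closed check on the header value plus a per-request stream context. The function names assert_safe_header_value, http_context_with_user_agent and fetch_with_user_agent are made up for this illustration.

```php
<?php
declare(strict_types=1);

// Added example; not code from the bug report or from PHP itself. The URL
// http://private/service.php and the header values come from the report;
// the function names below are invented for this illustration.

/**
 * Reject any header value that could break out of its header line.
 * RFC 7230 allows visible ASCII, space, horizontal tab and bytes 0x80-0xFF in
 * a field value; CR, LF, NUL, the other C0 controls and DEL are never legal,
 * so their presence means injection rather than a plausible product token.
 */
function assert_safe_header_value(string $value): string
{
    if (preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value) === 1) {
        throw new InvalidArgumentException('header value contains control characters');
    }
    return $value;
}

/**
 * Scope the User-Agent to one request through a stream context instead of
 * ini_set('user_agent', ...), which changes a process-wide setting and, as the
 * report shows, copies the value verbatim into the request. The value is
 * still validated first: the context option is not a sanitizer either.
 */
function http_context_with_user_agent(string $userAgent)
{
    return stream_context_create([
        'http' => ['user_agent' => assert_safe_header_value($userAgent)],
    ]);
}

/**
 * Hardened counterpart of the report's readfile() call: fails closed on a
 * bad User-Agent instead of sending a second header to the upstream service.
 */
function fetch_with_user_agent(string $url, string $userAgent): string|false
{
    return file_get_contents($url, false, http_context_with_user_agent($userAgent));
}

// Vulnerable pattern from the report, kept as a comment for contrast:
//   ini_set('user_agent', $_POST['user_agent']);
//   readfile('http://private/service.php');
// With the second input below, the request carries two header lines:
//   User-Agent: Robot
//   X-Command: delete-all

// Constructed inputs: a benign value and the exact payload from the report.
$inputs = ['Robot', "Robot\r\nX-Command: delete-all"];

foreach ($inputs as $ua) {
    try {
        assert_safe_header_value($ua);
        echo 'accepted: ', json_encode($ua), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($ua), ' (', $e->getMessage(), ')', PHP_EOL;
    }
}

// Only a value that passed the check is allowed to reach the wire, e.g.:
// $body = fetch_with_user_agent('http://private/service.php', $_POST['user_agent'] ?? '');
```

Rejecting rather than stripping is deliberate: a User-Agent containing CR or LF has no legitimate reading, and silently removing the bytes would hide the attempt from the application's own logging. The same check applies to the 'header' context option, since the documentation the reporter links shows it accepting "\r\n"-separated lines by design, and to anything else that writes user input into a stream, which is the maintainer's point with the fsockopen()/fwrite() fragment.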