iliaa Mon Dec 5 22:39:46 2005 EDT
Modified files: (Branch: PHP_5_1)
/php-src NEWS
/php-src/main SAPI.c
Log:
MFH: Prevent header injection by limiting each header to a single line.
http://cvs.php.net/diff.php/php-src/NEWS?r1=1.2027.2.276&r2=1.2027.2.277&ty=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.276 php-src/NEWS:1.2027.2.277
--- php-src/NEWS:1.2027.2.276 Mon Dec 5 22:09:23 2005
+++ php-src/NEWS Mon Dec 5 22:39:45 2005
@@ -18,6 +18,7 @@
. Fixed isset/empty/(bool) behavior
. Fixed iterator edge cases
. Added methods getNamespaces(), getDocNamespaces()
+- Prevent header injection by limiting each header to a single line. (Ilia)
- Fixed possible XSS inside error reporting functionality. (Ilia)
- Fixed many bugs in OCI8. (Tony)
- Fixed crash and leak in mysqli when using 4.1.x client libraries and
http://cvs.php.net/diff.php/php-src/main/SAPI.c?r1=1.202.2.4&r2=1.202.2.5&ty=u
Index: php-src/main/SAPI.c
diff -u php-src/main/SAPI.c:1.202.2.4 php-src/main/SAPI.c:1.202.2.5
--- php-src/main/SAPI.c:1.202.2.4 Sun Nov 6 17:08:30 2005
+++ php-src/main/SAPI.c Mon Dec 5 22:39:45 2005
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: SAPI.c,v 1.202.2.4 2005/11/06 22:08:30 sniper Exp $ */
+/* $Id: SAPI.c,v 1.202.2.5 2005/12/06 03:39:45 iliaa Exp $ */
#include <ctype.h>
#include <sys/stat.h>
@@ -566,6 +566,19 @@
while(isspace(header_line[header_line_len-1]))
header_line[--header_line_len]='\0';
+ /* new line safety check */
+ {
+ char *s = header_line, *e = header_line + header_line_len, *p;
+ while (s < e && (p = memchr(s, '\n', (e - s)))) {
+ if (*(p + 1) == ' ' || *(p + 1) == '\t') {
+ s = p + 1;
+ continue;
+ }
+ efree(header_line);
+ sapi_module.sapi_error(E_WARNING, "Header may not
contain more then a single header, new line detected.");
+ return FAILURE;
+ }
+ }
sapi_header.header = header_line;
sapi_header.header_len = header_line_len;
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
