main SAPI.c

Ilia Alshanetsky Mon, 05 Dec 2005 19:40:25 -0800

iliaa           Mon Dec  5 22:40:10 2005 EDT

  Modified files:              (Branch: PHP_4_4)
    /php-src    NEWS 
    /php-src/main       SAPI.c 
  Log:
  MFH: Prevent header injection by limiting each header to a single line.
  
  
http://cvs.php.net/diff.php/php-src/NEWS?r1=1.1247.2.920.2.93&r2=1.1247.2.920.2.94&ty=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1247.2.920.2.93 php-src/NEWS:1.1247.2.920.2.94
--- php-src/NEWS:1.1247.2.920.2.93      Mon Dec  5 22:30:39 2005
+++ php-src/NEWS        Mon Dec  5 22:40:08 2005
@@ -1,6 +1,7 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2005, Version 4.4.2
+- Prevent header injection by limiting each header to a single line. (Ilia)
 - Fixed possible XSS inside error reporting functionality. (Ilia)
 - Fixed bug #35536 (mysql_field_type() doesn't handle NEWDECIMAL). (Tony)
 - Fixed bug #35410 (wddx_deserialize() doesn't handle large ints as keys 
http://cvs.php.net/diff.php/php-src/main/SAPI.c?r1=1.155.2.24.2.2&r2=1.155.2.24.2.3&ty=u
Index: php-src/main/SAPI.c
diff -u php-src/main/SAPI.c:1.155.2.24.2.2 php-src/main/SAPI.c:1.155.2.24.2.3
--- php-src/main/SAPI.c:1.155.2.24.2.2  Wed Nov  2 09:43:08 2005
+++ php-src/main/SAPI.c Mon Dec  5 22:40:09 2005
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: SAPI.c,v 1.155.2.24.2.2 2005/11/02 14:43:08 mike Exp $ */
+/* $Id: SAPI.c,v 1.155.2.24.2.3 2005/12/06 03:40:09 iliaa Exp $ */
 
 #include <ctype.h>
 #include <sys/stat.h>
@@ -546,6 +546,19 @@
        while(isspace(header_line[header_line_len-1])) 
                  header_line[--header_line_len]='\0';
        
+       /* new line safety check */
+       {
+               char *s = header_line, *e = header_line + header_line_len, *p;
+               while (s < e && (p = memchr(s, '\n', (e - s)))) {
+                       if (*(p + 1) == ' ' || *(p + 1) == '\t') {
+                               s = p + 1;
+                               continue;
+                       }
+                       efree(header_line);
+                       sapi_module.sapi_error(E_WARNING, "Header may not 
contain more then a single header, new line detected.");
+                       return FAILURE;
+               }
+       }
 
        sapi_header.header = header_line;
        sapi_header.header_len = header_line_len;


-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-CVS] cvs: php-src(PHP_4_4) / NEWS /main SAPI.c

Reply via email to