MFH: Prevent header injection by limiting each header to a single line.

diff --git a/NEWS b/NEWS
index 4b98b56d98772f13923e91cd2b5bf98ccb4b04f2..23d38dc31c7137c21c5bb335f778943baf359edb 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2005, Version 4.4.2
+- Prevent header injection by limiting each header to a single line. (Ilia)
 - Fixed possible XSS inside error reporting functionality. (Ilia)
 - Fixed bug #35536 (mysql_field_type() doesn't handle NEWDECIMAL). (Tony)
 - Fixed bug #35410 (wddx_deserialize() doesn't handle large ints as keys 

diff --git a/main/SAPI.c b/main/SAPI.c
index 451bb217f95e3b9f1096d30b28b650ae91f64896..769a039fc33ed135f64909443209b9f5e376364e 100644 (file)
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -546,6 +546,19 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
        while(isspace(header_line[header_line_len-1])) 
                  header_line[--header_line_len]='\0';
        
+       /* new line safety check */
+       {
+               char *s = header_line, *e = header_line + header_line_len, *p;
+               while (s < e && (p = memchr(s, '\n', (e - s)))) {
+                       if (*(p + 1) == ' ' || *(p + 1) == '\t') {
+                               s = p + 1;
+                               continue;
+                       }
+                       efree(header_line);
+                       sapi_module.sapi_error(E_WARNING, "Header may not contain more then a single header, new line detected.");
+                       return FAILURE;
+               }
+       }
 
        sapi_header.header = header_line;
        sapi_header.header_len = header_line_len;