Cherry-pick 4cc74767

Headers: forbid \r and \n also after \0, allow CRLF followed by HT or SP and forbid \0. See bug #60227.

Conflicts:

	ext/standard/tests/general_functions/bug60227.phpt
	ext/standard/tests/general_functions/bug60227_1.phpt
	ext/standard/tests/general_functions/bug60227_2.phpt
	main/SAPI.c

diff --git a/ext/standard/tests/general_functions/bug60227_1.phpt b/ext/standard/tests/general_functions/bug60227_1.phpt
index f95a061d2c22293753e7b23bfb6fe4ff92c337e5..8efe222adac995b4d17c04ca145c3a6af62695d8 100644 (file)
--- a/ext/standard/tests/general_functions/bug60227_1.phpt
+++ b/ext/standard/tests/general_functions/bug60227_1.phpt
@@ -10,7 +10,7 @@ header("X-Foo5: e\rSet-Cookie: ID=123");
 echo 'foo';
 ?>
 --EXPECTF--
-Warning: Header may not contain more than a single header, new line detected. in %s on line %d
+Warning: Header may not contain more than a single header, new line detected in %s on line %d
 foo
 --EXPECTHEADERS--
 X-Foo1: a

diff --git a/ext/standard/tests/general_functions/bug60227_2.phpt b/ext/standard/tests/general_functions/bug60227_2.phpt
index fd383f3b597df0fd91b8e2bdf319a3156f0bdff0..995c364eea23fa5ea5960ea1d19a2403b23eb819 100644 (file)
--- a/ext/standard/tests/general_functions/bug60227_2.phpt
+++ b/ext/standard/tests/general_functions/bug60227_2.phpt
@@ -7,7 +7,7 @@ header("X-Foo6: e\rSet-Cookie: ID=123\n d");
 echo 'foo';
 ?>
 --EXPECTF--
-Warning: Header may not contain more than a single header, new line detected. in %s on line %d
+Warning: Header may not contain more than a single header, new line detected in %s on line %d
 foo
 --EXPECTHEADERS--
 X-foo: e

diff --git a/ext/standard/tests/general_functions/bug60227_3.phpt b/ext/standard/tests/general_functions/bug60227_3.phpt
new file mode 100644 (file)
index 0000000..8cba9b8
--- /dev/null
+++ b/ext/standard/tests/general_functions/bug60227_3.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #60227 (header() cannot detect the multi-line header with CR), \0 before \n
+--FILE--
+<?php
+header("X-foo: e\n foo");
+header("X-Foo6: e\0Set-Cookie: ID=\n123\n d");
+echo 'foo';
+?>
+--EXPECTF--
+Warning: Header may not contain NUL bytes in %s on line %d
+foo
+--EXPECTHEADERS--
+X-foo: e
+foo

diff --git a/ext/standard/tests/general_functions/bug60227_4.phpt b/ext/standard/tests/general_functions/bug60227_4.phpt
new file mode 100644 (file)
index 0000000..d5e2573
--- /dev/null
+++ b/ext/standard/tests/general_functions/bug60227_4.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #60227 (header() cannot detect the multi-line header with CR), CRLF
+--FILE--
+<?php
+header("X-foo: e\r\n foo");
+header("X-foo: e\r\nfoo");
+echo 'foo';
+?>
+--EXPECTF--
+Warning: Header may not contain more than a single header, new line detected in %s on line %d
+foo
+--EXPECTHEADERS--
+X-foo: e
+ foo

diff --git a/main/SAPI.c b/main/SAPI.c
index e3284cfcf363b2a32fa81f542fb63612ea3b8388..df550e024996cfeb73f341f81e7ed52e07da0f48 100644 (file)
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -616,17 +616,26 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
                        return FAILURE;
                }
        } else {
-               /* new line safety check */
-               char *s = header_line;
-               while ((s = strpbrk(s, "\n\r"))) {
-                       if (s[1] == ' ' || s[1] == '\t') {
-                               /* RFC 2616 allows new lines if followed by SP or HT */
-                               s++;
-                               continue;
+               /* new line/NUL character safety check */
+               int i;
+               for (i = 0; i < header_line_len; i++) {
+                       /* RFC 2616 allows new lines if followed by SP or HT */
+                       int illegal_break =
+                                       (header_line[i+1] != ' ' && header_line[i+1] != '\t')
+                                       && (
+                                               header_line[i] == '\n'
+                                               || (header_line[i] == '\r' && header_line[i+1] != '\n'));
+                       if (illegal_break) {
+                               efree(header_line);
+                               sapi_module.sapi_error(E_WARNING, "Header may not contain "
+                                               "more than a single header, new line detected");
+                               return FAILURE;
+                       }
+                       if (header_line[i] == '\0') {
+                               efree(header_line);
+                               sapi_module.sapi_error(E_WARNING, "Header may not contain NUL bytes");
+                               return FAILURE;
                        }
-                       efree(header_line);
-                       sapi_module.sapi_error(E_WARNING, "Header may not contain more than a single header, new line detected.");
-                       return FAILURE;
                }
        }