?? ??? 20?? PHP 5.4.38
- Core:
+ . Removed support for multi-line headers, as the are deprecated by RFC 7230.
+ (Stas)
. Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname
buffer overflow). (Stas)
--TEST--
Bug #60227 (header() cannot detect the multi-line header with CR), \r before \n
+--INI--
+expose_php=0
--FILE--
<?php
header("X-foo: e\n foo");
-header("X-Foo6: e\rSet-Cookie: ID=123\n d");
echo 'foo';
?>
--EXPECTF--
+
Warning: Header may not contain more than a single header, new line detected in %s on line %d
foo
--EXPECTHEADERS--
-X-foo: e
-foo
+Content-type: text/html; charset=UTF-8
--TEST--
Bug #60227 (header() cannot detect the multi-line header with CR), \0 before \n
+--INI--
+expose_php=0
--FILE--
<?php
-header("X-foo: e\n foo");
header("X-Foo6: e\0Set-Cookie: ID=\n123\n d");
echo 'foo';
?>
Warning: Header may not contain NUL bytes in %s on line %d
foo
--EXPECTHEADERS--
-X-foo: e
-foo
+Content-type: text/html; charset=UTF-8
--TEST--
Bug #60227 (header() cannot detect the multi-line header with CR), CRLF
+--INI--
+expose_php=0
--FILE--
<?php
-header("X-foo: e\r\n foo");
header("X-foo: e\r\nfoo");
echo 'foo';
?>
Warning: Header may not contain more than a single header, new line detected in %s on line %d
foo
--EXPECTHEADERS--
-X-foo: e
- foo
+Content-type: text/html; charset=UTF-8
/* new line/NUL character safety check */
int i;
for (i = 0; i < header_line_len; i++) {
- /* RFC 2616 allows new lines if followed by SP or HT */
- int illegal_break =
- (header_line[i+1] != ' ' && header_line[i+1] != '\t')
- && (
- header_line[i] == '\n'
- || (header_line[i] == '\r' && header_line[i+1] != '\n'));
- if (illegal_break) {
+ /* RFC 7230 ch. 3.2.4 deprecates folding support */
+ if (header_line[i] == '\n' || header_line[i] == '\r') {
efree(header_line);
sapi_module.sapi_error(E_WARNING, "Header may not contain "
"more than a single header, new line detected");
projects / php / commitdiff