MFH: Prevent header injection by limiting each header to a single line.

diff --git a/NEWS b/NEWS
index 26de137d4cb16b87953c209ad34cbf4045aba72d..53bb660bc7e589a6818deba3b28c3317e773992d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,7 @@ PHP                                                                        NEWS
   . Fixed isset/empty/(bool) behavior
   . Fixed iterator edge cases
   . Added methods getNamespaces(), getDocNamespaces()
+- Prevent header injection by limiting each header to a single line. (Ilia)
 - Fixed possible XSS inside error reporting functionality. (Ilia)
 - Fixed many bugs in OCI8. (Tony)
 - Fixed crash and leak in mysqli when using 4.1.x client libraries and

diff --git a/main/SAPI.c b/main/SAPI.c
index 981fae805f9935b25eca894441100f7812162986..6c3733ae559e7f49e8cc5b07edda298c86c08185 100644 (file)
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -566,6 +566,19 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
        while(isspace(header_line[header_line_len-1])) 
                  header_line[--header_line_len]='\0';
        
+       /* new line safety check */
+       {
+               char *s = header_line, *e = header_line + header_line_len, *p;
+               while (s < e && (p = memchr(s, '\n', (e - s)))) {
+                       if (*(p + 1) == ' ' || *(p + 1) == '\t') {
+                               s = p + 1;
+                               continue;
+                       }
+                       efree(header_line);
+                       sapi_module.sapi_error(E_WARNING, "Header may not contain more then a single header, new line detected.");
+                       return FAILURE;
+               }
+       }
 
        sapi_header.header = header_line;
        sapi_header.header_len = header_line_len;