From: Ilia Alshanetsky <iliaa@php.net>
Date: Tue, 6 Dec 2005 03:39:45 +0000 (+0000)
Subject: MFH: Prevent header injection by limiting each header to a single line.
X-Git-Tag: php-5.1.2RC1~190
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f2415625d4848b503f1fbcc7986211d6eb4aa7df;p=php

MFH: Prevent header injection by limiting each header to a single line.
---

diff --git a/NEWS b/NEWS
index 26de137d4c..53bb660bc7 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,7 @@ PHP                                                                        NEWS
   . Fixed isset/empty/(bool) behavior
   . Fixed iterator edge cases
   . Added methods getNamespaces(), getDocNamespaces()
+- Prevent header injection by limiting each header to a single line. (Ilia)
 - Fixed possible XSS inside error reporting functionality. (Ilia)
 - Fixed many bugs in OCI8. (Tony)
 - Fixed crash and leak in mysqli when using 4.1.x client libraries and
diff --git a/main/SAPI.c b/main/SAPI.c
index 981fae805f..6c3733ae55 100644
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -566,6 +566,19 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
 	while(isspace(header_line[header_line_len-1])) 
 		  header_line[--header_line_len]='\0';
 	
+	/* new line safety check */
+	{
+		char *s = header_line, *e = header_line + header_line_len, *p;
+		while (s < e && (p = memchr(s, '\n', (e - s)))) {
+			if (*(p + 1) == ' ' || *(p + 1) == '\t') {
+				s = p + 1;
+				continue;
+			}
+			efree(header_line);
+			sapi_module.sapi_error(E_WARNING, "Header may not contain more then a single header, new line detected.");
+			return FAILURE;
+		}
+	}
 
 	sapi_header.header = header_line;
 	sapi_header.header_len = header_line_len;