From 7859464838054605c484ba8b9b0ab98d76053339 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Tue, 6 Dec 2005 03:40:09 +0000
Subject: [PATCH] MFH: Prevent header injection by limiting each header to a
 single line.

---
 NEWS        |  1 +
 main/SAPI.c | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/NEWS b/NEWS
index 4b98b56d98..23d38dc31c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2005, Version 4.4.2
+- Prevent header injection by limiting each header to a single line. (Ilia)
 - Fixed possible XSS inside error reporting functionality. (Ilia)
 - Fixed bug #35536 (mysql_field_type() doesn't handle NEWDECIMAL). (Tony)
 - Fixed bug #35410 (wddx_deserialize() doesn't handle large ints as keys 
diff --git a/main/SAPI.c b/main/SAPI.c
index 451bb217f9..769a039fc3 100644
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -546,6 +546,19 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
 	while(isspace(header_line[header_line_len-1])) 
 		  header_line[--header_line_len]='\0';
 	
+	/* new line safety check */
+	{
+		char *s = header_line, *e = header_line + header_line_len, *p;
+		while (s < e && (p = memchr(s, '\n', (e - s)))) {
+			if (*(p + 1) == ' ' || *(p + 1) == '\t') {
+				s = p + 1;
+				continue;
+			}
+			efree(header_line);
+			sapi_module.sapi_error(E_WARNING, "Header may not contain more then a single header, new line detected.");
+			return FAILURE;
+		}
+	}
 
 	sapi_header.header = header_line;
 	sapi_header.header_len = header_line_len;
-- 
2.40.0