
Commit 3657693

committed
Fix #81518: Header injection via default_mimetype / default_charset
We forbid setting these INI options to values containing NUL bytes, CR or LF. Closes GH-7574.
1 parent 788a701 commit 3657693


4 files changed

+46
-1
lines changed


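--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.4.26
 
+- Core:
+. Fixed bug #81518 (Header injection via default_mimetype / default_charset).
+(cmb)
+
 - MySQLi:
 . Fixed bug #81494 (Stopped unbuffered query does not throw error). (Nikita)
 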

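--- a/main/main.c
+++ b/main/main.c
@@ -614,6 +614,10 @@ PHPAPI void (*php_internal_encoding_changed)(void) = NULL;
 */
 static PHP_INI_MH(OnUpdateDefaultCharset)
 {
+if (memchr(ZSTR_VAL(new_value), '\0', ZSTR_LEN(new_value))
+|| strpbrk(ZSTR_VAL(new_value), "\r\n")) {
+return FAILURE;
+}
 OnUpdateString(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
 if (php_internal_encoding_changed) {
 php_internal_encoding_changed();
@@ -627,6 +631,18 @@ static PHP_INI_MH(OnUpdateDefaultCharset)
 }
 /* }}} */
 
+/* {{{ PHP_INI_MH
+*/
+static PHP_INI_MH(OnUpdateDefaultMimeTye)
+{
+if (memchr(ZSTR_VAL(new_value), '\0', ZSTR_LEN(new_value))
+|| strpbrk(ZSTR_VAL(new_value), "\r\n")) {
+return FAILURE;
+}
+return OnUpdateString(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
+}
+/* }}} */
+
 /* {{{ PHP_INI_MH
 */
 static PHP_INI_MH(OnUpdateInternalEncoding)
@@ -782,7 +798,7 @@ PHP_INI_BEGIN()
 STD_PHP_INI_ENTRY("auto_prepend_file", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, auto_prepend_file, php_core_globals, core_globals)
 STD_PHP_INI_ENTRY("doc_root", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, doc_root, php_core_globals, core_globals)
 STD_PHP_INI_ENTRY("default_charset", PHP_DEFAULT_CHARSET, PHP_INI_ALL, OnUpdateDefaultCharset, default_charset, sapi_globals_struct, sapi_globals)
-STD_PHP_INI_ENTRY("default_mimetype", SAPI_DEFAULT_MIMETYPE, PHP_INI_ALL, OnUpdateString, default_mimetype, sapi_globals_struct, sapi_globals)
+STD_PHP_INI_ENTRY("default_mimetype", SAPI_DEFAULT_MIMETYPE, PHP_INI_ALL, OnUpdateDefaultMimeTye, default_mimetype, sapi_globals_struct, sapi_globals)
 STD_PHP_INI_ENTRY("internal_encoding", NULL, PHP_INI_ALL, OnUpdateInternalEncoding, internal_encoding, php_core_globals, core_globals)
 STD_PHP_INI_ENTRY("input_encoding", NULL, PHP_INI_ALL, OnUpdateInputEncoding, input_encoding, php_core_globals, core_globals)
 STD_PHP_INI_ENTRY("output_encoding", NULL, PHP_INI_ALL, OnUpdateOutputEncoding, output_encoding, php_core_globals, core_globals)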
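Review bot: The NUL/CR/LF guard is pasted verbatim into both OnUpdateDefaultCharset (new lines 617-620) and the new mimetype handler (638-641) with no comment saying why, so a later INI option that also feeds a response header could be added without it. I would put a comment above each check, e.g. `/* value ends up in the Content-Type header: reject NUL, CR and LF (header injection, bug #81518) */`, or move the test into one small static helper that both handlers call. The ordering also deserves a word in that comment: `memchr` has to run first, because `strpbrk` stops scanning at the first NUL. Separately, the handler name `OnUpdateDefaultMimeTye` (line 636 and the `default_mimetype` entry at 801) misspells "Type"; it is static, so renaming it to `OnUpdateDefaultMimeType` is safe. OnUpdateDefaultCharset's body continues outside the first hunk.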

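--- a/sapi/cgi/tests/bug81518a.phpt
+++ b/sapi/cgi/tests/bug81518a.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #81518 (Header injection via default_mimetype / default_charset)
+--CGI--
+--FILE--
+<?php
+ini_set(
+"default_mimetype",
+"text/html;charset=ISO-8859-1\r\nContent-Length: 31\r\n\r\n" .
+"Lets smuggle a HTTP response.\r\n"
+);
+?>
+--EXPECTHEADERS--
+Content-type: text/html; charset=UTF-8
+--EXPECT--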
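Review bot: Both regression tests (this file and bug81518b.phpt) exercise only a value containing CRLF, so the `memchr` branch for NUL bytes and the bare-CR / bare-LF cases of the new guard in main/main.c are not covered. Neither test checks that the setting was actually refused; wrapping the call as `var_dump(ini_set(...));` and expecting `bool(false)` in `--EXPECT--` would pin the rejection itself, not just the resulting header. A third case with a NUL byte in the value would keep the `memchr`-before-`strpbrk` ordering from regressing unnoticed.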

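--- a/sapi/cgi/tests/bug81518b.phpt
+++ b/sapi/cgi/tests/bug81518b.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #81518 (Header injection via default_mimetype / default_charset)
+--CGI--
+--FILE--
+<?php
+ini_set('default_charset', 'ISO-8859-1' . "\r\nHeader-Injection: Works!");
+header('Content-Type: text/html');
+?>
+--EXPECTHEADERS--
+Content-type: text/html;charset=UTF-8
+--EXPECT--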
