Fixes #79265: Improper injection of Host header when using fopen for http requests
Check all occurrences of the string "host:" (and other headers), not just the first one.
parent
9e6358af36
commit
d0d60503b5
2
NEWS
2
NEWS
@ -28,6 +28,8 @@ PHP NEWS
|
||||
|
||||
- Standard:
|
||||
. Fixed bug #79254 (getenv() w/o arguments not showing changes). (cmb)
|
||||
. Fixed bug #79265 (Improper injection of Host header when using fopen for
|
||||
http requests). (Miguel Xavier Penha Neto)
|
||||
|
||||
20 Feb 2020, PHP 7.3.15
|
||||
|
||||
|
@ -460,41 +460,76 @@ finish:
|
||||
strip_header(user_headers, t, "content-type:");
|
||||
}
|
||||
|
||||
if ((s = strstr(t, "user-agent:")) &&
|
||||
(s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ')) {
|
||||
s = t;
|
||||
while ((s = strstr(s, "user-agent:"))) {
|
||||
if (s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ') {
|
||||
have_header |= HTTP_HEADER_USER_AGENT;
|
||||
break;
|
||||
}
|
||||
if ((s = strstr(t, "host:")) &&
|
||||
(s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ')) {
|
||||
s++;
|
||||
}
|
||||
|
||||
s = t;
|
||||
while ((s = strstr(s, "host:"))) {
|
||||
if (s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ') {
|
||||
have_header |= HTTP_HEADER_HOST;
|
||||
break;
|
||||
}
|
||||
if ((s = strstr(t, "from:")) &&
|
||||
(s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ')) {
|
||||
s++;
|
||||
}
|
||||
|
||||
s = t;
|
||||
while ((s = strstr(s, "from:"))) {
|
||||
if (s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ') {
|
||||
have_header |= HTTP_HEADER_FROM;
|
||||
break;
|
||||
}
|
||||
if ((s = strstr(t, "authorization:")) &&
|
||||
(s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ')) {
|
||||
s++;
|
||||
}
|
||||
|
||||
s = t;
|
||||
while ((s = strstr(s, "authorization:"))) {
|
||||
if (s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ') {
|
||||
have_header |= HTTP_HEADER_AUTH;
|
||||
break;
|
||||
}
|
||||
if ((s = strstr(t, "content-length:")) &&
|
||||
(s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ')) {
|
||||
s++;
|
||||
}
|
||||
|
||||
s = t;
|
||||
while ((s = strstr(s, "content-length:"))) {
|
||||
if (s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ') {
|
||||
have_header |= HTTP_HEADER_CONTENT_LENGTH;
|
||||
break;
|
||||
}
|
||||
if ((s = strstr(t, "content-type:")) &&
|
||||
(s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ')) {
|
||||
s++;
|
||||
}
|
||||
|
||||
s = t;
|
||||
while ((s = strstr(s, "content-type:"))) {
|
||||
if (s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ') {
|
||||
have_header |= HTTP_HEADER_TYPE;
|
||||
break;
|
||||
}
|
||||
if ((s = strstr(t, "connection:")) &&
|
||||
(s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ')) {
|
||||
s++;
|
||||
}
|
||||
|
||||
s = t;
|
||||
while ((s = strstr(s, "connection:"))) {
|
||||
if (s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
*(s-1) == '\t' || *(s-1) == ' ') {
|
||||
have_header |= HTTP_HEADER_CONNECTION;
|
||||
break;
|
||||
}
|
||||
s++;
|
||||
}
|
||||
|
||||
/* remove Proxy-Authorization header */
|
||||
if (use_proxy && use_ssl && (s = strstr(t, "proxy-authorization:")) &&
|
||||
(s == t || *(s-1) == '\r' || *(s-1) == '\n' ||
|
||||
|
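Review bot: The boundary test in each new loop still accepts a preceding space or tab (`*(s-1) == '\t' || *(s-1) == ' '`), so a header value that merely contains ` host:` sets HTTP_HEADER_HOST and suppresses the automatic Host header; a header name can only begin at the start of the buffer or directly after a line break. The same loop is now written out seven times, so a small static helper would keep the seven checks identical and make the boundary rule a single line to audit. The `proxy-authorization:` test kept as context at the end of the hunk still looks only at the first occurrence; assuming the strip that follows is keyed on that match, a real Proxy-Authorization header could stay in the request when the string appears earlier inside another header's value, so it deserves the same treatment. The enclosing function starts and ends outside the hunk.

```c
/* Returns 1 when `name` (lowercase, with its trailing ':') begins a header line in `headers`. */
static int has_header_line(const char *headers, const char *name)
{
	const char *s = headers;

	while ((s = strstr(s, name))) {
		if (s == headers || *(s-1) == '\r' || *(s-1) == '\n') {
			return 1;
		}
		s++;
	}
	return 0;
}

/* … unchanged: strip_header(user_headers, t, "content-type:") … */
if (has_header_line(t, "user-agent:")) {
	have_header |= HTTP_HEADER_USER_AGENT;
}
if (has_header_line(t, "host:")) {
	have_header |= HTTP_HEADER_HOST;
}
/* … same pattern for from:, authorization:, content-length:, content-type:, connection: … */
```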
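--- a/ext/standard/tests/http/bug79265.phpt
+++ b/ext/standard/tests/http/bug79265.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Bug #79265 (Improper injection of Host header when using fopen for http requests)
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
+--FILE--
+<?php
+require 'server.inc';
+
+$responses = array(
+"data://text/plain,HTTP/1.0 200 OK\r\n\r\n",
+);
+
+$pid = http_server("tcp://127.0.0.1:12342", $responses, $output);
+
+$opts = array(
+'http'=>array(
+'method'=>"GET",
+'header'=>"RandomHeader: localhost:8080\r\n" .
+"Cookie: foo=bar\r\n" .
+"Host: userspecifiedvalue\r\n"
+)
+);
+$context = stream_context_create($opts);
+$fd = fopen('http://127.0.0.1:12342/', 'rb', false, $context);
+fseek($output, 0, SEEK_SET);
+echo stream_get_contents($output);
+fclose($fd);
+
+http_server_kill($pid);
+
+?>
+--EXPECT--
+GET / HTTP/1.0
+Connection: close
+RandomHeader: localhost:8080
+Cookie: foo=bar
+Host: userspecifiedvalue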