Newsgroups: php.internals
Subject: Re: [PHP-DEV] The case of HTTP response splitting protection in PHP
From: john.lesueur@gmail.com (John LeSueur)
To: Gustavo Lopes
Cc: internals@lists.php.net
Date: Fri, 3 Feb 2012 07:13:56 -0700

On Fri, Feb 3, 2012 at 7:01 AM, Gustavo Lopes wrote:

> On Fri, 03 Feb 2012 13:03:24 +0100, Gustavo Lopes wrote:
>
>> On Fri, 03 Feb 2012 12:06:26 +0100, Stefan Esser <stefan.esser@sektioneins.de> wrote:
>>
>> [snip]
>>> obviously inside PHP no one cares about reviewing security patches.
>>
>> Perhaps then you'd want to comment on:
>> http://nebm.ist.utl.pt/~glopes/misc/bug60227.diff, which addresses the
>> NUL byte issue, although now I'm thinking that since we're in the
>> business of validating HTTP headers, we could also forbid the other
>> control characters that are forbidden by the spec (not just LF and CR).
>
> I've committed a different version that also forbids \0 (since, as Stefan
> says, a NUL byte can result in the truncation of the rest of the header)
> and that accepts a CRLF:
>
> http://svn.php.net/viewvc/php/php-src/trunk/main/SAPI.c?r1=323043&r2=323042&pathrev=323043
>
> If you or anyone else find any problem, please report a bug; otherwise
> I'll merge to 5.3 and 5.4 once 5.4 is out of code freeze.
>
> Thanks
>
> --
> Gustavo Lopes
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

I could be wrong, but doesn't:

    (header_line[i+1] != ' ' && header_line[i+1] != '\t')

access an element past the end of the header_line array on the last iteration of the for loop? Shouldn't the for loop go until header_line_len - 1?

John
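The thread is about a header-line check in PHP's main/SAPI.c that rejects bare CR/LF (response splitting) and NUL (header truncation) while still accepting a CRLF that starts a folded continuation line, and John's point is that peeking at header_line[i+1] from the last loop iteration reads one byte past the buffer. The following is an added example written for this page, not PHP's code and not the committed patch: the function name header_line_is_safe, its 0/1 return convention, and the folding rule it accepts (CR LF, or a lone LF, followed by SP or HT) are assumptions made here. The explicit i + 1 < header_line_len guard is the bounds check John's note asks for: a CR or LF as the final byte has no successor and is rejected without reading beyond the line.

```c
/*
 * Added example for the php.internals thread on HTTP response splitting
 * protection.  Illustrative code only: not PHP's main/SAPI.c.  Names and
 * the exact folding rule are assumptions made for the example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if header_line (header_line_len bytes, not necessarily
 * NUL-terminated) may be emitted verbatim as one HTTP header line,
 * 0 otherwise.
 *
 * Rejected:
 *   - any NUL byte (C-string based code downstream would truncate
 *     the header there);
 *   - a CR or LF that is not followed by SP or HT (this is the
 *     response splitting vector: "\r\nSet-Cookie: ..." injected
 *     through a header value);
 *   - a CR or LF as the very last byte.  There is no successor to
 *     inspect, and peeking at header_line[i + 1] there would read one
 *     byte past the buffer, which is the off-by-one John raised.
 * Accepted:
 *   - CR LF followed by SP or HT, and a lone LF followed by SP or HT,
 *     treated as obsolete line folding (assumed rule for this example).
 */
int header_line_is_safe(const char *header_line, size_t header_line_len)
{
    size_t i;

    for (i = 0; i < header_line_len; i++) {
        char c = header_line[i];

        if (c == '\0') {
            return 0;
        }
        if (c != '\r' && c != '\n') {
            continue;
        }

        /* Treat CR LF as a single line break: step onto the LF, with a
         * bounds check before the lookahead. */
        if (c == '\r' && i + 1 < header_line_len && header_line[i + 1] == '\n') {
            i++;
        }

        /* The line break must be followed by folding whitespace.  Guard
         * the lookahead so a trailing CR/LF cannot index past the end. */
        if (i + 1 >= header_line_len) {
            return 0;
        }
        if (header_line[i + 1] != ' ' && header_line[i + 1] != '\t') {
            return 0;
        }
    }
    return 1;
}

/* Stand-alone demo over constructed header lines. */
int main(void)
{
    /* Constructed samples; the embedded NUL needs an explicit length. */
    const char *plain    = "Location: http://example.com/";
    const char *split    = "Location: /\r\nSet-Cookie: admin=1";
    const char *folded   = "X-Long: first part\r\n second part";
    const char *trailing = "X-Long: first part\r\n";
    const char  nul[]    = "X-Foo: bar\0hidden";   /* 17 bytes before the terminator */

    printf("plain:    %d\n", header_line_is_safe(plain, strlen(plain)));
    printf("split:    %d\n", header_line_is_safe(split, strlen(split)));
    printf("folded:   %d\n", header_line_is_safe(folded, strlen(folded)));
    printf("trailing: %d\n", header_line_is_safe(trailing, strlen(trailing)));
    printf("nul:      %d\n", header_line_is_safe(nul, 17));
    return 0;
}
```

The length is passed explicitly rather than derived with strlen inside the validator, so that a NUL in the middle of a header value is seen by the check instead of silently ending the scan; the caller's length is the only thing that bounds the loop, which is exactly why the lookahead must be guarded against it.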