Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57665
Return-Path: <keisial@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 14251 invoked from network); 3 Feb 2012 20:40:16 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Feb 2012 20:40:16 -0000
Authentication-Results: pb1.pair.com smtp.mail=keisial@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=keisial@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.170 as permitted sender)
X-PHP-List-Original-Sender: keisial@gmail.com
X-Host-Fingerprint: 74.125.82.170 mail-we0-f170.google.com  
Received: from [74.125.82.170] ([74.125.82.170:63846] helo=mail-we0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 08/A0-08838-E264C2F4 for <internals@lists.php.net>; Fri, 03 Feb 2012 15:40:15 -0500
Received: by werm1 with SMTP id m1so3532460wer.29
        for <internals@lists.php.net>; Fri, 03 Feb 2012 12:40:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=message-id:date:from:user-agent:mime-version:to:cc:subject
         :references:in-reply-to:content-type:content-transfer-encoding;
        bh=azYrn2pjs5Hx4e5KXqy0g+/uBG6CPmJQavHXCDDSMUE=;
        b=FGDiKpgRfYFAaKpGV7WLkbUf0/wOzQS0/iV+xj4BGdGveUnTSfsGg4neqFxbHZd0cE
         sgpjBj+n1Ts+RfMWHmsixcw9ERfJBGKgqwqVPDn7UZyF5zlhvr9REzVQ4lB9e1EapBfE
         fNUm6mMfHuxhhEmGy+xzyJvyNKWFWUkUcS/uA=
Received: by 10.216.135.138 with SMTP id u10mr6958605wei.43.1328301611984;
        Fri, 03 Feb 2012 12:40:11 -0800 (PST)
Received: from [192.168.1.26] (210.Red-83-52-184.dynamicIP.rima-tde.net. [83.52.184.210])
        by mx.google.com with ESMTPS id t15sm8976310wiv.6.2012.02.03.12.40.09
        (version=SSLv3 cipher=OTHER);
        Fri, 03 Feb 2012 12:40:10 -0800 (PST)
Message-ID: <4F2C4743.8070609@gmail.com>
Date: Fri, 03 Feb 2012 21:44:51 +0100
User-Agent: Thunderbird
MIME-Version: 1.0
To: Gustavo Lopes <glopes@nebm.ist.utl.pt>
CC: internals@lists.php.net
References: <D5EC076D-8518-4CDC-913F-5A3F3BB97367@sektioneins.de> <op.v83qfyebidpuyk@slws007.slhq.int> <op.v83vw0bcidpuyk@slws007.slhq.int>
In-Reply-To: <op.v83vw0bcidpuyk@slws007.slhq.int>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] The case of HTTP response splitting protection in PHP
From: keisial@gmail.com (=?UTF-8?B?w4FuZ2VsIEdvbnrDoWxleg==?=)

On 03/02/12 15:01, Gustavo Lopes wrote:
> I've committed a different version that also forbids \0 (since, as
> Stefan says, a NUL byte can result in the truncation of the rest of
> the header) and that accepts a CRLF:
>
> http://svn.php.net/viewvc/php/php-src/trunk/main/SAPI.c?r1=323043&r2=323042&pathrev=323043
>

Looks good. But given that the goal is to make this robust, I would go
further:
a) Replace any CRLF + [ \r] with SP
(rfc2616 allows us "A recipient MAY replace any linear white space
with a single SP before forwarding the message downstream.", and
this also protects UAs not following the spec)

b) Bail out on any header_line[i] < ' ' (ie. fail on any special char)



> If you or anyone else find any problem, please report a bug; otherwise
> I'll merge to 5.3 and 5.4 once 5.4 is out of code freeze.
>
> Thanks 
As it's a security patch and of small scope, I would consider it for
5.4. Stas, David?