Newsgroups: php.internals
Xref: news.php.net php.internals:57696
Subject: Re: [PHP-DEV] The case of HTTP response splitting protection in PHP
From: Gustavo Lopes <glopes@nebm.ist.utl.pt>
To: Ángel González
Date: Sat, 04 Feb 2012 11:42:17 +0100
Organization: Núcleo de Engenharia Biomédica do Instituto Superior Técnico
Message-ID: <525f07429768fc0057768837f210236c@nebm.ist.utl.pt>
In-Reply-To: <4F2C6885.8080007@gmail.com>
References: <4F2C4743.8070609@gmail.com> <4F2C6885.8080007@gmail.com>

On Sat, 04 Feb 2012 00:06:45 +0100, Ángel González wrote:
> On 03/02/12 21:44, Ángel González wrote:
>> On 03/02/12 15:01, Gustavo Lopes wrote:
>>> I've committed a different version that also forbids \0 (since, as
>>> Stefan says, a NUL byte can result in the truncation of the rest of
>>> the header) and that accepts a CRLF:
>>>
>>> http://svn.php.net/viewvc/php/php-src/trunk/main/SAPI.c?r1=323043&r2=323042&pathrev=323043
>>>
>> Looks good. But given that the goal is to make this robust, I would go
>> further:
>> a) Replace any CRLF + [ \r] with SP
>> (rfc2616 allows us "A recipient MAY replace any linear white space
>> with a single SP before forwarding the message downstream.", and
>> this also protects UAs not following the spec)
>>
>> b) Bail out on any header_line[i] < ' ' (i.e. fail on any special
>> char)
> I've gone ahead and written code for that feature. Comments welcome.

The comparison has a problem: if char is signed (the most common
scenario), you'll be making a signed comparison, so any character over
0x7f will match (if it's an unsigned char, though, it will work, because
of the integer promotions and usual arithmetic conversions). It suffices
to replace ' ' with 0x20U.

Other than that, I am a little uncertain about the impact this
strictness could have on current applications, even if correct.

-- 
Gustavo Lopes
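The signed-comparison pitfall Gustavo points out, shown side by side with the 0x20U fix, as an added example that is not code from php-src or from either poster. The function names are our own; `signed char` is forced explicitly so the buggy form misbehaves the same way on platforms where plain `char` is unsigned (AArch64 Linux, for instance), and the unfolding step is our reading of proposal (a) using RFC 2616's LWS definition (CRLF followed by SP or HT), not the code Ángel actually wrote. The sample header lines are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buggy form: `c < ' '` is an int-vs-int comparison once c is promoted, so
 * with a signed char every byte >= 0x80 is negative and "matches". The
 * UTF-8 bytes of "é" (0xC3 0xA9) are therefore rejected as control chars. */
int header_has_ctl_signed(const char *line, size_t len)
{
    const signed char *p = (const signed char *)line;   /* what plain char is on x86 */
    for (size_t i = 0; i < len; i++) {
        if (p[i] < ' ')          /* 0xE9 promotes to -23, which is < 32 */
            return 1;
    }
    return 0;
}

/* Hardened form from the mail: 0x20U makes the right operand unsigned int,
 * so the (possibly negative) promoted char is converted to unsigned int as
 * well: -23 becomes 4294967273u and no longer compares below 0x20. Only the
 * C0 control bytes 0x00..0x1F (CR, LF and NUL among them) are flagged. */
int header_has_ctl(const char *line, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (line[i] < 0x20U)     /* (unsigned char)line[i] < 0x20 is the quieter equivalent */
            return 1;
    }
    return 0;
}

/* Proposal (a) then (b): collapse CRLF followed by one or more SP/HT (RFC 2616
 * LWS) to a single SP, which the RFC lets a recipient do, then reject any
 * byte still below 0x20 (a bare CR or LF, a NUL, or any other control byte).
 * Rewrites `line` in place and returns the new length, or (size_t)-1 on
 * rejection. The sanitized text is never longer than the input. */
size_t sanitize_header_line(char *line, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        if (line[i] == '\r' && i + 2 < len && line[i + 1] == '\n'
            && (line[i + 2] == ' ' || line[i + 2] == '\t')) {
            line[out++] = ' ';
            i += 2;              /* now on the first folding whitespace byte */
            while (i + 1 < len && (line[i + 1] == ' ' || line[i + 1] == '\t'))
                i++;             /* swallow the rest of the LWS run */
            continue;
        }
        if ((unsigned char)line[i] < 0x20U)
            return (size_t)-1;   /* CRLF not followed by LWS is a split attempt */
        line[out++] = line[i];
    }
    return out;
}

/* Convenience wrapper for callers holding a C string: returns the sanitized
 * copy in a static buffer (demo only, not reentrant) or NULL if rejected. */
const char *sanitize_header_copy(const char *line)
{
    static char buf[256];
    size_t len = strlen(line);
    if (len >= sizeof buf)
        return NULL;
    memcpy(buf, line, len);
    size_t n = sanitize_header_line(buf, len);
    if (n == (size_t)-1)
        return NULL;
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed inputs: a UTF-8 value, a folded Set-Cookie, a split attempt. */
    const char *utf8 = "X-Note: Caf\xC3\xA9";
    printf("signed check rejects UTF-8:   %d\n", header_has_ctl_signed(utf8, strlen(utf8)));
    printf("unsigned check rejects UTF-8: %d\n", header_has_ctl(utf8, strlen(utf8)));

    const char *folded = sanitize_header_copy("Set-Cookie: a=b;\r\n\t path=/");
    printf("unfolded: \"%s\"\n", folded ? folded : "(rejected)");

    const char *split = sanitize_header_copy("Location: /\r\nSet-Cookie: evil=1");
    printf("split attempt: %s\n", split ? split : "(rejected)");
    return 0;
}
```

Both checks agree on the bytes that matter for response splitting (CR, LF, NUL), which is why the bug is easy to miss in testing; it only shows up as non-ASCII header values being refused on signed-char targets.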