Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:75199
Return-Path: <tjerk.meesters@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 66422 invoked from network); 3 Jul 2014 07:03:56 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Jul 2014 07:03:56 -0000
Authentication-Results: pb1.pair.com smtp.mail=tjerk.meesters@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=tjerk.meesters@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.128.180 as permitted sender)
X-PHP-List-Original-Sender: tjerk.meesters@gmail.com
X-Host-Fingerprint: 209.85.128.180 mail-ve0-f180.google.com  
Received: from [209.85.128.180] ([209.85.128.180:40943] helo=mail-ve0-f180.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id C2/85-47713-B5005B35 for <internals@lists.php.net>; Thu, 03 Jul 2014 03:03:56 -0400
Received: by mail-ve0-f180.google.com with SMTP id jw12so12460996veb.39
        for <internals@lists.php.net>; Thu, 03 Jul 2014 00:03:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=Tja4G/prkFGN2WNbshGvJ8SxRQ1ZU4To0iWIHHsygBI=;
        b=eI6dne4ic5lKY9tXS6LlrMeBisXNECFO+QT7LL4KLpYqS6Rl9I5TZXdwFE0E6xERPC
         JthYLT3pjO+6QsOKCtD7DuH4BrzDR5NRufmH04v62HXw3Njk7ajMtYlleqisc7SJst7D
         lsdXbHZjV2VJ9GNoTuKY31LPxA36p9LvEN3stYmTe5ukLoOsz8s5kl+J5fyC3YoRy5Jy
         MxK9XpfjwBcq4ontlBtnaE14CuOsS2GKGixyShYxho7IxP6gAy7lVfvNmw4EOYo8Bf4t
         +HI/di+N7bZmgiJkLGXws1MATbROex8Lgacp5UTLhzrh9VMN+MOvk7GnTqtt+n2b9l8R
         QiHQ==
MIME-Version: 1.0
X-Received: by 10.220.92.135 with SMTP id r7mr2106349vcm.11.1404371033572;
 Thu, 03 Jul 2014 00:03:53 -0700 (PDT)
Received: by 10.58.160.34 with HTTP; Thu, 3 Jul 2014 00:03:53 -0700 (PDT)
In-Reply-To: <20140703063713.GA16777@openwall.com>
References: <20140703003646.GA12662@openwall.com>
	<53B4AC6E.5050401@sugarcrm.com>
	<F494C86C-44E9-4BBC-889F-ADEA38107612@ajf.me>
	<20140703012402.GA13015@openwall.com>
	<CADajX4CvRPVZ7P2UrEynXUJCSD2GCnMhP8zvy7+W29bnecTGGw@mail.gmail.com>
	<CAH-PCH5EbCz+80SyH1M8zqBR4WVqW4K_deDYbheZ5pkU1ch6HA@mail.gmail.com>
	<20140703060837.GB16494@openwall.com>
	<CAH-PCH4YVzU9wrsmY3XNLy=j3MmXfhmc+q6z5kXxy-y4OzTk_A@mail.gmail.com>
	<20140703063713.GA16777@openwall.com>
Date: Thu, 3 Jul 2014 15:03:53 +0800
Message-ID: <CAHMUw2HCwEZxtN5UsA6VRMpot05m-ZnTQE8jWbYMFLsEZW9muQ@mail.gmail.com>
To: Solar Designer <solar@openwall.com>
Cc: Ferenc Kovacs <tyra3l@gmail.com>, Adam Harvey <aharvey@php.net>, Andrea Faulds <ajf@ajf.me>, 
	Stas Malyshev <smalyshev@sugarcrm.com>, PHP internals <internals@lists.php.net>, 
	D0znpp <d0znpp@onsec.ru>
Content-Type: multipart/alternative; boundary=047d7b66f5fb96cb8e04fd449c7d
Subject: Re: [PHP-DEV] multiline HTTP headers support in header()
From: tjerk.meesters@gmail.com (Tjerk Meesters)

--047d7b66f5fb96cb8e04fd449c7d
Content-Type: text/plain; charset=UTF-8

On Thu, Jul 3, 2014 at 2:37 PM, Solar Designer <solar@openwall.com> wrote:

> On Thu, Jul 03, 2014 at 08:19:16AM +0200, Ferenc Kovacs wrote:
> > > Why did the old code special-case NUL, though?  Should we possibly
> > > preserve that?
> >
> > see
> >
> http://grokbase.com/t/php/php-internals/1223makrz1/the-case-of-http-response-splitting-protection-in-php
>
> Wow.  So Adam's patch is in fact buggy in going back to strpbrk()
> without also checking for NUL, whereas the NUL check in the code
> currently in PHP is probably unnecessary (at least not for the original
> reason).  It's good that we're actually reviewing the patch this time,
> and with more than two eyes even.  Thank you!
>
> I think it might be the simplest to use two memchr() calls in place of
> strpbrk(), and not have any loop (unlike the old memchr()-using code
> did) because we can reject on any '\r' or '\n' right away.  Another good
> option is to have a single loop that checks the individual chars and
> aborts with failure if it sees a '\r' or '\n'.  Either is clean enough.
>

Or, check for NUL byte first and reject the whole thing if present; then
continue with `strpbrk()` :)


>
> As to whether we want to check for NUL just in case, even when our
> implementation doesn't depend on that, I don't know.  Some browsers may
> surely be confused by a NUL, but probably not in a way allowing for
> header injection.  I imagine there could be e.g. header($unsafe .
> "suffix") in some script, and $unsafe with a NUL in it would then hide
> the suffix from some browsers.  This would only be a security issue if
> the suffix somehow restricts the meaning of that header.  Maybe such
> headers exist.  So maybe continuing to check for NUL makes sense.  It's
> 3 memchr()'s or 3 chars to check for in a loop, then.  Well, or
> strpbrk() for "\r\n" and a single memchr() for NUL, but that's more
> complicated to review.
>
> Alexander
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


-- 
--
Tjerk

--047d7b66f5fb96cb8e04fd449c7d--