author | Stanislav Malyshev <stas@php.net> | 2015-02-04 01:11:00 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-02-05 20:08:12 -0800 |
commit | f001c630732a817fae3a3797643fec76cb4be095 (patch) | |
tree | 6009bac422099ec4692354355d61268ad2ebae4e | |
parent | 7efbd70b034890df171cc0c48363f99121f0c19e (diff) | |
download | php-git-f001c630732a817fae3a3797643fec76cb4be095.tar.gz |
Update header handling to RFC 7230
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/standard/tests/general_functions/bug60227_2.phpt | 7 | ||||
-rw-r--r-- | ext/standard/tests/general_functions/bug60227_3.phpt | 6 | ||||
-rw-r--r-- | ext/standard/tests/general_functions/bug60227_4.phpt | 6 | ||||
-rw-r--r-- | main/SAPI.c | 9 |
5 files changed, 14 insertions, 16 deletions
@@ -3,6 +3,8 @@ PHP NEWS
 ?? ??? 20?? PHP 5.4.38
 - Core:
+ . Removed support for multi-line headers, as the are deprecated by RFC 7230.
+ (Stas)
 . Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow). (Stas)
diff --git a/ext/standard/tests/general_functions/bug60227_2.phpt b/ext/standard/tests/general_functions/bug60227_2.phpt
index 995c364eea..2cdde78a4a 100644
--- a/ext/standard/tests/general_functions/bug60227_2.phpt
+++ b/ext/standard/tests/general_functions/bug60227_2.phpt
@@ -1,14 +1,15 @@
 --TEST--
 Bug #60227 (header() cannot detect the multi-line header with CR), \r before \n
+--INI--
+expose_php=0
 --FILE--
 <?php
 header("X-foo: e\n foo");
-header("X-Foo6: e\rSet-Cookie: ID=123\n d");
 echo 'foo';
 ?>
 --EXPECTF--
+
 Warning: Header may not contain more than a single header, new line detected in %s on line %d
 foo
 --EXPECTHEADERS--
-X-foo: e
-foo
+Content-type: text/html; charset=UTF-8
diff --git a/ext/standard/tests/general_functions/bug60227_3.phpt b/ext/standard/tests/general_functions/bug60227_3.phpt
index 8cba9b8aec..8246f17438 100644
--- a/ext/standard/tests/general_functions/bug60227_3.phpt
+++ b/ext/standard/tests/general_functions/bug60227_3.phpt
@@ -1,8 +1,9 @@
 --TEST--
 Bug #60227 (header() cannot detect the multi-line header with CR), \0 before \n
+--INI--
+expose_php=0
 --FILE--
 <?php
-header("X-foo: e\n foo");
 header("X-Foo6: e\0Set-Cookie: ID=\n123\n d");
 echo 'foo';
 ?>
@@ -10,5 +11,4 @@ echo 'foo';
 Warning: Header may not contain NUL bytes in %s on line %d
 foo
 --EXPECTHEADERS--
-X-foo: e
-foo
+Content-type: text/html; charset=UTF-8
diff --git a/ext/standard/tests/general_functions/bug60227_4.phpt b/ext/standard/tests/general_functions/bug60227_4.phpt
index d5e2573d89..20dba1a265 100644
--- a/ext/standard/tests/general_functions/bug60227_4.phpt
+++ b/ext/standard/tests/general_functions/bug60227_4.phpt
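Review bot: In bug60227_2.phpt the test no longer exercises a bare CR: the removed `header("X-Foo6: e\rSet-Cookie: ID=123\n d");` was the only call there with `\r` not followed by `\n`, while the title still reads "\r before \n". The new `header_line[i] == '\r'` branch in main/SAPI.c is reached by the CRLF case in bug60227_4.phpt, but a lone CR is not covered by any test visible in this commit (one may exist outside it). I would move the removed call into its own .phpt with the same expected warning rather than drop it. The `--EXPECTHEADERS--` sections here and in bug60227_3.phpt and bug60227_4.phpt now list only `Content-type`; if the test runner only checks listed headers for presence, which should be confirmed, these tests would still pass were `X-foo` emitted.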
@@ -1,8 +1,9 @@
 --TEST--
 Bug #60227 (header() cannot detect the multi-line header with CR), CRLF
+--INI--
+expose_php=0
 --FILE--
 <?php
-header("X-foo: e\r\n foo");
 header("X-foo: e\r\nfoo");
 echo 'foo';
 ?>
@@ -10,5 +11,4 @@ echo 'foo';
 Warning: Header may not contain more than a single header, new line detected in %s on line %d
 foo
 --EXPECTHEADERS--
-X-foo: e
- foo
+Content-type: text/html; charset=UTF-8
diff --git a/main/SAPI.c b/main/SAPI.c
index 994aff38bf..1390d29f8c 100644
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -743,13 +743,8 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
 /* new line/NUL character safety check */
 int i;
 for (i = 0; i < header_line_len; i++) {
- /* RFC 2616 allows new lines if followed by SP or HT */
- int illegal_break =
- (header_line[i+1] != ' ' && header_line[i+1] != '\t')
- && (
- header_line[i] == '\n'
- || (header_line[i] == '\r' && header_line[i+1] != '\n'));
- if (illegal_break) {
+ /* RFC 7230 ch. 3.2.4 deprecates folding support */
+ if (header_line[i] == '\n' || header_line[i] == '\r') {
 efree(header_line);
 sapi_module.sapi_error(E_WARNING, "Header may not contain "
 "more than a single header, new line detected"); |
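Review bot: The new comment above `if (header_line[i] == '\n' || header_line[i] == '\r')` in main/SAPI.c cites the RFC but not the property the check now enforces, namely that no CR or LF byte survives in a header line, so caller-supplied text cannot start a second header (response splitting). I would expand it to something like `/* RFC 7230 sec. 3.2.4: folding is deprecated; reject every CR or LF so one call emits at most one header line */`. The warning kept as context below, "more than a single header, new line detected", is now also what a script receives for a folded header that was accepted before this change; noting in the message or the NEWS entry that folded headers are rejected would help, bearing in mind the .phpt files in this commit match on the current text. The loop and the rest of sapi_header_op continue outside the hunk.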