Cr-Lf injection could be happend via From, User-Agent ini settings #17976

mdsnins · 2025-03-05T15:09:26Z

Description

As #81518, and #81680 (Still not fixed), from, user_agent ini value can lead CrLf injection and may lead HTTP header injection in fopen's http wrapper.

The following code:

PHP side

<?php
ini_set("from", "invalid_from\r\nTest-1: first_line");
ini_set("user_agent", "invalid_ua\r\nTest-2: another_line");

file_get_contents("http://localhost:1337");

Receiver

nc -nlvp 1337

Resulted in this output: (Receiver)

Listening on 0.0.0.0 1337
Connection received on 127.0.0.1 54468
GET / HTTP/1.1
From: invalid_from
Test-1: first_line
Host: localhost:1337
Connection: close
User-Agent: invalid_ua
Test-2: another_line

But I expected this output instead:

Either sanitized or blocked at ini value level

GET / HTTP/1.1
From: invalid_fromTest-1: first_line
Host: localhost:1337
Connection: close
User-Agent: invalid_uaTest-2: another_line

PHP Version

All PHP releases (including 8.5.0-dev)

Operating System

No response

The text was updated successfully, but these errors were encountered:

mdsnins added Bug Status: Needs Triage labels Mar 5, 2025

mdsnins changed the title ~~Cr-Lf injection could be happen via From, User-Agent ini settings~~ Cr-Lf injection could be happend via From, User-Agent ini settings Mar 5, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cr-Lf injection could be happend via From, User-Agent ini settings #17976

Cr-Lf injection could be happend via From, User-Agent ini settings #17976

mdsnins commented Mar 5, 2025

Cr-Lf injection could be happend via From, User-Agent ini settings #17976

Cr-Lf injection could be happend via From, User-Agent ini settings #17976

Comments

mdsnins commented Mar 5, 2025

Description

PHP Version

Operating System