Skip to content

Update #81645 : header() checks the validity of HTTP status code #7676

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 9 commits into from
Closed

Update #81645 : header() checks the validity of HTTP status code #7676

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
7542e8d
Add a rule on HTTP status code while calling header()
mdsnins Nov 23, 2021
407b72d
Fix wrong convention
mdsnins Nov 23, 2021
b295df4
Fix a support for leading zero 3 digits
mdsnins Nov 23, 2021
1136ab2
Replace atoi with ZEND_STRTOUL
mdsnins Nov 23, 2021
ffbc4df
Fix const type of pointer
mdsnins Nov 23, 2021
e6f50cc
Add tests for fix #81645
mdsnins Nov 23, 2021
f8d0a6f
Fix wrong indentation
mdsnins Nov 24, 2021
c93193d
Add range check for status code
mdsnins Nov 25, 2021
4123696
Update a test of Bug #81645
mdsnins Nov 25, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions ext/standard/tests/general_functions/bug81645_1.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
--TEST--
Bug #81645 (header() allows arbitrary status codes) leading zero
--FILE--
<?php
header("HTTP/1.1 000 ZERO");
?>
--EXPECTF--
Warning: Cannot set HTTP status line - status code is malformed in %s on line %d
8 changes: 8 additions & 0 deletions ext/standard/tests/general_functions/bug81645_2.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
--TEST--
Bug #81645 (header() allows arbitrary status codes) 2 digit code
--FILE--
<?php
header("HTTP/1.1 11 ELEVEN");
?>
--EXPECTF--
Warning: Cannot set HTTP status line - status code is malformed in %s on line %d
8 changes: 8 additions & 0 deletions ext/standard/tests/general_functions/bug81645_3.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
--TEST--
Bug #81645 (header() allows arbitrary status codes) longer than 3 digit
--FILE--
<?php
header("HTTP/1.1 1234 One Two Three Four");
?>
--EXPECTF--
Warning: Cannot set HTTP status line - status code is malformed in %s on line %d
8 changes: 8 additions & 0 deletions ext/standard/tests/general_functions/bug81645_4.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
--TEST--
Bug #81645 (header() allows arbitrary status codes) integer overflow
--FILE--
<?php
header("HTTP/1.1 4294967496 There was overflow");
?>
--EXPECTF--
Warning: Cannot set HTTP status line - status code is malformed in %s on line %d
24 changes: 20 additions & 4 deletions main/SAPI.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -549,17 +549,26 @@ SAPI_API void sapi_initialize_empty_request(void)

static int sapi_extract_response_code(const char *header_line)
{
int code = 200;
zend_ulong code = 200;
const char *ptr;

for (ptr = header_line; *ptr; ptr++) {
if (*ptr == ' ' && *(ptr + 1) != ' ') {
code = atoi(ptr + 1);
const char *code_begin = ptr + 1;
char *code_end;

code = ZEND_STRTOUL(code_begin, &code_end, 10);

/* rfc7230 3.1.2 status-code = 3DIGIT */
if (code < 100 || code > 599 || (code_end - code_begin) != 3) {
return -1;
}

break;
}
}

return code;
return (int)code;
}


Expand Down Expand Up @@ -747,7 +756,14 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg)
if (header_line_len>=5
&& !strncasecmp(header_line, "HTTP/", 5)) {
/* filter out the response code */
sapi_update_response_code(sapi_extract_response_code(header_line));
int status_code = sapi_extract_response_code(header_line);
if (status_code < 0) {
sapi_module.sapi_error(E_WARNING, "Cannot set HTTP status line - "
"status code is malformed");
efree(header_line);
return FAILURE;
}
sapi_update_response_code(status_code);
/* sapi_update_response_code doesn't free the status line if the code didn't change */
if (SG(sapi_headers).http_status_line) {
efree(SG(sapi_headers).http_status_line);
Expand Down