Описание
Stream HTTP wrapper header check might omit basic auth header
Details
Currently the header check in check_has_header does not verify \r which could potentially lead to some misbehaviour if only \n is used in the header value. If this value is provided by user and not checked properly (e.g. it can be cookie value and it is not unlikely it could be taken from the user input (at least partially)), then it could specify it like for example Cookie: x=y\nauhtorization:x\r\n. If the URL has user part in it, then this can disable sending of that authorization header. That could potentially impact the result and lead potentially to DoS or potentially to some unexpected issues.
Impact
Preventing authorization header to be sent.
There are also some implication for other headers like user-agent and other checked by this functions. The impact is less likely but there could be possibly some security implications as well.
Пакеты
< 8.1.32
8.1.32
< 8.2.28
8.2.28
< 8.3.18
8.3.19
< 8.4.5
8.4.5
EPSS
CVE ID
Связанные уязвимости
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* ...
EPSS