Description
Streams HTTP wrapper does not fail for headers with invalid name and no colon
Headers without a colon are currently returned in $http_response_header. It means that something like:
results in the following $http_response_header
In addition, headers that contain a space in the header name (before the colon) will also not fail, although this is not allowed by the RFC.
Impact
This can cause issues in the application when it parses the array: for example, the application could treat such a line as a valid header or as a continuation of the previous one (folded headers currently misbehave, so the application may contain logic for them that could result in a security issue). Some sort of request smuggling could therefore be possible in this case.
Workarounds
Users can add special handling of $http_response_header. No notification is triggered for this sort of header, so no extra handling is needed there.
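One way to implement the special handling mentioned above, as an added example (not code from the advisory or from PHP itself). The function name `parse_response_headers_strict` and the reject-on-malformed policy are assumptions, and the sample input is constructed.

```php
<?php
declare(strict_types=1);

/**
 * Added example: strict check of the lines in $http_response_header.
 * Function name and rejection policy are assumptions, not PHP's own API.
 *
 * @param string[] $lines raw lines as exposed by the HTTP stream wrapper
 * @throws UnexpectedValueException on any line that is neither a status
 *         line nor a well-formed "name: value" field
 */
function parse_response_headers_strict(array $lines): array
{
    // RFC 9110 field-name is a token: one or more tchar, no whitespace.
    $field  = '/^([!#$%&\'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$/D';
    $status = '/^HTTP\/\d+(?:\.\d+)? \d{3}(?: .*)?$/D';
    $responses = [];

    foreach ($lines as $i => $line) {
        if (preg_match($status, $line)) {
            // Each status line starts a new response (e.g. after a redirect).
            $responses[] = ['status' => $line, 'headers' => []];
            continue;
        }
        if ($responses === []) {
            throw new UnexpectedValueException("line $i: header before status line");
        }
        if (!preg_match($field, $line, $m)) {
            // Covers: no colon, space in the name, folded continuation lines.
            throw new UnexpectedValueException("line $i: malformed header line");
        }
        $last = array_key_last($responses);
        $responses[$last]['headers'][strtolower($m[1])][] = $m[2];
    }
    return $responses;
}

// Constructed sample input (not from the advisory).
$sample = [
    'HTTP/1.1 200 OK',
    'Content-Type: text/plain',
    'X-Broken-No-Colon',
    'Bad Name: value',
];

try {
    parse_response_headers_strict($sample);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Pass `$http_response_header` to the function right after the stream call and treat an exception as a failed request, rather than skipping the offending line and using the rest.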
Packages
Affected: < 8.1.32; fixed: 8.1.32
Affected: < 8.2.28; fixed: 8.2.28
Affected: < 8.3.18; fixed: 8.3.19
Affected: < 8.4.5; fixed: 8.4.5
Related vulnerabilities
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.