GHSA-v8xr-gpvj-cx9g

Опубликовано: 13 мар. 2025

Источник: github

Github: Не прошло ревью

Описание

Header parser of http stream wrapper does not handle folded headers

Summary

The header parser of the http stream wrapper does not handle folded headers and passes incorrect MIME types to an attached stream notifier.

Details

The header parser of the http stream parser does not understand that a header line beginning with whitespace continues the previous header and instead considers every newline to be a header separator.

This has two consequences:

The STREAM_NOTIFY_MIME_TYPE_IS notification might report an incorrect MIME type, if the content-type header is a folded header.
The $http_response_header array contains the header continuation lines as they appear on-the-wire, requiring userland code to be aware of folded headers and violating RFC9112#5.2, which specifies:

A user agent that receives an obs-fold in a response message that is not within a "message/http" container MUST replace each received obs-fold with one or more SP octets prior to interpreting the field value.

PoC

<?php function stream_notification_callback($notification_code, $severity, $message, $message_code, $bytes_transferred, $bytes_max) { switch($notification_code) { case STREAM_NOTIFY_MIME_TYPE_IS: echo "Found the mime-type: ", $message, PHP_EOL; break; } } $ctx = stream_context_create(); stream_context_set_params($ctx, array("notification" => "stream_notification_callback")); var_dump(file_get_contents("http://127.0.0.1:8080", false, $ctx)); var_dump($http_response_header);

Running against:

printf "HTTP/1.0 200 Ok\r\nContent-Type: text/html;\r\n charset=utf-8\r\n\r\nbody\r\n" |nc -l 0.0.0.0 8080

results in:

Found the mime-type: text/html; string(6) "body " array(3) { [0]=> string(15) "HTTP/1.0 200 Ok" [1]=> string(24) "Content-Type: text/html;" [2]=> string(17) " charset=utf-8" }

being printed (after killing nc with Ctrl+C), thus missing the charset within the mime type.

Impact

Users of the http stream wrapper might interpret the response with an incorrect MIME type and more generally might misparse the response, for example by incorrectly determining which response headers belong to the final response if a redirect happened.

Пакеты

Наименование

Отсутствует

Затронутые версииВерсия исправления

< 8.1.32

8.1.32

Наименование

Отсутствует

Затронутые версииВерсия исправления

< 8.2.28

8.2.28

Наименование

Отсутствует

Затронутые версииВерсия исправления

< 8.3.18

8.3.19

Наименование

Отсутствует

Затронутые версииВерсия исправления

< 8.4.5

8.4.5

EPSS

Процентиль: 29%

0.00103

Низкий

CVE ID

CVE-2025-1217

Связанные уязвимости

CVE-2025-1217

CVSS3: 3.1

ubuntu

7 месяцев назад

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.