Fix GH-17976: CRLF injection via from and user_agent in HTTP wrapper

iliaal · iliaal · commit 76e541099ee8 · 2026-04-06T19:08:29.000-04:00
The from and user_agent INI settings and the user_agent stream context option were written into HTTP request headers without stripping CR/LF characters, allowing header injection. Truncate at the first \r or \n and emit E_WARNING. Closes GH-17976
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
@@ -353,6 +353,16 @@ static zend_string *php_stream_http_response_headers_parse(php_stream_wrapper *w
 	return NULL;
 }
 
+static inline void smart_str_append_header_value(smart_str *dest, const char *src, const char *header_name)
+{
+	size_t len = strcspn(src, "\r\n");
+	smart_str_appendl(dest, src, len);
+	if (src[len] != '\0') {
+		php_error_docref(NULL, E_WARNING,
+			"Header %s value contains newline characters and has been truncated", header_name);
+	}
+}
+
 static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 		const char *path, const char *mode, int options, zend_string **opened_path,
 		php_stream_context *context, int redirect_max, int flags,
@@ -784,7 +794,7 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 	/* if the user has configured who they are, send a From: line */
 	if (!(have_header & HTTP_HEADER_FROM) && FG(from_address)) {
 		smart_str_appends(&req_buf, "From: ");
-		smart_str_appends(&req_buf, FG(from_address));
+		smart_str_append_header_value(&req_buf, FG(from_address), "From");
 		smart_str_appends(&req_buf, "\r\n");
 	}
 
@@ -818,24 +828,10 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 		ua_str = FG(user_agent);
 	}
 
-	if (((have_header & HTTP_HEADER_USER_AGENT) == 0) && ua_str) {
-#define _UA_HEADER "User-Agent: %s\r\n"
-		char *ua;
-		size_t ua_len;
-
-		ua_len = sizeof(_UA_HEADER) + strlen(ua_str);
-
-		/* ensure the header is only sent if user_agent is not blank */
-		if (ua_len > sizeof(_UA_HEADER)) {
-			ua = emalloc(ua_len + 1);
-			if ((ua_len = slprintf(ua, ua_len, _UA_HEADER, ua_str)) > 0) {
-				ua[ua_len] = 0;
-				smart_str_appendl(&req_buf, ua, ua_len);
-			} else {
-				php_error_docref(NULL, E_WARNING, "Cannot construct User-agent header");
-			}
-			efree(ua);
-		}
+	if (((have_header & HTTP_HEADER_USER_AGENT) == 0) && ua_str && *ua_str) {
+		smart_str_appends(&req_buf, "User-Agent: ");
+		smart_str_append_header_value(&req_buf, ua_str, "User-Agent");
+		smart_str_appends(&req_buf, "\r\n");
 	}
 
 	if (user_headers) {
diff --git a/ext/standard/tests/http/gh17976.phpt b/ext/standard/tests/http/gh17976.phpt
@@ -0,0 +1,57 @@
+--TEST--
+GH-17976 (CRLF injection via from and user_agent INI settings in HTTP wrapper)
+--INI--
+allow_url_fopen=1
+--FILE--
+<?php
+$serverCode = <<<'CODE'
+    $ctxt = stream_context_create([
+        "socket" => ["tcp_nodelay" => true]
+    ]);
+
+    $server = stream_socket_server(
+        "tcp://127.0.0.1:0", $errno, $errstr, STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctxt);
+    phpt_notify_server_start($server);
+
+    for ($i = 0; $i < 3; $i++) {
+        $conn = stream_socket_accept($server);
+        $result = fread($conn, 4096);
+        fwrite($conn, "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n" . base64_encode($result));
+        fclose($conn);
+    }
+CODE;
+
+$clientCode = <<<'CODE'
+    // Test 1: from INI with CRLF
+    ini_set("from", "test\r\nInjected-From: evil");
+    ini_set("user_agent", "clean_ua");
+    $raw = base64_decode(file_get_contents("http://{{ ADDR }}/"));
+    echo (str_contains($raw, "Injected-From:") ? "FAIL" : "OK") . ": from INI\n";
+
+    // Test 2: user_agent INI with CRLF
+    ini_restore("from");
+    ini_set("user_agent", "test\r\nInjected-UA: evil");
+    $raw = base64_decode(file_get_contents("http://{{ ADDR }}/"));
+    echo (str_contains($raw, "Injected-UA:") ? "FAIL" : "OK") . ": user_agent INI\n";
+
+    // Test 3: user_agent context option with CRLF
+    ini_restore("user_agent");
+    $ctx = stream_context_create(["http" => [
+        "user_agent" => "test\nInjected-Ctx: evil"
+    ]]);
+    $raw = base64_decode(file_get_contents("http://{{ ADDR }}/", false, $ctx));
+    echo (str_contains($raw, "Injected-Ctx:") ? "FAIL" : "OK") . ": user_agent context\n";
+CODE;
+
+include sprintf("%s/../../../openssl/tests/ServerClientTestCase.inc", __DIR__);
+ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
+?>
+--EXPECTF--
+Warning: file_get_contents(): Header From value contains newline characters and has been truncated in %s on line %d
+OK: from INI
+
+Warning: file_get_contents(): Header User-Agent value contains newline characters and has been truncated in %s on line %d
+OK: user_agent INI
+
+Warning: file_get_contents(): Header User-Agent value contains newline characters and has been truncated in %s on line %d
+OK: user_agent context
