Merge branch 'PHP-7.4' into PHP-8.0

cmb69 · cmb69 · commit b7f3b67060ec · 2021-10-14T12:21:35.000+02:00
* PHP-7.4:
  Fix #81518: Header injection via default_mimetype / default_charset
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2021, PHP 8.0.13
 
+- Core:
+  . Fixed bug #81518 (Header injection via default_mimetype / default_charset).
+    (cmb)
+
 - Opcache:
   . Fixed bug #81512 (Unexpected behavior with arrays and JIT). (Dmitry)
 
diff --git a/main/main.c b/main/main.c
@@ -538,6 +538,10 @@ PHPAPI void (*php_internal_encoding_changed)(void) = NULL;
 /* {{{ PHP_INI_MH */
 static PHP_INI_MH(OnUpdateDefaultCharset)
 {
+	if (memchr(ZSTR_VAL(new_value), '\0', ZSTR_LEN(new_value))
+		|| strpbrk(ZSTR_VAL(new_value), "\r\n")) {
+		return FAILURE;
+	}
 	OnUpdateString(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
 	if (php_internal_encoding_changed) {
 		php_internal_encoding_changed();
@@ -551,6 +555,17 @@ static PHP_INI_MH(OnUpdateDefaultCharset)
 }
 /* }}} */
 
+/* {{{ PHP_INI_MH */
+static PHP_INI_MH(OnUpdateDefaultMimeTye)
+{
+	if (memchr(ZSTR_VAL(new_value), '\0', ZSTR_LEN(new_value))
+		|| strpbrk(ZSTR_VAL(new_value), "\r\n")) {
+		return FAILURE;
+	}
+	return OnUpdateString(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
+}
+/* }}} */
+
 /* {{{ PHP_INI_MH */
 static PHP_INI_MH(OnUpdateInternalEncoding)
 {
@@ -698,7 +713,7 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_ENTRY("auto_prepend_file",		NULL,		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateString,			auto_prepend_file,		php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("doc_root",				NULL,		PHP_INI_SYSTEM,		OnUpdateStringUnempty,	doc_root,				php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("default_charset",		PHP_DEFAULT_CHARSET,	PHP_INI_ALL,	OnUpdateDefaultCharset,			default_charset,		sapi_globals_struct, sapi_globals)
-	STD_PHP_INI_ENTRY("default_mimetype",		SAPI_DEFAULT_MIMETYPE,	PHP_INI_ALL,	OnUpdateString,			default_mimetype,		sapi_globals_struct, sapi_globals)
+	STD_PHP_INI_ENTRY("default_mimetype",		SAPI_DEFAULT_MIMETYPE,	PHP_INI_ALL,	OnUpdateDefaultMimeTye,			default_mimetype,		sapi_globals_struct, sapi_globals)
 	STD_PHP_INI_ENTRY("internal_encoding",		NULL,			PHP_INI_ALL,	OnUpdateInternalEncoding,	internal_encoding,	php_core_globals, core_globals)
 	STD_PHP_INI_ENTRY("input_encoding",			NULL,			PHP_INI_ALL,	OnUpdateInputEncoding,				input_encoding,		php_core_globals, core_globals)
 	STD_PHP_INI_ENTRY("output_encoding",		NULL,			PHP_INI_ALL,	OnUpdateOutputEncoding,				output_encoding,	php_core_globals, core_globals)
diff --git a/sapi/cgi/tests/bug81518a.phpt b/sapi/cgi/tests/bug81518a.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #81518 (Header injection via default_mimetype / default_charset)
+--CGI--
+--FILE--
+<?php
+ini_set(
+    "default_mimetype",
+    "text/html;charset=ISO-8859-1\r\nContent-Length: 31\r\n\r\n" .
+    "Lets smuggle a HTTP response.\r\n"
+);
+?>
+--EXPECTHEADERS--
+Content-type: text/html; charset=UTF-8
+--EXPECT--
diff --git a/sapi/cgi/tests/bug81518b.phpt b/sapi/cgi/tests/bug81518b.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #81518 (Header injection via default_mimetype / default_charset)
+--CGI--
+--FILE--
+<?php
+ini_set('default_charset', 'ISO-8859-1' . "\r\nHeader-Injection: Works!");
+header('Content-Type: text/html');
+?>
+--EXPECTHEADERS--
+Content-type: text/html;charset=UTF-8
+--EXPECT--
