CRLF injection could happen via From, User-Agent ini settings #17976

Open
@mdsnins

Description

As with #81518 and #81680 (still not fixed), the from and user_agent ini values can lead to CRLF injection and may lead to HTTP header injection in fopen's http wrapper.

The following code:

  • PHP side
<?php
ini_set("from", "invalid_from\r\nTest-1: first_line");
ini_set("user_agent", "invalid_ua\r\nTest-2: another_line");

file_get_contents("http://localhost:1337");
  • Receiver
nc -nlvp 1337

Resulted in this output: (Receiver)

Listening on 0.0.0.0 1337
Connection received on 127.0.0.1 54468
GET / HTTP/1.1
From: invalid_from
Test-1: first_line
Host: localhost:1337
Connection: close
User-Agent: invalid_ua
Test-2: another_line

But I expected this output instead:

Either sanitized or blocked at ini value level

GET / HTTP/1.1
From: invalid_fromTest-1: first_line
Host: localhost:1337
Connection: close
User-Agent: invalid_uaTest-2: another_line

PHP Version

All PHP releases (including 8.5.0-dev)

Operating System

No response
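
An application-side guard for the behaviour reported above, as an added example that is not part of the original issue or of PHP itself. The names `header_safe_value`, `set_header_ini`, `audit_header_ini` and the two constants are hypothetical; the non-strict mode strips control bytes as in the "expected" output, and strict mode blocks the value.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not part of PHP). These are the ini keys that the
// issue shows being copied into request headers by the http wrapper.
const HEADER_INI_KEYS = ['from', 'user_agent'];
const CTRL = '/[\x00-\x1F\x7F]/'; // CR, LF, NUL and other controls (also TAB, conservatively)

// strict=true blocks the value; strict=false strips the control bytes.
function header_safe_value(string $value, bool $strict = true): string
{
    if (preg_match(CTRL, $value) !== 1) {
        return $value;
    }
    if ($strict) {
        throw new InvalidArgumentException('control character in header value');
    }
    return (string) preg_replace(CTRL, '', $value);
}

function set_header_ini(string $key, string $value, bool $strict = true): void
{
    if (!in_array($key, HEADER_INI_KEYS, true)) {
        throw new InvalidArgumentException("unexpected ini key: $key");
    }
    ini_set($key, header_safe_value($value, $strict));
}

// Report keys whose effective value (php.ini or an earlier ini_set) is unsafe.
function audit_header_ini(): array
{
    return array_values(array_filter(HEADER_INI_KEYS, function (string $k): bool {
        $v = ini_get($k);
        return is_string($v) && preg_match(CTRL, $v) === 1;
    }));
}

// Constructed inputs, taken from the reproduction above.
ini_set('from', "invalid_from\r\nTest-1: first_line"); // unguarded, as in the report
var_dump(audit_header_ini());                          // audit flags the key
set_header_ini('from', "invalid_from\r\nTest-1: first_line", false);
var_dump(ini_get('from'), audit_header_ini());         // stripped value, clean audit
try {
    set_header_ini('user_agent', "invalid_ua\r\nTest-2: another_line");
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```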
