Fix GH-17976: CRLF injection via from and user_agent in HTTP wrapper #21658

Open: iliaal wants to merge 1 commit into php:master from iliaal:fix/gh-17976-crlf-injection-http-wrapper

iliaal commented Apr 6, 2026

The fopen HTTP wrapper writes from and user_agent INI settings (and the user_agent stream context option) into HTTP request headers without stripping CR/LF characters, allowing header injection.

Truncate at the first \r or \n and emit E_WARNING.

Fixes #17976

The from and user_agent INI settings and the user_agent stream context
option were written into HTTP request headers without stripping CR/LF
characters, allowing header injection.

Truncate at the first \r or \n and emit E_WARNING.

Closes phpGH-17976

iliaal force-pushed the fix/gh-17976-crlf-injection-http-wrapper branch from 76e5410 to 02175be, June 13, 2026 13:33
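
The behaviour this pull request describes (cut the header value at the first \r or \n and warn), sketched in C as an added example. It is not the patch from this PR or php-src code; the helper names `header_value_safe_len`, `emit_header` and `count_header_lines` and the sample User-Agent value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not php-src code: length of value up to the first
 * CR or LF. *truncated is set to 1 if one was found (the caller warns). */
static size_t header_value_safe_len(const char *value, int *truncated)
{
    size_t n = strcspn(value, "\r\n");
    *truncated = (value[n] != '\0');
    return n;
}

/* Write "Name: value\r\n" into out with value cut at the first CR/LF.
 * Returns the bytes written, or -1 if out is too small. */
static int emit_header(char *out, size_t cap, const char *name,
                       const char *value, int *truncated)
{
    size_t n = header_value_safe_len(value, truncated);
    int w = snprintf(out, cap, "%s: %.*s\r\n", name, (int)n, value);
    return (w < 0 || (size_t)w >= cap) ? -1 : w;
}

/* Count CRLF-terminated lines, i.e. how many headers the peer will see. */
static int count_header_lines(const char *block)
{
    int lines = 0;
    for (const char *p = block; (p = strstr(p, "\r\n")) != NULL; p += 2)
        lines++;
    return lines;
}

int main(void)
{
    /* Constructed sample value, as if it came from the user_agent setting. */
    const char *ua = "ExampleAgent/1.0\r\nX-Injected: 1";
    char before[128], after[128];
    int truncated = 0;

    /* "Before" behaviour described in the PR: value copied through as-is. */
    snprintf(before, sizeof before, "User-Agent: %s\r\n", ua);
    emit_header(after, sizeof after, "User-Agent", ua, &truncated);
    if (truncated)
        fprintf(stderr, "warning: CR/LF in header value, truncated\n");
    printf("before: %d header line(s), after: %d\n",
           count_header_lines(before), count_header_lines(after));
    return 0;
}
```

With the unfiltered copy the single setting serializes as two header lines; with truncation it stays one, and the `truncated` flag marks where the warning is raised.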

Successfully merging this pull request may close these issues.

Cr-Lf injection could be happend via From, User-Agent ini settings