From f001c630732a817fae3a3797643fec76cb4be095 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Wed, 4 Feb 2015 01:11:00 -0800 Subject: [PATCH 1/3] Update header handling to RFC 7230 --- NEWS | 2 ++ ext/standard/tests/general_functions/bug60227_2.phpt | 7 ++++--- ext/standard/tests/general_functions/bug60227_3.phpt | 6 +++--- ext/standard/tests/general_functions/bug60227_4.phpt | 6 +++--- main/SAPI.c | 9 ++------- 5 files changed, 14 insertions(+), 16 deletions(-) diff --git a/NEWS b/NEWS index 2e45ad877ce..462d6a1733a 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,8 @@ PHP NEWS ?? ??? 20?? PHP 5.4.38 - Core: + . Removed support for multi-line headers, as the are deprecated by RFC 7230. + (Stas) . Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow). (Stas) diff --git a/ext/standard/tests/general_functions/bug60227_2.phpt b/ext/standard/tests/general_functions/bug60227_2.phpt index 995c364eea2..2cdde78a4a9 100644 --- a/ext/standard/tests/general_functions/bug60227_2.phpt +++ b/ext/standard/tests/general_functions/bug60227_2.phpt @@ -1,14 +1,15 @@ --TEST-- Bug #60227 (header() cannot detect the multi-line header with CR), \r before \n +--INI-- +expose_php=0 --FILE-- --EXPECTF-- + Warning: Header may not contain more than a single header, new line detected in %s on line %d foo --EXPECTHEADERS-- -X-foo: e -foo +Content-type: text/html; charset=UTF-8 diff --git a/ext/standard/tests/general_functions/bug60227_3.phpt b/ext/standard/tests/general_functions/bug60227_3.phpt index 8cba9b8aec6..8246f174383 100644 --- a/ext/standard/tests/general_functions/bug60227_3.phpt +++ b/ext/standard/tests/general_functions/bug60227_3.phpt @@ -1,8 +1,9 @@ --TEST-- Bug #60227 (header() cannot detect the multi-line header with CR), \0 before \n +--INI-- +expose_php=0 --FILE-- @@ -10,5 +11,4 @@ echo 'foo'; Warning: Header may not contain NUL bytes in %s on line %d foo --EXPECTHEADERS-- -X-foo: e -foo +Content-type: text/html; charset=UTF-8 
diff --git a/ext/standard/tests/general_functions/bug60227_4.phpt b/ext/standard/tests/general_functions/bug60227_4.phpt index d5e2573d89c..20dba1a2656 100644 --- a/ext/standard/tests/general_functions/bug60227_4.phpt +++ b/ext/standard/tests/general_functions/bug60227_4.phpt @@ -1,8 +1,9 @@ --TEST-- Bug #60227 (header() cannot detect the multi-line header with CR), CRLF +--INI-- +expose_php=0 --FILE-- @@ -10,5 +11,4 @@ echo 'foo'; Warning: Header may not contain more than a single header, new line detected in %s on line %d foo --EXPECTHEADERS-- -X-foo: e - foo +Content-type: text/html; charset=UTF-8 diff --git a/main/SAPI.c b/main/SAPI.c index 994aff38bf7..1390d29f8c5 100644 --- a/main/SAPI.c +++ b/main/SAPI.c @@ -743,13 +743,8 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC) /* new line/NUL character safety check */ int i; for (i = 0; i < header_line_len; i++) { - /* RFC 2616 allows new lines if followed by SP or HT */ - int illegal_break = - (header_line[i+1] != ' ' && header_line[i+1] != '\t') - && ( - header_line[i] == '\n' - || (header_line[i] == '\r' && header_line[i+1] != '\n')); - if (illegal_break) { + /* RFC 7230 ch. 3.2.4 deprecates folding support */ + if (header_line[i] == '\n' || header_line[i] == '\r') { efree(header_line); sapi_module.sapi_error(E_WARNING, "Header may not contain " "more than a single header, new line detected"); From 928fdbea0852b804c78fb7e28530c2d5162d44b5 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Thu, 5 Feb 2015 21:54:47 -0800 Subject: [PATCH 2/3] fix tests --- ext/standard/tests/general_functions/bug60227_2.phpt | 2 +- ext/standard/tests/general_functions/bug60227_3.phpt | 2 +- ext/standard/tests/general_functions/bug60227_4.phpt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ext/standard/tests/general_functions/bug60227_2.phpt b/ext/standard/tests/general_functions/bug60227_2.phpt index 2cdde78a4a9..9b377e931b7 100644 
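Review bot: The comment added in the loop of the main/SAPI.c hunk cites only the deprecation of folding, but the condition beneath it now rejects every CR or LF in the header line, including the newline-plus-SP/HT continuation that the removed check allowed. Stating the reason would keep that exception from being reintroduced later: `/* Reject any CR or LF: RFC 7230 3.2.4 deprecates obs-fold, and recipients that do not unfold may read the continuation as a separate header */`. Separately, `int i` is compared with `header_line_len`, which is declared outside the hunk; if it is unsigned, the index should use the same type to avoid a signed/unsigned comparison. sapi_header_op starts and ends outside this hunk, so the rest of the safety check could not be reviewed here.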
--- a/ext/standard/tests/general_functions/bug60227_2.phpt +++ b/ext/standard/tests/general_functions/bug60227_2.phpt @@ -12,4 +12,4 @@ echo 'foo'; Warning: Header may not contain more than a single header, new line detected in %s on line %d foo --EXPECTHEADERS-- -Content-type: text/html; charset=UTF-8 +Content-type: text/html diff --git a/ext/standard/tests/general_functions/bug60227_3.phpt b/ext/standard/tests/general_functions/bug60227_3.phpt index 8246f174383..e97fdc266ef 100644 --- a/ext/standard/tests/general_functions/bug60227_3.phpt +++ b/ext/standard/tests/general_functions/bug60227_3.phpt @@ -11,4 +11,4 @@ echo 'foo'; Warning: Header may not contain NUL bytes in %s on line %d foo --EXPECTHEADERS-- -Content-type: text/html; charset=UTF-8 +Content-type: text/html diff --git a/ext/standard/tests/general_functions/bug60227_4.phpt b/ext/standard/tests/general_functions/bug60227_4.phpt index 20dba1a2656..f2f2845376f 100644 --- a/ext/standard/tests/general_functions/bug60227_4.phpt +++ b/ext/standard/tests/general_functions/bug60227_4.phpt @@ -11,4 +11,4 @@ echo 'foo'; Warning: Header may not contain more than a single header, new line detected in %s on line %d foo --EXPECTHEADERS-- -Content-type: text/html; charset=UTF-8 +Content-type: text/html From af23980de7248aca587de2a3e5fcad1e044fb58c Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Thu, 5 Feb 2015 22:05:36 -0800 Subject: [PATCH 3/3] turn off online tests, they fail too often on CI --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 3baf50be3b7..20d5b1d4a17 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -39,5 +39,5 @@ before_script: # Run PHPs run-tests.php script: - - ./sapi/cli/php run-tests.php -p `pwd`/sapi/cli/php -g "FAIL,XFAIL,BORK,WARN,LEAK,SKIP" --show-diff --set-timeout 120 + - ./sapi/cli/php run-tests.php -p `pwd`/sapi/cli/php -g "FAIL,XFAIL,BORK,WARN,LEAK,SKIP" --offline --show-diff --set-timeout 120 - ./sapi/cli/php sapi/phpdbg/tests/run-tests.php -diff2stdout --phpdbg sapi/phpdbg/phpdbg
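Review bot: The `--offline` flag added to the run-tests.php line has no comment in the file, so a reader of .travis.yml cannot tell that network-dependent tests are no longer run on CI, or why. A line above it such as `# --offline: skip tests that need network access, they fail too often on CI` would record that. It would also help to note where those tests are still expected to run, so the lost coverage is a visible decision.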