Merge branch 'PHP-8.1'

* PHP-8.1:
  Fix #81518: Header injection via default_mimetype / default_charset

main/main.c

@@ -533,6 +533,10 @@ PHPAPI void (*php_internal_encoding_changed)(void) = NULL;
 /* {{{ PHP_INI_MH */
 static PHP_INI_MH(OnUpdateDefaultCharset)
 {
+	if (memchr(ZSTR_VAL(new_value), '\0', ZSTR_LEN(new_value))
+		|| strpbrk(ZSTR_VAL(new_value), "\r\n")) {
+		return FAILURE;
+	}
 	OnUpdateString(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
 	if (php_internal_encoding_changed) {
 		php_internal_encoding_changed();
@@ -546,6 +550,17 @@ static PHP_INI_MH(OnUpdateDefaultCharset)
 }
 /* }}} */
 
+/* {{{ PHP_INI_MH */
+static PHP_INI_MH(OnUpdateDefaultMimeTye)
+{
+	if (memchr(ZSTR_VAL(new_value), '\0', ZSTR_LEN(new_value))
+		|| strpbrk(ZSTR_VAL(new_value), "\r\n")) {
+		return FAILURE;
+	}
+	return OnUpdateString(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
+}
+/* }}} */
+
 /* {{{ PHP_INI_MH */
 static PHP_INI_MH(OnUpdateInternalEncoding)
 {
@@ -693,7 +708,7 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_ENTRY("auto_prepend_file",		NULL,		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateString,			auto_prepend_file,		php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("doc_root",				NULL,		PHP_INI_SYSTEM,		OnUpdateStringUnempty,	doc_root,				php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("default_charset",		PHP_DEFAULT_CHARSET,	PHP_INI_ALL,	OnUpdateDefaultCharset,			default_charset,		sapi_globals_struct, sapi_globals)
-	STD_PHP_INI_ENTRY("default_mimetype",		SAPI_DEFAULT_MIMETYPE,	PHP_INI_ALL,	OnUpdateString,			default_mimetype,		sapi_globals_struct, sapi_globals)
+	STD_PHP_INI_ENTRY("default_mimetype",		SAPI_DEFAULT_MIMETYPE,	PHP_INI_ALL,	OnUpdateDefaultMimeTye,			default_mimetype,		sapi_globals_struct, sapi_globals)
 	STD_PHP_INI_ENTRY("internal_encoding",		NULL,			PHP_INI_ALL,	OnUpdateInternalEncoding,	internal_encoding,	php_core_globals, core_globals)
 	STD_PHP_INI_ENTRY("input_encoding",			NULL,			PHP_INI_ALL,	OnUpdateInputEncoding,				input_encoding,		php_core_globals, core_globals)
 	STD_PHP_INI_ENTRY("output_encoding",		NULL,			PHP_INI_ALL,	OnUpdateOutputEncoding,				output_encoding,	php_core_globals, core_globals)

sapi/cgi/tests/bug81518a.phpt

@@ -0,0 +1,14 @@
+--TEST--
+Bug #81518 (Header injection via default_mimetype / default_charset)
+--CGI--
+--FILE--
+<?php
+ini_set(
+    "default_mimetype",
+    "text/html;charset=ISO-8859-1\r\nContent-Length: 31\r\n\r\n" .
+    "Lets smuggle a HTTP response.\r\n"
+);
+?>
+--EXPECTHEADERS--
+Content-type: text/html; charset=UTF-8
+--EXPECT--

sapi/cgi/tests/bug81518b.phpt

@@ -0,0 +1,11 @@
+--TEST--
+Bug #81518 (Header injection via default_mimetype / default_charset)
+--CGI--
+--FILE--
+<?php
+ini_set('default_charset', 'ISO-8859-1' . "\r\nHeader-Injection: Works!");
+header('Content-Type: text/html');
+?>
+--EXPECTHEADERS--
+Content-type: text/html;charset=UTF-8
+--EXPECT--